CECM Kerberos Printing FAQ
- Q #1: What is Kerberos?
- Q #2: Why would I want to use Kerberos pre-authentication for printing?
- Q #3: How do I verify whether or not a print queue will accept Kerberos pre-authentication?
- Q #4: How do I pre-authenticate with Kerberos before printing to an SFU_Print queue?
- Q #5: What is a Kerberos Ticket?
- Q #6: How do I acquire a Kerberos Ticket for printing?
- Q #7: How do I view my Kerberos Tickets?
- Q #8: How long does a Kerberos Ticket last?
- Q #9: What happens if I try to print without a valid Kerberos Ticket?
Advanced Kerberos FAQ
- Q #10: How do I auto-renew my Kerberos Ticket?
- Q #11: What if I want to auto-renew my Kerberos Ticket indefinitely?
Q #1: What is Kerberos?
In Greek mythology, Kerberos is the 3-headed dog that guards the gates of hell.
Kerberos is also a widely used cryptographic network authentication system.
Q #2: Why would I want to use Kerberos pre-authentication for printing?
If you are using any of the SFU_Print queues, you need to authenticate so that the university can track printing and ensure that the service isn't being abused.
Kerberos Authentication is used by Microsoft Active Directory, which is central to the SFU Campus computing systems. In the near future, we will be switching the CECM logins to Active Directory, and then you'll automatically acquire a Kerberos Ticket upon login, without any extra effort on your part.
Q #3: How do I verify whether or not a print queue will accept Kerberos pre-authentication?
Some print queues will accept Kerberos pre-authentication and some will not. It depends upon many factors, such as how the print queue was set up, what Linux version your computer is using, and what state the print queue is in.
Suppose you want to verify whether or not the SFU_Print
queue is accepting Kerberos pre-authentication. First, make sure
there aren't any jobs stuck in the queue, by typing
Second, check the status of the queue by typing
SFU_Print accepting requests since Fri 22 Mar 2019 05:36:59 PM PDT
Third, check the printer options by typing
lpoptions -p SFU_Print
auth-info-required=negotiate copies=1 device-uri=smb://ADSFU/cs-sfuprint-p.dc.sfu.ca/SFU_Print finishings=3 job-cancel-after=10800 job-hold-until=no-hold job-priority=50 job-sheets=none,none marker-change-time=0 number-up=1 printer-commands=none printer-info='SFU Print Queue for 2-sided greyscale printing' printer-is-accepting-jobs=true printer-is-shared=false printer-is-temporary=false printer-location='Multiple Locations on Campus' printer-make-and-model='Ricoh MP C6004ex PDF' printer-state=3 printer-state-change-time=1631836675 printer-state-reasons=none printer-type=2109692 printer-uri-supported=ipp://localhost/printers/SFU_Print
The auth-info-required=negotiate option means that the printer will accept Kerberos pre-authentication.
If, however, you see
lpoptions -p SFU_Print
auth-info-required=username,password copies=1 device-uri=smb://ADSFU/cs-sfuprint-p.dc.sfu.ca/SFU_Print finishings=3 job-hold-until=no-hold job-priority=50 job-sheets=none,none marker-change-time=0 number-up=1 printer-commands=none printer-info='SFU Print Queue for 2-sided greyscale printing' printer-is-accepting-jobs=true printer-is-shared=false printer-location='Multiple Locations on Campus' printer-make-and-model='Ricoh MP C6004ex PDF' printer-state=3 printer-state-change-time=1551926708 printer-state-reasons=none printer-type=2109692 printer-uri-supported=ipp://localhost:631/printers/SFU_Print
then the print queue will not accept Kerberos pre-authentication (auth-info-required=username,password) and you'll need to type your username and password into the Job Authentication Window.
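The check described in Q #3 can be scripted. The following is an added example, not part of the original FAQ; the function names are made up for illustration, and the sample lines are shortened from the two outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original page): classify how a CUPS queue wants
# jobs authenticated, from the one line that `lpoptions -p QUEUE` prints.

# Constructed samples, shortened from the two outputs shown above.
SAMPLE_KRB="auth-info-required=negotiate copies=1 printer-info='SFU Print Queue for 2-sided greyscale printing' printer-state=3"
SAMPLE_PW="auth-info-required=username,password copies=1 printer-info='SFU Print Queue for 2-sided greyscale printing' printer-state=3"

# get_option NAME   (reads lpoptions output on stdin, prints NAME's value)
# Quoted values may contain blanks, so the line is consumed token by token
# rather than split on spaces.
get_option() {
    _want=$1
    IFS= read -r _rest || [ -n "$_rest" ] || return 1
    while [ -n "$_rest" ]; do
        _rest=${_rest#"${_rest%%[! ]*}"}      # strip leading blanks
        _key=${_rest%%[= ]*}                  # name ends at '=' or a blank
        _rest=${_rest#"$_key"}
        _val=
        case $_rest in
            "='"*)                            # quoted value
                _rest=${_rest#"='"}
                _val=${_rest%%\'*}
                _rest=${_rest#"$_val"}
                _rest=${_rest#\'} ;;
            "="*)                             # plain value
                _rest=${_rest#=}
                _val=${_rest%% *}
                _rest=${_rest#"$_val"} ;;
        esac
        if [ "$_key" = "$_want" ]; then printf '%s\n' "$_val"; return 0; fi
    done
    return 1
}

# queue_auth_mode   (stdin: lpoptions output) -> kerberos | password | none | unknown
queue_auth_mode() {
    _mode=$(get_option auth-info-required) || { echo unknown; return 0; }
    case $_mode in
        negotiate)  echo kerberos ;;   # Kerberos ticket is used, no prompt
        none|"")    echo none ;;
        *password*) echo password ;;   # Job Authentication Window will appear
        *)          echo unknown ;;
    esac
}

# Real use: lpoptions -p SFU_Print | queue_auth_mode
```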
Q #4: How do I pre-authenticate with Kerberos before printing to an SFU_Print queue?
To pre-authenticate, you need to open a Terminal and type kinit in order to acquire a Kerberos Ticket. You'll be asked for a password. Use your Campus password here. (The same password you use to read your SFU e-mail.)
Q #5: What is a Kerberos Ticket?
A Kerberos Ticket is a chunk of encrypted data. When you type kinit, you acquire a Kerberos Ticket-Granting Ticket (TGT) which allows you to acquire other Kerberos Tickets for services such as printing. Your Kerberos Tickets are stored within the Linux kernel keyring. This is kept in RAM and is not written out to disk.
Kerberos Tickets are kind of like an encrypted password, except they are more secure because they have a limited lifetime and won't work after they expire.
Q #6: How do I acquire a Kerberos Ticket for printing?
After you have a Kerberos TGT (via kinit), just print. If
things are working correctly, and the printer's options have
Q #7: How do I view my Kerberos Tickets?
Just open a Terminal and type klist. You'll see something like this:
Ticket cache: KEYRING:persistent:5256:5256
Default principal: [email protected]

Valid starting       Expires              Service principal
2021-11-23 23:44:05  2021-11-24 09:44:05  krbtgt/[email protected]
        renew until 2021-11-30 23:44:05
"krbtgt..." is the Kerberos Ticket-Granting Ticket (TGT).
After you successfully print to one of the SFU_Print Queues, then klist will show something like this:
Ticket cache: KEYRING:persistent:5256:5256
Default principal: [email protected]

Valid starting       Expires              Service principal
2021-11-23 23:44:29  2021-11-24 09:44:05  cifs/[email protected]
        renew until 2021-11-30 23:44:05
2021-11-23 23:44:05  2021-11-24 09:44:05  krbtgt/[email protected]
        renew until 2021-11-30 23:44:05
"cifs..." is the Kerberos Ticket for the printing service.
Q #8: How long does a Kerberos Ticket last?
As illustrated above, SFU Campus Kerberos Tickets have a 10-hour lifetime before they expire, and a maximum renewal period of 1 week.
If you want to renew your Kerberos Ticket before it expires,
just type
Q #9: What happens if I try to print without a valid Kerberos Ticket?
If you try to print to SFU_Print without a valid Kerberos Ticket, then your print job will become stuck in the local print queue on your printer. You'll need to cancel your print job, kinit, and try again.
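Q #8 and Q #9 together mean that a ticket can only be renewed while it is still valid and only up to its "renew until" time. The following added example (not part of the original FAQ) reads klist output and reports which case applies; the function names and the EXAMPLE.REALM placeholder are made up, and the timestamp layout is assumed to match the klist output shown above.

```shell
#!/bin/sh
# Added example (not from the original page): tell from `klist` output whether
# `kinit -R` can still extend the TGT. Assumes the timestamp layout shown
# above (YYYY-MM-DD HH:MM:SS); other locales print dates differently.

# Constructed sample modelled on the output above; the realm is a placeholder.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:5256:5256
Default principal: username@EXAMPLE.REALM

Valid starting       Expires              Service principal
2021-11-23 23:44:05  2021-11-24 09:44:05  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
        renew until 2021-11-30 23:44:05'

# "2021-11-24 09:44:05" -> 20211124094405, so timestamps compare as integers.
digits() { printf '%s' "$1" | tr -cd '0-9'; }

# tgt_state "YYYY-MM-DD HH:MM:SS"   (stdin: klist output)
#   valid    TGT has not expired and can still be renewed
#   final    TGT has not expired, but it already runs to "renew until"
#            (or is not renewable), so kinit -R gains nothing
#   expired  TGT is past "Expires"; only a fresh kinit will help
#   missing  no krbtgt entry in the cache
tgt_state() {
    _now=$(digits "$1"); _exp=; _renew=; _prev=
    while read -r _a _b _c _d _e || [ -n "$_a" ]; do
        if [ "$_a $_b" = "renew until" ]; then
            # belongs to the ticket printed on the line just before it
            if [ "$_prev" = tgt ]; then _renew=$(digits "$_c $_d"); fi
            _prev=
        elif [ -z "$_exp" ] && [ "${_e#krbtgt/}" != "$_e" ]; then
            _exp=$(digits "$_c $_d"); _prev=tgt
        else
            _prev=
        fi
    done
    if [ -z "$_exp" ]; then echo missing
    elif [ "$_now" -ge "$_exp" ]; then echo expired
    elif [ -z "$_renew" ] || [ "$_exp" -ge "$_renew" ]; then echo final
    else echo valid
    fi
}

# Real use: klist | tgt_state "$(date '+%Y-%m-%d %H:%M:%S')"
```

Anything other than "valid" or "final" before printing means the job would get stuck as described in Q #9.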
Advanced Kerberos FAQ
Q #10: How do I auto-renew my Kerberos Ticket?
You could set up a cron job to auto-renew your Kerberos
ticket with
In order to do this, you need to edit your crontab with
For example, you could set up the following crontab entry on your Linux computer:
30 * * * * /usr/bin/kinit -R
This will renew your Kerberos TGT at 30 minutes past every
hour of every day. (See
Q #11: What if I want to auto-renew my Kerberos Ticket indefinitely?
You can achieve this via a crontab entry and your own private keytab file.
Suppose you want to keep your keytab within your home
directory in
mkdir myprivatestuff
chmod 0700 myprivatestuff
cd myprivatestuff
ktutil
addent -password -p [email protected] -k 1 -e aes256-cts-hmac-sha1-96
addent -password -p [email protected] -k 1 -e aes128-cts-hmac-sha1-96
(enter your password here when asked)
wkt username.keytab
q
You can call the directory whatever you want; just make
sure it's private -- that's what the "
You can then set up a crontab entry similar to the one
above, but instead of using
30 * * * * /usr/bin/kinit [email protected] -k -t /cecm/home/username/myprivatestuff/username.keytab
(Again, substitute your real username for "username" here.)
This will get a new Kerberos Ticket for user "username" at 30 minutes past every hour of every day, without having to type a password, by using the credentials stored in username's private keytab file.
NOTE: you should also add this command into your .login file (assuming that your shell is tcsh) so that you'll get a Kerberos Ticket upon login without waiting for your cron job to run (which might take up to an hour if it only runs at 30 minutes past every hour).
(And if your shell is bash, then add this command to your .profile file.)
This will work virtually forever (unless one changes one's Campus password, in which case the steps of creating a private keytab need to be redone).
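A keytab holds long-term keys derived from your password, so anyone who can read the file can obtain tickets as you. The following added example (not part of the original FAQ) checks that the keytab and its directory are private before cron relies on them; it assumes GNU stat on Linux, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check that a keytab and the
# directory holding it are private before cron uses them.
# Assumes GNU coreutils `stat` (Linux); function names are hypothetical.

# private_to_me PATH -> status 0 if PATH is owned by the calling user and its
# mode gives group and other no access (octal mode ends in 00).
private_to_me() {
    _info=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 1
    [ "${_info% *}" = "$(id -u)" ] || return 1
    case ${_info#* } in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_keytab FILE -> prints a verdict; status 0 only if FILE is a regular
# file (not a symlink) and both FILE and its directory are private.
check_keytab() {
    _kt=$1
    _dir=$(dirname -- "$_kt")
    if [ -L "$_kt" ] || [ ! -f "$_kt" ]; then
        echo "FAIL: not a regular file: $_kt"; return 1
    fi
    if ! private_to_me "$_kt"; then
        echo "FAIL: keytab is not private (want mode 0600): $_kt"; return 1
    fi
    if ! private_to_me "$_dir"; then
        echo "FAIL: directory is not private (want mode 0700): $_dir"; return 1
    fi
    echo "OK: $_kt"
}

# Real use, with the path from the crontab entry above:
#   check_keytab /cecm/home/username/myprivatestuff/username.keytab
```

If the check fails, fix the permissions with chmod before letting the cron job use the keytab.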
John Hebron
Research Computing Group
IT Services, SFU
Last modified: Tue Nov 23 23:56:00 PST 2021