Linux printing does not need a separate authentication step anymore

The department's Linux hosts now use the University's central single sign-on AD authentication for printing. This means that a separate authentication step is no longer required when printing. This works if (and only if) your HYAD password is the same as your CS Dept account password.

Some boring technical details

When you log in to a Linux host, the system now obtains two Kerberos tickets: one for the HYAD Kerberos/AD domain and one for the department's old CSWIN domain. The AD Kerberos ticket looks like this:

$ ls -l /tmp/krb5cc_$(id -u)_AD_*
-rw------- 1 jjaakkol grpd 1406 Aug 28 12:38 /tmp/krb5cc_4392_AD_IrdmXj
$ klist /tmp/krb5cc_4392_AD_IrdmXj
Ticket cache: FILE:/tmp/krb5cc_4392_AD_IrdmXj
Default principal: jjaakkol@AD.HELSINKI.FI

Valid starting     Expires            Service principal
28/08/14 12:38:13  28/08/14 22:38:13  krbtgt/AD.HELSINKI.FI@AD.HELSINKI.FI
    renew until 04/09/14 12:38:13
$

The ticket is obtained by the sssd daemon, which now runs on every Cubbli Linux host. The daemon also renews the ticket when necessary. This ticket is now used to authenticate print jobs to HYAD queues automatically.
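
If automatic printing stops working, the ticket cache described above is the first thing to check. The following is an added example, not part of the original announcement or of the Cubbli tooling: it assumes the /tmp/krb5cc_<uid>_AD_<random> naming shown in the listing, GNU stat, and MIT klist, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the AD ticket cache that sssd writes at login.
# Assumes the /tmp/krb5cc_<uid>_AD_<random> naming shown above and GNU stat.

# Print the newest AD credential cache of the current user, or fail if none.
find_ad_ccache() {
    ls -t /tmp/krb5cc_"$(id -u)"_AD_* 2>/dev/null | head -n 1 | grep .
}

# Succeed only if $1 is a regular file (not a symlink), owned by the
# current user, with mode 600 (-rw-------) as in the listing above.
# Anyone who can read this file can act as the ticket's principal.
ccache_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ] || return 1
}

# Full check: the cache exists, is private, and holds a non-expired ticket.
# "klist -s" prints nothing and reports validity through its exit status.
check_ad_ticket() {
    cc=$(find_ad_ccache) || { echo "no AD ticket cache found" >&2; return 1; }
    ccache_is_private "$cc" || { echo "$cc: wrong owner or mode" >&2; return 2; }
    klist -s "$cc" || { echo "$cc: ticket missing or expired" >&2; return 3; }
    echo "$cc: ok"
}
```

After sourcing the file, run check_ad_ticket; exit status 1, 2 or 3 tells you whether the cache is missing, has the wrong owner or mode, or holds no valid ticket.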

 
28.08.2014 - 12:49 Pekka Niklander
28.08.2014 - 12:44 Jani Jaakkola