unable to use kerberos on ubuntu22.04&ubuntu24.04 cups server

[machencheng2]

Print server info:
ubuntu+cups server

Client info:
Client made with cups 2.4.2

Printer:
brother MFC-7895DW

---

There is a shared printer built on the cups server, and I have a client that wants to connect to the shared printer on the cups server and obtain printer information through negotiate communication.

I tried the following environments separately.
1.Ubuntu 20.04 (with built-in cups server 2.3.1): I set up a kerberos environment on it. After kinit, call cupsDoRequest, and negotiate communication succeeds.
2. Ubuntu 22.04 (with built-in cups server 2.4.1) and Ubuntu 24.04 (with built-in cups server 2.4.7): I set up the kerberos environment using the same manual. After kinit, I called cupsDoRequest, but the negotiate communication failed.
3. ubuntu20.04 (compiled cups server 2.4.7). After kinit, call cupsDoRequest, and negotiate communication succeeds.
Has anyone ever used the negotiate method of cups server on Ubuntu 22.04 and 24.04? Can it succeed?

Set up in the cupsd.conf file of the cups server
DefaultAuthType Negotiate

By checking the logs of the cups server, I can see the following logs /var/log/cups/error_log

D [11/Oct/2024:16:53:17 +0800] [Client 9] Error accepting GSSAPI security context.: Unspecified GSS failure.  Minor code may provide more information, Unknown error
D [11/Oct/2024:15:39:51 +0800] cupsdIsAuthorized: username=""
D [11/Oct/2024:15:39:51 +0800] [Client 40] cupsdSendHeader: code=401, type="text/html", auth_type=0
D [11/Oct/2024:15:39:51 +0800] [Client 40] WWW-Authenticate: Negotiate
D [11/Oct/2024:15:39:51 +0800] [Client 40] Closing connection.

reference resources #508
I made some changes to the code and can now see the detailed errors.
D [12/Oct/2024:10:37:08 +0800] [Client 35] Error accepting GSSAPI security context.: Unspecified GSS failure. Minor code may provide more information, Resource temporarily unavailable

After the cups server error, my client will receive
http_read: Connection reset by peer
Then a broken pipe occurs, and communication will fail.

It is normal on ubuntu20.04+cups server 2.3.1
D [11/Oct/2024:04:10:19 -0700] [Client 9] Connection now encrypted.
D [11/Oct/2024:04:10:19 -0700] [Client 9] POST /printers/ricoh231 HTTP/1.1
D [11/Oct/2024:04:10:19 -0700] cupsdSetBusyState: newbusy="Active clients", busy="Active clients"
D [11/Oct/2024:04:10:19 -0700] [Client 9] Read: status=200, state=6
D [11/Oct/2024:04:10:19 -0700] [Client 9] Authorized as "root@TESTAPP.COM" using Negotiate.
D [11/Oct/2024:04:10:19 -0700] cupsdIsAuthorized: username="root@TESTAPP.COM"
D [11/Oct/2024:04:10:19 -0700] [Client 9] 2.0 Get-Printer-Attributes 2

Because it is normal to set up cups 2.4.7 on Ubuntu 20.04, I suspect it is a problem with libgssappi.

I went to check the version of libgssapi-krb5. Is it related to the version of libgssapi-krb5?
ubuntu20.04
macc@ubuntu :/tmp/cups-2.4.7$ dpkg -l libgssapi-krb5-2 | grep ii
ii  libgssapi-krb5-2:amd64 1.17-6ubuntu4.7 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism

ubuntu22.04
mcc@krb5 :/mnt/ldapAD$ dpkg -l libgssapi-krb5-2 | grep ii
ii libgssapi-krb5-2:amd64 1.19.2-2ubuntu0.4 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
mcc@krb5 :/mnt/ldapAD$

ubuntu24.04
mcc@krb5 :~/Desktop$ dpkg -l libgssapi-krb5-2 | grep ii
ii  libgssapi-krb5-2:amd64 1.20.1-6ubuntu2.1 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism

[machencheng2]

I saw the wrong place

in log /var/log/syslog

2024-10-17T11:16:31.807354+08:00 krb5 kernel: audit: type=1400 audit(1729134991.805:1354): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/sbin/cupsd" name="/var/spool/cups/tmp/krb5_0.rcache2" pid=6898 comm="cupsd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

sudo systemctl disable apparmor
sudo systemctl stop apparmor
reboot

then
ubuntu 24.04+cups2.4.7 +krb is OK

vi /etc/apparmor.d/usr.sbin.cupsd
and add /var/spool/cups/tmp/krb5_*.rcache2 k,

sudo systemctl reload apparmor

then
ubuntu 24.04+cups2.4.7 +krb is OK

is this a bug?