The problem can be seen when a URI such as smb://server/share is used, without authentication details, but authentication is required by the server.
In this case, what is supposed to happen is that smbspool, acting as a CUPS backend, sets the IPP attribute auth-info-required indicating what type of authentication details it needs, such as:
or, if Kerberos authentication is required:
The trouble is that it is using the latter form ('negotiate') even when the server has not been configured to required Kerberos. This means that proxy authentication (which e.g. system-config-printer implements) cannot go ahead.
It also causes future jobs for that queue to fail even if the device URI is changed to include the authentication details in it, because CUPS caches this attribute in /etc/cups/printers.conf.
This relates slightly to https://bugzilla.samba.org/show_bug.cgi?id=4134, which is where the feature was originally requested.
Created attachment 3458 [details]
This is the patch created by Tim Waugh for this problem. It looks correct to me but the comment here :
claims James doesn't like it. I'll ping him before applying Tim's patch.
Created attachment 3459 [details]
Added got_kerberos_mechanism flag into cli struct.
Marking this one as fixed.
Patch will be in 3.2.2.
Please re-open if it is still an issue for you.
Thanks for reporting!