Network Printing on Linux – How to configure your CUPS server.

March 15th, 2008

Of all of the features that I rave about using Linux, network printing is not one of them. Linux uses CUPS (Common UNIX Printing System) to natively share printers and connect to shared printers on other UNIX boxes. Unlike Windows, this is not as simple as choosing the printer and sharing it among your peers. But, on the other hand, the network security is highly configurable albeit draconian and frustrating to figure out. Plus, once it is configured you can forget about it.

I’m sharing how I got my shared printers to work from my main server. I’ll admit that I may not have used all of the correct formatting, nor do I have a guru’s understanding of CUPS, but it works, it seems secure, and I’m hopeful that it doesn’t drain as many hours from the readers’ life as it did mine in order to get it working.

First off, the general idea is easy: just install cups, go to the web-based configuration tool, and voila, you’re up and running. Unfortunately it was not so simple in my case. My goal was to share my workstation printer among the desktops and laptops on my network.

To install CUPS on Debian or Ubuntu, simply log into the terminal and type “sudo apt-get install cups”. The system will ask you for your administrative password and will then install the latest version of the software. If you are using other distros, you can get cups by RPM on RedHat, Mandriva, and similar systems. On OpenBSD, you use the pkgadd script to get the program. At this point, there is not much to discuss. The installation programs will download and install the latest version on your system.

Once installed, open your browser and go to http://localhost:631 to access the web-based administration panel. You can choose your Basic Server Settings from the Administration tab. And now is where the frustration begins…

If you want to employ any reasonable security on your system, you will need to go to Edit Configuration File. This utility edits /etc/cups/cupsd.conf. If you choose, you can edit the file by hand using vim, pico, or your favorite edit from the terminal.

An annotated example of my cupsd.conf file. Note that all lines beginning with # are ignored, so this is where I will put my comments and explanations. Reference files and man files that describe each heading can be found at http://www.cups.org/documentation.php.
LogLevel error
#This can be set to none, emergency, alter, critical, error, warn, notice, info, and debug. I put mine to error to log all general errors.
AccessLog /var/log/cups/access_log-%s
ErrorLog /var/log/cups/error_log-%s
#You can choose where to store the logs. the -%s adds the system name behind the log name.
SystemGroup lpadmin system
#Name all system administration groups separated by spaces
# Allow remote access. Port specifies a port to listen on. 631 is the default port e.g. http:localhost:631
Port 631
Listen /var/run/cups/cups.sock

# Share local printers on the local network.
Browsing On
# Turn on port browsing to listen for clients

BrowseOrder allow,deny
# Set access. either allow, deny or deny, allow. I use allow, deny because it automatically denies all requests, then it allows requests as per the following lines, then it can specifically deny requests from within any of these groups.

BrowseAllow 10.0.0.*.*
# this allows any local address in the 10.0 network e.g your local network.

BrowseAllow nnn.nnn.nnn.nnn/255.255.255.0
#nnn… is your local internet viewable network and netmask if you have one

BrowseAddress @LOCAL
#Browse all local ports

ErrorPolicy retry-job
# what happens when there is an error. I set to retry the job.

JobRetryInterval 45
# How long to wait before retrying the job

JobRetryLimit 5
# How many times should it try to retry the job.

# And now we reach the most important part, how to allow access to CUPS.

<Location /> #Access to the root directory of CUPS
Encryption IfRequested # Use encryption if requested by client, Optional
Require user @SYSTEM #Require a system user from the server.
# Allow shared printing and remote administration…
Order allow, deny # Same as above, you can choose allow, deny or deny allow
Allow 10.0.*.* # Allow all computers on the subnet 10.0.0.0
Allow @Local # Allow all computers on the local network. If it is the same as 10.0.0.0 then you could only put this
Allow nnn.nnn.nnn.nnn/255.255.255.0 #nnn… is your local internet viewable network and netmask if you have one
</Location>

<Location /jobs> #Same as above
Encryption IfRequested
Require user @SYSTEM
Order allow, deny
Allow @Local
</Location>

<Location /printers> #Same as above
Encryption IfRequested
Require user @SYSTEM
Order allow, deny
Allow @Local
</Location>

 

<Location /admin> # who can access the administrative interface by going to http://yourserver:631
Encryption IfRequested
Require user @SYSTEM
Order allow, deny
Allow @Local
</Location>

<Location /admin/conf> # who can access the configuration interface by going to http://yourserver:631
Encryption IfRequested
Require user @SYSTEM
Order allow, deny
Allow @Local
</Location>

 

<Policy default> # Honestly, these settings are the default ones, it works, so I didn’t touch them.

<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>

<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>

<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>

<Limit CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>

<Limit All>
Order deny,allow
</Limit>
</Policy>

If you are familiar with CUPS and see an error, I would appreciate any corrections. For a complete explanation of all options in the cupsd.conf, go to http://www.cups.org/documentation.php/ref-cupsd-conf.html

Now for the client side:

Using this configuration, I never was able to browse the IPP queues using the printers manager applet system-config-printer.py So I used the web interface on my client computers by going to http://localhost:631

From the client configuration page, shut down all access to the client as a server by unchecking everything but Allow users to cancel any job on the Basic Server Settings. I leave the Allow users to cancel any job because we have a small office and there is not a problem with persons usurping print queues.

Then go to Add Printer.

From here you can put in the printer name, no spaces no special characters. e.g. LaserPrinter. The next two fields allow you to add human readable text to describe the printer location and the printer itself. Click on Continue and move one.

The next screen lets you choose how the client computer will access the device. Choose Internet Printing Protocol and click on continue.

Now is when I wish that the browse function worked in system-config-printer.py, because you have to input the actual address. Fortunately it is relatively logical. type in ipp://yourprintserverhostname/printers/LaserPrinter Of course you will need the hostname of your print server and the actual name of your printer.

Click Continue and move on to choosing the driver for your printer. If you cannot find the specific driver that works with your printer, and if you do not have a ppd file for your printer, then go to http://linuxprinting.org and look up your printer there. This site has information on most printers and will state the driver that works best, and how well the printer works with Linux.

Finally, click on my printer. Voila, you should now have access to the network printer.

I am writing this because I spent two days trying to configure my CUPS server so that I could actually browse the queues over the system-config-printer application. Alas, I was unable to actually make that part work. If there is someone who knows how to answer this conundrum, I would find it helpful.

Otherwise, happy network printing, and I hope that this was helpful.

Posted in Linux General |

Leave a Reply

Copyright (c) 2008 by John Pierce. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).