Install CUPS

On our server, we are going to install the CUPS print server. We can do that by running the following command: 

# sudo apt-get install cups

Before doing any work on the CUPS system, it is generally a good idea to stop the cups service. You can do that with the following command: 

# sudo systemctl stop cups.service

Now that we have CUPS installed, we want to have CUPS authenticate users from our domain. Since we already have Kerberos properly functioning on the server, we can enable Kerberos by running the following command: 

# cupsctl DefaultAuthType=Negotiate

We can start the CUPS service again by running the following command: 

# sudo systemctl stop cups.service

You should now be able to login to CUPS by going to 192.168.1.2:631 and using your domain account.

Other CUPS Settings

The CUPS system is quite advanced and offers TONS of options for complex environments. This tutorial does NOT cover all of the available options, just the ones a small office server is most likely to need. If you do not need an option, or if you do not know if you need a specific option, leave it at the default setting.

At the bottom of this page, we give an example cups configuration that should work for most small offices.

To edit the cups configuration file, run the following command: 

# sudo nano /ect/cups.conf

Access Log Levels

AccessLogLevel actions   # Options: actions | config | all

This directive specifies the logging level for the AccessLog file. The "config" level logs when printers and classes are added, deleted, or modified and when configuration files are accessed or updated. The "actions" level logs when print jobs are submitted, held, released, modified, or canceled, and any of the conditions for "config". The "all" level logs all requests. The default access log level is "actions".

AutoPurgeJobs

AutoPurgeJobs no        # Options: yes | No

This directive specifies whether to purge job history data automatically when it is no longer required for quotas. The default is "No".

BrowseDNSSDSubTypes

BrowseDNSSDSubTypes _cups,_print

This directive specifies a list of Bonjour sub-types to advertise for each shared printer. _cups and _print are the two most commonly needed in a small office.

BrowseLocalProtocols

BrowseLocalProtocols all     # Options: all | dnssd | none

This directive tells the cups server which protocols to use for local printer sharing.

BrowseWebIF

BrowseWebIF Yes      # Options: Yes | No

This directive determines if the CUPS web interface is browsable. For most small offices, this should be set to yes.

Browsing

Browsing Yes     # Options: Yes | No

This setting specifies whether shared printers are advertised on the network. In most small offices, this should be set to yes.

DefaultAuthType

DefaultAuthType Negotiate

This setting is used to authenticate users via the domain, and for the small business server, must be set to Negotiate

DefaultEncryption

DefaultEncryption IfRequested    # Options: Never | IfRequested | Required

Specifies whether encryption will be used for authenticated requests. For most small businesses, this should be set to "IfRequested".

DefaultShared

DefaultShared Yes

Specifies whether local printers (those attached to the server) are shared by default. For a small business server, the default should generally be "yes", as that is where we will set up the printers to be shared.

Setting security

Most small offices won't need elaborate security settings for its printing. Telling CUPS to allow any valid system user to access printers and restricting the printer admin functions to your printeradmin domain group is generally sufficient for a small office. You can do that using the following directive: 

 <Policy Office.lan>
  <Location />
     Require user @OWNER @DOMAINADMIN @SYSTEM
     Order allow,deny
     Allow from 192.168.1.*
  <Location />


  <Location /admin>
     Order allow,deny
     Require user @DOMAINADMIN @SYSTEM
     Allow from 192.168.1.*
  </Location>

Example config

The following is an example of a /ect/cups.conf configuration for a small office Linux server: 

     AccessLogLevel actions
     AutoPurgeJobs no
     BrowseDNSSDSubTypes _cups,_print
     BrowseLocalProtocols all
     BrowseWebIF Yes
     Browsing Yes
     DefaultAuthType Negotiate
     DefaultEncryption IfRequested
     DefaultShared Yes

     <Policy Office.lan>
      <Location />
         Require user @OWNER @DOMAINADMIN @SYSTEM
         Order allow,deny
         Allow from 192.168.1.*
      <Location />

      <Location /admin>
         Order allow,deny
         Require user @DOMAINADMIN @SYSTEM
         Allow from 192.168.1.*
      </Location>

SmallBusinessServer/CUPS (last edited 2021-04-01 00:40:49 by 5g3-steven-7tv)