Install CUPS
On our server, we are going to install the CUPS print server. We can do that by running the following command:
# sudo apt-get install cups
Before doing any work on the CUPS system, it is generally a good idea to stop the cups service. You can do that with the following command:
# sudo systemctl stop cups.service
Now that we have CUPS installed, we want to have CUPS authenticate users from our domain. Since we already have Kerberos properly functioning on the server, we can enable Kerberos by running the following command:
# cupsctl DefaultAuthType=Negotiate
We can start the CUPS service again by running the following command:
# sudo systemctl start cups.service
You should now be able to log in to CUPS by going to 192.168.1.2:631 and using your domain account.
Other CUPS Settings
The CUPS system is quite advanced and offers TONS of options for complex environments. This tutorial does NOT cover all of the available options, just the ones a small office server is most likely to need. If you do not need an option, or if you do not know if you need a specific option, leave it at the default setting.
At the bottom of this page, we give an example cups configuration that should work for most small offices.
To edit the cups configuration file, run the following command:
# sudo nano /etc/cups/cupsd.conf
Access Log Levels
AccessLogLevel actions # Options: actions | config | all
This directive specifies the logging level for the AccessLog file. The "config" level logs when printers and classes are added, deleted, or modified and when configuration files are accessed or updated. The "actions" level logs when print jobs are submitted, held, released, modified, or canceled, and any of the conditions for "config". The "all" level logs all requests. The default access log level is "actions".
AutoPurgeJobs
AutoPurgeJobs no # Options: Yes | No
This directive specifies whether to purge job history data automatically when it is no longer required for quotas. The default is "No".
BrowseDNSSDSubTypes
BrowseDNSSDSubTypes _cups,_print
This directive specifies a list of Bonjour sub-types to advertise for each shared printer. _cups and _print are the two most commonly needed in a small office.
BrowseLocalProtocols
BrowseLocalProtocols all # Options: all | dnssd | none
This directive tells the cups server which protocols to use for local printer sharing.
BrowseWebIF
BrowseWebIF Yes # Options: Yes | No
This directive determines if the CUPS web interface is browsable. For most small offices, this should be set to yes.
Browsing
Browsing Yes # Options: Yes | No
This setting specifies whether shared printers are advertised on the network. In most small offices, this should be set to yes.
DefaultAuthType
DefaultAuthType Negotiate
This setting is used to authenticate users via the domain and, for the small business server, must be set to Negotiate.
DefaultEncryption
DefaultEncryption IfRequested # Options: Never | IfRequested | Required
Specifies whether encryption will be used for authenticated requests. For most small businesses, this should be set to "IfRequested".
DefaultShared
DefaultShared Yes
Specifies whether local printers (those attached to the server) are shared by default. For a small business server, the default should generally be "yes", as that is where we will set up the printers to be shared.
Setting security
Most small offices won't need elaborate security settings for their printing. Telling CUPS to allow any valid system user to access printers and restricting the printer admin functions to your printeradmin domain group is generally sufficient for a small office. You can do that using the following directives:
# Location sections are top-level in cupsd.conf (Policy sections hold Limit blocks), so they are not wrapped in <Policy Office.lan>.
<Location />
  Require user @OWNER @DOMAINADMIN @SYSTEM
  Order allow,deny
  Allow from 192.168.1.*
</Location>
<Location /admin>
  Order allow,deny
  Require user @DOMAINADMIN @SYSTEM
  Allow from 192.168.1.*
</Location>
Example config
The following is an example of a /etc/cups/cupsd.conf configuration for a small office Linux server:
AccessLogLevel actions
AutoPurgeJobs no
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseWebIF Yes
Browsing Yes
DefaultAuthType Negotiate
DefaultEncryption IfRequested
DefaultShared Yes
# Location sections are top-level in cupsd.conf (Policy sections hold Limit blocks), so they are not wrapped in <Policy Office.lan>.
<Location />
  Require user @OWNER @DOMAINADMIN @SYSTEM
  Order allow,deny
  Allow from 192.168.1.*
</Location>
<Location /admin>
  Order allow,deny
  Require user @DOMAINADMIN @SYSTEM
  Allow from 192.168.1.*
</Location>
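The access rules from "Setting security" can be checked mechanically before CUPS is restarted. The Python script below is an added example, not part of the original tutorial or of CUPS: the audit function, its finding messages and the SAMPLE text are constructed for illustration, and it inspects only Location sections and DefaultAuthType.

```python
import re

# Constructed sample: /admin has no Require line, allows all, is never closed.
SAMPLE = """\
DefaultAuthType Negotiate
<Location />
  Require user @OWNER @DOMAINADMIN @SYSTEM
  Order allow,deny
  Allow from 192.168.1.*
</Location>
<Location /admin>
  Order allow,deny
  Allow from all
"""

def audit(conf_text, lan_prefix="192.168.1."):
    """Return findings for cupsd.conf text; an empty list means no findings."""
    findings, top, rules, section = [], {}, {}, None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        opened = re.fullmatch(r"<Location\s+(\S+?)\s*>", line, re.I)
        if opened:
            if section is not None:                  # e.g. a mistyped close tag
                findings.append(f"line {n}: <Location {section}> still open")
            section = opened.group(1)
            rules[section] = {"require": [], "allow": []}
        elif line.lower() == "</location>":
            section = None
        elif line:
            key, _, value = line.partition(" ")
            if section is None:
                top[key.lower()] = value.strip()     # top-level directive
            elif key.lower() == "require":
                rules[section]["require"] = value.split()[1:]   # skip "user"
            elif key.lower() == "allow":
                rules[section]["allow"].append((value.split() or [""])[-1])
    if section is not None:
        findings.append(f"<Location {section}> is never closed")
    if top.get("defaultauthtype", "").lower() != "negotiate":
        findings.append("DefaultAuthType is not Negotiate")
    for path, r in rules.items():
        if not r["require"]:
            findings.append(f"{path}: no Require line, no login needed")
        findings += [f"{path}: Allow from {a} is outside {lan_prefix}*"
                     for a in r["allow"] if not a.startswith(lan_prefix)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real file, pass its contents to audit(), for example audit(open("/etc/cups/cupsd.conf").read()).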