[cups.general] lppasswd problem

Thu Jul 5 03:15:31 PDT 2007

Hello,

On Jul 4 20:43 russbucket wrote (shortened):
> Reinstalled complete system since disk failure. Using SUSE10.2, Cups
> 1.2.7-12.1. When I put in password with lppassword ...

Up to Suse Linux 10.1 we had CUPS 1.1 and since openSUSE 10.2 we have
CUPS 1.2 which is not fully backward compatible with CUPS 1.1.

For example RunAsUser is no longer supported so that since
openSUSE 10.2 / CUPS 1.2 the cupsd runs as root and therefore
we are back to its  default "basic authentication" via system users
and system passwords (in /etc/shadow). Therefore
http://en.opensuse.org/SDB:Printer_Configuration_from_SUSE_LINUX_9.0_on
is partially outdated for openSUSE 10.2

Additionally by default cupsd in CUPS 1.2 listens only on internal
("localhost") network interfaces (and a Unix domain socket)
in /etc/cups/cupsd.conf:
------------------------------------------------------------
# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
------------------------------------------------------------
For a CUPS network server you must change it to listen
on the outer network too.
Either add someting like "Listen IP.of.your.server", see
http://localhost:631/help/ref-cupsd-conf.html?TOPIC=References&QUERY=#Listen
or use YaST via "Other" -> "Change remote access"
and make sure that you use the firewall to protect your host
if it is accessible from any untrusted network.

In case of an update it is recommended not to use an outdated
cupsd.conf from a CUPS 1.1 installation before but to start
from scratch with the original cupsd.conf from our CUPS 1.2 RPM.

By the way: Regarding firewall:

In particular note that port 631 TCP and UDP must be allowed
in firewall settings, see
http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
"The Spooler"

In the YaST firewall module there are predefined "services"
for IPP (and also for Samba if you use Samba) so that it
should be easiest to use the YaST firewall module.

Check if a firewall is active for a network zone in which
services should be used which require trusted users
(nobody lets arbitraty users print on his printer).

By default the Suse firewall allows any access via a network
interface which belongs to the "internal zone" because this
zone is trusted by default.

If the CUPS server and the client systems are in an internal
network and when you trust all what there is in your internal
network, your network interface must be set to be in the
"internal zone".

It doesn't make sense to have a network setup in a trusted
internal network with a network interface which belongs to the
untrusted "external zone" (which is the default to be safe).

Kind Regards
Johannes Meixner
-- 
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex