Creating greyscale queue for colour printer with optioned alias

John A. Murdie john at cs.york.ac.uk
Tue Aug 17 11:08:22 PDT 2010


I'm trying to create a greyscale queue for an existing colour printer with an optioned alias - as root using lpadmin(8) on the Linux print server. I wish to encourage users to pick the greyscale-only queue on a colour printer if they are not willing to walk further to an actual greyscale device, this to keep costs down! (I can do this almost successfully if I create another CUPS queue with the same socket address as the colour printer and use 'Set Default Options' -> 'Colour Options': 'Print Colour As Gray' = 'On', but then the two queues will suffer a race condition in getting their pagecounts by SNMP; see the source of socket(8). I'm actually using an external page-counting backend which directly stores the pagecounts in a database, so even if socket(8) were right the external backend's page-counting facility would not be good enough - it simply forks the real socket(8), but it can't prevent a race condition either, at least, without some kind of per-printer lock.)

I presume that the operation policy that is required to permit this action with lpadmin(8) is CUPS-Add-Modify-Printer (or CUPS-Add-Printer?).

I tried and saw:

# lpadmin -p cp04-bw -v ipp://localhost/printers/cp04 -o ColorModel=Gray
lpadmin: Unauthorized
#

The error_log file shows:

D [17/Aug/2010:19:01:30 +0100] cupsdAcceptClient: 11 from localhost:631 (IPv4)
D [17/Aug/2010:19:01:30 +0100] cupsdReadClient: 11 POST /admin/ HTTP/1.1
D [17/Aug/2010:19:01:30 +0100] cupsdSetBusyState: Active clients and printing jobs
D [17/Aug/2010:19:01:30 +0100] cupsdAuthorize: No authentication data provided.
D [17/Aug/2010:19:01:30 +0100] cupsdIsAuthorized: username=""
D [17/Aug/2010:19:01:30 +0100] cupsdReadClient: 11 1.1 CUPS-Add-Modify-Printer 1
D [17/Aug/2010:19:01:30 +0100] CUPS-Add-Modify-Printer ipp://localhost/printers/cp04-bw
D [17/Aug/2010:19:01:30 +0100] cupsdIsAuthorized: username=""
D [17/Aug/2010:19:01:30 +0100] Returning HTTP Unauthorized for CUPS-Add-Modify-Printer (ipp://localhost/printers/cp04-bw) from localhost
D [17/Aug/2010:19:01:30 +0100] cupsdSendHeader: 11 WWW-Authenticate: Negotiate
D [17/Aug/2010:19:01:30 +0100] cupsdReadClient: 11 WAITING Closing on EOF
D [17/Aug/2010:19:01:30 +0100] cupsdCloseClient: 11
D [17/Aug/2010:19:01:30 +0100] cupsdSetBusyState: Printing jobs

Surely username should not be ""? Using the lpadmin(8) -E (encrypt) option makes no difference to the outcome.

Sometimes,

D [17/Aug/2010:19:01:30 +0100] cupsdSetBusyState: Printing jobs and dirty files
E [17/Aug/2010:19:01:30 +0100] Bad request line "^W^C^A" from A.B.C.D!

is added to the error log after 'cupsdCloseClient: 11'. See bug #3288, which we've suffered (apparently harmlessly) for a long time. I rarely attempt to use lpadmin(8).

I'm using OpenSSL 0.9.8n and MIT Kerberos (package krb5) 1.8.2 on Slackware Linux 13.1, but with my own build of CUPS 1.4.4.

The cupsd.conf file contains (user root is in cupsadmin):

ServerName cups.blah.blah.blah
ServerAlias *

Krb5Keytab /secure/cups.keytab
GSSServiceName ipp

# Log general information in error_log - change to "info" or "debug" for
# troubleshooting...
LogLevel info

# Administrator user group...
SystemGroup root cupsadmin

# Listen
Listen 0.0.0.0:631

ServerCertificate /secure/cups.crt
ServerKey /secure/cups.key

# Send browse packets (printer descriptions) to:
BrowseAddress V.W.X.Y	# Staff Linux desktops and servers
Browsing On

# Don't accept browse packets from other CUPS servers:
BrowseOrder allow,deny
BrowseAllow from none
BrowseDeny from all

# Default authentication type, when authentication is required...
DefaultAuthType Negotiate

# Restrict access to the server...
# Note that we need to 'Allow from localhost' for Windows LPR printing
<Location />
  Order allow,deny
  Allow from localhost
  Require user @SYSTEM @staff
  Encryption Required
  AuthType Default	# required to force authentication
  Satisfy any
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Require user @SYSTEM
  Encryption Required
  AuthType Default	# required to force authentication
  Satisfy any
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  Order allow,deny
  Require user @SYSTEM
  Encryption Required
  AuthType Default	# required to force authentication
  Satisfy any
</Location>

# Set the default printer/job policies...
<Policy default>

  # Job-related operations must be done by the owner or an administrator...
  # Note that we need to 'Allow from localhost' for Windows LPR printing
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job Get-Job-Attributes CUPS-Authenticate-Job>
    Order allow,deny
    AuthType Default	# required to force authentication
    Require user @OWNER @SYSTEM
    Allow from localhost
    Satisfy any
  </Limit>

  # All administration operations require an administrator to authenticate...
  # None of these operations requires 'Allow from localhost' for Windows LPR printing
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Modify-Printer CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default Create-Printer-Subscription Get-Subscription-Attributes Get-Subscriptions Send-Notifications Get-Printer-Support-Files>
    Order allow,deny
    AuthType Default	# required to force authentication
    Require user @SYSTEM
  </Limit>

  # Actions for all...
  # Note that we need to 'Allow from localhost' for Windows LPR printing
  <Limit Create-Job Print-Job Print-URI Validate-Job Get-Jobs CUPS-Get-Printers Get-Printer-Attributes Get-Printer-Supported-Values CUPS-Get-Default CUPS-Get-Classes CUPS-Get-Devices CUPS-Get-PPDs>
    Order allow,deny
    AuthType Default	# required to force authentication
    Require user @SYSTEM @staff
    Allow from localhost
    Satisfy any
  </Limit>

  # Reject everything else ...
  <Limit All>
    Order allow,deny
  </Limit>

</Policy>
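
Added example, not part of the original post and not CUPS code: a small triage script for debug-level error_log lines like those quoted above. It reports each "Returning HTTP Unauthorized" event with the username cupsd evaluated, whether any credentials were sent, and the challenge returned. The sample lines are copied from the excerpt in the post; pairing each denial with the nearest preceding cupsdAuthorize/cupsdIsAuthorized lines is an assumption, since those lines carry no connection number.

```python
import re

# Lines copied from the error_log excerpt quoted in the post.
SAMPLE_LOG = """\
D [17/Aug/2010:19:01:30 +0100] cupsdAcceptClient: 11 from localhost:631 (IPv4)
D [17/Aug/2010:19:01:30 +0100] cupsdReadClient: 11 POST /admin/ HTTP/1.1
D [17/Aug/2010:19:01:30 +0100] cupsdAuthorize: No authentication data provided.
D [17/Aug/2010:19:01:30 +0100] cupsdIsAuthorized: username=""
D [17/Aug/2010:19:01:30 +0100] cupsdReadClient: 11 1.1 CUPS-Add-Modify-Printer 1
D [17/Aug/2010:19:01:30 +0100] cupsdIsAuthorized: username=""
D [17/Aug/2010:19:01:30 +0100] Returning HTTP Unauthorized for CUPS-Add-Modify-Printer (ipp://localhost/printers/cp04-bw) from localhost
D [17/Aug/2010:19:01:30 +0100] cupsdSendHeader: 11 WWW-Authenticate: Negotiate
D [17/Aug/2010:19:01:30 +0100] cupsdCloseClient: 11
"""

LINE = re.compile(r'^[A-Za-z] \[(?P<ts>[^\]]+)\] (?P<msg>.*)$')
USERNAME = re.compile(r'^cupsdIsAuthorized: username="(?P<user>[^"]*)"')
DENIED = re.compile(r'^Returning HTTP Unauthorized for (?P<op>\S+) '
                    r'\((?P<uri>[^)]*)\) from (?P<host>\S+)')
CHALLENGE = re.compile(r'^cupsdSendHeader: \d+ WWW-Authenticate: (?P<scheme>\S+)')

def find_denied_operations(log_text):
    """Return one record per 'Returning HTTP Unauthorized' line."""
    records, last_user, no_creds = [], None, False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an error_log line in the expected layout
        msg = m.group("msg")
        if msg.startswith("cupsdAuthorize: No authentication data provided"):
            no_creds = True  # request carried no credentials at all
        elif (u := USERNAME.match(msg)):
            last_user = u.group("user")
        elif (d := DENIED.match(msg)):
            records.append({
                "time": m.group("ts"), "operation": d.group("op"),
                "uri": d.group("uri"), "client": d.group("host"),
                "username": last_user, "credentials_sent": not no_creds,
                "challenge": None})
            last_user, no_creds = None, False  # reset for the next request
        elif (c := CHALLENGE.match(msg)) and records \
                and records[-1]["challenge"] is None:
            records[-1]["challenge"] = c.group("scheme")  # scheme offered back
    return records

if __name__ == "__main__":
    for rec in find_denied_operations(SAMPLE_LOG):
        print(rec)
```

A record with credentials_sent False and an empty username means the denial happened before any authentication attempt reached cupsd, which is a different case from credentials that were presented and rejected.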



