[cups.general] Authentication problem

P. Larry Nelson lnelson at uiuc.edu
Wed Aug 24 13:08:30 PDT 2011 

Hi,

I'm new to this list, but not to CUPS.  I have a few conceptual
questions about using authentication.

I've been using CUPS for many years now on a linux server to allow
our linux and Mac users access to our printers.  It has always just
worked with rarely any intervention on my part.  I'm currently
using cups-1.3.7-18.el5 (RedHat).  I expect that version to remain
the same unless there's an update from RedHat or at some time in
the future when/if we migrate the server to RedHat 6 - probably
a couple years down the road.

All our printers are HP laser printers and all are networked on our
group's LAN.  All our Windows users print via a Windows print server.
They can do that no matter whether they are on our LAN or on any
other LAN on campus because they authenticate thru the campus
Active Directory.  Group policy allows authorization to print
to our printers.

Access for the linux and Mac users has always been via the "Allow from"
in cupsd.conf, as in:

     Allow from <network>   where <network> is our group's LAN
or
     Allow from <IP address>  in the rare case where a user is
                              Connected to the Department LAN

This has worked just fine up until recently, but the Department
switched over to DHCP for assigning IP addresses *and* more of
our users will be moving to the Department LAN.  So now the
above printer authorization mechanism will not work for folks
who are *not* on our group's LAN, since their IP address will
more than likely be different every time they connect.

What I need is a simple authorization solution, not just from
my end, but also for the linux/Mac users viewpoint to keep
printing simple.

We are not running kerberos (and really do not want to venture
down that sticky road), but I do have Samba running on the same
linux server as the CUPS server, and from the little I've tried
to read and understand about it, it appears that Samba will play
quite well with CUPS.  Authentication thru our Samba server is
via our campus Active Directory and Group Policy.

Questions:
What besides uncommenting  the two lines in smb.conf ("printcap
name = CUPS" and "printing = cups") needs to happen on my end?

How do the linux/Mac users then authenticate to be able to print?
For instance, say they are running an app like Firefox or email
or some other and they click on the printer icon of the GUI.
Do they get a pop-up challenge box and then enter their AD login
and password?

Do they have to do that *every* time they want to print?

What if they use a terminal window command like 'enscript' to print
a file.  How do they authenticate in that case?

Do they have to have a Samba client running in the background
all the time?

If so, how does one do that on linux and Macs?

Or do they just need to have cupsd running?

If so, then how does cupsd on the user system know to print thru
my Samba server?

Hopefully I've given enough info about my setup that someone out
there has done just this very thing and can help.

Thanks!
- Larry
-- 
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:lnelson at uiuc.edu        | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson

More information about the cups mailing list