[cups] Authenticated and unauthenticated queues

Rick Cochran rcc2 at cornell.edu
Tue Jul 21 16:03:35 PDT 2015


Hi,

I need to have both authenticated and unauthenticated queues.  The attached 
cupsd.conf _almost_ works.  The problem is in the following stanza:

<Location /printers>
   AuthType Basic
   Encryption Required
   Order deny,allow
   Allow localhost
#  Require user @SYSTEM
</Location>

If I set the AuthType to "Basic" as above, the authenticated queues work and the 
unauthenticated queues do not work.

If I set the AuthType to "None", the unauthenticated queues work and the 
authenticated queues do not work.

By "work", I mean prompt for ID/password (or not) and actually print.

By "do not work", I mean the server just sits there and does not fully accept 
the print job.

I use "-op-policy=noauth" when creating the unauthenticated queues.

Any help would be appreciated.

Thanks,
-Rick
-------------- next part --------------
# Config file for Net-Print CUPS
# 2015-06-15 rcc2

# NOTES:
# "Port 631" must be commented out to prevent non-SSL connections

# From the OS X man page "cupsd.conf (5)" (The Linux man pages suck):
# Require user {user-name|@group-name} ...
#            Specifies that an authenticated user must match one of  the
#            named users or be a member of one of the named groups.  The
#            group name "@SYSTEM" corresponds  to  the  list  of  groups
#            defined   by   the   SystemGroup  directive  in  the  cups-
#            files.conf(5) file.  The group name "@OWNER" corresponds to
#            the owner of the resource, for example the person that sub-
#            mitted a print job.

# When the "no_user_check" option is used in PAM, "@SYSTEM" seems to be
# true for all authenticated users.

ServerName cupsserver.cornell.edu

# Fix 'using invalid Host: field "cupsserver.cornell.edu:631"' errors
ServerAlias *

MaxLogSize 2000000000
LogLevel info
#LogLevel debug
SystemGroup sys root
# Allow remote access
#Port 631
Listen /var/run/cups/cups.sock
SSLPort 631
ServerCertificate /etc/cups/ssl/cupsserver_cornell_edu_interm_and_cert.cer
ServerKey /etc/cups/ssl/cupsserver_cit_cornell_edu.key
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL
BrowseAddress @LOCAL
DefaultAuthType Basic
DefaultPolicy default
<Location />
  # Allow shared printing...
  Order allow,deny
  Allow all
</Location>
# Restrict access to the admin pages...
<Location /admin>
  AuthType Basic
  Encryption Required
  Order deny,allow
  Allow localhost
#  Require user @SYSTEM
  Require user user1 user2 user3
</Location>
# Restrict access to the configuration files...
<Location /admin/conf>
  AuthType Basic
  Encryption Required
  Order deny,allow
  Allow localhost
#  Require user @SYSTEM
  Require user user1 user2 user3
</Location>
<Location /printers>
  AuthType Basic
  Encryption Required
  Order deny,allow
  Allow localhost
#  Require user @SYSTEM
</Location>
# Access to the print queues must be allowed

# See http://www.cups.org/documentation.php/policies.html

# Policy which allows:
#   submit a print job:         Basic authentication
#   modify queues and printers: user1 user2 user3
#   manipulate print queues:    user1 user2 user3
#   cancel or authenticate job: owner of print job
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    AuthType Basic
    Encryption Required
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Basic
    Encryption Required
#    Require user user1 user2 user3
    Require user user1 user2
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Basic
    Encryption Required
#    Require user user1 user2 user3
    Require user user1 user2
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Encryption Required
    Require user @OWNER
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

# Policy which allows:
#   submit a print job:         unauthenticated
#   modify queues and printers: user1 user2 user3
#   manipulate print queues:    user1 user2 user3
#   cancel or authenticate job: owner of print job
<Policy noauth>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    AuthType none
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Basic
    Encryption Required
#    Require user user1 user2 user3
    Require user user1 user2
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Basic
    Encryption Required
#    Require user user1 user2 user3
    Require user user1 user2
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Encryption Required
    Require user @OWNER
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
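
Added example, not part of the original post or of CUPS: a small Python audit that parses a cupsd.conf and reports which Limit block a given IPP operation resolves to in each policy, and whether that block sets an AuthType. The sample is an abbreviated copy of the attachment, and `parse` and `limit_for` are hypothetical helper names. In the attachment neither policy names Print-Job or Create-Job, so both operations resolve to `<Limit All>`, while `<Location /printers>` sets an AuthType for every queue under that path whichever policy the queue uses.

```python
import re

# Constructed sample: attachment's /printers Location plus two Limit blocks per policy, op lists shortened.
SAMPLE = """\
<Location /printers>
  AuthType Basic
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job>
    AuthType Basic
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
<Policy noauth>
  <Limit Send-Document Send-URI Hold-Job>
    AuthType none
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

def parse(conf):
    """Return ({location: AuthType}, {policy: [(operations, AuthType), ...]})."""
    locations, policies, stack = {}, {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if m := re.match(r"<(Location|Policy|Limit)\s+(.+)>$", line):
            stack.append([m.group(1), m.group(2), None])  # kind, argument, AuthType
        elif line.startswith("</") and stack:
            kind, arg, auth = stack.pop()
            if kind == "Location":
                locations[arg] = auth
            elif kind == "Limit" and stack and stack[-1][0] == "Policy":
                policies.setdefault(stack[-1][1], []).append((arg.split(), auth))
        elif line.lower().startswith("authtype ") and stack:
            stack[-1][2] = line.split()[1]  # AuthType belongs to the innermost open block
    return locations, policies

def limit_for(policies, policy, op):
    """Limit block that names op, else the policy's 'All' block (the fallback for unnamed operations)."""
    blocks = policies[policy]
    named = [b for b in blocks if op in b[0]]
    return (named or [b for b in blocks if "All" in b[0]] or [None])[0]

print(limit_for(parse(SAMPLE)[1], "noauth", "Print-Job"))
```

An AuthType of `None` in the result means the matched block has no AuthType line of its own. Running `parse` on the full attachment instead of `SAMPLE` gives the same result for Print-Job in both policies.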

