[cups] Authentication for thee but not for me

Rick Cochran rcc2 at cornell.edu
Mon Mar 21 07:34:33 PDT 2016 

Michael,

Thanks for your response.

As I mentioned to Helge:

 > I forgot to mention that I already have many, many users successfully submitting
 > print jobs from many OS X workstations. I also have users successfully
 > submitting print jobs from Linux workstations.
 >
 > The difference is that only print jobs sent by the CUPS IPP backend appear to
 > work. Print jobs sent by the "lp" command do not.

Other comments embedded below.

Yours,
-Rick


On 3/21/16 9:44 AM, Michael Sweet wrote:
> Rick,
>
>> On Mar 19, 2016, at 5:37 PM, Rick Cochran <rcc2 at cornell.edu> wrote:
>>
>> I have done a bit of research.
>>
>> The command PaperCut is using to move print jobs is:
>>
>>   lp -d "%printer%" -h "%server%" -t "%docname%" -U "%username%" -o raw "%spoolfile%"
>>
>> but I can change it to whatever I want.
>
> If the server is local, the local domain socket should probably be used (not localhost, but /var/run/cupsd or whatever the domain socket is on your system).

I was going to ask "what would I have to change in the 'lp' command to get it to 
use the socket?". But it occurred to me that simply leaving out the "-h" part 
would do it. This appears to work just fine. The print job then gets lost in 
PaperCut, but that's not your problem.

I'm still perplexed as to why printing to the server's port 631 via the backend 
works, but printing to port 631 does not.

>> The error messages I am getting when PaperCut attempts to move a print job are:
>>
>>   Unable to encrypt connection from localhost - A record packet with illegal version was received.
>
> What version of CUPS?  What OS?

cups-1.4.2-72.el6.x86_64

RHEL 6.7

>> Since I am using "SSLPort 631" instead of "Port 631" in cupsd.conf I think _all_ connections to port 631 will require SSL.
>
> Yes.
>
>> A relevant section of cupsd.conf is:
>>
>>   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
>>     AuthType Basic
>>     Encryption Required
>>     Order deny,allow
>>   </Limit>
>>
>> If this were an Apache httpd.conf, I could use
>>
>>     <If "%{REMOTE_ADDR} != '127.0.0.1'">
>>       AuthType Basic
>>       Encryption Required
>>       Order deny,allow
>>     </If>
>>
>> However the "If" directive is not found in the list of cupsd.conf directives.
>
> No, we never adopted any of the Apache conditional directives, although the encryption stuff (if you don't force it like you have in your policy) will be applied automatically for remote connections but not for local ones.
>
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer
>
> _______________________________________________
> cups mailing list
> cups at cups.org
> https://www.cups.org/mailman/listinfo/cups
>

More information about the cups mailing list