ServerName server.name.goes.here
ServerAlias *

Krb5Keytab /n/cups/conf/cups.keytab
GSSServiceName ipp

# Log general information in error_log - change to "info" or "debug" for
# troubleshooting...
LogLevel info

# Administrator user group...
SystemGroup cupsadmin

# Listen
Listen 0.0.0.0:631
#MaxClients 256

ServerCertificate /n/cups/conf/ssl/cups.crt
ServerKey /n/cups/conf/ssl/cups.key

# Send browse packets (printer descriptions) to:
BrowseAddress M.N.O.P	# Staff Linux desktops and servers
#BrowseAddress Q.R.S.T	# Staff Windows desktops
Browsing On

# Don't accept browse packets from other CUPS servers:
BrowseOrder allow,deny
BrowseAllow from none
BrowseDeny from all

# Default authentication type, when authentication is required...
DefaultAuthType Negotiate

# Restrict access to the server...
# Note that we need to 'Allow from localhost' for Windows LPR printing
<Location />
  Order allow,deny
  Allow from localhost
  Require user @SYSTEM @staff
  Encryption Required
  AuthType Default	# required to force authentication
  Satisfy any
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Require user @SYSTEM
  Encryption Required
  AuthType Default	# required to force authentication
  Satisfy any
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  Order allow,deny
  Require user @SYSTEM
  Encryption Required
  AuthType Default	# required to force authentication
  Satisfy any
</Location>

# Set the default printer/job policies...
<Policy default>

  # Job-related operations must be done by the owner or an adminstrator...
  # Note that we need to 'Allow from localhost' for Windows LPR printing
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job Get-Job-Attributes CUPS-Authenticate-Job>
    Order allow,deny
    AuthType Default	# required to force authentication
    Require user @OWNER @SYSTEM
    Allow from localhost
    Satisfy any
  </Limit>

  # All administration operations require an adminstrator to authenticate...
  # None of these operations requires 'Allow from localhost' for Windows LPR printing
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Modify-Printer CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default Create-Printer-Subscription Get-Subscription-Attributes Get-Subscriptions Send-Notifications Get-Printer-Support-Files>
    Order allow,deny
    AuthType Default	# required to force authentication
    Require user @SYSTEM
  </Limit>

  # Actions for all...
  # Note that we need to 'Allow from localhost' for Windows LPR printing
  <Limit Create-Job Print-Job Print-URI Validate-Job Get-Jobs CUPS-Get-Printers Get-Printer-Attributes Get-Printer-Supported-Values CUPS-Get-Default CUPS-Get-Classes CUPS-Get-Devices CUPS-Get-PPDs>
    Order allow,deny
    AuthType Default	# required to force authentication
    Require user @SYSTEM @staff
    Allow from localhost
    Satisfy any
  </Limit>

  # Reject everything else ...
  <Limit All>
    Order allow,deny
  </Limit>

</Policy>