This is the last bit about my local server setup that is driving me nuts for days now.
I figured out how to properly restrict my Locations (pretty loose still, but only for debugging) and use the Limits. Had to add the group adm to cups-files.conf because being in the lpadmin group for what ever reason was not enough for CUPS to restrict admin remote access, weird but its working now.
But for the last 3 days I have been struggeling with the fact das Windows just will not add the printers shared by my CUPS server due to being unable to locate them. And I am pretty sure that this got to do something with how my system ist setup on the server site, because this should be possible without running a samba-common on the server simply by avahi and what CUPS itself provides.
This is my cupsd.conf
LogLevel warn
PageLogFormat
MaxLogSize 0
# Allow remote access
Port 631
SSLPort 631
# SSLOptions [DenyDH] [DenyRC4] [DenySSL3] [DenyCBC] [DenyTLS1.0]
Listen 0.0.0.0:631
SSLListen 0.0.0.0:631
# Share local printers on the local network.
Browsing Yes
BrowseLocalProtocols dnssd
HostNameLookups On
DefaultAuthType Basic
WebInterface Yes
DefaultEncryption Required
ServerCertificate /etc/cups/ssl/dcsrv01.fritz.box_crt.pem
ServerKey /etc/cups/ssl/dcsrv01.fritz.box_key.pem
ServerName dcsrv01.fritz.box
ServerAlias *
<Location /> # Allow shared printing and remote administration... Encryption Required Order allow,deny Allow @LOCAL
</Location>
<Location /admin> # Allow remote administration... Encryption Required AuthType Default Require user @SYSTEM Order allow,deny Allow @LOCAL
</Location>
<Location /admin/conf> Encryption Required AuthType Default Require user @SYSTEM # Allow remote access to the configuration files... Order allow,deny Allow @LOCAL
</Location>
<Location /admin/log> Encryption Required AuthType Default Require user @SYSTEM Order allow,deny # Allow remote access to the log files... Order allow,deny Allow @LOCAL
</Location>
<Policy default> JobPrivateAccess default JobPrivateValues default SubscriptionPrivateAccess default SubscriptionPrivateValues default <Limit Create-Job Print-Job Print-URI Validate-Job> Order deny,allow </Limit> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Cancel-Job CUPS-Authenticate-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit All> Order deny,allow </Limit>
</Policy>
<Policy authenticated> JobPrivateAccess default JobPrivateValues default SubscriptionPrivateAccess default SubscriptionPrivateValues default <Limit Create-Job Print-Job Print-URI Validate-Job> AuthType Default Order deny,allow </Limit> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> AuthType Default Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Cancel-Job CUPS-Authenticate-Job> AuthType Default Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit All> Order deny,allow </Limit>
</Policy>
<Policy kerberos> JobPrivateAccess default JobPrivateValues default SubscriptionPrivateAccess default SubscriptionPrivateValues default <Limit Create-Job Print-Job Print-URI Validate-Job> AuthType Negotiate Order deny,allow </Limit> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> AuthType Negotiate Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Cancel-Job CUPS-Authenticate-Job> AuthType Negotiate Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit All> Order deny,allow </Limit>
</Policy>Did I do the dumb somewhere in here? I am honestly at a loss.
102 Answers
To print to an IPP printer from a Windows system, you'll need to enable the "Internet Printing Client" feature on your system.
First part of top answer here outlines enabling this on Windows 7, but this applies to all currently supported Windows PC and Server versions:
1CONNECTING CUPS (IPP) PRINTER TO WINDOWS 10 W/O SAMBA:
Sofar Samsba will still not work, but there is a different way to setup secure printing via cups + windows client.
- In Windows enable Windows feature IPP
- Add the printer via its ip address and the ipp scheme to cups.
ipp://<printer_ip>/ipp/print. Understand that if you need to also securly forward from cups server to printer via ipp, ipps need to be used, but your printer has to support both, ipp and ipps. - Create a local PKI or use an existing one to create a key and crt for your server that ius running cups.
- Activate all the ssl shenannigans with cups.
- Now go to the windows client and add the printer via "identify by hostname or ipaddress"
- enter:
- select a driver
- done
Somehow Samsba sharing will still not work with my setup, but until then I can at least print this way.
