Thursday, February 19, 2015

[CUPS]: HOWTO: A quick guide to CUPS for the Common User

HOWTO: 

Environment Setup and Configuration

  1. On a Debian-based distribution (Ubuntu, Kubuntu, etc.), install the following packages using sudo apt-get install:
    1. cupsys (for Ubuntu 8.04; for newer releases, this may just be cups)
      • Example: sudo apt-get install cupsys
    2. cupsys-client
    3. cupsys-common
    4. cupsys-driver-gutenprint
    5. cups-pdf (If you want the ability to create PDFs on the server)
  2. If you want the ability to "search" for the printer by navigating to the printer server in "My Network Places" in Windows, execute the following:
    1. Install Samba with sudo apt-get install samba
    2. Modify the Samba configuration file located in /etc/samba/smb.conf to match your environment. Appendix A contains an example configuration file; otherwise, consult the man pages for the configuration options (man smb.conf). Specifically, the following is required for printer navigation and driver installation:
      • The setup of [printers] and [print$]
      • The configuration of the [global] options: load printers, printer, printcap name, printer admin
      • Note: The "printer admin" option must be set to a valid user that has been added to the Samba database using the smbpasswd -a command as root (or using sudo). This user will be able to upload new printer drivers to the server.
    3. With the configuration of Appendix A, all users that need to connect to the server will have to have their own account on the Linux server, or, they will need to share a low security common account. You will need to create an account on the Linux server using the adduser command.
      • sudo adduser --shell /bin/true --no-create-home username
    4. With the previous command, the user 'username' will be created but they will not be able to log in locally to the machine through a terminal or SSH. If you want this user to be able to administer the printers (add, remove, upload drivers to the print server), that user needs to be a part of the lpadmin group.
      • Note: NOT EVERY USER NEEDS TO BE IN THE lpadmin GROUP. ONLY THE ADMINISTRATOR.
    5. To add a user to the lpadmin group, execute the following command:
      • sudo adduser username lpadmin
    6. You will now need to add all of the users that will have access to the server to the Samba password database. Execute the following command for each user that you want to give access to the server from Windows (the user(s) that you created in step 2c).
      • sudo smbpasswd -a username
      • Note: This user must already exist from step 2c. You will be asked to enter a password for the user again. The two passwords do not need to match, but this will be the password that is required to connect to the server using the "My Network Places" browsing feature.
  3. Setup CUPS as follows:
    1. Find the configuration file at /etc/cups/cupsd.conf
    2. See Appendix B for an example configuration file.
    3. The following options need to be changed: SystemGroup, Port, Browsing, BrowseAllow, BrowseAddress and the setup of <Location /> and <Location /admin>
  4. Allow the lpadmin group to create files in the printer directory
    1. Acquire the location of the printer drivers directory. Using Appendix A, this will be located in /var/lib/samba/printers. You can find this directory under the [print$] heading in /etc/samba/smb.conf.
    2. Modify the permissions of the folder and its subfolders so that the group is set to lpadmin, the setgid ("sticky group") bit is set, and the group has read, write and execute permission. Example using /var/lib/samba/printers:
      • sudo chown -R root:lpadmin /var/lib/samba/printers
      • sudo chmod -R 2775 /var/lib/samba/printers
    3. These steps ensure that a remote user that is in the lpadmin group can upload new print drivers to the server. When you first connect to the server by browsing to it in "My Network Places" in Windows, you will need to supply the username and password of a user that is in the lpadmin group (a user as set up in step 2e and added to the Samba database in step 2f). Once this has completed, you will have the option to upload new print drivers, which will be explained later.
  5. At this point, the server should show up in "My Network Places" on Windows-based machines that are connected to the same network as the Linux/Samba server. You should be able to connect to the server by double clicking its name. If you supply a valid username and password as set up in steps 2e and 2f, then you should be able to view a folder called "Printers and Faxes", which should be empty. If you decided to install the PDF printer, it should show up and you should be able to connect and print to it. If a connection to the server fails to be established, restart the Windows machine, as Windows will cache connection credentials to the server that do not get flushed for a long period of time.

CUPS Specific Configuration

Using a computer that is connected to the same network as the CUPS server, or on a network that you defined to be allowable in the cupsd.conf file, use a browser to connect to the CUPS configuration webpage. You will need to supply the IP address of the server followed by a colon (:) and the port as defined in the cupsd.conf. The default port is 631.
After navigating to this page, you will be presented with the CUPS control panel. Here you can add, remove and modify printers, setup printer groups called classes (3rdFloor, 2nd Floor, East Wing, etc), print test pages, change printer options, move print jobs between printers and much more.
You may need to find and download Linux/CUPS specific drivers for your server. Sometimes the printer will be auto-detected and may not need the following steps. If your printer was auto-detected, make sure it is functioning correctly by printing a test page; otherwise, you may have to follow the vendor specific instructions for your printer to install the appropriate Linux print drivers.
View Appendix C for an example setup of a Samsung ML2010 printer.
To setup a new printer, follow these steps after connecting to the CUPS control panel with a browser:
  1. Click on the Administration tab to set up a new printer. In this tab you will see the PDF printer if you opted to install this in step 1e.
  2. Click Add Printer under the Printers heading
  3. Type in a name, location and description following the instructions on this page. Click Continue.
  4. Select the driver's connection type from the drop down list. If you are using CUPS to manage a printer that is connected to another computer, for example a Windows machine that has a printer shared, you will need to select Samba.
    • Note: If the printer is connected by USB, the printer must be connected to the computer and powered on BEFORE the CUPS software is started up. CUPS is started when the computer is turned on. If your printer was not connected and turned on before you turned on the server, do the following steps on the server:
      1. Stop CUPS with the following command: sudo /etc/init.d/cupsys stop. For newer installations cupsys might be cups.
      2. Turn on the printer and connect the printer's USB cable to the server.
      3. Start CUPS with the following command: sudo /etc/init.d/cupsys start. For newer installations, cupsys might be cups.
      4. Refresh your browser that is connected to the CUPS control panel.
  5. There is a chance that the printer will be auto-detected at this stage and it will select the recommended driver. Try this driver first.
  6. The printer should be installed and ready for use.

Test the printer by printing a test page

  1. Click the Printers tab.
  2. Under your printer's heading, click Print Test Page.
  3. Verify the printer prints the correct test page. You may need to modify the printer options under Set Printer Options to select the paper size, quality, etc.
At this point you should have a working CUPS printer that is browsable through the network.

Setup a Vendor Specific Driver for Auto-download

In order to execute these steps, you must connect to the server using the username that was set with the "printer admin = ..." option in the smb.conf file. This user must also be added to Samba's user database using sudo smbpasswd -a. Before beginning these steps, restart samba and cups on the server with the following commands: sudo /etc/init.d/samba restart; sudo /etc/init.d/cups restart
  1. Download the Windows driver for your printer and install the software according to its installation instructions. If you can, only install the driver, not the extra software or control panels for the printer.
  2. Navigate to the server computer through "My Network Places" (Start | My Network Places).
  3. Double click the server's name
  4. Double click "Printers and Faxes" folder.
  5. Right click on the printer that you installed from the previous section and click Properties. A dialog will be displayed asking if you want to install the print driver. It is crucial that you click NO.
  6. Click the Advanced Tab.
  7. Click the New Driver button
  8. Find the vendor for your printer in the manufacturer pane. Select your printer model in the printer pane. Click Next.
  9. Click Finish. The printer's drivers for Windows will be uploaded to the print server. This will allow users to automatically download the required drivers for their computer when they connect to the server.
  10. Click Ok.
At this point, you can right click the printer and click connect. This will "install" the printer on to the current machine and you will be able to print to the printer.

Security Considerations

The configuration files that are provided with this guide are considered to be relatively restrictive. If you wish to relax the security restrictions, follow these steps:

smb.conf

Set the following options in /etc/samba/smb.conf:
  • security = user
  • guest account = nobody
  • map to guest = Bad Password
  • guest ok = yes
    • The previous option will apply to all of the share definitions such as [printers], [print$], etc
This setup allows all computers to connect and browse the Samba server. If the user account from Windows that is connecting to the server exists on the server, has been added to Samba's user database (using smbpasswd -a) and has supplied the correct password (i.e. the Windows account name and password exactly match the username and password in the Samba database), then the user is considered to be an authenticated user.
If the Windows account name and password do not exist, or the wrong password was supplied, the user that is attempting to connect to the Samba server becomes a "guest" using the Linux account "nobody", obtaining the filesystem permissions of "nobody".
With this setup, all users should be able to browse to the server, view its shares, connect to the printer and print documents.
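
The combination described above can be checked mechanically. The following shell sketch is an added example, not part of the original guide: it reads an smb.conf on stdin and lists the shares a client still reaches as guest after a failed login. The function names and both sample files are constructed for illustration; "bad user" is a second map to guest value, not used in this guide, that sends unknown usernames to the guest account, and "public" is handled as the smb.conf synonym for "guest ok".

```sh
#!/bin/sh
# Added example, not from the original guide. Reads an smb.conf on stdin and
# prints one line per share that a failed login can still enter as guest.

audit_smb_guest() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function truthy(v) { return v == "yes" || v == "true" || v == "1" }
    {
        line = trim($0)
        if (line == "" || line ~ /^[#;]/) next              # blank or comment
        if (line ~ /^\[.*\]$/) {                            # [section] header
            section = tolower(substr(line, 2, length(line) - 2))
            if (section != "global") shares[++n] = section
            next
        }
        eq = index(line, "=")
        if (eq == 0) next
        key = tolower(trim(substr(line, 1, eq - 1)))
        val = tolower(trim(substr(line, eq + 1)))
        if (section == "global" && key == "map to guest") map = val
        if (key == "guest ok" || key == "public") guest[section] = truthy(val)
    }
    END {
        # "bad user" and "bad password" map a rejected login to the guest account.
        if (map != "bad user" && map != "bad password") exit
        for (i = 1; i <= n; i++) {
            s = shares[i]
            ok = (s in guest) ? guest[s] : guest["global"]  # share overrides [global]
            if (ok) print "GUEST " s " (map to guest = " map ")"
        }
    }'
}

# Constructed sample: the relaxed [global] options listed above.
relaxed_smb_conf() {
    cat <<'EOF'
[global]
   security = user
   guest account = nobody
   map to guest = Bad Password
   guest ok = yes
[printers]
   path = /var/spool/samba
[print$]
   path = /var/lib/samba/printers
EOF
}

# Constructed sample: the matching lines of Appendix A.
appendix_a_smb_conf() {
    cat <<'EOF'
[global]
   security = user
   map to guest = never
[printers]
   guest ok = yes
[print$]
   guest ok = yes
EOF
}

relaxed_smb_conf | audit_smb_guest
appendix_a_smb_conf | audit_smb_guest
```

To audit a live server, run audit_smb_guest < /etc/samba/smb.conf; no output means no share was found in the guest-fallback combination.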

cupsd.conf

cupsd.conf requires special consideration for its security configuration. In the <Location> tags, careful attention must be given to the "Allow From" directives, and they should be set up to match only your actual network configuration.
Generally, it is best practice to only allow access to the CUPS Control panel from the localhost of the server so only users directly connected to the server can modify printer configurations.
The attached cupsd.conf is configured to be very permissive.
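
To see which sources a given cupsd.conf actually admits, the following shell sketch (an added example, not part of the original guide) walks the <Location> blocks and reports every "Allow From" entry that is not the loopback address, plus any "Port" directive. The function names are hypothetical; the first sample is constructed from the access-control lines of Appendix B, the second is a constructed variant with the control panel limited to the server itself.

```sh
#!/bin/sh
# Added example, not from the original guide. Reads a cupsd.conf on stdin and
# prints every non-loopback source it admits, per <Location>, plus "Port" lines.
audit_cupsd_conf() {
    awk '
    function is_local(src) {
        return src == "127.0.0.1" || src == "localhost" || src == "::1" || src == "[::1]"
    }
    NF == 0 || $1 ~ /^#/ { next }                       # blank lines, comments
    $1 == "<Location"    { loc = $2; sub(/>$/, "", loc); next }
    $1 == "</Location>"  { loc = ""; next }
    loc != "" && tolower($1) == "allow" {
        src = (tolower($2) == "from") ? $3 : $2         # "Allow From x" or "Allow x"
        if (!is_local(src)) print "OPEN " loc " " src
        next
    }
    # "Port N" listens on every interface, unlike "Listen localhost:N".
    loc == "" && tolower($1) == "port" { print "LISTEN Port " $2 }
    '
}

# Succeeds (exit 0) when /admin or anything below it admits a non-loopback source.
admin_exposed() {
    audit_cupsd_conf | grep -q '^OPEN /admin[ /]'
}

# Constructed sample: the listener and <Location> lines of Appendix B.
permissive_conf() {
    cat <<'EOF'
Listen /var/run/cups/cups.sock
Port 631
<Location />
  Order allow,deny
  Allow From 192.168.1.*
  Allow From 192.168.0.*
  Allow From 127.0.0.1
  Allow From localhost
</Location>
<Location /admin>
  Order allow,deny
  Allow From 192.168.1.104
</Location>
EOF
}

# Constructed sample: printing still shared, control panel reachable from localhost only.
localhost_admin_conf() {
    cat <<'EOF'
Port 631
<Location />
  Order allow,deny
  Allow From 192.168.1.*
  Allow From 127.0.0.1
</Location>
<Location /admin>
  Order allow,deny
  Allow From 127.0.0.1
</Location>
EOF
}

permissive_conf | audit_cupsd_conf
localhost_admin_conf | admin_exposed || echo "admin pages: loopback only"
```

Run audit_cupsd_conf < /etc/cups/cupsd.conf against the real file; each OPEN line is a network source that should be compared with the hosts you intend to allow.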

Appendix A

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = YOURWORKGROUP

# server string is the equivalent of the NT Description field
# The following displays whatever you set your HOST name as
server string = %h

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = true

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = user

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
# tdbsam is the default. You can modify it with pdbedit or smbpasswd 
   passdb backend = tdbsam
   obey pam restrictions = yes

#   guest account = nobody
# The following is good for network security. If this server can indirectly be accessed from the internet, you should probably include the following line.
   invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = no

# If the supplied password is incorrect for the username (for Windows machines, they send the current
# username and password of the logged in user), then reject and DONT allow that user to connect or browse.
# This will essentially not drop the user to Guest permissions
map to guest = never

########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes
   printing = cups
   printcap name = cups
   printer admin = USERADMIN


############ Misc ############

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

[printers]
   comment = All Printers
   browseable = yes
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   read only = yes

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = yes
   write list = root, @lpadmin, YOURUSER

Appendix B

#
#   Sample configuration file for the Common UNIX Printing System (CUPS)
#   scheduler.  See "man cupsd.conf" for a complete description of this
#   file.
#

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel warning

# Administrator user group...
SystemGroup lpadmin


# Use the following line to only allow connections from the local machine
#Listen localhost:631
Listen /var/run/cups/cups.sock

# The following line allows connections from anywhere to port 631
Port 631

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all

# The following allows browse access from the 192.168.1.* network. This will need to be adjusted for your network.
BrowseAddress 192.168.1.255

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow From 192.168.1.*
  Allow From 192.168.0.*
  Allow From 127.0.0.1
  Allow From localhost
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow From 192.168.1.104
</Location>


# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
#  Require group lpadmin
#  Require user ubuntu
  Order allow,deny
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an administrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

Appendix C

To install the Linux driver for the Samsung ML2010 printer on Ubuntu 8.04, follow these steps:
  1. Go to http://ubuntuforums.org/showthread.php?t=341621 and read the first post. This explains how to install the Samsung Unified Printer drivers.
  2. On your server computer type the following:
    • sudo su
      • Type in the current user's password. This user must be a member of sudoers. If you know the root password, you may su root.
    • echo "deb http://www-personal.umich.edu/~tjwatt/suldr/ debian extra" >> /etc/apt/sources.list
    • echo "deb http://archive.ubuntu.com/ubuntu hardy universe" >> /etc/apt/sources.list
    • wget -O - http://www-personal.umich.edu/~tjwatt/suldr/suldr.gpg | apt-key add -
    • apt-get update
    • apt-get install sane-utils
    • apt-get install samsungmfp-driver samsungmfp-data
  3. Execute the following commands:
    • /etc/init.d/cupsys restart
    • exit
  4. Verify the packages installation with dpkg -l samsung*. Both samsungmfp-data and samsungmfp-driver should have "ii" to the left of their name.
  5. Navigate to the CUPS control panel (ex: http://192.168.1.7:631)
  6. Add your printer.
The specific driver should now show up. For more information view the thread from step 1 and also the instructions located at http://www-personal.umich.edu/~tjwatt/suldr/




