Linux print server with AD integration
In this article, I wanted to settle on the experience of creating a linux-based print server with AD integration. Integration refers to entering a linux server into a Windows domain and sharing Cups printers via Samba, including printer drivers. Perhaps it was clumsily expressed, but if it is simpler, then it looks like this - in order to install a printer to a Windows user, just click on “install new printer”, list printers in AD and click on the desired printer - the printer will be installed automatically with all necessary drivers installed. At the same time, all rights to manage, access, print will be pulled from AD.
Assume that the linux OS is already installed and all the necessary packages are installed.
On entering linux into the Winodws domain I will not focus much attention, especially since there are plenty of articles on this topic. Let me give you a link to a pretty good article - https://habrahabr.ru/post/143190/
I will dwell only on important points. Also, below I will lay out all my working configs of the above services. Customized for various articles and manuals.
Time on the linux server must be identical with the domain controller, otherwise it will not drive into the domain.
There are several options for this: specify the same ntp time synchronization server on the domain controller and our print server, or specify the controller's IP domain as the ntp server on the print server. I configured the second option.
')
You can check the synchronization as follows:
Many people say that these settings are not needed at all for samba, like kerberos and LDAP, but I love everything with Feng Shui))). Earlier, I configured samba as a PDC (Primary Domain Controller) without kerberos and LDAP and it all worked with WinXP clients, I confirm.
These settings are not recommended by samba itself, starting with some versions 3.X, but in many articles they are indicated. If you specify these parameters in new versions of samba, then testparm will display:
realm parameter - domain name should be indicated in capital letters!
The realms section - the domain name must be in capital letters!
Otherwise, you can get this error when checking kerberos
Suppose you set up the necessary services and successfully entered the linux machine into the Windows domain. Let's go to the CUPS settings.
Here I will explain.
On account of the latter. I noticed the following in the logs:
I found two recommendations on this topic:
- disable sharing of printers in samba completely (very useful, especially for the print server)
- replace Basic with None wherever there is this option in cupsd.conf (did not feel the difference)
On cups.org I read that the values ​​of this option can be 2 - Basic and Negotiate, the last one for authentication using kerberos.
In any case, this error does not affect the work of cups.
I specified access for all local subnets. In principle, in the Allow directive you can specify different subnets, just as I did in BrowseAddress.
Next, set up access to the administrative panel and configuration files. Here you can also register the Allow directive (in each section) with the indication of subnets or a separate IP address from which / which printers can be administered. If you do not add this directive - adminit will be possible from any subnet locale - equivalently Allow all.
This completes the cups setting. Restart it. In openSUSE this is done through the systemctl
Now you can proceed to setting up printers via cups'a web interface. There is a small subtlety - to change, add, delete printers you need to go into cups web interface via ssl ( https ), i.e. in the web browser open
Otherwise, we get the following error:
Adding printers to cups via a web interface is a rather trivial task, so I will not describe it. The only thing I recommend on the “Administration” tab is to check whether the options are enabled:
- Allow sharing of printers connected to this system
- Allow printing from the Internet
And when installing the printer, do not forget to include the option "Allow sharing of this printer."
Who does not want to bother with samba, cups have the ability to print using ipp (Internet Printing Protocol). In Windows, the printer is installed as follows: control panel → printers → printer installation → network printer → connect to a printer on the Internet (“select shared printer by name” for Win7 / 8/10) as the url we specify the full path:
The full path to the printer can be copied from the address bar of the browser in the cups web interface.
The only thing with this method, the system will ask the printer driver. It will need to be pre-downloaded and fed to it during installation.
GRAB__1: in WinXP, ipp is enabled by default in the service pack since SP2; in Windows7 / 8/10, the Internet Printing component may not be included.
Installed through the control panel → programs and components - enable and disable Windows components. On server-side Windows, this protocol is disabled by default. Turn on through Server Manager → components → add components → print client via the Internet.
I suffered with this problem for 2 days. When I tried to install the printer in this way, I got out the error - “Windows cannot connect to the printer”. At the same time, there is nothing criminal in the cups and samba logs. It was a megatresh. I got to parse the entire flow of the network interface using tcpdump and wireshark, but the casket just opened. The problem was on the side of Windows.
Suppose cups printers are installed, now let's start copying and registering printer drivers for Windows.
You can manually copy the installed drivers to Windows -% WINDIR% \ system32 \ spool \ drivers \ W32X86 and \ x64 to the folder with the balloon for samba drivers - / var / lib / samba / drivers / W32X86 and ./x64 and then register them with console utility rpcclient, but this is an unreal quest and is not for the faint of heart.
We will go more simple way. Login on a Windows machine with Domain Admin account in our domain. I will show on the example of WinXP (further I will tell how to act with Win7). Open the explorer, in the address bar we drive in the address of the print server by IP or name: \\ Print-01 \ or \\ 10.10.15.11 \, go to the Printers and Faxes folder.
Right click on the printer → properties.
On the proposal to install the driver, we say No.
Go to the tab "Advanced" → change.
Install from the disk and specify the folder with the driver. Select the printer in the list and click OK.
IMPORTANT - in the beginning, you must specify a dad with 32-bit drivers, even if your system is 64-bit! 64-bit firewood can be installed after.
There is a copy of the drivers in the shared folder samba.
Go to the tab “access” → tick the checkbox “Insert into Active Diectory” → apply. If you need 64-bit drivers, click Additional Drivers "
And tick x64 → OK. The system will request a folder with drivers - we feed it to it in the same way.
If desired, on the "General" tab, you can rename the network printer. These names will be displayed when you navigate to the printserver \\ Print-01 \ or \\ 10.10.15.11 \.
In AD, printer names will be the same as you called them in cups.
Server Manager → Active Directory Domain Services → Active Directory users and computers → select the domain with the right mouse button → find → select the group from the “printers” drop-down list → find.
Find in the list the printer that we want to delete → right-click "delete"
In Windows 7/8/10, you can install drivers on a print server from the printmanagement.msc snap-in. Start → Run → printmanagement.msc
NOTE Home and Home Premium do not have this tool. You need to run this snap-in from under the Domain Admin account. First you need to add our print server by IP or name.
Further, here you can control the printers of the print server by analogy with the above instructions.
It is also convenient to manage print server drivers here - delete / add.
In Windows Server 2012 R2, well, no shared printers want to be installed. There are no errors in the cups and samba logs. The printer starts to install, the drivers are copied, but at the “installation completion” stage, the above error “Windows cannot connect to the printer” pops up. I think this is some kind of a cant of Windows and most likely an ipp protocol, although the component “Internet printing client” is installed.
In conclusion, I will share the secret of installing a Panasonic KX-FLB883RU printer in CUPS. There are no drivers for this printer for linux, but ljet2p.ppd (Panasonic KX-P4410 Foomatic / ljet2p), which is included in the standard OpenPrintingPPDs package, miraculously came up. Setting up the printer in CUPS via socket: // IP_address /. Everything works without glitches. I hope someone will come in handy.
My next article will be devoted to a remote automated system for installing printers to domain users. Or something like this)
My working configs see below.
Thanks for attention!
Part 1. Subtleties settings
Initial data
- Domain controller - Windows Server 2008 R2 (AD, DNS, DHCP) IP - 10.10.15.31
- Domain Name - INITIAL
- Print server - linux OS (I use OpenSUSE 13.2 x64, kernel 3.16.7-42-default) IP - 10.10.15.11
- kerberos 1.12.2-24.1
- winbind 4.2.4-40.1
- LDAP 2.4.39-8.9.1
- Samba 4.2.4-40.1
- CUPS 1.5.4-21.9.1
Assume that the linux OS is already installed and all the necessary packages are installed.
On entering linux into the Winodws domain I will not focus much attention, especially since there are plenty of articles on this topic. Let me give you a link to a pretty good article - https://habrahabr.ru/post/143190/
I will dwell only on important points. Also, below I will lay out all my working configs of the above services. Customized for various articles and manuals.
Time synchronization
Time on the linux server must be identical with the domain controller, otherwise it will not drive into the domain.
There are several options for this: specify the same ntp time synchronization server on the domain controller and our print server, or specify the controller's IP domain as the ntp server on the print server. I configured the second option.
')
/etc/ntp.conf server 10.10.15.31 iburst You can check the synchronization as follows:
print-01:~ # ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== *10.10.15.31 85.236.191.80 3 u 888 1024 377 0.698 6.690 7.232 Winbind
/etc/nsswitch.conf passwd: files winbind group: files winbind shadow: files winbind hosts: files [dns] wins Many people say that these settings are not needed at all for samba, like kerberos and LDAP, but I love everything with Feng Shui))). Earlier, I configured samba as a PDC (Primary Domain Controller) without kerberos and LDAP and it all worked with WinXP clients, I confirm.
/etc/samba/smb.conf winbind separator = / winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nss info = rfc2307 winbind refresh tickets = Yes Samba
/etc/samba/smb.conf idmap uid = 500-10000000 idmap gid = 500-10000000 idmap backend = ldap:ldap://10.10.15.31 These settings are not recommended by samba itself, starting with some versions 3.X, but in many articles they are indicated. If you specify these parameters in new versions of samba, then testparm will display:
print-01:/etc/samba # testparm -v Load smb config files from /etc/samba/smb.conf WARNING: The "idmap backend" option is deprecated WARNING: The "idmap gid" option is deprecated WARNING: The "idmap uid" option is deprecated realm parameter - domain name should be indicated in capital letters!
realm = DOMAIN.COM Kerberos
The realms section - the domain name must be in capital letters!
/etc/krb5.conf [realms] DOMAIN.COM = {... Otherwise, you can get this error when checking kerberos
kinit username@DOMAIN.COM kinit(v5): KDC reply did not match expectations while getting initial credentials Suppose you set up the necessary services and successfully entered the linux machine into the Windows domain. Let's go to the CUPS settings.
Cups
/etc/cups/cupsd.conf # LogLevel debug # (, , root) SystemGroup root # 631 / Listen for connections on Port 631. Port 631 Listen /run/cups/cups.sock BrowseLocalProtocols CUPS BrowseRemoteProtocols CUPS # / Show shared printers on the local network. Browsing On BrowseOrder allow,deny BrowseAllow all BrowseAddress 10.10.15.0/24 BrowseAddress 172.19.2.0/24 BrowseAddress 172.19.3.0/24 BrowseAddress 172.19.4.0/24 # Default authentication type, when authentication is required... DefaultAuthType Basic WebInterface Yes Here I will explain.
BrowseOrder allow, deny - the order in which the system considers allowing and prohibiting directives: all that is not allowed is prohibited.
BrowseAllow all - displays all available printers on the local network
BrowseAddress - we specify all subnets from which access to printers is needed
DefaultAuthType - authentication type. The default is Basic.
On account of the latter. I noticed the following in the logs:
/var/log/cups/error_log cupsdAuthorize: No authentication data provided. I found two recommendations on this topic:
- disable sharing of printers in samba completely (very useful, especially for the print server)
- replace Basic with None wherever there is this option in cupsd.conf (did not feel the difference)
On cups.org I read that the values ​​of this option can be 2 - Basic and Negotiate, the last one for authentication using kerberos.
In any case, this error does not affect the work of cups.
# . <Location /> # Allow remote access... Order allow,deny Allow all </Location> I specified access for all local subnets. In principle, in the Allow directive you can specify different subnets, just as I did in BrowseAddress.
Next, set up access to the administrative panel and configuration files. Here you can also register the Allow directive (in each section) with the indication of subnets or a separate IP address from which / which printers can be administered. If you do not add this directive - adminit will be possible from any subnet locale - equivalently Allow all.
<Location /admin> Order allow,deny </Location> <Location /admin/conf> AuthType Default Require user @SYSTEM </Location> This completes the cups setting. Restart it. In openSUSE this is done through the systemctl
systemctl restart cups.service Now you can proceed to setting up printers via cups'a web interface. There is a small subtlety - to change, add, delete printers you need to go into cups web interface via ssl ( https ), i.e. in the web browser open
https://10.10.15.11:631/ Otherwise, we get the following error:
Adding printers to cups via a web interface is a rather trivial task, so I will not describe it. The only thing I recommend on the “Administration” tab is to check whether the options are enabled:
- Allow sharing of printers connected to this system
- Allow printing from the Internet
And when installing the printer, do not forget to include the option "Allow sharing of this printer."
Who does not want to bother with samba, cups have the ability to print using ipp (Internet Printing Protocol). In Windows, the printer is installed as follows: control panel → printers → printer installation → network printer → connect to a printer on the Internet (“select shared printer by name” for Win7 / 8/10) as the url we specify the full path:
http://10.10.15.11:631/printers/Kyocera_6525_PTO http://Print-01:631/printers/Kyocera_6525_PTO The full path to the printer can be copied from the address bar of the browser in the cups web interface.
The only thing with this method, the system will ask the printer driver. It will need to be pre-downloaded and fed to it during installation.
GRAB__1: in WinXP, ipp is enabled by default in the service pack since SP2; in Windows7 / 8/10, the Internet Printing component may not be included.
Installed through the control panel → programs and components - enable and disable Windows components. On server-side Windows, this protocol is disabled by default. Turn on through Server Manager → components → add components → print client via the Internet.
I suffered with this problem for 2 days. When I tried to install the printer in this way, I got out the error - “Windows cannot connect to the printer”. At the same time, there is nothing criminal in the cups and samba logs. It was a megatresh. I got to parse the entire flow of the network interface using tcpdump and wireshark, but the casket just opened. The problem was on the side of Windows.
Part 2. Installing drivers
Suppose cups printers are installed, now let's start copying and registering printer drivers for Windows.
You can manually copy the installed drivers to Windows -% WINDIR% \ system32 \ spool \ drivers \ W32X86 and \ x64 to the folder with the balloon for samba drivers - / var / lib / samba / drivers / W32X86 and ./x64 and then register them with console utility rpcclient, but this is an unreal quest and is not for the faint of heart.
We will go more simple way. Login on a Windows machine with Domain Admin account in our domain. I will show on the example of WinXP (further I will tell how to act with Win7). Open the explorer, in the address bar we drive in the address of the print server by IP or name: \\ Print-01 \ or \\ 10.10.15.11 \, go to the Printers and Faxes folder.
Right click on the printer → properties.
On the proposal to install the driver, we say No.
Go to the tab "Advanced" → change.
Install from the disk and specify the folder with the driver. Select the printer in the list and click OK.
IMPORTANT - in the beginning, you must specify a dad with 32-bit drivers, even if your system is 64-bit! 64-bit firewood can be installed after.
There is a copy of the drivers in the shared folder samba.
Go to the tab “access” → tick the checkbox “Insert into Active Diectory” → apply. If you need 64-bit drivers, click Additional Drivers "
And tick x64 → OK. The system will request a folder with drivers - we feed it to it in the same way.
If desired, on the "General" tab, you can rename the network printer. These names will be displayed when you navigate to the printserver \\ Print-01 \ or \\ 10.10.15.11 \.
In AD, printer names will be the same as you called them in cups.
Remove printers from AD.
Server Manager → Active Directory Domain Services → Active Directory users and computers → select the domain with the right mouse button → find → select the group from the “printers” drop-down list → find.
Find in the list the printer that we want to delete → right-click "delete"
Installing drivers in Windows 7/8/10.
In Windows 7/8/10, you can install drivers on a print server from the printmanagement.msc snap-in. Start → Run → printmanagement.msc
NOTE Home and Home Premium do not have this tool. You need to run this snap-in from under the Domain Admin account. First you need to add our print server by IP or name.
Further, here you can control the printers of the print server by analogy with the above instructions.
It is also convenient to manage print server drivers here - delete / add.
What could not yet be solved
In Windows Server 2012 R2, well, no shared printers want to be installed. There are no errors in the cups and samba logs. The printer starts to install, the drivers are copied, but at the “installation completion” stage, the above error “Windows cannot connect to the printer” pops up. I think this is some kind of a cant of Windows and most likely an ipp protocol, although the component “Internet printing client” is installed.
In conclusion, I will share the secret of installing a Panasonic KX-FLB883RU printer in CUPS. There are no drivers for this printer for linux, but ljet2p.ppd (Panasonic KX-P4410 Foomatic / ljet2p), which is included in the standard OpenPrintingPPDs package, miraculously came up. Setting up the printer in CUPS via socket: // IP_address /. Everything works without glitches. I hope someone will come in handy.
My next article will be devoted to a remote automated system for installing printers to domain users. Or something like this)
My working configs see below.
/etc/krb5.conf
[libdefaults] ticket_lifetime = 24000 default_realm = INITIAL.LOCAL dns_lookup_realm = false dns_lookup_kds = false clockskew = 300 # ------------------------------------- kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true [realms] INITIAL.LOCAL = { kdc = dc-01.initial.local default_domain = initial.local # admin_server = kerberos.initial.local:749 admin_server = dc-01.initial.local } # EXAMPLE.COM = { # kdc = kerberos.example.com # admin_server = kerberos.example.com # } [logging] kdc = FILE:/var/log/krb5/krb5kdc.log admin_server = FILE:/var/log/krb5/kadmind.log default = SYSLOG:NOTICE:DAEMON [domain_realm] .initial.local = INITIAL.LOCAL .INITIAL.local = INITIAL.LOCAL .INITIAL = INITIAL.LOCAL initial.local = INITIAL.LOCAL [appdefaults] pam = { debug = false ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 1 use_shmem = sshd clockskew = 300 } /etc/nsswitch.conf
# /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Legal entries are: # # compat Use compatibility setup # nisplus Use NIS+ (NIS version 3) # nis Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # [NOTFOUND=return] Stop searching if not found so far # # For more information, please read the nsswitch.conf.5 manual page. # # passwd: files nis # shadow: files nis # group: files nis # passwd: compat winbind # group: compat winbind # shadow: compat winbind passwd: files winbind group: files winbind shadow: files winbind # hosts: files mdns4_minimal [NOTFOUND=return] dns wins hosts: files [dns] wins networks: files dns services: files protocols: files rpc: files ethers: files netmasks: files netgroup: files nis publickey: files bootparams: files automount: files nis aliases: files /etc/openldap/ldap.conf
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never URI ldap://10.10.15.31 BASE DC=initial,DC=local /etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the # samba-doc package is installed. [global] workgroup = INITIAL # passdb backend = smbpasswd printing = cups printcap name = cups printcap cache time = 750 cups options = raw map to guest = Bad User logon path = \\%L\profiles\.msprofile logon home = \\%L\%U\.9xprofile logon drive = P: usershare allow guests = Yes add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$ domain logons = No domain master = No security = ADS encrypt passwords = yes # idmap backend = ldap:ldap://10.10.15.31 ldap admin dn = admin@initial.local ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap machine suffix = ou=Computers ldap passwd sync = Yes ldap suffix = DC=initial,DC=local ldap user suffix = ou=Users ldap ssl = Off ldapsam:trusted = yes ldapsam:editposix = yes # idmap gid = 500-10000000 # idmap uid = 500-10000000 netbios name = print-01 name resolve order = lmhost wins host bcast wins server = 10.10.15.31 wins support = No usershare max shares = 100 kerberos method = system keytab ## -------------------------------------- winbind separator = / winbind enum users = yes winbind enum groups = yes winbind nested groups = yes winbind use default domain = yes winbind nss info = rfc2307 winbind uid = 10000-20000 winbind gid = 10000-20000 realm = INITIAL.LOCAL template homedir = /home/%D/%U winbind refresh tickets = yes template shell = /bin/bash # [homes] # comment = Home Directories # valid users = %S, %D%w%S # browseable = No # read only = No # inherit acls = Yes # [profiles] # comment = Network Profiles Service # path = %H # read only = No # store dos attributes = Yes # create mask = 0600 # directory mask = 0700 # [users] # comment = All users # path = /home # read only = No # inherit acls = Yes # veto files = /aquota.user/groups/shares/ # guest ok = No # [groups] # comment = All groups # path = /home/groups # read only = No # inherit acls = Yes [printers] comment = All Printers path = /var/spool/samba printable = Yes create mask = 0664 browseable = Yes read only = No guest ok = Yes [print$] comment = Printer Drivers path = /var/lib/samba/drivers write list = @ntadmin root force group = ntadmin create mask = 0664 directory mask = 0700 read only = No guest ok = Yes writable = yes # inherit permissions = yes # -------------------------------- use client driver = yes # [netlogon] /etc/cups/cupsd.conf
LogLevel debug SystemGroup root # Allow remote access Port 631 Listen /run/cups/cups.sock Browsing On BrowseLocalProtocols CUPS BrowseRemoteProtocols CUPS BrowseOrder allow,deny BrowseAllow all BrowseAddress 10.10.15.0/24 BrowseAddress 172.19.2.0/24 BrowseAddress 172.19.3.0/24 BrowseAddress 172.19.4.0/24 DefaultAuthType Basic WebInterface Yes <Location /> # Allow remote access... Order allow,deny Allow all </Location> <Location /admin> Order deny,allow </Location> <Location /admin/conf> AuthType Default Require user @SYSTEM </Location> <Policy default> JobPrivateAccess default JobPrivateValues default SubscriptionPrivateAccess default SubscriptionPrivateValues default <Limit Create-Job Print-Job Print-URI Validate-Job> Order deny,allow </Limit> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Cancel-Job CUPS-Authenticate-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit All> Order deny,allow </Limit> </Policy> <Policy authenticated> JobPrivateAccess default JobPrivateValues default SubscriptionPrivateAccess default SubscriptionPrivateValues default <Limit Create-Job Print-Job Print-URI Validate-Job> AuthType Default Order deny,allow </Limit> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> AuthType Default Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @SYSTEM Order deny,allow </Limit> <Limit Cancel-Job CUPS-Authenticate-Job> AuthType Default Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit All> Order deny,allow </Limit> </Policy> <Policy allowallforanybody> JobPrivateAccess all JobPrivateValues none SubscriptionPrivateAccess all SubscriptionPrivateValues none <Limit All Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document> Order deny,allow Allow from all </Limit> </Policy> DefaultPolicy default Thanks for attention!
Source: https://habr.com/ru/post/313636/
All Articles