CUPS shared printer with Authentication and SSL connect issue on Windows machines

0

I have an issue with connecting printer in Windows 10 or 7. Everything works great in my Debian, either basic auth type or HTTPS. I have created user cups_print and assign him password with passwd command. I have tried to disable authentication and TLS/SSL and without them Windows stations can connect to HP P1006, which is connected to Raspi with CUPS running. I have also tried Require valid-user, but with this option I can print with any credentials e.g. username: "aa" password: "randompassword". I have also tried to listen on port 631 when doing SSL connection without any success on Windows, Linux works fine with every option.

I have tried to set up ipp url in Windows these ways:
https://192.168.X.132:632/printers/HP_LaserJet_P1006
https://cups_print:mypsswd@192.168.X.132:632/printers/HP_LaserJet_P1006
https://cups_print@192.168.X.132:632/printers/HP_LaserJet_P1006
http://cups_print@192.168.X.132:631/printers/HP_LaserJet_P1006
http://192.168.X.132:631/printers/HP_LaserJet_P1006
http://cups_print:mypsswd@192.168.X.132:631/printers/HP_LaserJet_P1006

Also I tried to add printer, when cupsd.conf is configured without authentication required and restart it afterwards with option on, then provided credentials to Windows via port edit. Again without any success. I am able to access cups configuration on any Windows station via web interface. It seems to be a problem with Windows, if not, can you please suggest any solution, I would like to have everything secured in my home network.

I enclose part of my cupsd.conf file

# Show troubleshooting information in error_log.
LogLevel debug
PageLogFormat
MaxLogSize 0
Port 631
Listen localhost:631
Listen /run/cups/cups.sock
Listen 192.168.X.X:631
Browsing On
BrowseLocalProtocols dnssd
BrowseAllow All
DefaultAuthType Basic
WebInterface Yes
DefaultEncryption Required
SSLPort 632
SSLListen *:632
<Location />
  Order allow,deny
  Allow 192.168.X.*
  Allow 192.168.X.*
  Allow localhost
  #Allow all
  Require user cups_print
  #Require user @SYSTEM cups_print  
</Location>
<Location /printers>
  Order allow,deny
  Allow 192.168.X.*
  Allow 192.168.X.*
 Allow localhost
  #Allow all
  AuthType Basic
  Require user cups_print
  #Require user @SYSTEM cups_print

korky

Posted 2019-08-21T10:17:40.667

Reputation: 1

Answers

0

After a week of struggling with this issue, I found a workaround.

In Windows 10 1903 update there is an issue with adding printer with authentication. You have to set port first, even before adding printer, after that, you are able to add it without any issue. Nice script you can edit and run is here

Instructions to add printer https and auth

Script modifying registers and adds port

Or you can add it manually by configuring registers, see second link. After successful adding port and printer(nothing should ask you for credentials), go to printer setting, port setting and configure port with provided credential. Without them, you are unable to print.

Secondly you have to grant access to every location without authentication, even "/" and "/printers" in cupsd.conf. After that, create policy limit <Limit Get-Printer-Attributes> and do not require authentication there at all. Then enable authentication in <Limit Cancel-Job CUPS-Authenticate-Job> and <Limit Create-Job Print-Job Print-URI Validate-Job>.

If you are trying to use self signed certificate, follow link Self-signed certificate add in Windows. Do not forget to add this certificate to "Trusted root 3rd party certificates"

Some more sources with issues, you have to face, when you are adding IPP printer to Windows Cups authentication problem Windows Cups authentication problem Windows

My cupsd.conf(anonymized)

LogLevel debug
PageLogFormat
MaxLogSize 0

SSLPort 636
SSLListen *:636

Browsing On
BrowseLocalProtocols dnssd
BrowseAllow All

DefaultAuthType Basic

WebInterface yes


DefaultEncryption required

ServerKey /etc/cups/ssl/server.key
ServerCertificate /etc/cups/ssl/server.crt

ServerAlias hostname.my_domain.net


# Restrict access to the server...
<Location />
  Order allow,deny
  Allow 192.168.X1.*
  Allow 192.168.X2.*
  Allow localhost 
</Location>

<Location /printers>
  Order allow,deny
  Allow 192.168.X1.*
  Allow 192.168.X2.*
  Allow localhost
</Location>


# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow localhost
  Deny all
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Allow localhost
  Order allow,deny
</Location>

# Restrict access to log files...
<Location /admin/log>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
    Allow all
    AuthType Basic
    Require user @SYSTEM cups_print
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @CUPS_DEFAULT_PRINTOPERATOR_AUTH@ cups_print
    AuthType Basic
    Order deny,allow
  </Limit>

  <Limit Get-Printer-Attributes>
    Order allow,deny
    Allow all
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Basic
    Require user @SYSTEM cups_print
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Require user @OWNER @CUPS_DEFAULT_PRINTOPERATOR_AUTH@ cups_print
    Order deny,allow
  </Limit>

  <Limit Get-Printer-Attributes>
    Order allow,deny
    Allow all
   </Limit>


  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

korky

Posted 2019-08-21T10:17:40.667

Reputation: 1

Asked: 2019-08-21T10:17:40.667

Viewed: 511 times

Active: 2019-08-25T12:16:21.890