[MacTUG] Cupsd.conf mods (OS X 10.9.5 printing woes)

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Wed Nov 26 14:07:37 EST 2014


With 10.9.5, certain printing operations require the user to be part of the “Printer Operator” group. This includes unpausing the printer or deleting one of your print jobs. This seemed to happen with 10.9.5, as it was not an issue with my Mac clients when I built them in the Fall (10.9.2 I think).

We were talking a bit about tweaking the cupsd.conf file and I thought I would show folks what I have and discuss some of the things I have learned. Marlon requested stuff should be written down so I thought at the least I would document here what I have done. Also I would like to see what other folks have done — hint hint, Ed C ;-)

About the structure of the cupsd.conf file: Things are repeated three times in this file. The first is for “Policy Default” and then the same code is repeated for “Policy Authenticated” and “Policy Kerberos”. Through experimentation I have decided the changes I need to make for Macs authenticating to AD are under “Policy Authenticated”, although I will probably change it in all three areas since I really do not care how the user gets on; I want them to be able to do the tasks that are currently being prohibited.

The tasks in question are:

  *   Resume-Printer
  *   Release-Held-New-Jobs
  *   Cancel-Job
  *   CUPS-Authenticate-Job (note: this lets the user re-authenticate if a previous authentication failed due to bad password)

The section in question is, after I modified it:

  # All printer operations require a printer operator to authenticate...
  # Don removed "Resume-Printer" and "Release-Held-New-Jobs" from the following line:
  <Limit Pause-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @AUTHKEY(system.print.operator) @admin @lpadmin
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  # Don commented out the following lines
  #<Limit Cancel-Job CUPS-Authenticate-Job>
  #  AuthType Default
  #  Require user @OWNER @AUTHKEY(system.print.operator) @admin @lpadmin
  #  Order deny,allow
  #</Limit>

This section is towards the end of the <Policy Authenticated> section (somewhere around line 113 in an unmodified conf file from a 10.9.5 OS), but as I mentioned I will likely do this for all three sections.

I also set the DefaultAuthType (towards the top of the file) to "DefaultAuthType Negotiate"


And lastly, if you want to see the whole danged thing, it is below:
________________________________
#  This file has been modded by Don Nov 26 2014
# "$Id: cupsd.conf.in 11093 2013-07-03 20:48:42Z msweet $"
#
# Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
# complete description of this file.
#

# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn

# Only listen for connections from the local machine.
Listen localhost:631
Listen /private/var/run/cupsd

# Show shared printers on the local network.
Browsing Off
BrowseLocalProtocols dnssd

# Default authentication type, when authentication is required...
DefaultAuthType Negotiate

# Web interface setting...
WebInterface No

# Restrict access to the server...
<Location />
  Order allow,deny
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @AUTHKEY(system.print.operator) @admin @lpadmin
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @AUTHKEY(system.print.operator) @admin @lpadmin
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  # Don removed "Resume-Printer" and "Release-Held-New-Jobs" from the following line:
  <Limit Pause-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @AUTHKEY(system.print.operator) @admin @lpadmin
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
    # Don commented out the following lines
  #<Limit Cancel-Job CUPS-Authenticate-Job>
  #  AuthType Default
  #  Require user @OWNER @AUTHKEY(system.print.operator) @admin @lpadmin
  #  Order deny,allow
  #</Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

# Set the kerberized printer/job policies...
<Policy kerberos>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Negotiate
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Negotiate
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @AUTHKEY(system.print.operator) @admin @lpadmin
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Negotiate
    Require user @OWNER @AUTHKEY(system.print.operator) @admin @lpadmin
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

#
# End of "$Id: cupsd.conf.in 11093 2013-07-03 20:48:42Z msweet $".
#
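
An added check, not part of the original post: a small Python parser that resolves which rule cupsd.conf applies to the four operations listed in the post, per policy. It treats an operation as open when its effective `<Limit>` carries neither `Require` nor `AuthType`; the sample is abridged from the posted file, and the names `parse_policies`, `open_operations` and `WATCHED` are this example's own.

```python
# Abridged from the cupsd.conf in the post above (operation lists shortened).
SAMPLE = """
<Policy authenticated>
  <Limit Pause-Printer Hold-New-Jobs Cancel-Jobs>
    AuthType Default
    Require user @AUTHKEY(system.print.operator) @admin @lpadmin
  </Limit>
  #<Limit Cancel-Job CUPS-Authenticate-Job>
  #  Require user @OWNER @AUTHKEY(system.print.operator) @admin @lpadmin
  #</Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
<Policy kerberos>
  <Limit Pause-Printer Resume-Printer Release-Held-New-Jobs>
    AuthType Default
    Require user @AUTHKEY(system.print.operator) @admin @lpadmin
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Negotiate
    Require user @OWNER @AUTHKEY(system.print.operator) @admin @lpadmin
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""
WATCHED = ("Resume-Printer", "Release-Held-New-Jobs", "Cancel-Job", "CUPS-Authenticate-Job")

def parse_policies(text):
    policies, policy, rule = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("<Policy "):
            policy = policies.setdefault(line[8:-1].strip(), {})
        elif line.startswith("<Limit "):
            rule = {}  # one shared rule for every operation named on the line
            policy.update(dict.fromkeys(line[7:-1].split(), rule))
        elif line.startswith("</"):
            rule = None
        elif rule is not None and line and line[0] != "#":  # commented-out blocks are skipped
            rule[line.split()[0]] = line.partition(" ")[2].strip()
    return policies

def open_operations(policies, name, ops=WATCHED):
    rules = policies[name]  # effective rule: the <Limit> naming the operation, else <Limit All>
    return [op for op in ops
            if not {"Require", "AuthType"} & set(rules.get(op, rules.get("All", {})))]
```

On the sample, all four watched operations in the `authenticated` policy resolve to `<Limit All>`, so the `@OWNER` restriction on `Cancel-Job` no longer applies there, while the untouched `kerberos` policy returns an empty list.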

