Red Hat Enterprise Linux-9-Configuring and Using A CUPS Printing server-en-US
Red Hat Enterprise Linux-9-Configuring and Using A CUPS Printing server-en-US
Configure your system to operate as a CUPS server and manage printers, print
queues and your printing environment
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is
available at
http://creativecommons.org/licenses/by-sa/3.0/
. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must
provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift,
Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States
and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and
other countries.
Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the
official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks
or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
Abstract
The Common Unix Printing System (CUPS) manages printing on Red Hat Enterprise Linux. Users
configure printers in CUPS on their host to print. Additionally, you can share printers in CUPS to use
the host as a print server. CUPS supports printing to: AirPrint and IPP Everywhere printers Network
and local USB printers with printer applications Network and local USB printers with legacy
PostScript Printer Description (PPD)-based drivers
Table of Contents
Table of Contents
. . . . . . . . . . . . . FEEDBACK
PROVIDING . . . . . . . . . . . . ON
. . . .RED
. . . . .HAT
. . . . .DOCUMENTATION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3. . . . . . . . . . . . .
. . . . . . . . . . . 1.. .INSTALLING
CHAPTER . . . . . . . . . . . . . AND
. . . . . .CONFIGURING
. . . . . . . . . . . . . . . .CUPS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. . . . . . . . . . . . .
. . . . . . . . . . . 2.
CHAPTER . . CONFIGURING
. . . . . . . . . . . . . . . . TLS
. . . . .ENCRYPTION
. . . . . . . . . . . . . . .ON
. . .A
. . CUPS
. . . . . . .SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6. . . . . . . . . . . . .
. . . . . . . . . . . 4.
CHAPTER . . .OVERVIEW
. . . . . . . . . . . .OF
. . . PACKAGES
. . . . . . . . . . . . WITH
. . . . . . PRINTER
. . . . . . . . . . DRIVERS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
..............
. . . . . . . . . . . 5.
CHAPTER . . DETERMINING
. . . . . . . . . . . . . . . . WHETHER
. . . . . . . . . . .A
. . PRINTER
. . . . . . . . . .SUPPORTS
. . . . . . . . . . . . DRIVERLESS
. . . . . . . . . . . . . .PRINTING
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11. . . . . . . . . . . . .
. . . . . . . . . . . 6.
CHAPTER . . .ADDING
. . . . . . . . .A. .PRINTER
. . . . . . . . . TO
. . . .CUPS
. . . . . . BY
. . . .USING
. . . . . . .THE
. . . . .WEB
. . . . . INTERFACE
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
..............
. . . . . . . . . . . 7.
CHAPTER . . ADDING
.........A
. . PRINTER
. . . . . . . . . . TO
. . . .CUPS
. . . . . . BY
. . . .USING
. . . . . . .THE
. . . . .LPADMIN
. . . . . . . . . . UTILITY
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
..............
. . . . . . . . . . . 9.
CHAPTER . . .USING
. . . . . . .SAMBA
. . . . . . . .TO
. . . .PRINT
. . . . . . .TO
. . .A
. . WINDOWS
. . . . . . . . . . . PRINT
. . . . . . . SERVER
. . . . . . . . . WITH
. . . . . . KERBEROS
. . . . . . . . . . . . AUTHENTICATION
................................
21
CHAPTER 10. USING CUPS-BROWSED TO LOCALLY INTEGRATE PRINTERS FROM A REMOTE PRINT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
SERVER ..............
. . . . . . . . . . . 11.
CHAPTER . . .ACCESSING
. . . . . . . . . . . . .THE
. . . . .CUPS
. . . . . .LOGS
. . . . . . IN
. . . THE
. . . . .SYSTEMD
. . . . . . . . . . .JOURNAL
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
..............
. . . . . . . . . . . 12.
CHAPTER . . . CONFIGURING
. . . . . . . . . . . . . . . .CUPS
. . . . . . TO
. . . .STORE
. . . . . . . .LOGS
. . . . . . IN
. . .FILES
. . . . . . .INSTEAD
. . . . . . . . . OF
. . . .THE
. . . . .SYSTEMD
. . . . . . . . . . .JOURNAL
. . . . . . . . . . . . . . .26
..............
. . . . . . . . . . . 13.
CHAPTER . . . ACCESSING
. . . . . . . . . . . . . THE
. . . . .CUPS
. . . . . . DOCUMENTATION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
..............
1
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
2
PROVIDING FEEDBACK ON RED HAT DOCUMENTATION
4. Enter your suggestion for improvement in the Description field. Include links to the relevant
parts of the documentation.
3
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
Procedure
2. If you configure a CUPS as a print server, edit the /etc/cups/cupsd.conf file, and make the
following changes:
a. If you want to remotely configure CUPS or use this host as a print server, configure on which
IP addresses and ports the service listens:
Listen 192.0.2.1:631
Listen [2001:db8:1::1]:631
By default, CUPS listens only on localhost interfaces (127.0.0.1 and ::1). Specify IPv6
addresses in square brackets.
IMPORTANT
b. Configure which IP ranges can access the service by allowing the respective IP ranges in the
<Location /> directive:
<Location />
Allow from 192.0.2.0/24
Allow from [2001:db8:1::1]/32
Order allow,deny
</Location>
c. In the <Location /admin> directive, configure which IP addresses and ranges can access
the CUPS administration services:
<Location /admin>
Allow from 192.0.2.15/32
Allow from [2001:db8:1::22]/128
Order allow,deny
</Location>
With these settings, only the hosts with the IP addresses 192.0.2.15 and 2001:db8:1::22
can access the administration services.
d. Optional: Configure IP addresses and ranges that are allowed to access the configuration
and log files in the web interface:
<Location /admin/conf>
4
CHAPTER 1. INSTALLING AND CONFIGURING CUPS
<Location /admin/log>
Allow from 192.0.2.15/32
Allow from [2001:db8:1::22]/128
...
</Location>
3. If you run the firewalld service and want to configure remote access to CUPS, open the CUPS
port in firewalld:
If you run CUPS on a host with multiple interfaces, consider limiting the access to the required
networks.
Verification
Use a browser, and access http://<hostname>:631. If you can connect to the web interface,
CUPS works.
Note that certain features, such as the Administration tab, require authentication and an
HTTPS connection. By default, CUPS uses a self-signed certificate for HTTPS access and,
consequently, the connection is not secure when you authenticate.
Next steps
Optional: Granting administration permissions to manage a CUPS server in the web interface
5
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
WARNING
Prerequisites
CUPS is configured.
You created a private key , and a CA issued a server certificate for it.
The private key is not protected by a password because CUPS provides no option to enter the
password when the service reads the key.
The Canonical Name (CN) or Subject Alternative Name (SAN) field in the certificate matches
one of the following:
The private key and server certificate files use the Privacy Enhanced Mail (PEM) format.
If the server runs RHEL 9.2 or later and the FIPS mode is enabled, clients must either support
the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS
fail. For more information, see the TLS extension "Extended Master Secret" enforced
Knowledgebase article.
Procedure
1. Edit the /etc/cups/cups-files.conf file, and add the following setting to disable the automatic
creation of self-signed certificates:
6
CHAPTER 2. CONFIGURING TLS ENCRYPTION ON A CUPS SERVER
CreateSelfSignedCerts no
# rm /etc/cups/ssl/<hostname>.crt /etc/cups/ssl/<hostname>.key
# hostname -f
server.example.com
5. If the CN or SAN fields in the server certificate contains an alias that is different from the
server’s FQDN, add the ServerAlias parameter to the /etc/cups/cupsd.conf file:
ServerAlias alternative_name.example.com
In this case, use the alternative name instead of the FQDN in the rest of the procedure.
6. Store the private key and server certificate in the /etc/cups/ssl/ directory, for example:
# mv /root/server.key /etc/cups/ssl/server.example.com.key
# mv /root/server.crt /etc/cups/ssl/server.example.com.crt
IMPORTANT
CUPS requires that you name the private key <fqdn>.key and the server
certificate file <fqdn>.crt. If you use an alias, you must name the files <alias>.key
and <alias>.crt.
7. Set secure permissions on the private key that enable only the root user to read this file:
Because certificates are part of the communication between a client and the server before they
establish a secure connection, any client can retrieve the certificates without authentication.
Therefore, you do not need to set strict permissions on the server certificate file.
7
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
9. By default, CUPS enforces encrypted connections only if a task requires authentication, for
example when performing administrative tasks on the /admin page in the web interface.
To enforce encryption for the entire CUPS server, add Encryption Required to all <Location>
directives in the /etc/cups/cupsd.conf file, for example:
<Location />
...
Encryption Required
</Location>
Verification
2. If you configured that encryption is required for the entire server, access
http://<hostname>:631/. CUPS returns an Upgrade Required error in this case.
Troubleshooting
# journalctl -u cups
If the journal contains an Unable to encrypt connection: Error while reading file error after
you failed to connect to the web interface by using the HTTPS protocol, verify the name of the
private key and server certificate file.
Additional resources
8
CHAPTER 3. GRANTING ADMINISTRATION PERMISSIONS TO MANAGE A CUPS SERVER IN THE WEB INTERFACE
Prerequisites
CUPS is configured.
The IP address of the client you want to use has permissions to access the administration area in
the web interface.
Procedure
# groupadd cups-admins
2. Add the users who should manage the service in the web interface to the cups-admins group:
3. Update the value of the SystemGroup parameter in the /etc/cups/cups-files.conf file, and
append the cups-admin group:
If only the cups-admin group should have administrative access, remove the other group
names from the parameter.
4. Restart CUPS:
Verification
NOTE
You can access the administration area in the web UI only if you use the HTTPS
protocol.
3. The web interface prompts for a username and password. To proceed, authenticate by using
credentials of a user who is a member of the cups-admins group.
If authentication succeeds, this user can perform administrative tasks.
9
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
c2esp Kodak
foomatic Brother, Canon, Epson, Gestetner, HP, Infotec, Kyocera, Lanier, Lexmark, NRG, Ricoh,
Samsung, Savin, Sharp, Toshiba, Xerox, and others
gutenprint-cups Brother, Canon, Epson, Fujitsu, HP, Infotec, Kyocera, Lanier, NRG, Oki, Minolta, Ricoh,
Samsung, Savin, Xerox, and others
hplip HP
pnm2ppa HP
Note that some packages can contain drivers for the same printer vendor or model but with different
functionality.
After installing the required package, you can display the list of drivers in the CUPS web interface or by
using the lpinfo -m command.
10
CHAPTER 5. DETERMINING WHETHER A PRINTER SUPPORTS DRIVERLESS PRINTING
AirPrint™
IPP Everywhere™
Mopria®
You can use the ipptool utility to find out whether a printer supports driverless printing.
Prerequisites
The printer or remote print server supports the Internet Printing Protocol (IPP).
The host can connect to the IPP port of the printer or remote print server. The default IPP port
is 631.
Procedure
application/pdf
11
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
application/pdf
image/urf
image/pwg-raster
For color printers, the output contains one of the mentioned formats and, additionally,
image/jpeg.
Next steps:
12
CHAPTER 6. ADDING A PRINTER TO CUPS BY USING THE WEB INTERFACE
You can add printers by using the CUPS driverless feature or by using a PostScript Printer Description
(PPD) file.
NOTE
Red Hat Enterprise Linux (RHEL) does not provide the name service switch multicast DNS plug-in (nss-
mdns), which resolves requests by querying an mDNS responder. Consequently, automatic discovery
and installation for local driverless printers by using mDNS is not available in RHEL. To work around this
problem, install single printers manually or use cups-browsed to automatically install a high amount of
print queues that are available on a remote print server.
Prerequisites
CUPS is configured.
If you use CUPS as a print server, you configured TLS encryption to securely transmit data over
the network.
The printer supports driverless printing , if you want to use this feature.
Procedure
3. If you are not already authenticated, CUPS prompts for credentials of an administrative user.
Enter the username and password of an authorized user.
4. If you decide to not use driverless printing and the printer you want to add is detected
automatically, select it, and click Continue.
13
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
If your printer supports driverless printing and you want to use this feature, select the ipp or
ipps protocol.
b. Click Continue.
c. Enter the URL to the printer or to the queue on a remote print server.
d. Click Continue.
6. Enter a name and, optionally, a description and location. If you use CUPS as a print server, and
other clients should be able to print through CUPS on this printer, select also Share this printer.
14
CHAPTER 6. ADDING A PRINTER TO CUPS BY USING THE WEB INTERFACE
7. Select the printer manufacturer in the Make list. If the printer manufacturer is not on the list,
select Generic or upload a PPD file for the printer.
8. Click Continue.
If the printer supports driverless printing, select IPP Everywhere. Note that, if you
previously installed printer-specific drivers locally, it is possible that the list also contains
entries such as <printer_name> - IPP Everywhere.
If the printer does not support driverless printing, select the model or upload the PPD file
15
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
If the printer does not support driverless printing, select the model or upload the PPD file
for the printer.
11. The settings and tabs on the Set printer options page depend on the driver and the features
the printer supports. Use this page to set default options, such as for the paper size.
16
CHAPTER 6. ADDING A PRINTER TO CUPS BY USING THE WEB INTERFACE
Verification
Troubleshooting
If you use driverless printing, and printing does not work, use the lpadmin utility to add the
printer on the command line. For details, see Adding a printer to CUPS by using the lpadmin
utility.
17
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
You can add printers by using the CUPS driverless feature or by using a PostScript Printer Description
(PPD) file.
NOTE
Red Hat Enterprise Linux (RHEL) does not provide the name service switch multicast DNS plug-in (nss-
mdns), which resolves requests by querying an mDNS responder. Consequently, automatic discovery
and installation for local driverless printers by using mDNS is not available in RHEL. To work around this
problem, install single printers manually or use cups-browsed to automatically install a high amount of
print queues that are available on a remote print server.
Prerequisites
CUPS is configured.
The printer supports driverless printing , if you want to use this feature.
The printer accepts data on port 631 (IPP), 9100 (socket), or 515 (LPD). The port depends on
the method you use to connect to the printer.
Procedure
If the -m everywhere option does not work for your printer, try -m driverless:<uri>, for
example: -m driverless:ipp://192.0.2.200/ipp/print.
To add a queue from a remote print server with driverless support, enter:
If the -m everywhere option does not work for your printer, try -m driverless:<uri>, for
example: -m driverless:ipp://192.0.2.200/printers/example-queue.
To add a queue from a remote print server with a driver in a file, enter:
18
CHAPTER 7. ADDING A PRINTER TO CUPS BY USING THE LPADMIN UTILITY
# lpinfo -m
...
drv:///sample.drv/generpcl.ppd Generic PCL Laser Printer
...
ii. Add the printer with the URI to the driver in the database:
-E: Enables the printer and CUPS accepts jobs for it. Note that you must specify this option
after -p. See the option’s description in the man page for further details.
-v <uri>: Sets the URI to the printer or remote print server queue.
-m <driver_uri>: Sets the PPD file based on the provided driver URI obtained from the local
driver database.
Verification
# lpstat -p
printer Demo-printer is idle. enabled since Fri 23 Jun 2023 09:36:40 AM CEST
# lp -d Demo-printer /usr/share/cups/data/default-testpage.pdf
19
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
Maintenance tasks, such as temporary pausing a printer while a technician repairs a printer
You can perform these tasks by using the CUPS web interface.
Prerequisites
CUPS is configured.
If you use CUPS as a print server, you configured TLS encryption to not send credentials in plain
text over the network.
Procedure
3. Depending on whether you want to perform a maintenance or administration task, select the
required action from the corresponding list:
4. If you are not already authenticated, CUPS prompts for credentials of an administrative user.
Enter the username and password of an authorized user.
20
CHAPTER 9. USING SAMBA TO PRINT TO A WINDOWS PRINT SERVER WITH KERBEROS AUTHENTICATION
The benefit of this configuration is that the administrator of CUPS on RHEL does not need to store a
fixed user name and password in the configuration. CUPS authenticates to AD with the Kerberos ticket
of the user that sends the print job.
NOTE
Red Hat supports only submitting print jobs to CUPS from your local system, and not to
re-share a printer on a Samba print server.
Prerequisites
The printer that you want to add to the local CUPS instance is shared on an AD print server.
The PostScript Printer Description (PPD) file for the printer is stored in the
/usr/share/cups/model/ directory.
Procedure
2. Optional: Authenticate as a domain administrator and display the list of printers that are shared
on the Windows print server:
# smbclient -L win_print_srv.ad.example.com -U
administrator@AD_KERBEROS_REALM --use-kerberos=required
3. Optional: Display the list of CUPS models to identify the PPD name of your printer:
lpinfo -m
...
samsung.ppd Samsung M267x 287x Series PXL
...
You require the name of the PPD file when you add the printer in the next step.
21
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
-v URI_to_Windows_printer sets the URI to the Windows printer. Use the following format:
smb://host_name/printer_share_name.
-E enables the printer and CUPS accepts jobs for the printer.
Verification
# kinit domain_user_name@AD_KERBEROS_REALM
3. Print a file to the printer you added to the local CUPS print server:
# lp -d example_printer file
22
CHAPTER 10. USING CUPS-BROWSED TO LOCALLY INTEGRATE PRINTERS FROM A REMOTE PRINT SERVER
For example, administrators can use this feature on workstations to make only printers from a trusted
print server available in a print dialog of applications. It is also possible to configure cups-browsed to
filter the browsed printers by certain criteria to reduce the number of listed printers if a print server
shares a large number of printers.
NOTE
If the print dialog in an application uses other mechanisms than, for example DNS-SD, to
list remote printers, cups-browsed has no influence. The cups-browsed service also
does not prevent users from manually accessing non-listed printers.
Prerequisites
A remote CUPS print server exists, and the following conditions apply to this server:
The Allow from parameter in the server’s <Location /> directive in the
/etc/cups/cups.conf file allows access from the client’s IP address.
Firewall rules allow access from the client to the CUPS port on the server.
Procedure
a. Add BrowsePoll parameters for each remote CUPS server you want to poll:
BrowsePoll remote_cups_server.example.com
BrowsePoll 192.0.2.100:1631
Append :<port> to the hostname or IP address if the remote CUPS server listens on a port
different from 631.
b. Optional: Configure a filter to limit which printers are shown in the local CUPS service. For
example, to filter for queues whose name contain sales_, add:
You can filter by different field names, negate the filter, and match the exact values. For
further details, see the parameter description and examples in the cups-browsed.conf(5)
man page.
c. Optional: Change the polling interval and timeout to limit the number of browsing cycles:
23
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
BrowseInterval 1200
BrowseTimeout 6000
Increase both BrowseInterval and BrowseTimeout in the same ratio to avoid situations in
which printers disappear from the browsing list. This mean, multiply the value of
BrowseInterval by 5 or a higher integer, and use this result value for BrowseTimeout.
By default, cups-browsed polls remote servers every 60 seconds and the timeout is 300
seconds. However, on print servers with many queues, these default values can cost many
resources.
Verification
# lpstat -v
device for Demo-printer: implicitclass://Demo-printer/
...
If the output for a printer contains implicitclass, cups-browsed manages the printer in CUPS.
Additional resources
24
CHAPTER 11. ACCESSING THE CUPS LOGS IN THE SYSTEMD JOURNAL
Error messages
Prerequisites
CUPS is installed.
Procedure
# journalctl -u cups
Replace YYYY with the year, MM with the month, and DD with the day.
Additional resources
25
Red Hat Enterprise Linux 9 Configuring and using a CUPS printing server
Prerequisites
CUPS is installed.
Procedure
1. Edit the /etc/cups/cups-files.conf file, and set the AccessLog, ErrorLog, and PageLog
parameters to the paths where you want to store these log files:
AccessLog /var/log/cups/access_log
ErrorLog /var/log/cups/error_log
PageLog /var/log/cups/page_log
2. If you configure CUPS to store the logs in a directory other than /var/log/cups/, set the
cupsd_log_t SELinux context on this directory, for example:
Verification
# cat /var/log/cups/access_log
# cat /var/log/cups/error_log
# cat /var/log/cups/page_log
2. If you configured CUPS to store the logs in a directory other than /var/log/cups/, verify that the
SELinux context on the log directory is cupsd_log_t:
# ls -ldZ /var/log/printing/
drwxr-xr-x. 2 lp sys unconfined_u:object_r:cupsd_log_t:s0 6 Jun 20 15:55 /var/log/printing/
26
CHAPTER 13. ACCESSING THE CUPS DOCUMENTATION
Man pages
References
Specifications
Prerequisites
The IP address of the client you want to use has permissions to access the web interface.
Procedure
2. Expand the entries in Online Help Documents, and select the documentation you want to read.
27