Chapter 8. Configuring printing

Printing on Red Hat Enterprise Linux 8 is based on the Common Unix Printing System (CUPS).

This documentation describes how to configure a machine to be able to operate as a CUPS server.

8.1. Activating the cups service

This section describes how activate the cups service on your system.

Prerequisites

  • The cups package, which is available in the Appstream repository, must be installed on your system:

    # yum install cups

Procedure

  1. Start the cups service:

    # systemctl start cups
  2. Configure the cups service to be automatically started at boot time:

    # systemctl enable cups
  3. Optionally, check the status of the cups service:

    $ systemctl status cups

8.3. Accessing and configuring the CUPS web UI

This section describes how to access the CUPS web UI and how to configure it to be able to manage printing through this interface.

To access the CUPS web UI:

  1. Allow the CUPS server to listen for connections from network by setting Port 631 in the /etc/cups/cupsd.conf file:

    #Listen localhost:631
    Port 631
  2. Allow your machine to access the CUPS server by including the following in the /etc/cups/cupsd.conf file:

    <Location />
    Allow from <your_ip_address>
    Order allow,deny
    </Location>
    Note

    Replace <your_ip_address> with the real IP address of your system.

  3. Restart the cups.service:

    # systemctl restart cups
  4. Open you browser, and go to http://<IP_address_of_the_CUPS_server>:631/.
cups ui intro

All menus except for the Administration menu are now available.

If you click on the Administration menu, you receive the Forbidden message:

forbidden message

To acquire the access to the Administration menu, follow the instructions in Section 8.3.1, “Acquiring administration access to the CUPS web UI”.

8.3.1. Acquiring administration access to the CUPS web UI

This section describes how to acquire administration access to the CUPS web UI.

Procedure

  1. To be able to access the Administation menu in the CUPS web UI, include the following in the /etc/cups/cupsd.conf file:

    <Location /admin>
    Allow from <your_ip_address>
    Order allow,deny
    </Location>
    Note

    Replace <your_ip_address> with the real IP address of your system.

  2. To be able to access configuration files in the CUPS web UI, include the following in the /etc/cups/cupsd.conf file:

    <Location /admin/conf>
    AuthType Default
    Require user @SYSTEM
    Allow from <your_ip_address>
    Order allow,deny
    </Location>
    Note

    Replace <your_ip_address> with the real IP address of your system.

  3. To be able to access log files in the CUPS web UI, include the following in the /etc/cups/cupsd.conf file:

    <Location /admin/log>
    AuthType Default
    Require user @SYSTEM
    Allow from <your_ip_address>
    Order allow,deny
    </Location>
    Note

    Replace <your_ip_address> with the real IP address of your system.

  4. To specify the use of encryption for authenticated requests in the CUPS web UI, include DefaultEncryption in the /etc/cups/cupsd.conf file:

    DefaultEncryption IfRequested

    With this setting, you will receive an authentication window to enter the username of a user allowed to add printers when you attempt to access the Administration menu. However, there are also other options how to set DefaultEncryption. For more details, see the cupsd.conf man page.

  5. Restart the cups service:

    # systemctl restart cups
    Warning

    If you do not restart the cups service, the changes in /etc/cups/cupsd.conf will not be applied. Consequently, you will not be able to obtain administration access to the CUPS web UI.

Additional resources

  • For more information on how to configure a CUPS server using the /etc/cups/cupsd.conf file, see the cupsd.conf man page.

8.4. Adding a printer in the CUPS web UI

This section describes how to add a new printer using the CUPS web user interface.

Prerequisites

You have acquired administration access to the CUPS web UI as described in Section 8.3.1, “Acquiring administration access to the CUPS web UI”.

Procedure

  1. Start the CUPS web UI as described in Section 8.3, “Accessing and configuring the CUPS web UI”
  2. Go to Adding Printers and Classes - Add printer

    add printer in cups ui 1
    add printer in cups ui 2
  3. Authenticate by username and password:

    add printer in cups ui auth n
    Important

    To be able to add a new printer by using the CUPS web UI, you must authenticate as one of the following users:

    • Superuser
    • Any user with the administration access provided by the sudo command (users listed within /etc/sudoers)
    • Any user belonging to the printadmin group in /etc/group
  4. If a local printer is connected, or CUPS finds a network printer available, select the printer. If neither local printer nor network printer is available, select one of the printer types from Other Network Printers, for example APP Socket/HP Jet direct, enter the IP address of the printer, and then click Continue.

    add printer in cups ui 4 new
  5. If you have selected for example APP Socket/HP Jet direct as shown above, enter the IP address of the printer, and then click Continue.

    add printer in cups ui 5 new
  6. You can add more details about the new printer, such as the name, description and location. To set a printer to be shared over the network, use Share This Printer as shown below.

    add printer in cups ui 6 new
  7. Select the printer manufacturer, and then click Continue.

    add printer in cups ui 7 new

    Alternatively, you can also provide a postscript printer description (PPD) file to be used as a driver for the printer, by click on Browse…​ at the bottom.

  8. Select the model of the printer, and then click Add Printer.

    add printer in cups ui 8 new
  9. After the printer has been added, the next window allows you to set the default print options.

    cups web ui set defaults n2

After clicking Set Default Options, you will receive a confirmation that the new printer has been added successfully.

add printer in cups ui final confirm

8.5. Configuring a printer in the CUPS web UI

This section describes how to configure a new printer, and how to maintain a configuration of a printer using the CUPS web UI.

Prerequisites

You have acquired administration access to the CUPS web UI as described in Section 8.3.1, “Acquiring administration access to the CUPS web UI”.

Procedure

  1. Click the Printers menu to see available printers that you can configure.

    conf printer cups 1
  2. Choose one printer that you want to configure.

    conf printer cups 2
  3. Perform your selected task by using one of the available menus:

    • Go to Maintenance for maintenance tasks.

      conf printer cups 3
    • Go to Administration for administration tasks.

      conf printer cups 4
    • You can also check completed print jobs or all active print jobs by clicking the Show Completed Jobs or Show All Jobs buttons.

8.6. Printing a test page using the CUPS web UI

This section describes how to print a test page to make sure that the printer functions properly.

You might want to print a test page if one of the below conditions is met.

  • A printer has been set up.
  • A printer configuration has been changed.

Prerequisites

You have acquired administration access to the CUPS web UI as described in Section 8.3.1, “Acquiring administration access to the CUPS web UI”.

Procedure

  • Go to Printers menu, and click MaintenancePrint Test Page.

    printing test page cups web ui

8.7. Setting print options using the CUPS web UI

This section describes how to set common print options, such as the media size and type, print quality or the color mode, in the CUPS web UI.

Prerequisites

You have acquired administration access to the CUPS web UI as described in Section 8.3.1, “Acquiring administration access to the CUPS web UI”.

Procedure

  1. Go to Administration menu, and click MaintenanceSet Default Options.

    cups web ui set defaults n1
  2. Set the print options.

    cups web ui set defaults n2

8.8. Installing certificates for a print server

To install certificates for a print server, you can choose one of the following options:

  • Automatic installation using a self-signed certificate
  • Manual installation using a certificate and a private key generated by a Certification Authority

Prerequisites

For the cupsd daemon on the server:

  1. Set the following directive in the /etc/cups/cupsd.conf file to:

    Encryption Required

  2. Restart the cups service:

    $ sudo systemctl restart cups

Automatic installation using a self-signed certificate

With this option, CUPS generates the certificate and the key automatically.

Note

The self-signed certificate does not provide as strong security as certificates generated by Identity Management (IdM), Active Directory (AD), or Red Hat Certificate System (RHCS) Certification Authorities, but it can be used for print servers located within a secure local network.

Procedure

  1. To access the CUPS Web UI, open your browser and go to https://<server>:631

    where <server> is either the server IP address or the server host name.

    Note

    When CUPS connects to a system for the first time, the browser shows a warning about the self-signed certificate being a potential security risk.

  2. To confirm that it is safe to proceed, click Advanced…​.

    cups ui certificate warning
  3. Click Accept the Risk and Continue.

    cups ui certificate warning2

CUPS now starts to use the self-generated certificate and the key.

Note

When you access the CUPS Web UI after automatic installation, the browser displays a warning icon in the address bar. This is because you added the security exception by confirming the security risk warning. If you want to remove this warning icon permanently, perform the manual installation with a certificate and a private key generated by a Certification Authority.

Manual installation using a certificate and a private key generated by a Certification Authority

For print servers located within a public network or to permanently remove the warning in the browser, import the certificate and the key manually.

Prerequisites

  • You have certificate and private key files generated by IdM, AD, or by RHCS Certification Authorities.

Procedure

  1. Copy the .crt and .key files into the /etc/cups/ssl directory of the system on which you want to use the CUPS Web UI.
  2. Rename the copied files to <hostname>.crt and <hostname>.key.

    Replace <hostname> with the host name of the system to which you want to connect the CUPS Web UI.

  3. Set the following permissions to the renamed files:

    • # chmod 644 /etc/cups/ssl/<hostname>.crt
    • # chmod 644 /etc/cups/ssl/<hostname>.key
    • # chown root:root /etc/cups/ssl/<hostname>.crt
    • # chown root:root /etc/cups/ssl/<hostname>.key
  4. Restart the cups service:

    • # systemctl restart cupsd

8.9. Using Samba to print to a Windows print server with Kerberos authentication

With the samba-krb5-printing wrapper, Active Directory (AD) users who are logged in to Red Hat Enterprise Linux can authenticate to Active Directory (AD) by using Kerberos and then print to a local CUPS print server that forwards the print job to a Windows print server.

The benefit of this configuration is that the administrator of CUPS on Red Hat Enterprise Linux does not need to store a fixed user name and password in the configuration. CUPS authenticates to AD with the Kerberos ticket of the user that sends the print job.

This section describes how to configure CUPS for this scenario.

Note

Red Hat only supports submitting print jobs to CUPS from your local system, and not to re-share a printer on a Samba print server.

Prerequisites

  • The printer that you want to add to the local CUPS instance is shared on an AD print server.
  • You joined the Red Hat Enterprise Linux host as a member to the AD. For details, see Section 2.5.1, “Joining Samba to a Domain”.
  • CUPS is installed on Red Hat Enterprise Linux and the cups service is running. For details, see Section 8.1, “Activating the cups service”.
  • The PostScript Printer Description (PPD) file for the printer is stored in the /usr/share/cups/model/ directory.

Procedure

  1. Install the samba-krb5-printing, samba-client, and krb5-workstation packages:

    # yum install samba-krb5-printing samba-client krb5-workstation
  2. Optional: Authenticate as a domain administrator and display the list of printers that are shared on the Windows print server:

    # kinit administrator@AD_KERBEROS_REALM
    # smbclient -L win_print_srv.ad.example.com -k
    
    	Sharename       Type      Comment
    	---------       ----      -------
    	...
    	Example         Printer   Example
    	...
  3. Optional: Display the list of CUPS models to identify the PPD name of your printer:

    lpinfo -m
    ...
    samsung.ppd Samsung M267x 287x Series PXL
    ...

    You require the name of the PPD file when you add the printer in the next step.

  4. Add the printer to CUPS:

    # lpadmin -p "example_printer" -v smb://win_print_srv.ad.example.com/Example -m samsung.ppd -o auth-info-required=negotiate -E

    The command uses the following options:

    • -p printer_name sets the name of the printer in CUPS.
    • -v URI_to_Windows_printer sets the URI to the Windows printer. Use the following format: smb://host_name/printer_share_name.
    • -m PPD_file sets the PPD file the printer uses.
    • -o auth-info-required=negotiate configures CUPS to use Kerberos authentication when it forwards print jobs to the remote server.
    • -E enables the printer and CUPS accepts jobs for the printer.

Verification steps

  1. Log into the Red Hat Enterprise Linux host as an AD domain user.
  2. Authenticate as an AD domain user:

    # kinit domain_user_name@AD_KERBEROS_REALM
  3. Print a file to the printer you added to the local CUPS print server:

    # lp -d example_printer file

8.10. Working with CUPS logs

8.10.1. Types of CUPS logs

CUPS provides three different kinds of logs:

  • Error log - Stores error messages, warnings and debugging messages.
  • Access log - Stores messages about how many times CUPS clients and web UI have been accessed.
  • Page log - Stores messages about the total number of pages printed for each print job.

In Red Hat Enterprise Linux 8, all three types are logged centrally in systemd-journald together with logs from other programs.

Warning

In Red Hat Enterprise Linux 8, the logs are no longer stored in specific files within the /var/log/cups directory, which was used in Red Hat Enterprise Linux 7.

8.10.2. Accessing CUPS logs

This section describes how to access:

  • All CUPS logs
  • CUPS logs for a specific print job
  • CUPS logs within a specific time frame

8.10.2.1. Accessing all CUPS logs

Procedure

  • Filter CUPS logs from systemd-journald:
$ journalctl -u cups

8.10.2.2. Accessing CUPS logs for a specific print job

Procedure

  • Filter logs for a specific print job:
$ journalctl -u cups JID=N

Where N is a number of a print job.

8.10.2.3. Accessing CUPS logs by specific time frame

Procedure

  • Filter logs within the specified time frame:
$ journalctl -u cups --since=YYYY-MM-DD --until=YYYY-MM-DD

Where YYYY is year, MM is month and DD is day.

8.10.3. Configuring the CUPS log location

This section describes how to configure the location of CUPS logs.

In Red Hat Enterprise Linux 8, CUPS logs are by default logged into systemd-journald, which is ensured by the following default setting in the /etc/cups/cups-files.conf file:

ErrorLog syslog
Important

Red Hat recommends to keep the default location of CUPS logs.

If you want to send the logs into a different location, you need to change the settings in the /etc/cups/cups-files.conf file as follows:

ErrorLog <your_required_location>
Warning

If you change the default location of CUPS log, you may experience an unexpected behavior or SELinux issues.

context: configuring-printing

context: Deploying-different-types-of-servers