Menu Close
Configuring and using a CUPS printing server
Configure your system to operate as a CUPS server and manage printers, print queues and your printing environment.
Abstract
Providing feedback on Red Hat documentation
We appreciate your input on our documentation. Please let us know how we could make it better.
For simple comments on specific passages:
- Make sure you are viewing the documentation in the Multi-page HTML format. In addition, ensure you see the Feedback button in the upper right corner of the document.
- Use your mouse cursor to highlight the part of text that you want to comment on.
- Click the Add Feedback pop-up that appears below the highlighted text.
- Follow the displayed instructions.
For submitting feedback via Bugzilla, create a new ticket:
- Go to the Bugzilla website.
- As the Component, use Documentation.
- Fill in the Description field with your suggestion for improvement. Include a link to the relevant part(s) of documentation.
- Click Submit Bug.
Chapter 1. Configuring printing
Printing on Red Hat Enterprise Linux 8 is based on the Common Unix Printing System (CUPS).
This documentation describes how to configure your system to be able to operate as a CUPS server.
1.1. Activating the cups service
This section describes how to activate the cups
service on your system.
Prerequisites
The
cups
package, which is available in the Appstream repository, must be installed on your system:# dnf install cups
Procedure
Start the
cups
service:# systemctl start cups
Configure the
cups
service to be automatically started at boot time:# systemctl enable cups
Optionally, check the status of the
cups
service:$ systemctl status cups
1.2. Print settings tools
To achieve various tasks related to printing, you can choose one of the following tools:
- CUPS web user interface (UI)
- GNOME Control center
The Print Settings configuration tool, which was used in Red Hat Enterprise Linux 7, is no longer available.
Tasks that you can achieve by using tools mentioned above include:
- Adding and configuring a new printer
- Maintaining printer configuration
- Managing printer classes
Note that this documentation covers only printing in CUPS web user interface (UI). If you want to print using GNOME Control center, you need to have a GUI available. For more information about printing using GNOME Control center, see Handling printing using GNOME.
1.3. Accessing and configuring the CUPS web UI
This section describes accessing the CUPS web user interface (web UI) and configuring it to be able to manage printing through this interface.
Procedure
To access the CUPS web UI:
Allow the CUPS server to listen to connections from the network by setting
Port 631
in the/etc/cups/cupsd.conf
file:#Listen localhost:631 Port 631
WarningEnabling the CUPS server to listen on port 631 opens this port for any address accessible by the server. Therefore, use this setting only in local networks that are unreachable from an external network. Red Hat doesn’t recommend configuring CUPS server on a publicly accessible server.
Allow your system to access the CUPS server by including the following directive in the
/etc/cups/cupsd.conf
file:<Location /> Allow from <your_ip_address> Order allow,deny </Location>
where <your_ip_address> is the real IP address of your system. You can also use regular expressions for subnets.
WarningThe CUPS configuration offers the
Allow from all
directive in the <Location> tags, but Red Hat recommends using this directive only in trusted networks. The setupAllow from all
enables access for all users who can connect to the server through port 631. If you set thePort
directive to 631, and the server is accessible from an outside network, anyone on the Internet can access the CUPS service on your system.Restart the cups.service:
# systemctl restart cups
Open your browser, and go to
http://<IP_address_of_the_CUPS_server>:631/
.All menus except for the
Administration
menu are now available.If you click on the
Administration
menu, you receive the Forbidden message:To acquire the access to the
Administration
menu, follow the instructions in Acquiring administration access to CUPS web UI.
1.4. Acquiring administration access to the CUPS web UI
This section describes how to acquire administration access to the CUPS web UI.
Procedure
To be able to access the
Administration
menu in the CUPS web UI, include the following lines in the/etc/cups/cupsd.conf
file:<Location /admin> Allow from <your_ip_address> Order allow,deny </Location>
NoteReplace
<your_ip_address>
with the real IP address of your system.To be able to access configuration files in the CUPS web UI, include the following in the
/etc/cups/cupsd.conf
file:<Location /admin/conf> AuthType Default Require user @SYSTEM Allow from <your_ip_address> Order allow,deny </Location>
NoteReplace
<your_ip_address>
with the real IP address of your system.To be able to access log files in the CUPS web UI, include the following in the
/etc/cups/cupsd.conf
file:<Location /admin/log> AuthType Default Require user @SYSTEM Allow from <your_ip_address> Order allow,deny </Location>
NoteReplace
<your_ip_address>
with the real IP address of your system.To specify the use of encryption for authenticated requests in the CUPS web UI, include
DefaultEncryption
in the/etc/cups/cupsd.conf
file:DefaultEncryption IfRequested
With this setting, you will receive an authentication window to enter the username of a user allowed to add printers when you attempt to access the
Administration
menu. However, there are also other options on how to setDefaultEncryption
. For more details, see thecupsd.conf
man page.Restart the
cups
service:# systemctl restart cups
WarningIf you do not restart the
cups
service, the changes in/etc/cups/cupsd.conf
will not be applied. Consequently, you will not be able to obtain administration access to the CUPS web UI.
Additional resources
-
The
cupsd.conf
man page
1.5. Configuring driverless printing
As an administrator, you can configure driverless printing to use printers or remote CUPS queues without any special software.
RHEL 9 provides driverless printing support for following driverless standards:
- IPP Everywhere model in CUPS supports AirPrint, IPP Everywhere and Wi-Fi Direct standards.
- Driverless model in cups-filters supports the same standards as CUPS and in addition also PCLm document format.
These standards use the Internet Printing Protocol (IPP) 2.0 or higher to communicate the printer setup, and eliminate the need to install specific drivers for specific printers. To use the printer without a specific driver, you need to have a printer, which supports one of the driverless standards. To determine if your printer supports a driverless standard, choose one of the following options:
- Refer to the printer specification, and search for a driverless standard support or ask your vendor.
- Search for certified printers.
- Determine the driverless support based on the attributes of a printer with the ipptool command.
To install a print queue on the client with IPP Everywhere model, which points to a queue on the print server, you need to have both your remote print server and your client with RHEL 8.6 installation or newer.
You can verify the driverless support based on the attributes of a print server with the ipptool command.
1.5.1. Determining printer attributes using ipptool
To determine if your printer or print server supports a driverless standard, you can inspect your printer attributes using the ipptool
command available in the ipptool
package.
Procedure
Display attributes of a printer or a print server:
$ ipptool -tv <URI> get-printer-attributes.test
NoteReplace <URI> with the URI of your printer, for example
ipp://<hostname_or_IP_address>:631/ipp/print
for printers oripp://<hostname_or_IP_address>:631/printers/<remote_print_queue>
for remote print queues from print servers.
Your printer or print server supports driverless printing if:
-
the
ipp-version-supported
attribute contains2.0
or higher for IPP protocol 2.0, and -
the
document-format-supported
attribute contains one of the supported document formats listed in the driverless printing standards.
1.5.2. Adding a driverless printer in CUPS web UI
Since RHEL 8.6, you can add a driverless printer in the CUPS web UI and use it to print directly from an application to network printers or print servers using CUPS, without installing any specific drivers or software for specific printers.
Prerequisites
- You have administration access to the CUPS web UI as described in Acquiring administration access to CUPS web UI.
- Your printer or print server has the IPP Everywhere standard implementation.
- Open IPP port: port 631 for IPP, or port 443 for secure printing with IPPS.
-
Enable the
ipp
andipp-client
communication in the firewall of the print server. - If your destination is another CUPS server, allow remote access on the remote server, or if you are using a network printer, open the web user interface, search for IPP related settings: IPP or AirPrint, and enable those settings.
Procedure
- Start the CUPS web UI as described in Accessing and configuring the CUPS.
-
In your browser, go to
localhost:631
and select theAdministration
tab. Under
Printers
clickAdd printer
.Authenticate with your username and password:
ImportantTo be able to add a new printer by using the CUPS web UI, you must authenticate as a user who belongs to a group defined by the SystemGroup directive in
/etc/cups/cups-files
. The default groups are:- root
- sys
- wheel
In the
Administrator
tab, underAdd Printer
, select one of the options:-
Internet Printing Protocol (ipp)
or Internet Printing Protocol (ipps)
option, and clickContinue
.
-
In the
Connection
field, enter the URI of your device and clickContinue
.NoteThe URI consists of the following parts:
-
protocol
ipp://
oripps://
if printer or print server supports encryption, - hostname or IP address of the printer,
- port,
resource part
/ipp/print
for printers, or/printers/<remote_queue_name>
for remote CUPS queues.For example:
ipp://myprinter.mydomain:631/ipp/print
oripp://myserver.mydomain:631/printers/myqueue
.
-
protocol
Add details about the new printer: name, description and location. To set a printer to be shared over the network, check the
Share This Printer
checkbox.Note'Name' is the only required field, other fields are optional.
From the
Make
dropdown menu, select the printer manufacturer, and clickContinue
.To proceed with the installation of a driverless printer, from the dropdown menu, select
IPP Everywhere
, and clickAdd Printer
.After adding the new printer, you can set the default print options of your choice.
The last window confirms that you set the driverless printer and it is ready to use.

1.6. Adding a printer with a classic driver in the CUPS web UI
This section describes how to add a new printer using the CUPS web user interface.
Prerequisites
- You have administration access to the CUPS web UI as described in Acquiring administration access to CUPS web UI.
Procedure
- Start the CUPS web UI as described in Starting CUPS web UI
-
In your browser, go to
localhost:631
and select theAdministration
tab. Under
Printers
clickAdd printer
.Authenticate by username and password:
ImportantTo be able to add a new printer by using the CUPS web UI, you must authenticate as a user who belongs to groups defined by SystemGroup directive in
/etc/cups/cups-files
.Default groups:
- root
- sys
- wheel
If a local printer is connected, or CUPS finds a network printer available, select the printer. If neither local printer nor network printer is available, select one of the printer types from
Other Network Printers
, for example APP Socket/HP Jet direct, enter the IP address of the printer, and then clickContinue
.If you have selected for example APP Socket/HP Jet direct as shown above, enter the IP address of the printer, and then click
Continue
.You can add more details about the new printer, such as the name, description and location. To set a printer to be shared over the network, check the
Share This Printer
checkbox.Select the printer manufacturer, and then click
Continue
.Alternatively, you can provide a postscript printer description (PPD) file to be used as a driver for the printer, by clicking the
Browse…
button at the bottom.Select the model of the printer, and then click
Add Printer
.After the printer has been added, the next window allows you to set the default print options.
After clicking Set Default Options
, you will receive a confirmation that the new printer has been added successfully.

Verification steps
Print a test page especially if you have set up a printer:
Go to
Printers
menu, and clickMaintenance
→Print Test Page
.
1.7. Configuring a printer in the CUPS web UI
This section describes how to configure a new printer, and how to maintain a configuration of a printer using the CUPS web UI.
Prerequisites
- You have administration access to the CUPS web UI as described in Acquiring administration access to CUPS web UI.
Procedure
Click the
Printers
menu to see available printers that you can configure.Choose one printer that you want to configure.
Perform your selected task by using one of the available menus:
Choose
Maintenance
from the first drop-down menu.Choose
Administration
from the second drop-down menu.-
You can also check completed print jobs or all active print jobs by clicking the
Show Completed Jobs
orShow All Jobs
buttons.
Verification steps
Print a test page especially if you have changed a printer configuration:
Go to
Printers
menu, and clickMaintenance
→Print Test Page
.
1.8. Setting print options using the CUPS web UI
This section describes how to set common print options, such as the media size and type, print quality or the color mode, in the CUPS web UI.
Prerequisites
You have administration access to the CUPS web UI as described in Acquiring administration access to CUPS web UI.
Procedure
Go to
Administration
menu, and clickMaintenance
→Set Default Options
.Set the print options.
1.9. Installing certificates for a print server
To install certificates for a print server, you can choose one of the following options:
- Automatic installation using a self-signed certificate
- Manual installation using a certificate and a private key generated by a Certification Authority
Prerequisites
For the cupsd daemon on the server:
Set the following directive in the
/etc/cups/cupsd.conf
file to:Encryption Required
Restart the cups service:
$ sudo systemctl restart cups
Automatic installation using a self-signed certificate
With this option, CUPS generates the certificate and the key automatically.
The self-signed certificate does not provide as strong security as certificates generated by Identity Management (IdM), Active Directory (AD), or Red Hat Certificate System (RHCS) Certification Authorities, but it can be used for print servers located within a secure local network.
Procedure
To access the CUPS Web UI, open your browser and go to
https://<server>:631
where <server> is either the server IP address or the server host name.
NoteWhen CUPS connects to a system for the first time, the browser shows a warning about the self-signed certificate being a potential security risk.
To confirm that it is safe to proceed, click the
Advanced…
button.Click
Accept the Risk and Continue
button.
CUPS now starts to use the self-generated certificate and the key.
When you access the CUPS Web UI after an automatic installation, the browser displays a warning icon in the address bar. This is because you added the security exception by confirming the security risk warning. If you want to remove this warning icon permanently, perform the manual installation with a certificate and a private key generated by a Certification Authority.
Manual installation using a certificate and a private key generated by a Certification Authority
For print servers located within a public network or to permanently remove the warning in the browser, import the certificate and the key manually.
Prerequisites
- You have certificate and private key files generated by IdM, AD, or by RHCS Certification Authorities.
Procedure
-
Copy the
.crt
and.key
files into the/etc/cups/ssl
directory of the system on which you want to use the CUPS Web UI. Rename the copied files to
<hostname>.crt
and<hostname>.key
.Replace <hostname> with the host name of the system to which you want to connect the CUPS Web UI.
Set the following permissions to the renamed files:
-
# chmod 644 /etc/cups/ssl/<hostname>.crt
-
# chmod 644 /etc/cups/ssl/<hostname>.key
-
# chown root:root /etc/cups/ssl/<hostname>.crt
-
# chown root:root /etc/cups/ssl/<hostname>.key
-
Restart the cups service:
-
# systemctl restart cupsd
-
1.10. Using Samba to print to a Windows print server with Kerberos authentication
With the samba-krb5-printing
wrapper, Active Directory (AD) users who are logged in to Red Hat Enterprise Linux can authenticate to Active Directory (AD) by using Kerberos and then print to a local CUPS print server that forwards the print job to a Windows print server.
The benefit of this configuration is that the administrator of CUPS on Red Hat Enterprise Linux does not need to store a fixed user name and password in the configuration. CUPS authenticates to AD with the Kerberos ticket of the user that sends the print job.
This section describes how to configure CUPS for this scenario.
Red Hat only supports submitting print jobs to CUPS from your local system, and not to re-share a printer on a Samba print server.
Prerequisites
- The printer that you want to add to the local CUPS instance is shared on an AD print server.
- You joined the Red Hat Enterprise Linux host as a member to the AD.
-
CUPS is installed on Red Hat Enterprise Linux and the
cups
service is running. For details, see Activating CUPS service. -
The PostScript Printer Description (PPD) file for the printer is stored in the
/usr/share/cups/model/
directory.
Procedure
Install the
samba-krb5-printing
,samba-client
, andkrb5-workstation
packages:# dnf install samba-krb5-printing samba-client krb5-workstation
Optional: Authenticate as a domain administrator and display the list of printers that are shared on the Windows print server:
# smbclient -L win_print_srv.ad.example.com -U administrator@AD_KERBEROS_REALM --use-kerberos=required Sharename Type Comment --------- ---- ------- ... Example Printer Example ...
Optional: Display the list of CUPS models to identify the PPD name of your printer:
lpinfo -m ... samsung.ppd Samsung M267x 287x Series PXL ...
You require the name of the PPD file when you add the printer in the next step.
Add the printer to CUPS:
# lpadmin -p "example_printer" -v smb://win_print_srv.ad.example.com/Example -m samsung.ppd -o auth-info-required=negotiate -E
The command uses the following options:
-
-p printer_name
sets the name of the printer in CUPS. -
-v URI_to_Windows_printer
sets the URI to the Windows printer. Use the following format:smb://host_name/printer_share_name
. -
-m PPD_file
sets the PPD file the printer uses. -
-o auth-info-required=negotiate
configures CUPS to use Kerberos authentication when it forwards print jobs to the remote server. -
-E
enables the printer and CUPS accepts jobs for the printer.
-
Verification steps
- Log into the Red Hat Enterprise Linux host as an AD domain user.
Authenticate as an AD domain user:
# kinit domain_user_name@AD_KERBEROS_REALM
Print a file to the printer you added to the local CUPS print server:
# lp -d example_printer file
1.11. Working with CUPS logs
1.11.1. Types of CUPS logs
CUPS provides three different kinds of logs:
- Error log - Stores error messages, warnings and debugging messages.
- Access log - Stores messages about how many times CUPS clients and web UI have been accessed.
- Page log - Stores messages about the total number of pages printed for each print job.
In Red Hat Enterprise Linux 8, all three types are logged centrally in systemd-journald
together with logs from other programs.
In Red Hat Enterprise Linux 8, the logs are no longer stored in specific files within the /var/log/cups
directory, which was used in Red Hat Enterprise Linux 7.
1.11.2. Accessing all CUPS logs
You can list all CUPS logs available in systemd-journald
.
Procedure
- Filter CUPS logs:
$ journalctl -u cups
1.11.3. Accessing CUPS logs for a specific print job
If you need to find a CUPS log for a specific print job, you can do it by filtering the logs using the number of a print job.
Procedure
- Filter logs for a specific print job:
$ journalctl -u cups JID=N
Where N
is a number of a print job.
1.11.4. Accessing CUPS logs by specific time frame
If you need to access CUPS logs during a certain time period, you can filter the logs in systemd-journald
.
Procedure
- Filter logs within the specified time frame:
$ journalctl -u cups --since=YYYY-MM-DD --until=YYYY-MM-DD
Where YYYY
is year, MM
is month and DD
is day.
Additional resources
-
The
journalctl(1)
man page
1.11.5. Configuring the CUPS log location
This section describes how to configure the location of CUPS logs.
In Red Hat Enterprise Linux 8, CUPS logs are by default logged into systemd-journald, which is ensured by the following default setting in the /etc/cups/cups-files.conf
file:
ErrorLog syslog
Red Hat recommends keeping the default location of CUPS logs.
If you want to send the logs into a different location, you need to change the settings in the /etc/cups/cups-files.conf
file as follows:
ErrorLog <your_required_location>
If you change the default location of CUPS log, you might experience SELinux issues.