CUPS 共享打印机在 Windows 计算机上存在身份验证和 SSL 连接问题

Question 1

经过一周的努力解决这个问题后，我找到了一个解决办法。

在 Windows 10 1903 更新中，添加带有身份验证的打印机时出现问题。您必须先设置端口，甚至在添加打印机之前，之后您就可以毫无问题地添加它。您可以编辑和运行的漂亮脚本在这里

或者您可以通过配置寄存器手动添加它，请参阅第二个链接。成功添加端口和打印机后（不会要求您提供任何凭据），转到打印机设置、端口设置并使用提供的凭据配置端口。没有它们，您将无法打印。

其次，您必须在 cupsd.conf 中授予对每个位置的访问权限，无需身份验证，甚至包括“/”和“/printers”。之后，创建策略限制<Limit Get-Printer-Attributes>，并且根本不需要在那里进行身份验证。然后在<Limit Cancel-Job CUPS-Authenticate-Job>和中启用身份验证<Limit Create-Job Print-Job Print-URI Validate-Job>。

如果您尝试使用自签名证书，请点击链接在 Windows 中添加自签名证书。不要忘记将此证书添加到“受信任的根第三方证书”中

当您将 IPP 打印机添加到 Windows 时，您必须面对更多存在问题的来源 Windows 上的 Cups 身份验证问题 Windows 上的 Cups 身份验证问题

我的 cupsd.conf（匿名）

LogLevel debug
PageLogFormat
MaxLogSize 0

SSLPort 636
SSLListen *:636

Browsing On
BrowseLocalProtocols dnssd
BrowseAllow All

DefaultAuthType Basic

WebInterface yes


DefaultEncryption required

ServerKey /etc/cups/ssl/server.key
ServerCertificate /etc/cups/ssl/server.crt

ServerAlias hostname.my_domain.net


# Restrict access to the server...
<Location />
  Order allow,deny
  Allow 192.168.X1.*
  Allow 192.168.X2.*
  Allow localhost 
</Location>

<Location /printers>
  Order allow,deny
  Allow 192.168.X1.*
  Allow 192.168.X2.*
  Allow localhost
</Location>


# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow localhost
  Deny all
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Allow localhost
  Order allow,deny
</Location>

# Restrict access to log files...
<Location /admin/log>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
    Allow all
    AuthType Basic
    Require user @SYSTEM cups_print
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @CUPS_DEFAULT_PRINTOPERATOR_AUTH@ cups_print
    AuthType Basic
    Order deny,allow
  </Limit>

  <Limit Get-Printer-Attributes>
    Order allow,deny
    Allow all
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Basic
    Require user @SYSTEM cups_print
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Require user @OWNER @CUPS_DEFAULT_PRINTOPERATOR_AUTH@ cups_print
    Order deny,allow
  </Limit>

  <Limit Get-Printer-Attributes>
    Order allow,deny
    Allow all
   </Limit>


  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

Answer

经过一周的努力解决这个问题后，我找到了一个解决办法。

在 Windows 10 1903 更新中，添加带有身份验证的打印机时出现问题。您必须先设置端口，甚至在添加打印机之前，之后您就可以毫无问题地添加它。您可以编辑和运行的漂亮脚本在这里

添加打印机 https 和 auth 的说明

修改寄存器并添加端口的脚本

或者您可以通过配置寄存器手动添加它，请参阅第二个链接。成功添加端口和打印机后（不会要求您提供任何凭据），转到打印机设置、端口设置并使用提供的凭据配置端口。没有它们，您将无法打印。

其次，您必须在 cupsd.conf 中授予对每个位置的访问权限，无需身份验证，甚至包括“/”和“/printers”。之后，创建策略限制<Limit Get-Printer-Attributes>，并且根本不需要在那里进行身份验证。然后在<Limit Cancel-Job CUPS-Authenticate-Job>和中启用身份验证<Limit Create-Job Print-Job Print-URI Validate-Job>。

如果您尝试使用自签名证书，请点击链接在 Windows 中添加自签名证书。不要忘记将此证书添加到“受信任的根第三方证书”中

当您将 IPP 打印机添加到 Windows 时，您必须面对更多存在问题的来源 Windows 上的 Cups 身份验证问题 Windows 上的 Cups 身份验证问题

我的 cupsd.conf（匿名）

LogLevel debug
PageLogFormat
MaxLogSize 0

SSLPort 636
SSLListen *:636

Browsing On
BrowseLocalProtocols dnssd
BrowseAllow All

DefaultAuthType Basic

WebInterface yes


DefaultEncryption required

ServerKey /etc/cups/ssl/server.key
ServerCertificate /etc/cups/ssl/server.crt

ServerAlias hostname.my_domain.net


# Restrict access to the server...
<Location />
  Order allow,deny
  Allow 192.168.X1.*
  Allow 192.168.X2.*
  Allow localhost 
</Location>

<Location /printers>
  Order allow,deny
  Allow 192.168.X1.*
  Allow 192.168.X2.*
  Allow localhost
</Location>


# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow localhost
  Deny all
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Allow localhost
  Order allow,deny
</Location>

# Restrict access to log files...
<Location /admin/log>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
    Allow all
    AuthType Basic
    Require user @SYSTEM cups_print
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @CUPS_DEFAULT_PRINTOPERATOR_AUTH@ cups_print
    AuthType Basic
    Order deny,allow
  </Limit>

  <Limit Get-Printer-Attributes>
    Order allow,deny
    Allow all
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Basic
    Require user @SYSTEM cups_print
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Require user @OWNER @CUPS_DEFAULT_PRINTOPERATOR_AUTH@ cups_print
    Order deny,allow
  </Limit>

  <Limit Get-Printer-Attributes>
    Order allow,deny
    Allow all
   </Limit>


  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

Question 2

警告

对于 cups 2.2.1 及更高版本，cupsd.conf 中使用的 ServerCertificate 和 ServerKey 指令已被撤销。

除非在 cups-files.conf 中将指令 CreateSelfSignedCerts 设置为“no”，否则 cups 将使用名称 ${HOSTNAME}.crt 和 ${HOSTNAME}.key 生成自己的自签名证书

证书的默认路径仍然是 cups_root + ssl 目录，但可以使用 cups-files.conf 中的指令 ServerKeyChain 进行更改。

因此，如果您有自己的证书（自签名或权威签名），则必须将它们复制到 ssl 目录中，名称为 ${HOSTNAME}.crt 和 ${HOSTNAME}.key，否则端口 631 上的 https 连接将失败，并且 /var/log/cups/error.log 包含多行抱怨无法读取证书文件的内容。

Answer

警告

对于 cups 2.2.1 及更高版本，cupsd.conf 中使用的 ServerCertificate 和 ServerKey 指令已被撤销。

除非在 cups-files.conf 中将指令 CreateSelfSignedCerts 设置为“no”，否则 cups 将使用名称 ${HOSTNAME}.crt 和 ${HOSTNAME}.key 生成自己的自签名证书

证书的默认路径仍然是 cups_root + ssl 目录，但可以使用 cups-files.conf 中的指令 ServerKeyChain 进行更改。

因此，如果您有自己的证书（自签名或权威签名），则必须将它们复制到 ssl 目录中，名称为 ${HOSTNAME}.crt 和 ${HOSTNAME}.key，否则端口 631 上的 https 连接将失败，并且 /var/log/cups/error.log 包含多行抱怨无法读取证书文件的内容。

CUPS 共享打印机在 Windows 计算机上存在身份验证和 SSL 连接问题

答案1

答案2

相关内容