Red Hat Summit Red Hat Summitサポートコンソール開発者トライアルの開始お問い合わせ

Configuring and using a CUPS printing server

Red Hat Enterprise Linux 10

Configure your system to operate as a CUPS server and manage printers, print queues and your printing environment

Red Hat Customer Content Services

概要

The Common Unix Printing System (CUPS) manages printing on {ProductName}. Users configure printers in CUPS on their host to print. Additionally, you can share printers in CUPS to use the host as a print server.
CUPS supports printing to:
  • AirPrint™ and IPP Everywhere™ printers
  • Network and local USB printers with printer applications
  • Network and local USB printers with legacy PostScript Printer Description (PPD)-based drivers

Providing feedback on Red Hat documentation
リンクのコピー

We appreciate your feedback on our documentation. Let us know how we can improve it.

Submitting feedback through Jira (account required)

  1. Log in to the Jira website.
  2. Click Create in the top navigation bar
  3. Enter a descriptive title in the Summary field.
  4. Enter your suggestion for improvement in the Description field. Include links to the relevant parts of the documentation.
  5. Click Create at the bottom of the dialogue.

第1章 Installing and configuring CUPS
リンクのコピー

You can use CUPS to print from a local host. You can also use this host to share printers in the network and act as a print server.

Procedure

  1. Install the cups package: 

    # dnf install cups

  2. If you configure CUPS as a print server, edit the /etc/cups/cupsd.conf file, and make the following changes:

    1. If you want to remotely configure CUPS or use this host as a print server, configure on which IP addresses and ports the service listens: 

      Listen 192.0.2.1:631
Listen [2001:db8:1::1]:631

      By default, CUPS listens only on localhost interfaces (127.0.0.1 and ::1). Specify IPv6 addresses in square brackets.

      重要

      Do not configure CUPS to listen on interfaces that allow access from untrustworthy networks, such as the internet.

    2. Configure which IP ranges can access the service by allowing the IP ranges in the <Location /> directive: 

      <Location />
  Allow from 192.0.2.0/24
  Allow from [2001:db8:1::1]/32
  Order allow,deny
</Location>

    3. In the <Location /admin> directive, configure which IP addresses and ranges can access the CUPS administration services: 

      <Location /admin>
  Allow from 192.0.2.15/32
  Allow from [2001:db8:1::22]/128
  Order allow,deny
</Location>

      With these settings, only the hosts with the IP addresses 192.0.2.15 and 2001:db8:1::22 can access the administration services.

    4. Optional: Configure IP addresses and ranges that are allowed to access the configuration and log files in the web interface: 

      <Location /admin/conf>
  Allow from 192.0.2.15/32
  Allow from [2001:db8:1::22]/128
  ...
</Location>

<Location /admin/log>
  Allow from 192.0.2.15/32
  Allow from [2001:db8:1::22]/128
  ...
</Location>

  3. If you run the firewalld service and want to configure remote access to CUPS, open the CUPS port in firewalld: 

    # firewall-cmd --permanent --add-port=631/tcp
# firewall-cmd --reload

    If you run CUPS on a host with multiple interfaces, consider limiting the access to the required networks.

  4. Enable and start the cups service: 

    # systemctl enable --now cups

Verification

  • Use a browser, and access http://<hostname>:631. If you can connect to the web interface, CUPS works.

    Note that certain features, such as the Administration tab, require authentication and an HTTPS connection. By default, CUPS uses a self-signed certificate for HTTPS access and, consequently, the connection is not secure when you authenticate.

第2章 Configuring TLS encryption on a CUPS server
リンクのコピー

CUPS supports TLS-encrypted connections and, by default, the service enforces encrypted connections for all requests that require authentication. If no certificates are configured, CUPS creates a private key and a self-signed certificate. This is only sufficient if you access CUPS from the local host itself. For a secure connection over the network, use a server certificate that is signed by a certificate authority (CA).

警告

Without encryption or with a self-signed certificates, a man-in-the-middle (MITM) attack can disclose sensitive data, for example:

  • Credentials of administrators when configuring CUPS by using the web interface
  • Confidential data when sending print jobs over the network

Prerequisites

  • CUPS is configured.
  • You created a private key, and a CA issued a server certificate for it.
  • If an intermediate certificate is required to validate the server certificate, append the intermediate certificate to the server certificate.
  • The private key is not protected by a password because CUPS provides no option to enter the password when the service reads the key.

  • The Canonical Name (CN) or Subject Alternative Name (SAN) field in the certificate matches one of the following:

    • The fully-qualified domain name (FQDN) of the CUPS server
    • An alias that the DNS resolves to the server’s IP address
  • The private key and server certificate files use the Privacy Enhanced Mail (PEM) format.
  • Clients trust the CA certificate.
  • If the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.

Procedure

  1. Edit the /etc/cups/cups-files.conf file, and add the following setting to disable the automatic creation of self-signed certificates: 

    CreateSelfSignedCerts no

  2. Remove the self-signed certificate and private key: 

    # rm /etc/cups/ssl/<hostname>.crt /etc/cups/ssl/<hostname>.key

  3. Optional: Display the FQDN of the server: 

    # hostname -f
server.example.com

  4. Store the private key and server certificate in the /etc/cups/ssl/ directory, for example: 

    # mv /root/server.key /etc/cups/ssl/server.example.com.key
# mv /root/server.crt /etc/cups/ssl/server.example.com.crt
    重要

    CUPS requires that you name the private key <fqdn>.key and the server certificate file <fqdn>.crt. If you use an alias, you must name the files <alias>.key and <alias>.crt.

  5. Set secure permissions on the private key that enable only the root user to read this file: 

    # chown root:root /etc/cups/ssl/server.example.com.key
# chmod 600 /etc/cups/ssl/server.example.com.key

    Because certificates are part of the communication between a client and the server before they establish a secure connection, any client can retrieve the certificates without authentication. Therefore, you do not need to set strict permissions on the server certificate file.

  6. Restore the SELinux context: 

    # restorecon -Rv /etc/cups/ssl/

  7. Optional: Display the CN and SAN fields of the certificate: 

    # openssl x509 -text -in /etc/cups/ssl/server.example.com.crt
Certificate:
  Data:
    ...
    Subject: CN = server.example.com
    ...
    X509v3 extensions:
      ...
      X509v3 Subject Alternative Name:
        DNS:server.example.com
  ...

  8. If the CN or SAN fields in the server certificate contains an alias that is different from the server’s FQDN, add the ServerAlias parameter to the /etc/cups/cupsd.conf file: 

    ServerAlias alternative_name.example.com

    In this case, use the alternative name instead of the FQDN in the rest of the procedure.

  9. By default, CUPS enforces encrypted connections only if a task requires authentication, for example when performing administrative tasks on the /admin page in the web interface.

    To enforce encryption for the entire CUPS server, add Encryption Required to all <Location> directives in the /etc/cups/cupsd.conf file, for example: 

    <Location />
  ...
  Encryption Required
</Location>

  10. Restart CUPS: 

    # systemctl restart cups

Verification

  1. Use a browser, and access https://<hostname>:631/admin/. This requires that your browser trusts the CA certificate. If the connection succeeds, you configured TLS encryption in CUPS correctly.
  2. If you configured that encryption is required for the entire server, access http://<hostname>:631/. CUPS returns an Upgrade Required error in this case.

Troubleshooting

  • Display the systemd journal entries of the cups service: 

    # journalctl -u cups

    If the journal contains an Unable to encrypt connection: Error while reading file error after you failed to connect to the web interface by using the HTTPS protocol, verify the name of the private key and server certificate file.

第3章 Granting administration permissions to manage a CUPS server in the web interface
リンクのコピー

By default, members of the sys, root, and wheel groups can perform administration tasks in the web interface. However, certain other services use these groups as well. For example, members of the wheel groups can, by default, run commands with root permissions by using sudo. To avoid that CUPS administrators gain unexpected permissions in other services, use a dedicated group for CUPS administrators.

Prerequisites

  • CUPS is configured.
  • The IP address of the client you want to use has permissions to access the administration area in the web interface.

Procedure

  1. Create a group for CUPS administrators: 

    # groupadd cups-admins

  2. Add the users who should manage the service in the web interface to the cups-admins group: 

    # usermod -a -G cups-admins <username>

  3. Update the value of the SystemGroup parameter in the /etc/cups/cups-files.conf file, and append the cups-admin group: 

    SystemGroup sys root wheel cups-admins

    If only the cups-admin group should have administrative access, remove the other group names from the parameter.

  4. Restart CUPS: 

    # systemctl restart cups

Verification

  1. Use a browser, and access https://<hostname_or_ip_address>:631/admin/.

    注記

    You can access the administration area in the web UI only if you use the HTTPS protocol.

  2. Start performing an administrative task. For example, click Add printer.

  3. The web interface prompts for a username and password. To proceed, authenticate by using credentials of a user who is a member of the cups-admins group.

    If authentication succeeds, this user can perform administrative tasks.

第4章 Overview of packages with printer drivers
リンクのコピー

Red Hat Enterprise Linux (RHEL) provides different packages with printer drivers for CUPS. The following is a general overview of these packages and for which vendors they contain drivers:

Expand
表4.1 Driver package list
Package nameDrivers for printers

cups

Zebra, Dymo

c2esp

Kodak

foomatic

Brother, Canon, Epson, Gestetner, HP, Infotec, Kyocera, Lanier, Lexmark, NRG, Ricoh, Samsung, Savin, Sharp, Toshiba, Xerox, and others

gutenprint-cups

Brother, Canon, Epson, Fujitsu, HP, Infotec, Kyocera, Lanier, NRG, Oki, Minolta, Ricoh, Samsung, Savin, Xerox, and others

hplip

HP

pnm2ppa

HP

splix

Samsung, Xerox, and others

Note that some packages can contain drivers for the same printer vendor or model but with different functionality.

After installing the required package, you can display the list of drivers in the CUPS web interface or by using the lpinfo -m command.

第5章 Determining whether a printer supports driverless printing
リンクのコピー

CUPS supports driverless printing, which means that you can print without providing any hardware-specific software for the printer model. For this, the printer must inform the client about its capabilities and use one of the following standards:

  • AirPrint™
  • IPP Everywhere™
  • Mopria®
  • Wi-Fi Direct Print Services

You can use the ipptool utility to discover whether a printer supports driverless printing.

Prerequisites

  • The printer or remote print server supports the Internet Printing Protocol (IPP).
  • The host can connect to the IPP port of the printer or remote print server. The default IPP port is 631.

Procedure

  • Query the ipp-versions-supported and document-format-supported attributes, and ensure that the get-printer-attributes test passes:

    • For a remote printer, enter: 

      # ipptool -tv ipp://<ip_address_or_hostname>:631/ipp/print get-printer-attributes.test | grep -E "ipp-versions-supported|document-format-supported|get-printer-attributes"
Get printer attributes using get-printer-attributes      [PASS]
    ipp-versions-supported (1setOf keyword) = ...
    document-format-supported (1setOf mimeMediaType) = ...

    • For a queue on a remote print server, enter: 

      # ipptool -tv ipp://<ip_address_or_hostname>:631/printers/<queue_name> get-printer-attributes.test | grep -E "ipp-versions-supported|document-format-supported|get-printer-attributes"
Get printer attributes using get-printer-attributes      [PASS]
    ipp-versions-supported (1setOf keyword) = ...
    document-format-supported (1setOf mimeMediaType) = ...

    To ensure that driverless printing works, verify in the output:

    • The get-printer-attributes test returns PASS.
    • The IPP version that the printer supports is 2.0 or higher.

    • The list of formats contains one of the following:

      • application/pdf
      • image/urf
      • image/pwg-raster
    • For color printers, the output contains one of the mentioned formats and, additionally, image/jpeg.

第6章 Driverless USB printing and scanning
リンクのコピー

Driverless printing and scanning has its variants for devices which are connected by using USB. It is covered by the IPP over USB standard. You need to install the ipp-usb package for driverless printing and scanning to work. It register’s the device with Avahi on local host, makes the USB device look as a network device.

6.1. Installing and checking device capabilities
リンクのコピー

In driverless printing, installing a device involves identifying this device on your network and using a print server to set up a print queue. You can then verify the device’s capabilities by accessing its settings within the print queue or using a tool such as ipptool.

Prerequisites

  • You update the device firmware.
  • You stopped and disabled the cups-browsed service if it is not used for installing printers from remote print servers. Note that in this case, the BrowsePoll server is used in /etc/cups/cups-browsed.conf file.

Procedure

  1. Install the ipp-usb package: 

    # dnf install ipp-usb
    注記

    The ipp-usb package is installed by default with CUPS and sane-airscane packages.

  2. Check if device has printing functionality:

    1. Verify that the device is recognized by ipp-usb: 

      # sudo ipp-usb check

    2. Check if the device is identified by CUPS among existing destinations. The service name created by ipp-usb has the suffix _USB. 

      $ lpstat -e
Canon_MF440_Series_USB

      The service name created by ipp-usb has the _USB suffix. For example, here Canon_MF440_Series_USB represents IPP-over-USB device called Canon I-Sensys MF433

      重要

      If the Canon_MF440_Series_USB is displayed in the output of the lpstat -e command, but not in your application, report the issue to the application.

    3. Check device capabilities: 

      # ipptool -tv ipp://localhost:60000/ipp/print get-printer-attributes.test

# lpoptions -p Canon_MF440_Series_USB -l

      The ipptool command returns all IPP attributes which the device supports. If your printing option is present in IPP response, but not in lpoptions output, then it is a CUPS issue because the common PPD options are generated from some of the attributes. The lpoptions utility returns available PPD options.

  3. Check if the device has scanning capabilities:

    1. Check if the sane-airscan backend recognizes your device: 

      # scanimage -L

device `airscan:e0:HP LaserJet MFP M130fw' is a eSCL HP LaserJet MFP M130fw ip=127.0.0.1
Here, the HP LaserJet MFP M130fw device here is used for illustration, it does not show its real IPP-over-USB compatibility or its real options shared via AirScan from ipp-usb.

    2. Check the device capabilities: 

      # scanimage --help -d 'airscan:e0:HP LaserJet MFP M130fw (E700D6)'

6.2. Migrating existing classic print queues and scanner devices
リンクのコピー

The ipp-usb package is incompatible with classic printing and scanning drivers for IPP-over-USB devices, so a manual intervention depending on user’s choice is required after upgrade. You can see the available printing and scanning capabilities and decide which type of support to use for the device:

  • Driverless
  • Classic drivers

Procedure

Using driverless to support the USB device

To migrate the existing configuration with classic drivers to driverless support for USB device, follow the below mentioned steps depending on the device capabilities:

  1. If the device has printing functionality, remove any existing printers installed for the device in the past.

  2. To search for printer name, run: 

    # lpstat -a

  3. Remove the printer: 

    # lpadmin -x <printer_name>

  4. If the device has scanning functionality, disable the SANE backend which provides the scanning support,for example, hpaio. You can achieve it by commenting out its name in the configuration file /etc/sane.d/dll.conf or in a specific file in directory /etc/sane.d/dll.d, or uninstall the scanning driver. For example, to disable hpaio scanning backend: 

    # scanimage -L
device `hpaio:/usb/laserjet_mfp_m129-m134?serial=XXXX' is a Hewlett-Packard laserjet_mfp_m129-m134 all-in-one
device `airscan:e0:HP LaserJet MFP M130fw (E700D6)' is a eSCL HP LaserJet MFP M130fw (E700D6) ip=127.0.0.1

# sudo sed -i 's,^\s*hpaio$,#hpaio,' /etc/sane.d/dll.d/hpaio

    As a result, scanning devices supported by the backend HPAIO are not visible in the list of scanners.

Using classic driver to support the device

Choosing a classic driver requires rejecting the printer model in the ipp-usb configuration.

  1. Search for device model name: 

    # sudo ipp-usb check
Configuration files: OK
IPP over USB devices:
 Num  Device              Vndr:Prod  Model
   1. Bus 001 Device 005  04a9:2823  "Canon MF440 Series"

  2. Create a quirk for ipp-usb and use the name in the new quirk file in the /etc/ipp-usb/quirks directory. Note that the .conf suffix is required. 

    # cat /etc/ipp-usb/quirks/canon.conf

[Canon MF440 Series]
blacklist = true

  3. Restart the ipp-usb service: 

    $ systemctl restart ipp-usb

    This quirk denies device’s support in ipp-usb, and classic drivers will work. The printer generated by ipp-usb is removed from the list of existing printers.

注記

You can opt-out from driverless USB support by removing the ipp-usb package and excluding it from DNF operations.

第7章 Setting up a legacy printer
リンクのコピー

You can use the printer applications for supporting legacy printers which do not support driverless standards. After you install the legacy printer in a printer application, the application makes the legacy printer available for CUPS to use.

重要

Installing printers with classic drivers in CUPS is deprecated.

You can utilize classic CUPS drivers with a modern printing architecture by configuring a legacy printer in a printer application. Currently, RHEL includes printer applications based on the PAPPL, such as lprint and legacy-printer-app. The current PAPPL-based printer applications in RHEL and their TCP ports they are listening at are the following:

  • LPrint: 8000
  • Legacy Printer Application: 8001

7.1. Setting up PAPPL-based printer application
リンクのコピー

To easily and effectively support various printing requirements and prepare it for installing legacy printers, you can set up a PAPPL-based printer application.

Prerequisites

  • CUPS is configured with TLS certificate.

Procedure

  1. Install a PAPPL-based printer application package, for example, lprint : 

    # dnf install <printer_application_name>

  2. Optional: Enable the port 8000 in firewalld to access the printer application web interface from a remote host: 

    # firewall-cmd --permanent --add-port=8000/tcp
# firewall-cmd --reload

  3. Enable and start the service: 

    # systemctl enable --now <printer_application_name>

You can check the port in the /etc/lprint.conf configuration file.

7.1.1. Installing a legacy printer in PAPPL based printer application by using web interface
リンクのコピー

You can install the legacy printer by using the PAPPL-based printer application web interface.

Prerequisites

  • CUPS is configured with TLS certificate.
  • Printer application is configured and running.

Procedure

  1. In the printer application home page, click Add Printer.

  2. Choose printer name, device, hostname/IP address in case of network printers, select the driver name from the offered list, and click on the Add Printer. You can also use auto-detect option to search for the driver.

    Using the auto-detection option for driver might result in finding an incompatible driver for your device, if the device model is too different from available drivers. It is recommended to check the assigned driver before printing and change the driver manually to prevent any printing issues.

  3. The used driver is on the second line in the block Status. You can test the functionality by clicking on the Print Test Page.

7.1.2. Installing a legacy printer in PAPPL based printer application by using the command line interface
リンクのコピー

You can install a legacy printer in the PAPPL-based printer application by using the command-line interface.

Prerequisites

  • CUPS is configured with TLS certificate.
  • Printer application is set and running.

Procedure

  1. Search the available drivers in PAPPL based printer application: 

    # lprint drivers
zpl_2inch-203dpi-dt "Zebra ZPL 2-inch/203dpi/Direct-Thermal

  2. Install the printer. For example, to install a network printer with a specified driver, enter: 

    # lprint add -d <printer name> -v socket://<hostname> -m zpl_2inch-203dpi-dt

Verification

  1. Check printer is visible in the printers list, together with its raw socket for sending raw data: 

    # lprint printers
<printer_name> - printer - ipp://localhost/ipp/print/<printer_name>
<printer_name> - raw socket - socket://localhost:9101/

7.2. Setting up a generated network printer as CUPS permanent queue
リンクのコピー

You can set up a generated network printer from a dedicated printer application as CUPS permanent queue by using the command line interface.

注記

In the following procedure, the LPrint printer application is used as an example. However, the similar steps are valid for any PAPPL-based printer application.

Prerequisites

  • CUPS is configured with TLS certificate.
  • You have permission in CUPS to manage printers.
  • The legacy printer is installed in a printer application.

Procedure

  1. Check if the generated network printer is available: 

    # lpstat -e
<printer_name_in_printer_application>

  2. Search for the port that the printer application is using: 

    # grep 'server-port=' /etc/lprint.conf
server-port=8000

  3. Install the permanent queue by using the port number 8000: 

    # lpadmin -p <printer_name_in_CUPS> -v ipps://localhost:8000/ipp/print/<printer_name_in_printer_application> -m everywhere -E

  4. Check if CUPS queue is installed: 

    # lpstat -a
<printer_name_in_CUPS>  accepting requests since Wed 07 May 2025 02:31:04 AM EDT

第8章 Adding a printer to CUPS by using the web interface
リンクのコピー

Before users can print through CUPS, you must add printers. You can use both network printers and printers that are directly attached to the CUPS host, for example over USB.

You can add printers by using the CUPS driverless feature or by using a PostScript Printer Description (PPD) file.

注記

CUPS prefers driverless printing, and using drivers is deprecated.

Red Hat Enterprise Linux (RHEL) does not provide the name service switch multicast DNS plugin (nss-mdns), which resolves requests by querying an mDNS responder. Consequently, automatic discovery and installation for local driverless printers by using mDNS is not available in RHEL. To work around this limitation, install single printers manually or use cups-browsed to automatically install a high amount of print queues that are available on a remote print server.

Prerequisites

Procedure

  1. Use a browser, and access https://<hostname>:631/admin/.

    You must connect to the web interface by using the HTTPS protocol. Otherwise, CUPS prevents you from authenticating in a later step for security reasons.

  2. Click Add printer.
  3. If you are not already authenticated, CUPS prompts for credentials of an administrative user. Enter the username and password of an authorized user.
  4. If you decide to not use driverless printing and the printer you want to add is detected automatically, select it, and click Continue.

  5. If the printer was not detected:

    1. Select the protocol that the printer supports.

      Select protocol

      If your printer supports driverless printing and you want to use this feature, select the ipp or ipps protocol.

    2. Click Continue.

    3. Enter the URL to the printer or to the queue on a remote print server.

      Enter printer URL
    4. Click Continue.

  6. Enter a name and, optionally, a description and location. If you use CUPS as a print server, and other clients should be able to print through CUPS on this printer, select also Share this printer.

    Enter printer details
  7. Select the printer manufacturer in the Make list. If the printer manufacturer is not on the list, select Generic or upload a PPD file for the printer.
  8. Click Continue.

  9. Select the printer model:

    • If the printer supports driverless printing, select IPP Everywhere. Note that, if you previously installed printer-specific drivers locally, it is possible that the list also contains entries such as <printer_name> - IPP Everywhere.
    • If the printer does not support driverless printing, select the model or upload the PPD file for the printer.
    Select printer model
  10. Click Add Printer

  11. The settings and tabs on the Set printer options page depend on the driver and the features the printer supports. Use this page to set default options, such as for the paper size.

    Set printer options
  12. Click Set default options.

Verification

  1. Open the Printers tab in the web interface.
  2. Click the printer’s name.
  3. In the Maintenance list, select Print test page.

Troubleshooting

第9章 Adding a printer to CUPS by using the lpadmin utility
リンクのコピー

Before users can print through CUPS, you must add printers. You can use both network printers and printers that are directly attached to the CUPS host, for example over USB.

You can add printers by using the CUPS driverless feature or by using a PostScript Printer Description (PPD) file.

注記

CUPS prefers driverless printing, and using drivers is deprecated.

Red Hat Enterprise Linux (RHEL) does not provide the name service switch multicast DNS plugin (nss-mdns), which resolves requests by querying an mDNS responder. Consequently, automatic discovery and installation for local driverless printers by using mDNS is not available in RHEL. To work around this limitation, install single printers manually or use cups-browsed to automatically install a high amount of print queues that are available on a remote print server.

Prerequisites

Procedure

  • Add the printer to CUPS:

    • To add a printer with driverless support, enter: 

      # lpadmin -p Demo-printer -E -v ipp://192.0.2.200/ipp/print -m everywhere

      If the -m everywhere option does not work for your printer, try -m driverless:<uri>, for example: -m driverless:ipp://192.0.2.200/ipp/print.

    • To add a queue from a remote print server with driverless support, enter: 

      # lpadmin -p Demo-printer -E -v ipp://192.0.2.201/printers/example-queue -m everywhere

      If the -m everywhere option does not work for your printer, try -m driverless:<uri>, for example: -m driverless:ipp://192.0.2.200/printers/example-queue.

    • To add a printer with a driver in file, enter: 

      # lpadmin -p Demo-printer -E -v socket://192.0.2.200/ -P /root/example.ppd

    • To add a queue from a remote print server with a driver in a file, enter: 

      # lpadmin -p Demo-printer -E -v ipp://192.0.2.201/printers/example-queue -P /root/example.ppd

    • To add a printer with a driver in the local driver database:

      1. List the drivers in the database: 

        # lpinfo -m
...
drv:///sample.drv/generpcl.ppd Generic PCL Laser Printer
...

      2. Add the printer with the URI to the driver in the database: 

        # lpadmin -p Demo-printer -E -v socket://192.0.2.200/ -m drv:///sample.drv/generpcl.ppd

    These commands uses the following options:

    • -p <printer_name>: Sets the name of the printer in CUPS.
    • -E: Enables the printer and CUPS accepts jobs for it. Note that you must specify this option after -p. See the option’s description in the man page on your system for further details.
    • -v <uri>: Sets the URI to the printer or remote print server queue.
    • -m <driver_uri>: Sets the PPD file based on the provided driver URI obtained from the local driver database.
    • -P <PPD_file>: Sets the path to the PPD file.

Verification

  1. Display the available printers: 

    # lpstat -p
printer Demo-printer is idle. enabled since Fri 23 Jun 2023 09:36:40 AM CEST

  2. Print a test page: 

    # lp -d Demo-printer /usr/share/cups/data/default-testpage.pdf

第10章 Performing maintenance and administration tasks on CUPS printers by using the web interface
リンクのコピー

Printer administrators sometimes need to perform different tasks on a print server. For example:

  • Maintenance tasks, such as temporary pausing a printer while a technician repairs a printer
  • Administrative tasks, such as changing a printer’s default settings

You can perform these tasks by using the CUPS web interface.

Prerequisites

Procedure

  1. Use a browser, and access https://<hostname>:631/printers/.

    You must connect to the web interface by using the HTTPS protocol. Otherwise, CUPS prevents you from authenticating in a later step for security reasons.

  2. Click the name of the printer that you want to configure.
  3. Depending on whether you want to perform a maintenance or administration task, select the required action from the list.
  4. If you are not already authenticated, CUPS prompts for credentials of an administrative user. Enter the username and password of an authorized user.
  5. Perform the task.

第11章 Using Samba to print to a Windows print server with Kerberos authentication
リンクのコピー

With the samba-krb5-printing wrapper, Active Directory (AD) users who are logged in to Red Hat Enterprise Linux (RHEL) can authenticate to Active Directory (AD) by using Kerberos and then print to a local CUPS print server that forwards the print job to a Windows print server.

The benefit of this configuration is that the administrator of CUPS on RHEL does not need to store a fixed user name and password in the configuration. CUPS authenticates to AD with the Kerberos ticket of the user that sends the print job.

注記

Red Hat supports only submitting print jobs to CUPS from your local system, and not to re-share a printer on a Samba print server.

Prerequisites

  • The printer that you want to add to the local CUPS instance is shared on an AD print server.
  • You joined the RHEL host as a member to the AD.
  • CUPS is installed on RHEL, and the cups service is running.
  • The PostScript Printer Description (PPD) file for the printer is stored in the /usr/share/cups/model/ directory.

Procedure

  1. Install the samba-krb5-printing, samba-client, and krb5-workstation packages: 

    # dnf install samba-krb5-printing samba-client krb5-workstation

  2. Optional: Authenticate as a domain administrator and display the list of printers that are shared on the Windows print server: 

    # smbclient -L <windows_print_server> -U administrator@<AD_KERBEROS_REALM> --use-kerberos=required

	Sharename       Type      Comment
	---------       ----      -------
	...
	Example         Printer   Example
	...

  3. Optional: Display the list of CUPS models to identify the PPD name of your printer: 

    lpinfo -m
...
samsung.ppd Samsung M267x 287x Series PXL
...

    You require the name of the PPD file when you add the printer in the next step.

  4. Add the printer to CUPS: 

    # lpadmin -p "<printer_name>" -v smb://<windows_print_server>/<printer_share_name> -m samsung.ppd -o auth-info-required=negotiate -E

    The command uses the following options:

    • -p <printer_name> sets the name of the printer in CUPS.
    • -v <URI_to_Windows_printer> sets the URI to the Windows printer. Use the following format: smb://<host_name>/<printer_share_name>.
    • -m <PPD_file> sets the PPD file the printer uses.
    • -o auth-info-required=negotiate configures CUPS to use Kerberos authentication when it forwards print jobs to the remote server.
    • -E enables the printer and CUPS accepts jobs for the printer.

Verification

  1. Log in to the RHEL host as an AD domain user.

  2. Authenticate as an AD domain user: 

    # kinit <domain_user_name>@<AD_KERBEROS_REALM>

  3. Print a file to the printer you added to the local CUPS print server: 

    # lp -d <printer_name> <file>

第12章 Using cups-browsed to locally integrate printers from a remote print server
リンクのコピー

The cups-browsed service uses DNS service discovery (DNS-SD) and CUPS browsing to make all or a filtered subset of shared remote printers automatically available in a local CUPS service.

For example, administrators can use this feature on workstations to make only printers from a trusted print server available in a print dialog of applications. It is also possible to configure cups-browsed to filter the browsed printers by certain criteria to reduce the number of listed printers if a print server shares a large number of printers.

注記

If the print dialog in an application uses other mechanisms than, for example DNS-SD, to list remote printers, cups-browsed has no influence. The cups-browsed service also does not prevent users from manually accessing non-listed printers.

Prerequisites

  • The CUPS service is configured on the local host.

  • A remote CUPS print server exists, and the following conditions apply to this server:

    • The server listens on an interface that is accessible from the client.
    • The Allow from parameter in the server’s <Location /> directive in the /etc/cups/cups.conf file allows access from the client’s IP address.
    • The server shares printers.
    • Firewall rules allow access from the client to the CUPS port on the server.

Procedure

  1. Edit the /etc/cups/cups-browsed.conf file, and make the following changes:

    1. Add BrowsePoll parameters for each remote CUPS server you want to poll: 

      BrowsePoll remote_cups_server.example.com
BrowsePoll 192.0.2.100:1631

      Append :_<port>_ to the hostname or IP address if the remote CUPS server listens on a port different from 631.

    2. Optional: Configure a filter to limit which printers are shown in the local CUPS service. For example, to filter for queues whose name contain sales_, add: 

      BrowseFilter name sales_

      You can filter by different field names, negate the filter, and match the exact values. For further details, see the parameter description and examples in the cups-browsed.conf(5) man page on your system.

    3. Optional: Change the polling interval and timeout to limit the number of browsing cycles: 

      BrowseInterval 1200
BrowseTimeout 6000

      Increase both BrowseInterval and BrowseTimeout in the same ratio to avoid situations in which printers disappear from the browsing list. This mean, multiply the value of BrowseInterval by 5 or a higher integer, and use this result value for BrowseTimeout.

      By default, cups-browsed polls remote servers every 60 seconds and the timeout is 300 seconds. However, on print servers with many queues, these default values can cost many resources.

  2. Enable and start the cups-browsed service: 

    # systemctl enable --now cups-browsed

Verification

  • List the available printers: 

    # lpstat -v
device for Demo-printer: implicitclass://Demo-printer/
...

    If the output for a printer contains implicitclass, the cups-browsed service manages the printer in CUPS.

第13章 Accessing the CUPS logs in the systemd journal
リンクのコピー

By default, CUPS stores log messages in the systemd journal. This includes:

  • Error messages
  • Access log entries
  • Page log entries

Prerequisites

Procedure

  • Display the log entries:

    • To display all log entries, enter: 

      # journalctl -u cups

    • To display the log entries for a specific print job, enter: 

      # journalctl -u cups JID=<print_job_id>

    • To display log entries within a specific time frame, enter: 

      # journalectl -u cups --since=<YYYY-MM-DD> --until=<YYYY-MM-DD>

      Replace YYYY with the year, MM with the month, and DD with the day.

第14章 Configuring CUPS to store logs in files instead of the systemd journal
リンクのコピー

By default, CUPS stores log messages in the systemd journal. Alternatively, you can configure CUPS to store log messages in files.

Prerequisites

Procedure

  1. Edit the /etc/cups/cups-files.conf file, and set the AccessLog, ErrorLog, and PageLog parameters to the paths where you want to store these log files: 

    AccessLog /var/log/cups/access_log
ErrorLog /var/log/cups/error_log
PageLog /var/log/cups/page_log

  2. If you configure CUPS to store the logs in a directory other than /var/log/cups/, set the cupsd_log_t SELinux context on this directory, for example: 

    # semanage fcontext -a -t cupsd_log_t "/var/log/printing(/.*)?"
# restorecon -Rv /var/log/printing/

  3. Restart the cups service: 

    # systemctl restart cups

Verification

  1. Display the log files: 

    # cat /var/log/cups/access_log
# cat /var/log/cups/error_log
# cat /var/log/cups/page_log

  2. If you configured CUPS to store the logs in a directory other than /var/log/cups/, verify that the SELinux context on the log directory is cupsd_log_t: 

    # ls -ldZ /var/log/printing/
drwxr-xr-x. 2 lp sys unconfined_u:object_r:cupsd_log_t:s0 6 Jun 20 15:55 /var/log/printing/

第15章 Setting up a high-availability CUPS print server environment
リンクのコピー

If your clients require access to printers without interruption, you can set up CUPS on multiple hosts and use the print queue browsing feature to provide high availability. Print clients then automatically configure print queues shared by the different print servers. If a client sends a print job to its local print queue, CUPS on the client routes the job to one of the print servers which processes the job and sends it to the printer.

Procedure

  1. Set up CUPS on two or more servers:

    1. Install and configure CUPS.
    2. Enable TLS encryption.

    3. Add print queues to all CUPS instances by using the lpadmin utility or the web interface. If you use the web interface, ensure that you select the Share this printer option while you add the printer. The lpadmin utility enables this setting by default.

      重要

      For the high-availability scenario, each queue on one print server requires a queue with exactly the same queue name on the other servers. You can display the queue names on each server by using the lpstat -e command.

      Optional: You can configure the queues on each server to refer to different printers.

  2. On print clients:

    1. Edit the /etc/cups/cups-browsed.conf file, and add BrowsePoll directives for each CUPS print server: 

      BrowsePoll print_server_1.example.com:631
BrowsePoll print_server_2.example.com:631

    2. Enable and start both the cups and cups-browsed service: 

      # systemctl enable --now cups cups-browsed

Verification

  • Display the available printers on a client: 

    # lpstat -t
...
device for Demo-printer: implicitclass://Demo-printer/
Demo-printer accepting requests since Fri 22 Nov 2024 11:54:59 AM CET
printer Demo-printer is idle.  enabled since Fri 22 Nov 2024 11:54:59 AM CET
...

    The example output shows that the Demo-printer queue uses the implicitclass back end. As a result, cups-browsed routes print jobs for this queue to the hosts specified in the BrowsePoll directives on this client.

第16章 Accessing the CUPS documentation
リンクのコピー

CUPS provides browser-based access to the service’s documentation that is installed on the CUPS server. This documentation includes:

  • Administration documentation, such as for command-line printer administration and accounting
  • Man pages
  • Programming documentation, such as the administration API
  • References
  • Specifications

Prerequisites

Procedure

  1. Use a browser, and access http://<hostname_or_ip_address>:631/help/.
  2. Expand the entries in Online Help Documents, and select the documentation you want to read.

法律上の通知
リンクのコピー

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。 最新の更新を見る.

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

Theme

© 2026 Red Hatトップに戻る