Non-admin Printer Setup?

Follow up to my previous post.

After some further thought, there are permutations to the procedure I set out before. If you want to open it up for all users to add and administer printers, you can comment out the applicable Policy sections of cupsd.conf. Specifically, the following blocks commented out will allow a Standard user (or any user) to add and administer printers. This can be done through the web interface, command line 'lpadmin', or through *Add Printer* from a print window. With this configuration, no password will be required.

EDIT: No Parental Controls need be set with this method. The user could be Standard or Managed.

<pre style="overflow: auto;font-size:small; font-family: Monaco, 'Courier New', Courier, monospace; color: #222; background: #ddd; padding: .3em .8em .3em .8em; font-size: 9px;"># <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
# AuthType Default
# Require user @SYSTEM
# Order deny,allow
# </Limit>
# <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
# AuthType Default
# Require user @AUTHKEY(system.print.admin) @admin @lpadmin
# Order deny,allow
# </Limit></pre>

Obviously, there are policy and security implications with the above. You will have to decide if the new policies are within your overall security limits.

Note that I have left in place the earlier directive to allow only admin (sudoers) to change the cupsd.conf file.

<pre style="overflow: auto;font-size:small; font-family: Monaco, 'Courier New', Courier, monospace; color: #222; background: #ddd; padding: .3em .8em .3em .8em; font-size: 9px;"><Location /admin/conf>
AuthType Default
Require user @SYSTEM
# Restrict access to the configuration files...
Order allow,deny
Allow localhost
</Location></pre>


Matt

Message was edited by: Matt Broughton

Douglas McLaughlin wrote:
I enabled the root account, deleted my changes, saved, restarted and logged back in as root and re-commented out the same lines again and restarted again. I have now tried both a local standard user and the previous network user and both were still prompted for the admin name and password to add a printer. I was thinking you were probably not trying this suggestion with network users, but result is the same.

You are correct that I did not try any network users. I was just using an admin and standard account on one computer. No Open Directory, just a siimple computer with multiple users.

I don't claim to be well versed in networks or Open Directory. I made the assumption (ah-oh) that you would have to place a copy of the modified cupsd.conf on all the client machines. Are you not talking about the client adding a printer to their local machine? The only way to do that is through printing services which is controlled by the cupsd.conf file. Adding a printer writes the necessary information to /etc/cups/printers.conf among other things.

Are we at least talking about somewhat the ideas?

Matt

Finally found a way to do this. The only way I have found to do this is to:

1. User Parental Controls and specifiy that the user can administer printers.

2. Edit the CUPS configuration file (/etc/cups/cupsd.conf). Easiest way is to use the web interface http://localhost:631/admin?op=config-server You need to be an administrator to do this. You may find it easier to push a modified cupsd.conf file to the user's computers and restart cupsd.

You want to edit the block to add @lpadmin as shown:
<pre style="overflow: auto;font-size:small; font-family: Monaco, 'Courier New', Courier, monospace; color: #222; background: #ddd; padding: .3em .8em .3em .8em; font-size: 9px;"> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM @lpadmin
Order deny,allow
</Limit></pre>
Click the button to Save Changes.

3. The user will now be able to add a printer through the web interface http://localhost:631/admin?op=add-printer It will still require a user name and password, but it will accept the managed user's name and password. The web interface is the only way for the managed user to perform this. Add Printer from a print window will not work. Command line 'lpadmin' will not work. These latter two still require an administrator's user name and password.

A word of caution. Apple will frequently replace the cupsd.conf file during system updates with the default cupsd.conf file. You are back to pushing the modified configuration file to your user's computers.

Matt

Douglas McLaughlin wrote:
Is there a way to do it without using the Parental Controls System Preferences?

Yes. My follow up post details the changes needed to the cupsd.conf file that are needed to allow any user to add and administer printers. No password required either.

Matt

Douglas McLaughlin wrote:
Okay, on a test Mac, I commented out that section (by putting the # at the beginning of each line). I had to save the file to my own user's documents. Then I used the Terminal to delete the original and copy over the edited file. I also then used the Terminal to change the permissions back to the original settings. Unfortunately, I'm still challenged to put in an administrator's name and password when using the "Add Printer..." option

You need to restart the printing system for the changes to take effect. By using the Terminal to replace the cupsd.conf file, you bypassed the *Save Changes* button in the web interface. The *Save Changes* button would have restarted the CUPS daemon. Remember that we are changing a configuration file for a daemon, so the daemon must be restarted for it to read the new configuration file.

There are several ways to restart the CUPS daemon. Restart the computer, use the Terminal command 'sudo killall -HUP cupsd', or by toggling *Printer Sharing* in System Preferences.


Matt

Douglas McLaughlin wrote:
The next time the authentication window popped-up, I clicked on the "Details" disclosure triangle and, in fact, it's the System Preferences asking for permission not any of the CUPS services:

I read that as the application "AddPrinter" (/System/Library/CoreServices/AddPrinter) is the requester and wants to use the password from the user account as detailed in System Preferences.

Believe me that I am as frustrated as you in explaining why it is not working for you as it is for me. We are commenting out the section that says adding a printer is for admins only. We are also commenting out the line that says to ask for a password.

The one other thought I had was that I have not applied the latest security patches. I will add those to my test configuration tonight and see if that makes any difference.

Unfortunately, I'm afraid some of my users simply won't be able to use the Web page to configure all their printers

I agree that is a real concern. As far as I can tell, the web interface only knows about printers that have a static model PPD on file. There are some printers that create a PPD on the fly. I believe Epson printers do this. They do not show in the list of printers for in the web interface.

Matt

McToast wrote:
Is this whole "must be an admin to add or delete printers" business a bug or a purposeful change on Apple's part?

I believe it is a very deliberate and purposeful change.

Matt

It's such a bad thing for System Administrators, just makes their jobs more difficult, users should be able to add and delete their own printers, and defeats part of the convenience of a Print Server.

Hello Doug & Matt,

I spent a couple of hours looking at this issue and from my testing I found that Matt's comments made to the cupsd.conf are sufficient in allowing a standard user to add an IP and USB printer without having to authenticate.

My test Mac (a trusty old G5) had a clean install of 10.5 and then upped to 10.5.1 using the Combo updater from the ADC Jan 08 DVD (my lab is isolated from our corporate network so no internet access). Logged in as an admin account, opened Terminal and used Nano to make the changes to the cups daemon config file. Rebooted, logged in as the local standard user and was able to create the printer queues without any challenge.

From reading your postings I thought that maybe the problem was due to the rights granted by the AD to the network user and this was challenging the creation of the queue.

So I repeated the test, this time the authentication was being done using Directory Access > AD to a 2003 SP1 server. The client was just a basic user account, no network or local home folder creation, just simply an authentication to the network. However this account was also able to add a local printer without having to authenticate.

So I have a couple of questions as I'd like to play with this some more.

1. Can you give some details re the network environment and the authentication process being employed (especially any schemas).

2. I read that your 10.5 install was an upgrade from the 10.4 image. Is this correct? If yes, have you tried a clean Leopard install? Just concerned we could have some Tiger left-overs, like the AD plug-in...

Well, that's about it from me for now. It's getting close to 11pm here and I'm gettin tired....

Hope this was helpful Matt.

'Night-all

PaHu