Skip Ribbon Commands
Skip to main content

RHEL-7-Fedora-22-kerberos_en

Printer setup under Fedora/RHEL with Kerberos

1 Preface

For printing via Kerberos, the IT Services make their own Cups backend available.
The instructions refer primarily to managed multi-user computers:

The administrator manages several computers.
The manual is structured in such a way that the individual steps can be included in a script.

2 Requirements

The administrator has root rights.
The user-login on the computer should already be done with Active-Directory.
The binding to the Active Directory is described in the following instructions:

https://cd-portal.sp.ethz.ch/linux/Wiki/Authentisierung%20mit%20sssd.aspx

3 Version of the operating system

The version can be verified with the following command:

$ cat /etc/os-release

4 Install Cups backend smbethz

Download the cups backend smbethz and copy it into the right directory:

$ su -c 'wget https://printing.sp.ethz.ch/ethps/SiteAssets/SitePages/RHEL-7-Fedora-22-kerberos/smbethz -O /usr/lib/cups/backend/smbethz'

Set the access rights and the owner:

$ su -c 'chmod 700 /usr/lib/cups/backend/smbethz'
$ su -c 'chown root:root /usr/lib/cups/backend/smbethz'

5 Setting up a new printer with the backend

5.1 Device URI

The following format is used for our setup:

smbethz://<printserver>/<printqueue>

For example:

smbethz://pia01.d.ethz.ch/p-stbh-02

A list of the available printers can be found at :

https://pia01.d.ethz.ch (Zentrum)
https://pia02.d.ethz.ch (Hönggerberg)

5.2 Installing PPD

Under ’openprinting.org’ PPD can be searched and installed as a package.
In this manual we install the PPD for a ’Ricoh MPC 3003’.

$ su -c 'rpm -ip http://www.openprinting.org/download/printdriver/components/lsb3.2/main/RPMS/noarch/openprinting-ppds-postscript-ricoh-20140829-1lsb3.2.noarch.rpm'

The PPD is then stored at :

/opt/OpenPrinting-Ricoh/ppds/Ricoh/Ricoh-MP_C3003-Postscript-Ricoh-en.ppd.gz

5.3 Start printer installation

The installation is done according to the following scheme:

lpadmin -p <NAME> -v smbethz://<SERVER>/<PRINTER> -E -P <PATH-TO-PPD> -D <NAME> -L <LOCATION> -o printer-is-shared=false -o auth-info-required=negotiate

In our example, that would be:

$ su -c 'lpadmin -p Ricoh3003 -v smbethz://pia01.d.ethz.ch/p-stbh-02 -E -P /opt/OpenPrinting-Ricoh/ppds/Ricoh/Ricoh-MP_C3003-Postscript-Ricoh-en.ppd.gz -D Ricoh3003 -L STBH -o printer-is-shared=false -o auth-info-required=negotiate'

6 Testing

Send a test job as an authenticated user (not as root):

$ echo -e '%!PS-Adobe-1.0\n /Helvetica findfont 200 scalefont setfont 100 100 moveto (Test) show showpage' | lpr -P Ricoh3003

7 SELinux Policy

If SELinux is enabled, an appropriate policy extension must be created.
The policy extension is described in the following instructions:

https://cd-portal.sp.ethz.ch/linux/Wiki/SELinux%20Basics.aspx

For testing purposes, the policy can be turned off as follows:

$ su -c 'setenforce 0'

8 Unnecessary authentication message under Fedora 21

If an unnecessary message appears, it can be removed with a patch.
The following command creates the file '/etc/yum.repos.d/print-auth.repo':

$ echo -e '[print-auth]
name=Print Auth $releasever - $basearch
baseurl=http://files.intevation.de/projects/print-auth/kerberos/$releasever
enabled=1
gpgcheck=1
gpgkey=http://files.intevation.de/projects/print-auth/kerberos/$releasever/\c' >/etc/yum.repos.d/print-auth.repo; echo -e 'repodata/repomd.xml.key' >>/etc/yum.repos.d/print-auth.repo

And then update:

$ su -c 'yum update'

9 Error message in RHEL

If you get the error message '/usr/lib/cups/filter/foomatic-rip not available' in the log '/var/log/cups/error_log' you have to add the following package:

$ su -c 'yum install foomatic'