Samba says: client-error-not-authorized
Today I noticed non-admin users can’t print on a new Samba server. The Samba log for a given host would just say: client-error-not-authorized. It turned out to be a CUPS configuration problem, so let’s write a short article about it.
Normally one configures Samba to use a CUPS server running on the same host. When a user wants to print anything, Samba uses a username/password to access the CUPS server. Once the authorization checks succeed, Samba connects to CUPS as root and thus bypasses all security checks (they were performed a moment earlier with the username/password).
So, if a CUPS server requires authentication, including for jobs scheduled from localhost, printing from Windows clients will most likely fail. This is because Samba, as a CUPS client, runs on localhost.
Of course, the change to allow printing from localhost is trivial – just add or uncomment Allow localhost in the <Location /> section of /etc/cups/cupsd.conf. Some distros will have this as a default setting (Debian seems to be more restrictive though).
What if we want to allow everyone to print from the localhost, but require credentials from all other hosts? Well, here it is:
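# Restrict access to the server...
<Location />
  # Authentication check: any user with valid credentials passes
  AuthType Basic
  Require valid-user
  # Host check: deny every host, then allow localhost
  Order deny,allow
  Deny all
  Allow localhost
  # Passing either check (host or authentication) is enough
  Satisfy any
</Location>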
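To check what a given `<Location />` policy means per client before restarting cupsd, here is a small evaluator, added as an example and not part of the original article or of CUPS. The function names (`parse_location`, `host_matches`, `access`) are hypothetical, and the model is simplified: it expects an explicit Order line, understands only `all`, `none`, `localhost` and IP/CIDR host specs, and assumes a missing Satisfy line means `Satisfy all`.

```python
import ipaddress
import re

# Constructed sample: the <Location /> block from the article above.
SAMPLE = """\
<Location />
  AuthType Basic
  Require valid-user
  Order deny,allow
  Deny all
  Allow localhost
  Satisfy any
</Location>
"""

def parse_location(conf, path="/"):
    """Collect the directives of <Location path> as {name: [values]}."""
    m = re.search(r"<Location\s+%s\s*>(.*?)</Location>" % re.escape(path),
                  conf, re.S | re.I)
    if not m:
        raise ValueError("no <Location %s> section" % path)
    directives = {}
    for line in m.group(1).splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments
        if parts:
            value = parts[1].strip().lower() if len(parts) > 1 else ""
            directives.setdefault(parts[0].lower(), []).append(value)
    return directives

def host_matches(spec, ip):
    """Only 'all', 'none', 'localhost' and IP/CIDR specs are modelled."""
    if spec in ("all", "none"):
        return spec == "all"
    if spec == "localhost":
        return ip.is_loopback
    return ip in ipaddress.ip_network(spec, strict=False)

def access(directives, client_ip):
    """Return 'open' (no login), 'auth' (login required) or 'denied'."""
    ip = ipaddress.ip_address(client_ip)
    denied = any(host_matches(s, ip) for s in directives.get("deny", []))
    allowed = any(host_matches(s, ip) for s in directives.get("allow", []))
    # deny,allow: allowed by default, Deny lines first, Allow lines override.
    # allow,deny: denied by default, Allow lines first, Deny lines override.
    if directives["order"][-1].replace(" ", "") == "deny,allow":
        host_ok = allowed or not denied
    else:
        host_ok = allowed and not denied
    needs_auth = "require" in directives
    # Assumption: without a Satisfy line, cupsd behaves as "Satisfy all".
    if directives.get("satisfy", ["all"])[-1] == "any":
        return "open" if host_ok else ("auth" if needs_auth else "denied")
    if not host_ok:
        return "denied"
    return "auth" if needs_auth else "open"
```

With the block from the article, 127.0.0.1 evaluates to `open` and a remote address such as 192.0.2.10 to `auth`; removing the `Satisfy any` line turns those into `auth` and `denied`, which is the situation where Samba's local connection is rejected.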