[2] Restoring the client side CUPS printer browsing ability
My last blog entry outlined how Ubuntu users can restore the CUPS web interface to full functionality. The next one will explain how they can setup network printer auto-discovery goodness into their CUPS installation, a feature that was artificially crippled by their distro's packagers. This one investigates the "printer browsing" settings presented by Ubuntu, and demonstrates how to set them back to a fully functional (and more secure) mode. [image:2120 align="right" size="preview" hspace=4 vspace=2 border=0 class="showonplanet"]
So let's move to the meat of the matter.
Printer browsing is an über-cool feature, which lets CUPS clients use a CUPS print service and its shared printers in the LAN...
- ...without needing to install any printer locally,
- ...without needing to install any driver locally,
- ...without needing to run any special setup.
The benefits are obvious: True "zero configuration" print setup. Simple, but excellent and reliable printing goodness for lots of users. Very comfortable. Fully functional. Including the full access to every single printer driver option that may be interesting to use with a print job. Works from the commandline, works from KDEPrint/kprinter, works from gtklp, works from xpp (two other GUI frontends to conduct printing tasks). Not sure about Gnome-Print, though... But easy for administrators to run and overlook from one single point. Even allowing for simple and efficient fail-over, load-balancing and print-cluster setups. Waaaaay superior to what MS Windows has to offer when it comes to network printing, believe me.
CUPS' cool printer browsing abilities are often misunderstood. Users don't have a chance to even see and experience it, if their distro's packagers disable it. And packagers (at least some of those I talked to, often times in recent years) seem to disable it because they don't "get" its benefits. Or because they don't even understand its mechanics (and don't seem to be keen to learn more). And keep clinging to their once-assumed "But it's unsafe!"-presumption. So let's put up another round in this long fight. Let's start another 101 CUPS Browsing Primer course...
Actually, there's two different aspects to CUPS printer browsing:
- client-side printer browsing: this lets the CUPS clients passively discover all printers which are announced by CUPS servers in the LAN
- server-side printer browsing: this makes CUPS servers actively announce their printers to all CUPS clients in the LAN
Both aspects are separate from each other. Clients may ignore all, ignore a part or listen to all of the CUPS servers announcing their printers.
Printer browsing works through UDP (not TCP!) broadcasts. Like this:
- Every ${BrowseInterval} seconds (defaults to 30), a CUPS server sends one UDP broadcast package (with a size of approx. 100 - 200 Bytes) for each shared printer to ${BrowseAddress}.
- CUPS clients, if setup to use "Browsing On", pick up this info from the LAN, assemble a list of printservers and their shared printers and readily offer them to their user whenever she wants to print.
The screenshot on the top, taken on a Knoppix immediately after booting, shows which printqueues kprinter can "see" without any configuration. It's the result of client side printer browsing, that is enabled on the Knoppix Live CD out of the box. The browsing picked up 7 different printers, from 3 different CUPS servers (socceroo, 10.162.2.251 and elephants). [image:2119 align="right" size="preview" hspace=4 vspace=2 border=0 class="showonplanet"]
What could be a more easy than this? A user does not need to care about installing a printer. She does not need to search for the correct driver. She is not required to decide for a protocol backend. She just clicks on the "Print" icon and Pooof!, all available printers show up, magically brought to her desktop by a CUPS server with printer browsing enabled. Depriving users from this comfort for no good reason is a crime against the general rallying call of "Better usability for the Linux desktop!". Disabling it directly goes against the commonly agreed goals to "Make printing more easy!" as was declared by this April's OSDL desktop printing architects meeting. How more stupid could we be than hiding from our users and disabling a printing technology cornerpiece that makes our platform superiour in comparison to the market leader Microsoft?
Client side browsing of course also satisfies the needs of commandline users (see other shot showing Konsole). They can query CUPS for available printers (using the "lpstat -p" command), and will see this very same list, so they can pick one printqueue to send a job to.
CUPS.org's upstream default configuration does not make for an active print server out of the box. It only provides for a maximum user-friendlyness for each CUPS client. It enables workstations to effortlessly print without any configuration and with no setup headaches, should there be an active CUPS server around. Let's be overly clear: CUPS.org's default setup has tt>"Browsing On". But a client with only "Browsing On" enabled does not share his own locally installed printers with the rest of the world. "Browsing On" does not make it a print server. "Browsing On" does not make it a broadcaster! Clear now?
So why is it that Ubuntu deprives its users from a fully functional CUPS? Why don't they allow the web interface enabled like it is prepared by CUPS.org? Why do they suppress client-side printer browsing? When I asked, I was told: "It is our (and Debian's) policy to not open any un-needed port by default."
I agree to that policy, very much so. The point is: CUPS' default configuration from upstream does not open any external port by default, let alone "un-needed" ones! And yet it has a functional web interface. And yet it has a working client setup. And yet it can immediately discover all printers shared by CUPS servers. And yet it is a "zero configuration" effort to make it print out of the box in any environment where a CUPS server is at work. And yet it can utilize all driver-supported job options, without any need for messing with a local driver installation.
Let's have a look at the Dapper configuration for CUPS as compared to the one shipped by CUPS.org:
+--------------------------------+---------------------------------+
| .......Dapper's default....... | ......CUPS.org's default....... |
|--------------------------------+---------------------------------|
| Listen localhost:631 | Listen localhost:631 |
| Listen /var/run/cups/cups.sock | Listen /var/run/cups/cups.sock |
| Browsing Off | Browsing On |
| BrowseOrder allow,deny | BrowseOrder allow,deny |
| BrowseAllow @LOCAL | BrowseAllow @LOCAL |
| BrowseAddress @LOCAL | # no setting for BrowseAddress! |
|--------------------------------+---------------------------------|
| ------ (extracts from the respective CUPS configuration) ------- |
+------------------------------------------------------------------+
Now let's see what different results we get if we run a port scanner against each of these two configurations.
+--------+------------------------------------------------------------------+ | | Does "Browsing On" open a port? -- No! | |--------+--------------------------------+---------------------------------| |Setting:| Browsing Off | Browsing On | |--------+--------------------------------+---------------------------------| |Probe: | nmap -p 631 10.16.2.4 | nmap -p 631 10.16.2.4 | |--------+--------------------------------+---------------------------------| | | Interesting ports on 10.16.2.4:| Interesting ports on 10.16.2.4: | |Result: | PORT STATE SERVICE | PORT STATE SERVICE | | | 631/tcp closed ipp | 631/tcp closed ipp | +--------+--------------------------------+---------------------------------+
Thus, the whole argument of Ubuntu packagers why they disable client-side printer browsing in Dapper manifests itself as bogus. "Browsing On" on its own does not open a TCP port to the outside world. Hence, their modification to set "Browsing Off" does not close a TCP port, and does not make the system more secure. But it indeed does make the system less functional, less powerful, and more user-unfriendly, more crippled... It takes away out-of-the-box client-side printing capabilities, which work with zero setup and zero driver installation. It hurts Linux competitiveness on the desktop market, especially the small business, the public sector and the enterprise market segments.
But they made more modifications which are bad. Look at their "BrowseAddress @LOCAL" setting. It is enabled by default; the "@LOCAL" macro is shorthand to tell CUPS to address all local network interfaces and subnets (excluding modem, ISDN card or ppp0 links) in case it broadcasts its own printers. It does not do anything as long as the accompanying "Browsing Off" is kept. Now assume, a user wants to enable client-side printer browsing only (without any server-side browse announcements going out). She (of course) follows the advice given to her by CUPS.org and changes the setting to "Browsing On". But on Ubuntu all of a sudden something will happen that 99% of users (I bet!) are unaware of. And it certainly does not blend in well with the declared security goals of the Dapperistas: the "BrowseAddress @LOCAL" setting now kicks in as well; the user's box immediately starts to announce its own printers, effectively turning on server-side printer browsing and active broadcasts as well.... Oooops!!
Compare this to the default CUPS config file shipped with the sources by CUPS.org: since it has no default BrowseAddress enabled, this problem does not occur. Users can turn client browsing on or off at will without turning their computer into an active broadcaster.
All in all, Ubuntu Dapper does not convince me that its CUPS package maintainers have created a well considered printing setup. There is a lot to fix, and a lot to improve. Next topic: SNMP network printer auto-discovery. Stay tuned!
Syndicate Blogs
Cups and user identification
I have found your blog very interesting. I am a debian user !
The problem I have is that the remove cups server on my intranet requires username and login for user to be able to print.
I do see the printers listed. I do not have access to the status and location, and I can not print on them.
Unable to get printer status (client-error-forbidden)!
Asking Kde to look at the remote cups server and giving it identification information solves my problem. However, when I am away from my intranet.... I get to wait for the time out.
Thanks for any help
Eric
I don't quite understand...
...but I'm trying to guess (but unfortunately I can't guess your CUPS version).
You surely mean "remote" CUPS server, yes?
If your remote CUPS server is configured to use authentication for listing its printers (or do any other sort of access), you could use these commands:
See also "man lpstat".
As for KDEPrint: if it is configured to access a remote server that can not be reached you indeed have to wait for a timeout; very annoying.
But if you know your CUPS server is unavailable because you are away from your intranet, just change the setting before you use kprinter ("Host=localhost"):
Post this to kubuntu-devel
You're making some very convincing arguments. I highly suggest that you post them to the kubuntu-devel mailinglist.
kubuntu-devel
vladc,
your suggestion about kubuntu-devel is not very convincing. That particular mailing list doesn't look like being exactly the hotbed of Kubuntu development discussions.
Kubuntu development is very vibrant and dynamic, as one can see from even a cursory glance. But it must be happening elsewhere, certainly not on the kubuntu-devel mailing list....
Mistakes
Just to make some corrections on your comments, so that you readers don't get wrong ideas about CUPS.
BrowsingAddress doesn't enable or disable sharing of your printers. It can enable or disable _broadcasting_, not sharing.
If you set CUPS to listen on all interfaces, no mather what you have for Browsing or BrowseAddress, others will be able to print on your printers (if that's not forbidden trough some other directives).
If you set CUPS to listen on localhost:631 (which is the case in CUPS and Dappers default configs), no mather what you have for Browsing or BrowseAddress, others will *not* be able to print on your printers.
So, enabling Browsing (Browsing on) on Dapper, doesn't share nor broadcast local printers. It just enables detection of other printers on network which are shared trough IPP. That makes your assumption "the user's box immediately starts to announce its own printers, effectively turning on server-side printer browsing and active broadcasts as well" - wrong.
No, ivoks, no! You're wrong. Read again.
ivoks,
I like the way you display a seemingly never-ending self-confidence here....
It's similar to the current German Soccer Team's confidence.
Just be a bit careful -- it could quickly happen that you look like a big fool, if you are wrong. And wrong you are.
So you are able to make "corrections to my comments"? Maybe, I don't rule this out. But here you picked the wrong items. Let's first deal with the harmless ones. Them I let pass not as "corrections corrections" to my points, but as re-inforcements of what I explained about browsing:
However, now comes what is your major blunder. It proofs you didn't carefully read what I wrote, you didn't follow my argument, you didn't understand the crux of the matter, and you don't understand Dapper's configuration for this one item:
What happens if you change this to "Browsing On"?? Yes, it enables broadcasting of your local printers!!
And that, dear friend, makes my statement (not an assumption!), as you put it, "the user's box immediately starts to announce its own printers, effectively turning on server-side printer browsing and active broadcasts as well" -- nothing else but entirely correct. And your last sentence makes you look like a fool... I'm sorry, it's not my fault.
Pffft...
My point was...
...that Dapper, with default config and Browsing set to on doesn't share printers on ethX interfaces. It looks to me that you are forgeting "Listen localhost:631". There is no "Listen @LOCAL:631" in Dapper, by default.
When user changes Listen directive to something other than localhost, broadcasting and sharing printers starts on that interface, but only in Dapper, not in "vanilla" CUPS. We can talk if this is good or bad choice, but this is how it is on Dapper. It's just incorrect to say that changing "Browsing" directive in Dapper's default config makes it printer server. It does not. You can't print on it. Print jobs go over TCP. "Get printer list" and "Get printer status" goes over TCP too (and non-localhost TCP/631 is disabled by default in Dapper).
Broadcasting printers without listening on TCP/631 has no effect. Check out the source if you don't belive me.
Your argument misses the point (again)
You are making up a strawman's argument. You argue against me presumably having said that simply changing to "Browsing On" made Dapper a print server. Which is *not* what I said. I said it makes it *broadcast* its printers.
Anyway, don't try to sidestep my main point. My main point (in *this* blog entry, I've got a few more coming up, though) is:
Put into your cupsd.conf "Browsing On", please! Any arguments that were used against it ("It opens a port and is unsecure!") in the past, are simply bogus.
(Also, minor side point: comment out the "BrowseAddress @LOCAL" setting. It is useless in the context, and has unwanted side-effects when "Browsing On" is switched to for pure client-side printer browsing.)
It is what CUPS.org and Linuxprinting.org recommend. As default setting for a running local cupsd it enables easy and automatic client side printer browsing. (In case you do not understand what I mean with that expression: clients should be able to discover printers offered by available CUPS servers. It's not broadcasting their locally installed printers by the clients).
But, Kurt!
When you have:
Listen localhost:631
Browsing On
BrowseAddress @LOCAL
you *do not* broadcast printers on @LOCAL interfaces. Forget documentation for a moment (it's not very extensive and clear about this). You have the tools to check it out. Use tcpdump. Just check it out.
OTOH, I agree with you that Browsing should be "on" by default.
OK -- when?
So when will it be changed?