Status: DECOMMISSIONED 2026-05-06. The CUPS container on vm-hm-svc-prod-01 was removed on 2026-05-06. Printing now goes directly through the Windows Print Spooler on vm-dc-01 (AD-native setup).

Container data archived in /opt/cups.archived-2026-05-06/ on vm-hm-svc-prod-01 (Compose file + LDAP bind secrets + cupsd.conf are kept for a possible rollback). DNS record cups.blackreset.com deleted from Hetzner. IP-updater entry disabled. Uptime-Kuma monitors removed. This page is being moved to /archive/policies/printer-access; the documentation below is historical only (for the case that CUPS is ever reactivated, e.g. if the AD print spooler fails).
# Printer access (GS-Print-* groups)

Status: locked 2026-05-02. Owner: Alex (A.Korff). Source of truth for membership: Active Directory in xio.bio (managed via VM-DC-01).

## Architecture
CUPS runs as a single container (cups) on VM-HM-SVC-PROD-01 (10.100.100.102:631), reverse-proxied by the HOME EDGE Traefik on cups.blackreset.com (LE HTTP-01 cert, behind Authentik perimeter SSO). Authentication and group resolution are delegated to the on-prem Active Directory in xio.bio:
```
+--------+   IPP/HTTP Basic     +-------+   PAM    +----------+   LDAPS:636    +----------+
| client | -- A.Korff:****** -> | cupsd | -------> | pam_ldap | -------------> | vm-dc-01 |
+--------+                      +-------+          +----------+                +----------+
                                    |
                                    | Require user @GS-Print-Home
                                    v (uses NSS group lookup)
                                +-----------+   LDAPS:636    +----------+
                                |   nslcd   | -------------> | vm-dc-01 |
                                +-----------+                +----------+
```
The CUPS image is a custom build (harbor.blackreset.com/blackreset/cups:2026-05-02-ldap) extending olbat/cupsd with libnss-ldapd, libpam-ldapd, nslcd, a templated /etc/nslcd.conf, and a pam_ldap-first PAM cups service. Bind details are passed via env in compose.yml; the bind password is a Docker secret (/opt/cups/data/secrets/ldap_bind_pw, mode 0400).
Why direct AD rather than via the Authentik LDAP outpost (auth.blackreset.com:636)?

- AD returns the group names as GS-Print-Home etc., which is what `Require user @GS-Print-Home` expects literally; no name-mangling to worry about.
- VM-HM-SVC-PROD-01 -> VM-DC-01 is RFC1918 over the existing site-to-site VPN.

## Printer queues

| Printer queue | Device | Default for | AD group |
|---|---|---|---|
| PI-IO-01 (Brother Color) | socket://10.110.100.40:9100 | HOME VLAN clients (Family) | GS-Print-Home |
| PI-IO-03 (Brother Generic) | socket://10.110.100.43:9100 | Lager clients (staff) | GS-Print-Lager |
The CUPS web UI at https://cups.blackreset.com/admin is restricted to GS-Print-Admin.
## Groups

| Group | Members | Notes |
|---|---|---|
| GS-Print-Home | A.Korff, F.Korff, H.Korff, L.Korff, M.Korff, R.Korff | All Korffs. Staff (J.Placzek, K.Ekelt) are NOT members and CANNOT print to the Home printer. |
| GS-Print-Lager | A.Korff, J.Placzek, K.Ekelt | A.Korff included so the admin can also print from his account. |
| GS-Print-Admin | A.Korff | Full CUPS admin (manage queues, cancel any job). Add others sparingly via DC. |
All three groups live at CN=...,CN=Users,DC=xio,DC=bio (the default Users container, group scope Global, category Security). They were created with tools/dc-create-print-groups.ps1 (idempotent; safe to re-run).
## Default printer

Set on the client side (Windows: `rundll32 printui.dll,PrintUIEntry /y /n "..."`). The convention is:

- HOME VLAN (10.100.100.0/24) clients -> default = PI-IO-01 (Brother Color, Family room).
- Lager clients -> default = PI-IO-03 (Brother Generic, Lager).

## Onboarding a user

1. Create the user on VM-DC-01 (`New-ADUser`), in the appropriate OU.
2. Add the user to the matching GS-Print-* group via `Add-ADGroupMember -Identity GS-Print-Home -Members new.user`.
3. Authentik sync (ldap-xio-bio source, pk 56f1652d-b988-46ab-9c1b-8e5f76b6aa20) -- this is only relevant if the user also needs SSO to cups.blackreset.com via the perimeter Authentik proxy outpost.
4. The CUPS in-app ACL itself reads AD directly, so it picks up the change as soon as nslcd's cache TTL expires (default 600 s). To force it:

   ```
   ssh blackreset@10.100.100.102 \
     "docker exec cups nslcd -c reload || \
      docker restart cups"
   ```

5. `getent group GS-Print-Home` (run inside the container) should now show the new member.

## Client setup

Users add the queue as https://cups.blackreset.com/printers/<queue>, supplying their AD credentials when prompted. Windows caches the credential.

## Adding a printer queue

1. Open https://cups.blackreset.com/admin (sign in as a member of GS-Print-Admin).
2. Add the printer: AppSocket/HP JetDirect -> socket://<printer-ip>:9100 -> driver -> name -> share = no (sharing is via CUPS's IPP listener, not Samba).
3. Pick the AD group (GS-Print-Home, GS-Print-Lager, or a new GS-Print-<purpose>). If a new group: create it in AD first (`New-ADGroup -Name GS-Print-<purpose> -GroupScope Global -GroupCategory Security -Path "CN=Users,DC=xio,DC=bio"`).
4. Edit /opt/cups/data/etc/cupsd.conf to append a Location block:

   ```
   <Location /printers/<NEW-QUEUE>>
     AuthType Default
     Require user @GS-Print-<purpose>
     Order allow,deny
   </Location>
   ```
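An idempotent patcher for this step, as an added example that is not the repository's tools/patch-cups-acl.py (that script's contents are not on this page): it appends the block above only when the queue has no Location block yet, refuses names outside the GS-Print-* convention, and leaves the file untouched on a second run. The sample configuration embedded in it is constructed from the PI-IO-01 block documented on this page.

```python
"""Idempotently append a per-queue <Location> ACL block to a cupsd.conf.

Added example, not the repository's tools/patch-cups-acl.py. The block layout
is the one documented on this page; everything else is this example's own.
"""
import re
from pathlib import Path

# Constructed sample: a cupsd.conf that already protects PI-IO-01.
SAMPLE_CONF = """\
LogLevel warn
<Location /printers/PI-IO-01>
  AuthType Default
  Require user @GS-Print-Home
  Order allow,deny
</Location>
"""

BLOCK_TEMPLATE = (
    "<Location /printers/{queue}>\n"
    "  AuthType Default\n"
    "  Require user @{group}\n"
    "  Order allow,deny\n"
    "</Location>\n"
)

# Queue names: a conservative subset of what cupsd accepts for printer names.
# Groups: the GS-Print-<purpose> convention used on this page.
QUEUE_RE = re.compile(r"^[A-Za-z0-9_-]+$")
GROUP_RE = re.compile(r"^GS-Print-[A-Za-z0-9]+$")


def has_location_block(conf: str, queue: str) -> bool:
    """True if conf already opens a block for /printers/<queue> (case-insensitive match)."""
    opener = re.compile(
        r"^\s*<Location\s+/printers/" + re.escape(queue) + r"\s*>",
        re.IGNORECASE | re.MULTILINE,
    )
    return opener.search(conf) is not None


def ensure_location_block(conf: str, queue: str, group: str) -> tuple[str, bool]:
    """Return (new_conf, changed); the block is appended only if it is missing."""
    if not QUEUE_RE.match(queue):
        raise ValueError(f"refusing queue name outside [A-Za-z0-9_-]: {queue!r}")
    if not GROUP_RE.match(group):
        raise ValueError(f"group must follow the GS-Print-<purpose> convention: {group!r}")
    if has_location_block(conf, queue):
        return conf, False
    if conf and not conf.endswith("\n"):
        conf += "\n"
    return conf + "\n" + BLOCK_TEMPLATE.format(queue=queue, group=group), True


def patch_file(path: Path, queue: str, group: str) -> bool:
    """Apply ensure_location_block to a file on disk; returns True if it was rewritten."""
    conf = path.read_text(encoding="utf-8")
    new_conf, changed = ensure_location_block(conf, queue, group)
    if changed:
        path.write_text(new_conf, encoding="utf-8")
    return changed


if __name__ == "__main__":
    once, changed = ensure_location_block(SAMPLE_CONF, "PI-IO-03", "GS-Print-Lager")
    twice, changed_again = ensure_location_block(once, "PI-IO-03", "GS-Print-Lager")
    print(once)
    print("first run changed:", changed, "| second run changed:", changed_again)
```

Run `patch_file(Path("/opt/cups/data/etc/cupsd.conf"), "PI-IO-03", "GS-Print-Lager")` on the VM and follow it with the `cupsd -t` validation and reload steps; the presence check keys on the opening `<Location /printers/<queue>>` line, so a block that was edited by hand is still recognised and not duplicated.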
   (The repository script tools/patch-cups-acl.py is the canonical place to extend; keep it idempotent.)

5. `docker exec cups cupsd -t` to validate.
6. `docker exec cups kill -HUP 1` (or `docker restart cups`) to reload.
7. Update /migration/2026-05-02-vm-sw-03-archive and this page if the queue list or default-printer convention changes.

## Removing access

- User: `Remove-ADGroupMember -Identity GS-Print-Home -Members <samaccountname>` on VM-DC-01. Takes effect within max 600 s (nslcd cache).
- Queue: remove its `<Location>` block from cupsd.conf. Reload.

## Verification

```
ssh blackreset@10.100.100.102 \
  "docker exec cups getent group GS-Print-Home; \
   docker exec cups getent group GS-Print-Lager; \
   docker exec cups getent group GS-Print-Admin; \
   docker exec cups lpstat -t"
```
A correct run prints something like:

```
GS-Print-Home:*:2205:F.Korff,R.Korff,H.Korff,L.Korff,A.Korff,M.Korff
GS-Print-Lager:*:2203:J.Placzek,K.Ekelt,A.Korff
GS-Print-Admin:*:2204:A.Korff
scheduler is running
device for PI-IO-01: socket://10.110.100.40:9100
device for PI-IO-03: socket://10.110.100.43:9100
PI-IO-01 accepting requests since ...
PI-IO-03 accepting requests since ...
```

ACL probes (anonymous, expect HTTP 403; authenticated as a member, expect HTTP 200; authenticated as a non-member, expect HTTP 403):

```
curl -sk -o /dev/null -w '%{http_code}\n' http://10.100.100.102:631/printers/PI-IO-01                     # 403
curl -sk -o /dev/null -w '%{http_code}\n' -u 'A.Korff:****' http://10.100.100.102:631/printers/PI-IO-01    # 200
curl -sk -o /dev/null -w '%{http_code}\n' -u 'J.Placzek:****' http://10.100.100.102:631/printers/PI-IO-01  # 403
```
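An offline model of what the probes above should return, as an added example that is neither this page's nor the repository's code: it parses the Location blocks from a cupsd.conf and the getent group lines from the verification run, predicts the HTTP status of each probe (the 403/200/403 mapping is the one the page expects, not a re-implementation of cupsd's own access logic), and compares live memberships against the group table so a staff account that has slipped into GS-Print-Home is caught before the curl probes are run. Both sample inputs are constructed from this page's tables; case-insensitive member matching is an assumption of the model.

```python
"""Predict the CUPS ACL probe results from cupsd.conf + getent output.

Added example, not code from this page's repository. The 403/200/403 mapping
is the one the verification section expects; the sample inputs are constructed
from the page's own tables.
"""
import re
from typing import Optional

# Constructed sample: the two per-queue Location blocks documented above.
SAMPLE_CUPSD_CONF = """\
<Location /printers/PI-IO-01>
  AuthType Default
  Require user @GS-Print-Home
  Order allow,deny
</Location>
<Location /printers/PI-IO-03>
  AuthType Default
  Require user @GS-Print-Lager
  Order allow,deny
</Location>
"""

# Constructed sample: 'getent group' lines in the shape shown in the verification run.
SAMPLE_GETENT = """\
GS-Print-Home:*:2205:F.Korff,R.Korff,H.Korff,L.Korff,A.Korff,M.Korff
GS-Print-Lager:*:2203:J.Placzek,K.Ekelt,A.Korff
GS-Print-Admin:*:2204:A.Korff
"""

# The membership table on this page, used as the policy to check against.
EXPECTED_MEMBERS = {
    "GS-Print-Home": {"A.Korff", "F.Korff", "H.Korff", "L.Korff", "M.Korff", "R.Korff"},
    "GS-Print-Lager": {"A.Korff", "J.Placzek", "K.Ekelt"},
    "GS-Print-Admin": {"A.Korff"},
}

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.DOTALL | re.IGNORECASE)
REQUIRE_RE = re.compile(r"^\s*Require\s+user\s+(.+?)\s*$", re.MULTILINE | re.IGNORECASE)


def parse_queue_acls(conf: str) -> dict:
    """Map each Location path to the groups named by its 'Require user @<group>' lines."""
    acls = {}
    for path, body in LOCATION_RE.findall(conf):
        groups = []
        for m in REQUIRE_RE.finditer(body):
            groups.extend(tok[1:] for tok in m.group(1).split() if tok.startswith("@"))
        acls[path] = groups
    return acls


def parse_getent(text: str) -> dict:
    """Map group name -> member set from 'name:*:gid:m1,m2,...' lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def expected_status(acls: dict, groups: dict, path: str, user: Optional[str]) -> int:
    """403 for anonymous or non-members of a protected path, 200 for members (the page's matrix)."""
    required = acls.get(path)
    if required is None:
        return 200  # no Location block: nothing restricts this path in this model
    if user is None:
        return 403
    # Assumption of this model: member names are compared case-insensitively.
    for group in required:
        if user.casefold() in {m.casefold() for m in groups.get(group, set())}:
            return 200
    return 403


def check_membership_policy(groups: dict, expected: dict) -> list:
    """Return one finding per group whose live members differ from the policy table."""
    findings = []
    for group, want in expected.items():
        have = groups.get(group, set())
        if have - want:
            findings.append(f"{group}: unexpected members {sorted(have - want)}")
        if want - have:
            findings.append(f"{group}: missing members {sorted(want - have)}")
    return findings


if __name__ == "__main__":
    acls = parse_queue_acls(SAMPLE_CUPSD_CONF)
    groups = parse_getent(SAMPLE_GETENT)
    probes = [("/printers/PI-IO-01", None), ("/printers/PI-IO-01", "A.Korff"), ("/printers/PI-IO-01", "J.Placzek")]
    for path, user in probes:
        print(path, user or "anonymous", "->", expected_status(acls, groups, path, user))
    print("policy findings:", check_membership_policy(groups, EXPECTED_MEMBERS) or "none")
```

Feed it the real `cat /opt/cups/data/etc/cupsd.conf` and the `getent group` output from the container; a non-empty findings list, or a predicted status that differs from what the curl probes return, points at group drift in AD, nslcd cache lag, or a Location block that does not match the queue name.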
The CUPS error log (docker exec cups tail -f /var/log/cups/error_log) shows pam_authenticate() returned 7 (Authentication failure) for bad passwords, which proves the PAM->LDAP path is live.
## Failure modes

| Failure | Effect | Mitigation |
|---|---|---|
| AD/DC unreachable (VPN drop, DC down) | New auth requests fail; nslcd returns no users/groups | Print server effectively offline. Cached nslcd entries (TTL 10 min by default) keep recently-active users working briefly. Fix: restore VPN / DC. |
| nslcd config drift | All auth fails (HTTP 403) | `docker exec cups cat /etc/nslcd.conf` to confirm LDAP_URI/LDAP_BIND_DN/LDAP_DOMAIN_SID rendered correctly. Restart container to re-template. |
| Bind password rotated in AD without updating /opt/cups/data/secrets/ldap_bind_pw | nslcd cannot bind, all auth fails | Resync the secret file from .secrets/credentials.env (AD__LDAP_ACCOUNT__PASSWORD), chmod 0400, restart cups. |
| User in correct group but still rejected | Likely nslcd cache lag or PAM ordering issue | `docker restart cups` forces a cold cache. Check error_log for the actual pam_authenticate return code. |
| HM-EDGE Traefik / Authentik outpost down | Public host https://cups.blackreset.com unreachable, but direct LAN at http://10.100.100.102:631 keeps working | Use direct IP for emergency printing; restore EDGE separately. |
CUPS itself does not have a "fall back to local users" toggle once Require user @<group> is set -- the group must resolve. The pam-cups stack does fall back to pam_unix.so for password verification of local accounts (root etc.), but the Location ACL still requires the user to be in the AD group, so local accounts cannot print to the protected queues.
## Files

| Path | Purpose |
|---|---|
| tools/stacks/cups/Dockerfile | Custom image build (adds nslcd + pam_ldap + entrypoint) |
| tools/stacks/cups/nslcd.conf.tmpl | nslcd config template (env-substituted at container start) |
| tools/stacks/cups/pam-cups | PAM service stack for the cups service |
| tools/stacks/cups/entrypoint-cups-ldap.sh | Renders config + starts nslcd + execs cupsd |
| tools/stacks/cups/compose.yml | Compose file (env vars + secret + bind mounts) |
| tools/dc-create-print-groups.ps1 | Idempotent AD-group + membership creation on VM-DC-01 |
| tools/patch-cups-acl.py | Idempotent patch for /opt/cups/data/etc/cupsd.conf |
| /opt/cups/data/etc/cupsd.conf (on VM) | Live CUPS config (per-printer Location blocks live here) |
| /opt/cups/data/secrets/ldap_bind_pw (on VM) | Bind password (mode 0400, owner root); mirrors AD__LDAP_ACCOUNT__PASSWORD from .secrets/credentials.env |
## Conventions and related pages

- Follows the /opt/<service>/{compose.yml,.env,data/} convention.
- Image: harbor.blackreset.com/blackreset/<repo>:<tag> (native push, not the broken docker.io proxy).
- Container name: cups.
- /policies/identity → /access/identity-policy (the page lives under /access/).
- /policies/compose-layout and /policies/image-registry do not yet exist as wiki pages; planned for the 2026-05-04 cleanup. For now the content is in memory/policy_compose_layout.md + memory/policy_image_registry.md.
- /vms/vm-hm-svc-prod-01 has been valid since 2026-05-04.