Local CUPS to Remote CUPS: Authenticated Printing on Ubuntu
In Network Printing Architecture and Ubuntu Categories, connecting a local CUPS instance to a remote server with a username and password requires a shift from "browsing" to "direct polling." While cups-browsed is great for open networks, authenticated environments require explicit IPP (Internet Printing Protocol) configurations.
1. The Server-Side Requirement
Before the local client can connect, the remote Ubuntu server must be configured to accept and challenge remote requests. This is handled in /etc/cups/cupsd.conf.
- Ensure Listening: The server must listen on the network interface, not just
localhost. (e.g.,Port 631). - Set AuthType: Within the
<Location />and<Location /printers>blocks, ensureAuthType DefaultorAuthType Basicis set. - Requirement: Ensure
Require valid-useris present to trigger the password prompt on the client side.
2. Local Client Configuration (The "ipp://" URI)
On the local Ubuntu machine, do not let the system "find" the printer automatically. Instead, add it manually using a URI that includes the authentication intent. Use the lpadmin tool for the most reliable setup in 2026:
sudo lpadmin -p "Remote_Printer_Name" \
-v "ipp://username@remote-server-ip:631/printers/printer_queue_name" \
-E -m everywhereNote: By putting username@ in the URI, you signal to the local CUPS daemon that it must negotiate credentials for this specific queue.
3. Handling the "Held for Authentication" Error
If your jobs get stuck in the local queue, it is often because the local CUPS doesn't know where to get the password. In Ubuntu 24.04+, you can store these credentials in the local /etc/cups/client.conf or the user-specific ~/.cups/client.conf.
| Method | Configuration Change | Best For |
|---|---|---|
| Global User | Add User [username] to /etc/cups/client.conf |
Single-user workstations. |
| Environment Variable | export CUPS_USER=[username] in .bashrc |
Temporary or scripted sessions. |
| Device URI Auth | AuthInfoRequired username,password in printers.conf |
Forcing a popup prompt in the GUI. |
4. Polling with cups-browsed (The Professional Method)
If you have many printers on the remote server, adding them one-by-one is inefficient. Use the BrowsePoll directive in /etc/cups/cups-browsed.conf to automatically sync the entire list while maintaining the authentication layer.
- Edit
/etc/cups/cups-browsed.conf. - Add:
BrowsePoll remote-server-ip:631. - Restart the service:
sudo systemctl restart cups-browsed.
5. Security: Encrypting the Password (IPPS)
Sending a password over standard ipp:// (Port 631) sends it in Plaintext. In 2026, this is a major security risk. You should always use IPPS (IPP over TLS) for authenticated remote printing.
- Change the URI: Use
ipps://instead ofipp://. - Certificate Handling: Ensure the remote server has a valid SSL certificate (self-signed is okay, but the client must trust it) located in
/etc/cups/ssl/.
Conclusion
Configuring Local CUPS to Remote CUPS on Ubuntu requires moving past simple discovery. By explicitly defining your AuthType on the server and using authenticated URIs or cups-browsed polling on the client, you can eliminate "Forbidden" errors and "Held" jobs. As Search Engine Optimize efforts for 2026 highlight, the transition to IPPS for all authenticated traffic is now the industry standard for secure Linux printing.
Keywords
local cups to remote cups authentication ubuntu, fix held for authentication cups ubuntu 24.04, cups remote printing password prompt, ipp everywhere authenticated printing, cups-browsed browsepoll guide 2026, setup authenticated printer ubuntu server, cupsd.conf allow remote admin, ipps vs ipp for authenticated printing.
