In my network, there are multiple printers over many locations, all connected to a single CUPS server via whatever protocols they require. Client machines on the network need to print to the printers near them, segregated by location, but each client shouldn't see every printer on the network.
Ideally, each client wouldn't need to run a CUPS spooler of their own, but instead just connect directly to the main print server. This would also allow for different authentication types, such as Kerberos, to facilitate single sign on to the print queue. However, adding the print server as the remote server in clients.conf shows all the printers on the print server, not just the ones relevant for that client.
It seems there is no way to get Kerberos authentication working over a standard IPP queue, so the current architecture uses the Samba printing backend that forwards the request to CUPS on the print server. Although this supports the single sign on authentication via Kerberos, it is messy and requires that clients have the PPD for the printer.
My question is this: is there any way to get a subset of printers on a print server shown to a client, or failing that, is there any way to get Kerberos (Negotiate) authentication working over a standard IPP connection?
