This section discusses various solutions to the "authentication problem" in recipe style. The aim is not to provide detailed step by step instructions, but rather guide the user to the relevant procedures and chapters in other parts of the manual.
This scenario arises either when users log into systems using a common username such
as user
or student
, or if the workstations
auto-login as a generic user. See introduction for details.
Ensure all users have an account (username and password) on the server (or domain) hosting the PaperCut MF software.
Install client software on all systems. See the section called “User Client” for more detail.
Enable popup authentication by selecting the Unauthenticated option on the corresponding generic user account.
See the section called “Popup Authentication” for more detail.
Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.
Consider implementing domain level logins.
Portable systems may spend most of their time outside the organization's network and hence setting up domain authentication may not be desirable. The laptops/notebooks are often owned by a single individual and are not under the control of a central administrator.
Use popup authentication or hold/release queues as discussed in the section called “Handling Unauthenticated (non-domain) Laptops”.
If using a version of Windows that can authenticate with a domain (i.e. not the Windows Home editions), then the laptop can be configured to authenticate with the network as follows.
Teach the user how add their domain username and password to their Stored usernames and passwords:
→ →
Select the user's laptop login account
Click Manage my network passwords
Click
Enter the name of the server and the user's network domain username and password
Teach the user how to add a network printer in the form \\server\printer
.
Optional: Locally install client software using the
client-local-install.exe
install program. This is located on the
\\Server\PCClient\win
share. At the end of the install process
the client will open asking the user to confirm their network identity.
See the section called “User Client” for more detail.
Add a generic "LaptopUser", or "guest" user account to the domain. Make the password
known to all users (e.g. password
).
Set the unauthenticated option on this user (enable popup authentication).
Locally install client software using the
client-local-install.exe
install program. This is located on the
\\Server\PCClient\win
share. At the end of the install process
the client will open asking the user to confirm their network identity.
See the section called “User Client Options” for details.
Teach the user how to add a network printer pointing to
\\server\printer
.
See the preceding scenario for more detail.
The Microsoft Windows operating system does not play well in non Active Directory domain environments such as LDAP or eDirectory. Although it is possible to configure a Windows print server on any network, Windows does not normally provide the ability to use LDAP as an authentication source. Jobs will either list under a local Windows user identity or a guest account. PaperCut MF's popup authentication, bound to LDAP, can be used to work around this limitation.
Set up the Windows server and install and share printers.
Set printer permission to allow printing from a general "guest" type account. This
will usually take the form of the built-in guest account, or a local account with a
known username and password (e.g. printuser
).
Configure printers on each workstation. Ensure all workstation users can print and jobs list in the print queue under the guest account configured in the previous step.
Install the PaperCut MF software. Select the LDAP server as your user/group source. PaperCut MF will then use this source for the user list and authentication. See the section called “Using LDAP for user synchronization” for more information about LDAP.
Set the Unauthenticated option on each printer (print queue). This will enable popup authentication. See the section called “Popup Authentication” for more information.
Install client software. See the section called “User Client” for more detail.
Mac OS X workstations in a lab environment are often set up so users log in using a common, generic, or standard account. For example, "macuser" or "student".
Install client software. See the section called “User Client” for more detail.
Add a domain/network user account that matches the generic login account (i.e. "macuser"). This ensures that account will list in PaperCut MF.
Set the Unauthenticated option on the "macuser" account.
Add the printer(s) so jobs list under the "macuser" account.
If the print queues are hosted on Windows, add the printer using Samba.
(e.g. A DeviceURI
like
smb://macuser:password@servername/printer
).
See Chapter 25, Mac Printing in Detail for an explanation on how to
add a printer using this method.
Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.
Consider setting up domain-level authentication.
Mac systems can be configured to authenticate users via a central Mac OS X server running Open Directory. Each user has their own login account.
Set up print queues on the Mac OS X Server.
Set up PaperCut MF on the server either as a primary server, or as a secondary server reporting to another primary server (either Mac, Linux or a Windows system). See Chapter 2, Installation.
Add printers to each Mac workstation. Ensure the local printers point to the shared print queue set up on the server.
Optional: Install client software as discussed in the section called “User Client”.
Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.
Set up print queues on a Windows system and use popup authentication - see next recipe.
Mac systems can be configured so users log in using their Windows Active Directory domain username and password. The Mac Windows printer support using Samba/SMB however requires printers to be added using a single username and password and this is shared by all users. For this reason an extra layer of authentication is required.
Host printers and the PaperCut MF system on the Windows server.
Ensure the print server is running in Mixed mode or
Pre-Windows 2000 Compatibility Mode. Macs currently
have problems with Native Mode
networks.
Add a domain/network user account that matches the generic login account
(i.e. "macuser"). This ensures that the macuser
account
will appear in PaperCut MF's user list.
In PaperCut MF, turn on the Unauthenticated option on the "macuser" account to enable popup authentication. Also ensure that the account has zero balance and is restricted.
Add the printer(s) so jobs list under the "macuser" account.
If the print queues are hosted on Windows, add the printer using Samba.
(e.g. A DeviceURI
like
smb://macuser:password@servername/printer
).
See Chapter 25, Mac Printing in Detail for an explanation on how to
add a printer using this method.
Install client software as discussed in the section called “User Client”.
Use LPR as a connection method. See the section called “Scenario Three: Multi-user Macs using LDAP or Active Directory authentication” in detail.
Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.
Host printers on a Mac Server (see the previous recipe).
Mac systems that are owned/used by a single user can benefit from having the printers added in such a way in that they automatically authenticate under their identity.
Teach users how to add printers using the method described in the section called “Scenario One: My Own Mac (Single User)”.
Use popup authentication or hold/release queues as discussed in the section called “Handling Unauthenticated (non-domain) Laptops”.
Linux workstations typically use the CUPS print system. CUPS, through the use of Samba, can print directly to Windows print queues.
Ensure the system is configured to deny remote shell access to standard users - that is, only allow direct screen/console access. This ensures the system's IP address can be associated with a single user providing a suitable environment for popup authentication.
Ensure the print server is running in Mixed mode or
Pre-Windows 2000 Compatibility Mode. Some Linux distributions
currently have problems with Native Mode
networks.
Add a domain/network user account that matches the generic login account (i.e. "linuxuser"). This ensures the "linuxuser" account will appear PaperCut MF's user list.
In PaperCut MF, turn on the Unauthenticated option on the "linuxuser" account to enable popup authentication. Also ensure that the account has zero balance and is restricted.
Add the printer(s) so jobs list under the "linuxuser" account.
If the print queues are hosted on Windows, add the printer using Samba.
(e.g. A DeviceURI
like
smb://linuxuser:password@servername/printer
).
Please refer to the CUPS or distribution documentation to read more
how to add a CUPS printer using an smb
backend.
Install client software as discussed in Chapter the section called “Deployment on Linux and Unix”.
If users login to the workstations using a username that matches their Active Directory password,
no additional client configuration is required. If users log in using a generic or non-matching
account, use command-line options or the config.properties
file to force the
client to display under the user's domain identity. See the section called “User Client Options” for
more information.
Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.
Host printers on a CUPS server running on Linux.
Install "Print Services for Unix on the Windows server" and use a LPR rather than CUPS (or CUPS with an LPR backend).
Many network administrators running Linux labs may be most comfortable hosting the printers on a Linux server running CUPS. For convenience, CUPS is set up without authentication.
Set up CUPS print queues on a Linux server.
Ensure each user has an account on this system (or the domain depending on PaperCut MF's selected user list source)
Set up PaperCut MF on the server either as a primary server, or as a secondary server reporting to another primary server (either Mac, Linux or a Windows system). See Chapter 2, Installation.
Set the Unauthenticated option on each printer (print queue). This will enable popup authentication. See the section called “Popup Authentication”.
Ensure the system is configured to deny remote shell access to standard users - that is, only allow direct screen/console access. This ensures the system's IP address can be associated with a single user providing a suitable environment for popup authentication.
Install client software as discussed in the section called “User Client”.
Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.
Use CUPS Authentication.
Modern Linux laptops will make use of the CUPS print system. This environment is equivalent to the Mac laptop recipes described above.
Unix or Linux systems allowing remote SSH, Telnet, VNC, or X connections differ from the other scenarios discussed above. These systems can not use the popup authentication as it is not possible to uniquely identify a user from the system's IP address. The only secure option is to use the release station.
Setup PaperCut MF on your preferred server - this does not need to be the multiuser terminal system itself. It could be another Windows or Linux server.
Ensure PaperCut MF sources its user list from the same source as that used by the multiuser terminal server - most likely an LDAP server.
Enable the release station option on all printers that will be accessed via users of the multiuser terminal system. Important: Enabling the release station option may be incompatible with objectives of other operating systems so it may be appropriate to set up a separate set of print queues. See Further Recommendations below for more detail.
Set up a release station. This commonly takes the form of a dedicated terminal located near the printers, however other options worth considering using the PaperCut MF end-user web interface to release jobs, or the release station command-line client. See Chapter 10, Hold/Release Queues & Print Release Stations for details.
Instruct users on how to use the release station.
Decide on an authentication method and use it consistently throughout the organization and network. For example, using popup authentication on some systems and release stations on others may be confusing for users. Try to offer a consistent user experience.
Where possible, configure workstations to communicate with the server using the server's native print protocol. For example, use SMB or standard Windows printing when printing to a Windows server, and Internet Printing Protocol (IPP) when printing to a CUPS server. Servers are most reliable when talking their own language!
Consider the scope of any configuration change. For example, enabling popup authentication or release station on a print queue will affect ALL users of that printer. For example it may be desirable to ask Linux users to use the release station, however this may be regarded as an inconvenience for Windows users. In these cases, it may be advantageous to set up two print queues for each physical printer - the first queue without release station enabled for Windows users and the other with the release station option enabled for Linux users.
© Copyright 1999-2010. PaperCut Software International Pty Ltd. All rights reserved.