The Authentication Cookbook - Recipes by example

This section discusses various solutions to the "authentication problem" in recipe style. The aim is not to provide detailed step-by-step instructions, but rather to guide the user to the relevant procedures and chapters in other parts of the manual.

Windows systems with generic logins

This scenario arises either when users log into systems using a common username such as user or student, or if the workstations auto-login as a generic user. See introduction for details.

Preferred Method:

Other Methods:

  1. Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.

  2. Consider implementing domain level logins.

Windows laptops that do not authenticate against a domain

Portable systems may spend most of their time outside the organization's network and hence setting up domain authentication may not be desirable. The laptops/notebooks are often owned by a single individual and are not under the control of a central administrator.

Preferred Method:

Use popup authentication or hold/release queues as discussed in the section called “Handling Unauthenticated (non-domain) Laptops”.

Alternate Method 1:

If using a version of Windows that can authenticate with a domain (i.e. not the Windows Home editions), then the laptop can be configured to authenticate with the network as follows.

  • Teach the user how to add their domain username and password to their Stored usernames and passwords:

    1. Start → Control Panel → User Accounts

    2. Select the user's laptop login account

    3. Click Manage my network passwords

    4. Click Add

    5. Enter the name of the server and the user's network domain username and password

  • Teach the user how to add a network printer in the form \\server\printer.

  • Optional: Locally install client software using the client-local-install.exe install program. This is located on the \\Server\PCClient\win share. At the end of the install process the client will open asking the user to confirm their network identity. See the section called “User Client” for more detail.

Alternate Method 2:

  • Add a generic "LaptopUser", or "guest" user account to the domain. Make the password known to all users (e.g. password).

  • Set the unauthenticated option on this user (enable popup authentication).

  • Locally install client software using the client-local-install.exe install program. This is located on the \\Server\PCClient\win share. At the end of the install process the client will open asking the user to confirm their network identity. See the section called “User Client Options” for details.

  • Teach the user how to add a network printer pointing to \\server\printer.

  • See the preceding scenario for more detail.

Windows print server using LDAP or eDirectory authentication

The Microsoft Windows operating system does not play well in non-Active Directory domain environments such as LDAP or eDirectory. Although it is possible to configure a Windows print server on any network, Windows does not normally provide the ability to use LDAP as an authentication source. Jobs will either list under a local Windows user identity or a guest account. PaperCut MF's popup authentication, bound to LDAP, can be used to work around this limitation.

Preferred Method:

  • Set up the Windows server and install and share printers.

  • Set printer permission to allow printing from a general "guest" type account. This will usually take the form of the built-in guest account, or a local account with a known username and password (e.g. printuser).

  • Configure printers on each workstation. Ensure all workstation users can print and jobs list in the print queue under the guest account configured in the previous step.

  • Install the PaperCut MF software. Select the LDAP server as your user/group source. PaperCut MF will then use this source for the user list and authentication. See the section called “Using LDAP for user synchronization” for more information about LDAP.

  • Set the Unauthenticated option on each printer (print queue). This will enable popup authentication. See the section called “Popup Authentication” for more information.

  • Install client software. See the section called “User Client” for more detail.

Other Methods:

Mac OS X systems with generic user accounts

Mac OS X workstations in a lab environment are often set up so users log in using a common, generic, or standard account. For example, "macuser" or "student".

Preferred Method:

  • Install client software. See the section called “User Client” for more detail.

  • Add a domain/network user account that matches the generic login account (i.e. "macuser"). This ensures that the account will be listed in PaperCut MF.

  • Set the Unauthenticated option on the "macuser" account.

  • Add the printer(s) so jobs list under the "macuser" account. If the print queues are hosted on Windows, add the printer using Samba. (e.g. A DeviceURI like smb://macuser:password@servername/printer). See Chapter 25, Mac Printing in Detail for an explanation on how to add a printer using this method.

Other Methods:

  1. Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.

  2. Consider setting up domain-level authentication.

Mac OS X systems using domain authentication via Open Directory

Mac systems can be configured to authenticate users via a central Mac OS X server running Open Directory. Each user has their own login account.

Preferred Method:

  • Set up print queues on the Mac OS X Server.

  • Set up PaperCut MF on the server either as a primary server, or as a secondary server reporting to another primary server (either Mac, Linux or a Windows system). See Chapter 2, Installation.

  • Add printers to each Mac workstation. Ensure the local printers point to the shared print queue set up on the server.

  • Optional: Install client software as discussed in the section called “User Client”.

Other Methods:

  1. Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.

  2. Set up print queues on a Windows system and use popup authentication - see next recipe.

Mac OS X systems using domain authentication via Windows Active Directory

Mac systems can be configured so users log in using their Windows Active Directory domain username and password. The Mac Windows printer support using Samba/SMB however requires printers to be added using a single username and password and this is shared by all users. For this reason an extra layer of authentication is required.

Preferred Method:

  • Host printers and the PaperCut MF system on the Windows server.

  • Ensure the print server is running in Mixed mode or Pre-Windows 2000 Compatibility Mode. Macs currently have problems with Native Mode networks.

  • Add a domain/network user account that matches the generic login account (i.e. "macuser"). This ensures that the macuser account will appear in PaperCut MF's user list.

  • In PaperCut MF, turn on the Unauthenticated option on the "macuser" account to enable popup authentication. Also ensure that the account has zero balance and is restricted.

  • Add the printer(s) so jobs list under the "macuser" account. If the print queues are hosted on Windows, add the printer using Samba. (e.g. A DeviceURI like smb://macuser:password@servername/printer). See Chapter 25, Mac Printing in Detail for an explanation on how to add a printer using this method.

  • Install client software as discussed in the section called “User Client”.

Other Methods:

  1. Use LPR as a connection method. See the section called “Scenario Three: Multi-user Macs using LDAP or Active Directory authentication” for details.

  2. Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.

  3. Host printers on a Mac Server (see the previous recipe).

Mac OS X laptops (or single user systems) printing to Windows print queues

Mac systems that are owned/used by a single user can benefit from having the printers added in such a way that they automatically authenticate under their identity.

Preferred Method:

Other Methods:

  1. Locally install client software using the client-local-install program located in the directory [app-path]/client/mac. This install script will cause the client to display a popup asking them to confirm their network identity (via username/password).

Linux Workstations in a lab environment with printers hosted on a Windows server

Linux workstations typically use the CUPS print system. CUPS, through the use of Samba, can print directly to Windows print queues.

Preferred Method:

  • Ensure the system is configured to deny remote shell access to standard users - that is, only allow direct screen/console access. This ensures the system's IP address can be associated with a single user providing a suitable environment for popup authentication.

  • Ensure the print server is running in Mixed mode or Pre-Windows 2000 Compatibility Mode. Some Linux distributions currently have problems with Native Mode networks.

  • Add a domain/network user account that matches the generic login account (i.e. "linuxuser"). This ensures the "linuxuser" account will appear in PaperCut MF's user list.

  • In PaperCut MF, turn on the Unauthenticated option on the "linuxuser" account to enable popup authentication. Also ensure that the account has zero balance and is restricted.

  • Add the printer(s) so jobs list under the "linuxuser" account. If the print queues are hosted on Windows, add the printer using Samba. (e.g. A DeviceURI like smb://linuxuser:password@servername/printer). Please refer to the CUPS or distribution documentation to read more about how to add a CUPS printer using an smb backend.

  • Install client software as discussed in the section called “Deployment on Linux and Unix”. If users log in to the workstations using a username that matches their Active Directory username, no additional client configuration is required. If users log in using a generic or non-matching account, use command-line options or the config.properties file to force the client to display under the user's domain identity. See the section called “User Client Options” for more information.
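
A check for the step above that adds printers so jobs list under the generic account, as an added example that is not part of the PaperCut manual. It reads a file in CUPS printers.conf layout (usually /etc/cups/printers.conf, readable by root) and reports which smb:// queues are not bound to the expected account; the queue names, hosts and the audit_smb_queues function are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that every smb:// queue prints as the generic account
# that has the Unauthenticated option set, so popup authentication applies.

# Constructed sample in CUPS printers.conf layout (names and hosts are made up).
sample_printers_conf() {
cat <<'EOF'
<Printer lab-laser>
DeviceURI smb://linuxuser:password@servername/printer
State Idle
</Printer>
<Printer staff-colour>
DeviceURI smb://jsmith:example@servername/colour
</Printer>
<DefaultPrinter plotter>
DeviceURI smb://servername/plotter
</DefaultPrinter>
<Printer local-usb>
DeviceURI usb://Vendor/Model
</Printer>
EOF
}

# Usage: audit_smb_queues EXPECTED_USER < printers.conf
# Prints "<queue> <user> <verdict>" per smb:// queue; passwords are never printed.
audit_smb_queues() {
  awk -v want="$1" '
    /^<(Default)?Printer / { queue = $2; sub(/>$/, "", queue) }
    $1 == "DeviceURI" && $2 ~ /^smb:\/\// {
      authority = substr($2, 7)                 # drop the "smb://" prefix
      slash = index(authority, "/")
      if (slash > 0) authority = substr(authority, 1, slash - 1)
      user = "-"
      if (authority ~ /@/) {
        user = authority
        sub(/@[^@]*$/, "", user)                # keep userinfo before the last "@"
        sub(/:.*$/, "", user)                   # drop the password part
      }
      if (user == want)      verdict = "OK"
      else if (user == "-")  verdict = "NO_CREDENTIALS"
      else                   verdict = "WRONG_ACCOUNT"
      print queue, user, verdict
    }
  '
}

sample_printers_conf | audit_smb_queues linuxuser
# On a workstation (as root): audit_smb_queues linuxuser < /etc/cups/printers.conf
```

A queue reported as WRONG_ACCOUNT or NO_CREDENTIALS submits jobs under some identity other than the generic account, so those jobs will not list under the account configured in the steps above.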

Other Methods:

  1. Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.

  2. Host printers on a CUPS server running on Linux.

  3. Install "Print Services for Unix" on the Windows server and use LPR rather than CUPS (or CUPS with an LPR backend).

Linux Workstations in a lab environment with printers hosted on Linux CUPS server

Many network administrators running Linux labs may be most comfortable hosting the printers on a Linux server running CUPS. For convenience, CUPS is set up without authentication.

Preferred Method:

  • Set up CUPS print queues on a Linux server.

  • Ensure each user has an account on this system (or the domain, depending on PaperCut MF's selected user list source).

  • Set up PaperCut MF on the server either as a primary server, or as a secondary server reporting to another primary server (either Mac, Linux or a Windows system). See Chapter 2, Installation.

  • Set the Unauthenticated option on each printer (print queue). This will enable popup authentication. See the section called “Popup Authentication”.

  • Ensure the system is configured to deny remote shell access to standard users - that is, only allow direct screen/console access. This ensures the system's IP address can be associated with a single user providing a suitable environment for popup authentication.

  • Install client software as discussed in the section called “User Client”.

Other Methods:

  1. Use standard release station in "Release Any" mode, or the end-user web release station configured to allow users to release any jobs. See Chapter 10, Hold/Release Queues & Print Release Stations.

  2. Use CUPS Authentication.

Linux laptops (or single user systems)

Modern Linux laptops will make use of the CUPS print system. This environment is equivalent to the Mac laptop recipes described above.

Multiuser Unix terminal servers

Unix or Linux systems allowing remote SSH, Telnet, VNC, or X connections differ from the other scenarios discussed above. These systems cannot use popup authentication as it is not possible to uniquely identify a user from the system's IP address. The only secure option is to use the release station.
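
The condition described here, and the "deny remote shell access" requirement in the Linux lab recipes, can be checked from the login sessions on a host. The following is an added example, not part of the PaperCut manual; the popup_auth_check function and both sample session lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this host's IP address identify exactly one user?
# Input is `who`-style output; both samples below are constructed.

sample_lab_workstation() {
cat <<'EOF'
alice    tty7         2024-05-01 08:55 (:0)
alice    pts/0        2024-05-01 08:56 (:0)
EOF
}

sample_terminal_server() {
cat <<'EOF'
alice    pts/0        2024-05-01 09:12 (10.0.0.21)
bob      pts/1        2024-05-01 09:14 (10.0.0.37)
carol    tty1         2024-05-01 07:30
EOF
}

# Prints POPUP_OK when at most one user is logged in and every session is
# local; otherwise POPUP_UNSAFE, meaning the host needs a release station.
popup_auth_check() {
  awk '
    {
      users[$1] = 1
      origin = ""
      # who shows the session origin, if any, as a final "(...)" field.
      if ($NF ~ /^\(.*\)$/) origin = substr($NF, 2, length($NF) - 2)
      # No origin, or an X display such as ":0", is a console session.
      # Anything else is counted as remote (conservative assumption).
      if (origin != "" && substr(origin, 1, 1) != ":") remote++
    }
    END {
      n = 0
      for (u in users) n++
      verdict = (n > 1 || remote > 0) ? "POPUP_UNSAFE" : "POPUP_OK"
      printf "%s users=%d remote_sessions=%d\n", verdict, n, remote
    }
  '
}

sample_lab_workstation | popup_auth_check
sample_terminal_server | popup_auth_check
# On a live host: who | popup_auth_check
```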

Preferred Method:

  • Set up PaperCut MF on your preferred server - this does not need to be the multiuser terminal system itself. It could be another Windows or Linux server.

  • Ensure PaperCut MF sources its user list from the same source as that used by the multiuser terminal server - most likely an LDAP server.

  • Enable the release station option on all printers that will be accessed by users of the multiuser terminal system. Important: Enabling the release station option may be incompatible with objectives of other operating systems so it may be appropriate to set up a separate set of print queues. See Further Recommendations below for more detail.

  • Set up a release station. This commonly takes the form of a dedicated terminal located near the printers; however, other options worth considering include using the PaperCut MF end-user web interface to release jobs, or the release station command-line client. See Chapter 10, Hold/Release Queues & Print Release Stations for details.

  • Instruct users on how to use the release station.

Other Methods:

  1. No alternate methods.

Further Recommendations

  1. Decide on an authentication method and use it consistently throughout the organization and network. For example, using popup authentication on some systems and release stations on others may be confusing for users. Try to offer a consistent user experience.

  2. Where possible, configure workstations to communicate with the server using the server's native print protocol. For example, use SMB or standard Windows printing when printing to a Windows server, and Internet Printing Protocol (IPP) when printing to a CUPS server. Servers are most reliable when talking their own language!

  3. Consider the scope of any configuration change. For example, enabling popup authentication or release station on a print queue will affect ALL users of that printer. It may be desirable to ask Linux users to use the release station; however, this may be regarded as an inconvenience for Windows users. In these cases, it may be advantageous to set up two print queues for each physical printer - the first queue without release station enabled for Windows users and the other with the release station option enabled for Linux users.