Windows hosted print queues
This section discusses printer configuration on Mac OS X workstations in environments where the print queues are hosted on a Windows operating system. See Mac hosted print queues for OS 10.8+ if your print queues are hosted on Mac OS 10.8+.
When a printer from a Windows environment is shared and added to a Mac system, Print and Scan requests printer access credentials in the form of username and password. Any user that prints to this printer uses these supplied credentials. This means that the administrator that added the printer to the workstation is the owner of all documents printed from the workstation irrespective of the current logged in user.
The ideal solution varies from network to network and depends on factors including:
- Your existing network configuration
- The mix and makeup of operating systems used on the network
- The underlying directory technologies (Active Directory, LDAP, etc.) if used
- Whether Macs are used by a single owner or multiple users
The following sections outline common set up scenarios and their pros and cons. Your solution might fit one of these scenarios or might be composed of a combination.
Scenario One: My own Mac (single user)
Many networks, particularly those in a business environment, have a dedicated desktop system for each user. This allows the desktop system's global settings to be customized for the user. Common examples include:
- Dedicated computers used in a business
- Staff laptops or desktops used in education
Requirements
- Printers hosted and shared from a Windows or Linux server.
- Mac systems used by a single user (or small group of known users).
- Each user has a domain account and password.
- The username associated with the account on the Mac matches the domain username (either the account used to log in, or the account set up as the automatic log in account).
- Running Mac OS X 10.8 or higher.
Installation
Check the user account information:
- Start up the Mac, log in as the local administrator, and ensure the system is connected to the network.
- Select System Preferences.
- Depending on your Mac OS version, select Accounts or Users and Groups.
- Click MyAccount. (Skip this step in Mac OS 10.8 and 10.9.)
- Ensure that the Short name associated with the account matches the user's domain account username. If not, create a new working account as appropriate.
Set up the printers
- Select System Preferences > Print and Scan.
- Click + to add a new printer.
- Control-click the toolbar; then select Customize Toolbar.
- Drag the Advanced icon onto the bar; then click Advanced.
- Select the Windows printer via spoolss device type.
- Enter a Device URL, such as: smb://username:password@server_name/printer_name
  - Tip: server_name is the name of the server hosting the printer, and printer_name is the printer's share name.
  - You might need to include the port in the Device URL: smb://server_name:139/printer_name
  - OS X can struggle with printer share names containing spaces. We recommend a share name without spaces.
- In Name, enter a friendly and informative printer name.
- Choose a driver for this printer by selecting Select Software from the list.
- Click Add.
- Test print and ensure jobs are logged in PaperCut MF as the correct user.
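The Device URL form above stores the account's username and password inside the queue definition, and every job sent through that queue is owned by that account. The following added example (not part of the PaperCut documentation) scans CUPS printers.conf text for Device URIs with embedded credentials, a space in the share name, or an explicit port. The sample content, queue names and finding labels are constructed; on a Mac the file is assumed to be /etc/cups/printers.conf, which needs administrator rights to read.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the layout of CUPS' printers.conf; the queue names,
# server, user and password are placeholders, not values from a real system.
SAMPLE_CONF = """\
<Printer Library_Mono>
DeviceURI smb://jsmith:PLACEHOLDER@printsrv/library_mono
</Printer>
<Printer Front_Office>
DeviceURI smb://printsrv:139/Front Office
</Printer>
<Printer Lab_Colour>
DeviceURI lpd://192.0.2.10/lab_colour
</Printer>
"""

def check_uri(uri):
    """Return a list of findings for one device URI; never echoes secrets."""
    parts = urlsplit(uri)
    findings = []
    if parts.password is not None:
        findings.append("embedded-password")
    elif parts.username is not None:
        findings.append("embedded-username")
    # The share name is the URI path; %20 is an encoded space.
    if " " in unquote(parts.path.lstrip("/")):
        findings.append("share-name-has-space")
    try:
        if parts.port is not None:
            findings.append(f"explicit-port-{parts.port}")
    except ValueError:  # non-numeric or out-of-range port
        findings.append("malformed-port")
    return findings

def audit_device_uris(conf_text):
    """Map each queue name in printers.conf text to its findings."""
    report, queue = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        start = re.match(r"<(?:Default)?Printer\s+(.+)>$", line)
        if start:
            queue = start.group(1)
            report[queue] = []
        elif line.startswith("DeviceURI ") and queue is not None:
            report[queue] = check_uri(line[len("DeviceURI "):])
    return report

if __name__ == "__main__":
    for name, findings in audit_device_uris(SAMPLE_CONF).items():
        print(name, findings or "ok")
```

A queue flagged embedded-password is one where the stored account, not the logged-in user, owns every job, so it is worth confirming that the stored account is the intended single user of that Mac.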
Install the PaperCut MF User Client software
- Open Finder; then select Go > Connect to Server.
- Enter smb://servername/pcclient where servername is the name of the server hosting PaperCut MF. If you are prompted for a username and password, this is a username that has access to connect to the SMB share on your Windows server.
- Drag the PCClient application across to the local Applications directory.
- Open System Preferences.
- Select Users & Groups.
- Click the Login items tab.
- Click +; then select the newly installed PCClient application. Select the PC Client check box when it is displayed.
- Restart the system and ensure the client starts upon login.
Tips and troubleshooting
- Get the user to log in to the Mac. Verify that the PCClient program starts automatically and shows the user’s balance.
- Print to the newly set up printer. On the server's print queue, ensure that the job is displayed under the correct username.
- Ensure that the print job successfully reaches the printer and that the user gets charged in PaperCut.
- Check that the balance has changed to reflect the new balance in the PCClient program.
Scenario Two: The multi-user Mac with popup authentication
Schools and universities often have Macs available for student use in dedicated computer labs. In these environments the Macs are shared by many users and Scenario One is not appropriate. Larger Mac networks already using LDAP or Active Directory authentication, or planning on doing so, might want to consider Scenario Three explained in the next section.
Scenario Two uses a popup authentication model. For more information, see Popup authentication.
The end user's perspective:
- The user sees the PCClient program running.
- When the user prints a job, the client pops up a window requesting the user to enter a username and password. See Popup authentication.
- The user enters a domain username and password.
- If the credentials are valid, the job is charged to the user account.
The explanation:
- The print event is performed as a generic user (for example, "macuser", "student", etc.).
- In PaperCut MF, the "macuser" account is set up to use popup authentication by enabling the option Unauthenticated user. See Popup authentication for further details.
- The popup requests the user to enter a username and password.
- The password is authenticated and printing is charged against the supplied account.
Requirements
- Printers are hosted and shared off a Windows, Mac or Linux server.
- The Mac systems are set up to log in under a generic account name (e.g. macuser, student, etc.).
- The domain contains a user account matching the generic account.
Installing the PaperCut MF User Client software
- Open Finder; then select Go > Connect to Server.
- Enter smb://servername/pcclient where servername is the name of the server hosting PaperCut MF. If you are prompted for a username and password, this is a username that has access to connect to the SMB share on your Windows server.
- Enter account details for an account able to connect to the SMB share if requested.
- Drag the PCClient application across to the local Applications directory.
- Command-click the newly copied PCClient application in the Applications directory. Select Open Package Contents.
- Navigate to Contents/Resources/.
- Double-click the install-login-hook.command script.
- Restart the system and ensure the client starts upon login.
Configure the popup settings
- Click the Users tab. The User List page is displayed.
- Select macuser.
- In the Account Details area, complete the following:
  - Balance: set the account balance to zero.
  - Select the Restricted check box.
- In the Advanced Options area, select the Unauthenticated user (enable popup authentication) check box.
- Click Apply.
If users log in to the Mac using their AD/LDAP username, you can eliminate the authentication popup by configuring the client as described in Popup authentication.
Tips and troubleshooting
- Get the user to log in to the Mac. Verify that the PCClient program starts automatically.
- Print to the newly set up printer. On the server's print queue, ensure that the job is displayed under the correct username.
- An authentication popup should display on the Mac. Enter a valid domain username and password.
- Charge the corresponding user for the job. Also check that the balance has changed to reflect the new balance in the PCClient program.
Scenario Three: Multi-user Macs using LDAP or Active Directory authentication
Larger networks often run the Macs in a domain environment either authenticating with an Active Directory or an LDAP network. In an authenticated domain environment, the identity of the user (the user's username) is known and verified at the time of log in. With the help of the TCP/IP Printing Services for Microsoft Windows, and the LPR/LPD support on the Mac, print jobs can be identified on the server and associated with the user's login name. This avoids the need for the popup authentication used in Scenario Two.
Using the LPR and IPP printing protocols on Windows print servers
LPR is a legacy protocol developed for UNIX that clients use to send print jobs to print servers. Microsoft has supported this protocol for a number of years via an add-on module called Print Services for UNIX (PSfU). Under certain conditions Windows LPD printers can cause issues when using PaperCut hold/release print queues. The information included here is to help customers understand the issue and document suggested workarounds.
The mechanism used by the Windows PSfU subsystem to accept LPR and IPP print jobs is different from other implementations in Windows, such as native SMB-based printers. In SMB the event notification to applications such as PaperCut is well behaved and reliable. Event notification for LPR and IPP based printing does not use the same set of underlying APIs, and under some conditions the PaperCut print monitoring layer receives notification after the print job has started. This means that some print jobs can start to print before the hold instruction is issued. Such a job is then suspended in a Paused Printing state (i.e. both paused and printing), and this results in all other jobs on that queue being held up by the paused job.
The symptoms are generally not consistent, suggesting an underlying race condition bug in Windows. Things that can affect the problem include:
- The number of processors/cores
- The current load on the print server
- The version and patch level of Windows
Because the issue is in the underlying Windows print subsystem, it is not possible for PaperCut to quickly implement a reliable solution and Microsoft is unlikely to implement a fix to this legacy subsystem. If a site does experience this issue there are some steps that can help alleviate or fix the issue.
- Use the SMB protocol for Windows based print server queues. Note that using SMB can place some constraints on how users authenticate and how anonymous users are able to print at your site. This is the recommended approach.
- Use two print queues. Queue A is virtual and queue B is the real queue attached to the physical printer. Users print to A using LPR and PaperCut can always place a hold on the print job. PaperCut then redirects the job to B on release. Managing virtual print queues is documented in section Find-Me printing and printer load balancing. Configure queue A to use a port with no printer (e.g. LPT1:) and keep it permanently paused (Printer > Pause Printing). The virtual queue configuration for A in PaperCut should forward jobs to B (setting Jobs may be redirected to these destination queues). If queue A is un-paused, the job will error; however, it can still be redirected as needed.
Requirements
- Macs set up in multi-user mode authenticating off a domain. Either Active Directory or LDAP.
- Printers hosted on a Windows print server.
- The server needs the TCP Printing Services installed (also known as Print Services for Unix).
Installation
On the server hosting the printers, set up TCP/IP Printing:
- Log in to the server as a system administrator.
- Select Control Panel > Add Remove Programs.
- Click Add/Remove Windows Components.
- Select Other Network File and Print Services.
- Click Details.
- Select Print Services for Unix.
- Click Next to complete the installation.
Some systems running firewall software can block LPD printing. On systems running firewall software, ensure that incoming connections from the local network are allowed on port 515.
On each Mac, add the required printers:
- Select Applications > Utilities.
- Open the Printer Setup Utility.
- Click + to add a new printer.
- Click the IP tab in the top toolbar.
- From the Protocol list, select Line Printer Daemon - LPD.
- In Address, enter the IP address of the server hosting the printers.
- In Queue, enter the printer's share name.
- In Name, define a user friendly name; then select the printer type.
- Click Add.
- Repeat for other printers as necessary.
Installing the PaperCut MF User Client software
- Open Finder; then select Go > Connect to Server.
- Enter smb://servername/pcclient where servername is the name of the server hosting PaperCut MF. If you are prompted for a username and password, this is a username that has access to connect to the SMB share on your Windows server.
- Enter account details for an account able to connect to the SMB share if requested.
- Drag the PCClient application across to the local Applications directory.
- Command-click the newly copied PCClient application in the Applications directory.
- Select Open Package Contents.
- Navigate to Contents/Resources/.
- Double-click the install-login-hook.command script.
- Restart the system and ensure the client starts upon login.
Tips and troubleshooting
- Restart the system and ensure the PCClient application starts on login and lists the user's account balance.
- Ensure print jobs correctly show in the PaperCut job logs under the user's PaperCut account.
- Charge the corresponding user for the job. Also check that the balance has changed to reflect the new balance in the PCClient program.
Additional information and tips
The client install process is also covered in User Client. After the first Mac is set up and the printing process is tested, provide the simplified client install notes covered in Deployment on Mac OS X to end users or other SysAdmins.
The PCClient client can accept command line options as explained in Configure the User Client using the command-line. If the client is started via the login hook, you can define the command-line options in the file:
/Applications/PCClient.app/Contents/Resources/login-hook-start
Look for the line starting with client_args and the associated comments above.