Quick install: Linux (CUPS and/or Samba)
The following section assumes knowledge of general Unix/Linux system management including using the command-line, creating users, editing configuration files and understanding file permissions.
Step 1: System requirements
Before proceeding with the installation the SysAdmin should take a few moments to verify system requirements.
Is the operating system version supported and are patches up-to-date? (see PaperCut MF System Requirements).
Are printer(s) installed and hosted on this system and are they exposed to the network either via CUPS or Samba? Administrators should ensure that the print queues are set up and working as expected before attempting to install PaperCut NG/MF.
In a multi-user environment, printers are often shared with other network users. Other workstations should connect to these printers as "Network Printers". Ensure workstations are configured to print to the shared print queues. For example, a Windows workstation can connect to a Samba-exposed printer via \\[samba_server]\[printer]. Other Linux or Mac workstations use IPP via CUPS.
Ensure that printers are configured correctly and work.
Step 2: Create the host user account and firewall settings
PaperCut NG/MF runs and installs under a non-privileged user account called "papercut". The installation location for the application is the papercut user's home directory. Create a user account on this system called papercut. This is usually done by logging in as root and using a user management GUI tool or at the command prompt entering:
shell> useradd -m -d /home/papercut papercut
The syntax for useradd and groupadd can differ slightly on different versions of Linux. They can also be called adduser and addgroup.
The user's home directory (the -d option) denotes the install location. /home/papercut is the recommended location. Administrators can, however, also consider alternate install locations depending on personal preference. Alternatives include:
These instructions assume the install location is /home/papercut. If an alternate home location is defined, some of the paths listed in subsequent sections will require modification.
Some Linux distributions impose strict resource usage limits on user accounts (ulimit). The papercut account is a special account used for hosting an application and needs to be granted sufficient resource limits, such as the ability to open many files. On systemd Linux distributions, this limit is automatically configured so you do not need to do anything. For other distributions, the methods of setting user-level ulimit levels vary, however, the common solution is to add the following line to /etc/security/limits.conf:
papercut - nofile 65535
Many Linux distributions have strict default firewall policies. PaperCut NG/MF uses TCP ports 9191 (for HTTP), 9192 (for HTTPS/SSL), 9193 (for Binary) and 9195 (for HTTPS/SSL on supported devices) and these ports must be open. Take some time now to ensure these ports are open. Consult your distribution documentation for details on how to open firewall TCP ports.
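The checks from Step 2 collected into a preflight script, added here as an example (it is not part of PaperCut's installer or documentation). The function names are hypothetical, and the firewall check assumes firewalld and reads only the default zone's port list via `firewall-cmd --list-ports`.

```shell
#!/bin/sh
# Added example: preflight for Step 2 (account, nofile limit, firewall ports).
# Function names are hypothetical; the firewall check assumes firewalld.

REQUIRED_PORTS="9191 9192 9193 9195"   # TCP ports named in this guide

# Print the soft "nofile" limit that a limits.conf-format file ($2) grants
# to user $1. Line format: <domain> <type> <item> <value>; type "-" sets
# soft and hard together. Wildcard and @group entries are not evaluated.
nofile_limit() {
    [ -r "$2" ] || return 0
    awk -v u="$1" '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == u && $3 == "nofile" && ($2 == "-" || $2 == "soft") { v = $4 }
        END { if (v != "") print v }
    ' "$2"
}

# Print every required port missing from a "firewall-cmd --list-ports"
# style list ($1), for example "9191/tcp 9192-9193/tcp". UDP is ignored.
missing_fw_ports() {
    for want in $REQUIRED_PORTS; do
        found=no
        for entry in $1; do
            case $entry in */tcp) ;; *) continue ;; esac
            spec=${entry%/tcp}
            lo=${spec%-*}      # start of range (or the single port)
            hi=${spec#*-}      # end of range (or the single port)
            case $lo in ''|*[!0-9]*) continue ;; esac
            case $hi in ''|*[!0-9]*) continue ;; esac
            if [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then found=yes; fi
        done
        [ "$found" = yes ] || printf '%s\n' "$want"
    done
}

preflight() {
    if id papercut >/dev/null 2>&1; then
        echo "OK   account papercut exists"
    else
        echo "FAIL account papercut is missing"
    fi
    lim=$(nofile_limit papercut /etc/security/limits.conf)
    if [ -n "$lim" ] && [ "$lim" -ge 65535 ] 2>/dev/null; then
        echo "OK   limits.conf grants papercut nofile=$lim"
    else
        echo "NOTE no papercut nofile entry >= 65535 (not needed on systemd distributions)"
    fi
    if command -v firewall-cmd >/dev/null 2>&1 && open=$(firewall-cmd --list-ports 2>/dev/null); then
        miss=$(missing_fw_ports "$open" | tr '\n' ' ')
        if [ -z "$miss" ]; then echo "OK   firewalld default zone lists $REQUIRED_PORTS"
        else echo "FAIL not in firewalld default zone port list: $miss"; fi
    else
        echo "NOTE firewalld not in use; verify TCP $REQUIRED_PORTS with your firewall's tools"
    fi
}

preflight
```

A port can also be opened through a firewalld service definition rather than the port list, so a FAIL line here means "check further", not "blocked".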
Step 3: Download and install PaperCut NG/MF
PaperCut NG/MF is supplied as a self-extracting and self-installing archive. The installation is performed as the newly created papercut user and installs to that user's home directory. Temporary root access is required for part of the install. Make sure the root password or sudo password is handy. For more detail about the install process including installing to a different location, see PaperCut NG/MF on Linux.
Log on as the newly created papercut user and download and execute the installer. You can execute the file from any directory.
shell> su - papercut
shell> wget [download url from PaperCut Software website]
shell> sh ./pcmf-setup-*-linux-*.sh
Follow the installation instructions and enter the root password when requested.
Ensure you log in as the user papercut so that the user's environment is sourced and the home directory (install location) is correctly defined.
The installation process takes between two and five minutes depending on the speed of the system. A system restart is not required but administrators are advised to perform installation on live production systems during periods of low activity, for example, not during backup operations or other administration activities.
Step 4: Run the Configuration Wizard
After installation, you are prompted to open a web browser at :
The configuration stages are explained below:
Complete the following fields:
Password—enter the master password for the main in-built admin account. This password is independent of the operating system or domain passwords. The password must be at least six characters.
TIP: Keep this password secure. If you forget your password, you can reset it. For more information, see Resetting the Admin Password.
Verify password—re-enter the password.
Location—select the system's physical location and language.
The Organization type screen is displayed.
This selection determines which system defaults are used.
Select your organization type.
Default cost for printing
The Default costs for printing screen is displayed.
For an education implementation, where users are charged for their printing, leave these values as zero during the implementation stage, otherwise, students will not be able to print as they cannot yet add credit to their account.
If required, you can change this setting after installation.
Complete the following fields:
Color (cost per page)—enter the default cost per page for color printing on all printers.
Grayscale (cost per page)—enter the default cost per page for grayscale printing on all printers.
Initial user credit (Education organization type only)
If you selected Education as the organization type, the Initial user credit screen is displayed.
If you selected Small/Medium Enterprise (SME) or Corporate, or Professional (Client Billing) as the organization type, go to step 5.
Complete the following fields:
Initial user credit—enter the amount of credit/quota each user will receive when the system is first enabled. You can change these settings after setup.
Deny access when users run out of credit/quota—select this check box to prevent users from printing when they run out of credit/quota.
TIP: If you are evaluating PaperCut NG/MF it might be appropriate not to disable printing when a user's funds run out. This way you can be assured that user printing is not disrupted during the evaluation.
The User/group synchronization screen is displayed.
PaperCut NG/MF extracts user information out of the system or domain.
To speed up the installation, you can click Skip this step and synchronize the users/groups later.
In User source, select the source of user account data:
Unix Standard (PAM, Local NetInfo, etc.)—if the user accounts are set up and defined on the local system as standard Unix accounts or mapped into the system from a central directory service such as LDAP via nsswitch.conf and PAM. Most large established networks use this option.
Samba—if the central user directory is a Windows Domain. The Samba option is available only if Samba is installed on the system. The Samba option is appropriate on medium to small networks currently operating in a Windows Domain environment.
Azure AD Secure LDAP—for organizations using Microsoft Azure AD Secure LDAP as a cloud based user directory service.
LDAP (Open Directory)—for large networks with existing Open Directory domains. This includes networks running Open LDAP and Windows domains running Active Directory. PaperCut NG/MF does its best to auto-discover LDAP settings, but some knowledge of LDAP and/or Open Directory is required.
Google Cloud Directory—for organizations using Google Cloud Directory as a cloud based user directory service.
Select one of the following options:
Import all users—import all domain user accounts.
Import users from selected groups—import a subset of users from a given group. This is useful when only a subset of users will use the printers.
For Samba, LDAP, and Azure AD Secure LDAP, the Server Details page is displayed.
For Google Cloud Directory, the Google Cloud Directory Details page is displayed.
Complete the following as required:
Samba
Complete the following fields:
Domain Server—The name of the Windows domain server.
Admin username—The username of the user who has permission to connect to and query the domain server. The username/password you specify here is an Admin user on your Windows domain that has permission to add machines to the domain.
Admin password—The password for the above user.
Click Test Samba Settings to test and confirm your settings before continuing.
Azure AD Secure LDAP
Complete the following fields:
LDAP Server Type—Determines which LDAP fields are used to get user and group information. PaperCut NG/MF supports the following server types:
Unix / Open Directory
Microsoft Active Directory
Novell eDirectory
However, it is easy to support other server types by adjusting the LDAP fields PaperCut NG/MF searches. For more information, see Advanced LDAP configuration.
LDAP Server Address—The hostname or IP address of the LDAP server.
Use SSL—Indicates if an encrypted SSL connection is used to connect to the LDAP server. The LDAP server requires SSL support to be enabled and should accept connections on the standard LDAPS port 636.
Base DN—The Base DN of the LDAP server. This is the equivalent of the "suffix" config setting of the OpenLDAP server. For example, if the domain hosted by the LDAP server is "domain.com", then the Base DN might be DC=domain,DC=com. The format of the Base DN can differ significantly depending on configuration. Some older Novell eDirectory installations require a blank Base DN to operate. Some examples:
Admin DN—The DN of the user who has permission to connect to and query the LDAP server. This is typically an administrative user, although it can be a user that only has read-only access to the LDAP server. An example of the DN of the Administrator user on a Windows AD domain "domain.com", would be CN=Administrator,CN=Users,DC=domain,DC=com. The exact format of the DN depends on the LDAP server. Some examples:
Windows Active Directory: CN=Administrator,CN=Users,DC=domain,DC=com
Windows Active Directory (in organizational unit):
Mac Open Directory: uid=diradmin,CN=users,DC=domain,DC=com
Unix Open LDAP: uid=root,DC=domain,DC=com, or uid=ldapadmin,DC=domain,DC=com
Novell eDirectory: CN=root,DC=domain,DC=com, or CN=ldapadmin,OU=users,DC=domain,DC=com.
The Admin DN and password are optional if your LDAP server allows anonymous binds for querying.
Admin password—The password for the above user.
TIP: Some LDAP servers are configured to allow 'anonymous' LDAP query access. In these situations, you can leave Admin DN and Admin password blank.
Click Test LDAP settings to test and confirm your settings before continuing.
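A way to sanity-check the LDAP values described above before typing them into the wizard, added here as an example (it is not PaperCut code and does not contact the LDAP server). The function names are hypothetical; the sample values are the guide's own domain.com examples, and the list of administrative account names is taken from the Admin DN examples above.

```shell
#!/bin/sh
# Added example: checks on LDAP wizard values before they are entered.
# Function names are hypothetical; sample values are the guide's own examples.

# domain.com -> DC=domain,DC=com (the Base DN form the guide describes)
base_dn_for() {
    printf 'DC=%s\n' "$1" | sed 's/\./,DC=/g'
}

# Lower-case a DN and drop spaces after commas so DNs can be compared.
norm_dn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/,[[:space:]]*/,/g'
}

# Succeeds when DN $1 is the Base DN $2 or sits below it. A blank Base DN
# (some older eDirectory installations) contains every DN.
dn_under_base() (
    dn=$(norm_dn "$1")
    base=$(norm_dn "$2")
    case $dn in
        "$base"|*,"$base") true ;;
        *) [ -z "$base" ] ;;
    esac
)

# lint_ldap USE_SSL DOMAIN BASE_DN ADMIN_DN: print one finding per line.
lint_ldap() {
    if [ "$(norm_dn "$3")" != "$(norm_dn "$(base_dn_for "$2")")" ]; then
        echo "INFO Base DN differs from $(base_dn_for "$2"); formats vary, confirm with the directory admin"
    fi
    if [ -z "$4" ]; then
        echo "INFO no Admin DN: sync works only if the server allows anonymous binds"
        return 0
    fi
    # With Use SSL cleared the connection is not encrypted (see Use SSL above).
    [ "$1" = yes ] || echo "WARN Use SSL is off: the Admin DN password is sent over an unencrypted connection"
    rdn=${4%%,*}                      # first component, e.g. CN=Administrator
    case $(norm_dn "${rdn#*=}") in
        administrator|root|diradmin|ldapadmin)
            echo "WARN Admin DN is an administrative account; a read-only account is sufficient" ;;
    esac
    dn_under_base "$4" "$3" || echo "INFO Admin DN is not below the Base DN; check both values"
    return 0
}

# The guide's Windows Active Directory example, with Use SSL cleared.
lint_ldap no domain.com "DC=domain,DC=com" "CN=Administrator,CN=Users,DC=domain,DC=com"
```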
Google Cloud Directory
Complete the following fields as required:
Accept self-signed certificate—Select this check box if you are using a self-signed certificate that does not need to be validated. If you are using a certificate signed by a trusted authority, clear this check box.
Azure LDAP External Address—Your LDAP external address copied above from Azure AD.
Base DN—Your Azure DNS Domain Name. This is the equivalent of the "suffix" config setting of the OpenLDAP server. For example, if the domain hosted by the LDAP server is "domain.com", then the Base DN might be DC=domain,DC=com. The format of the Base DN can differ significantly depending on configuration. Some older Novell eDirectory installations require a blank Base DN to operate. Some examples:
AAD DC Administrator username—The Azure Active Directory DC administrator username. For example, [email protected]
Admin password—The password for the above user.
Click Test Settings to test and confirm your settings before continuing.
Remember, this functionality is available for organizations using G Suite Education, G Suite Enterprise for Education, G Suite Enterprise, and Cloud Identity Premium.
IMPORTANT: Before you start, make sure you can log in to Google as a Super Admin.
Log in to admin.google.com using your Super Admin user login details. The Google Admin console is displayed.
Click the Apps tile. The Apps screen is displayed.
Click the LDAP tile. The LDAP screen is displayed.
Click ADD CLIENT.
Type a name for the LDAP client connection you’ll be configuring to use for PaperCut NG/MF (for example, "PaperCut MF"), and optionally type a description; then click CONTINUE. The Access permissions screen is displayed.
In the Verify user credentials section, select either:
Entire domain <domain name>
Selected organizational units; then click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)
In the Read user information section, select either
Entire domain <domain name>
Selected organizational units; then either click Copy from Verify user credentials or click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)
Depending on your organizational policies, tick all boxes for System attributes, Public custom attributes, and Private custom attributes as this will allow PaperCut to sync primary number and secondary number from custom fields of your choice stored under individual users as per your organization's schema on Google Cloud Directory. More details on this in Quick install: Linux (CUPS and/or Samba).
In the Read group information section, click the switch to set it to On; then click ADD LDAP CLIENT. Google displays a confirmation message and information about downloading the certificate.
On the same screen, click Download certificate; then save the downloaded certificate (which is a PDF file) in a secure location.
Click CONTINUE TO CLIENT DETAILS. The Settings for <LDAP client name> screen is displayed.
Click anywhere in the Service Status box. The Service Status screen is displayed.
Select On for everyone. The service status is updated for everyone.
This adds PaperCut NG/MF to the list of permitted LDAP clients. You can find more information about configuring access permissions from Google.
NOTE: The service status, displayed at the top right of the screen, is initially set to OFF.
NOTE: Depending on the size of your organization, it can take up to 24 hours for Google Cloud Directory changes to apply.
For more information on user/group synchronization on Linux, see PaperCut NG/MF on Linux.
User Client options (Professional Client Billing organization type only)
If you selected Professional (Client Billing), as the organization type, the User client options screen is displayed.
If you selected Education or Small/Medium Enterprise (SME) or Corporate, go to Confirm Setup steps.
Every print job must be charged to an account via the process of Account Selection. This may or may not require user interaction and is configured at the user level.
In environments where user interaction for Account Selection is required and the user has both options - User Client and printing device - running the User Client may be optional. Hence, deploying it immediately is also optional. If you choose not to deploy it now, you can still deploy it in the future. However, in environments where user interaction for Account Selection is required and can only be done via the User Client (and cannot be done at the printing device), running the User Client is mandatory. Hence, deploying it immediately is also mandatory. If not, the user is unable to carry out the configured user interaction for Account Selection, and the job remains paused in the print queue and does not appear on the printing device. The User Client can be deployed directly from a network share (which is automatically configured on Windows). There is also the option to install the software locally on each workstation, however, this is not usually recommended because it makes the process of updating the User Client more complicated. For more information about the Account Selection options with and without user interaction (via the User Client or printing device), see Shared accounts, User Client, and Allocating accounts to print jobs at the device.
Depending on the Account Selection configuration for users (whether or not user interaction is required and whether or not your environment caters for this on the User Client AND on the printing device), select an appropriate User Client deployment strategy:
Immediate implementation (Enable for all users)—the Account Selection option requiring user interaction is enabled for all users. If you have configured your users with Account Selection that requires user interaction, and this can only be done on the User Client (and cannot be done on the printing device), then you must install the User Client on all user desktops immediately to prevent disruption of user printing services. If in doubt, select the minimal impact strategy. This ensures the impact is isolated to only the nominated test account.
Minimal impact (Initial single user testing)—the Account Selection option requiring user interaction is enabled only for a single user for testing purposes. You need to nominate the testing account; this can be an existing system/domain account used for testing purposes or your own user account. The username should be in the format used to log in to the domain/system (usually the short form).
Depending on the environment, you can test the user interaction for Account Selection either on the User Client or on the printing device. The minimal impact strategy allows you to test Account Selection with user interaction using the nominated test system/domain user account, after which you can configure other users with similar Account Selection options.
Confirm setup options
The Confirm setup options screen is displayed.
Check the settings you have entered. If you want to change anything, you can return to any of the configuration screens to alter the options.
Click Confirm. The Initial user import screen is displayed.
After completing the configuration wizard you are presented with a user synchronization status screen, showing the progress and results of the setup.
Click Login to access the Admin web interface and begin familiarizing yourself with the options and features available. Take some time to explore, and refer back to the relevant sections of this manual as required.
Step 5: Check the printer configuration
Unlike Windows and Mac with single print system environments, Linux is a more complex environment with a choice of print system implementations. At this stage some manual printer configuration is required. See Linux print queue integration and follow the steps for integrating with the print queues in your environment before returning to this section and following on with the next step.
Printers hosted on a machine other than the PaperCut NG/MF server require additional installation steps to be configured as 'secondary' servers. See Configuring secondary print servers and locally attached printers for details.
Step 6: Share the User Client software
The PaperCut NG/MF client software is located in the directory [app-path]/client. It is useful to share this directory over the network so workstations can access/install the client application. Common sharing methods include:
Samba - used to share files to Windows based workstations. Mac OS X Server tools such as the Workgroup Manager or other 3rd party tools such as SharePoint can help with sharing the client directory via Samba. Similar GUI tools exist on Linux.
Advanced SysAdmins can share this directory by hand-editing the /etc/smb.conf file. The following configuration shares the directory in read-only form:
# share name; pcclient is used here as an example, any valid share name works
[pcclient]
path = /home/papercut/client
comment = PaperCut Client
public = yes
only guest = yes
read only = yes
NFS - a popular sharing method used for Linux/Unix based workstations.
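Because workstations run the client from the Samba share, it matters that no share exposing that directory is writable. The following check is an added example, not part of PaperCut or Samba: `writable_shares_for` is a hypothetical helper that reads an smb.conf-format file and reports writable shares whose path is the client directory or one of its parents. It assumes /etc/samba/smb.conf as a second common location besides the /etc/smb.conf named above.

```shell
#!/bin/sh
# Added example: find writable Samba shares that expose the client directory.
# writable_shares_for is a hypothetical helper; [global] defaults and
# "include" files are not evaluated (testparm -s shows the effective config).

# writable_shares_for FILE DIR: print the name of every share in FILE whose
# path is DIR or a parent of DIR and whose effective "read only" is off.
writable_shares_for() {
    awk -v dir="${2%/}" '
        # smb.conf ignores case and spaces in parameter names
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        function bool(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        function emit(   p) {
            if (share == "" || path == "" || ro) return
            p = path; sub(/\/+$/, "", p)
            if (dir == p || index(dir, p "/") == 1) print share
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            emit()
            share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            path = ""; ro = 1        # Samba default: read only = yes
            next
        }
        {
            eq = index($0, "="); if (!eq) next
            key = norm(substr($0, 1, eq - 1))
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            # writeable, writable and write ok are inverted synonyms of read only
            if (key == "path" || key == "directory") path = val
            else if (key == "readonly") ro = bool(val)
            else if (key == "writeable" || key == "writable" || key == "writeok") ro = !bool(val)
        }
        END { emit() }
    ' "$1"
}

# Audit whichever configuration file exists on this host.
for conf in /etc/smb.conf /etc/samba/smb.conf; do
    if [ -r "$conf" ]; then
        bad=$(writable_shares_for "$conf" /home/papercut/client)
        if [ -n "$bad" ]; then
            echo "$conf: writable share(s) expose the client directory: $bad"
        else
            echo "$conf: no writable share exposes /home/papercut/client"
        fi
    fi
done
```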
Step 7: Deployment for a Professional (Client Billing) installation
Every print job must be charged to an account via the process of Account Selection. This may or may not require user interaction and is configured at the user level. When Account Selection requires user interaction, then depending on your environment, the user can do so either on the User Client or on the printing device.
The User Client
In environments where user interaction for Account Selection is required and the user has both options - User Client and printing device - running the User Client may be optional. Hence, deploying it immediately is also optional. If you choose not to deploy it now, you can still deploy it in the future. However, in environments where user interaction for Account Selection is required and can only be done via the User Client (and cannot be done at the printing device), running the User Client is mandatory. Hence, deploying it immediately is also mandatory. If not, the user is unable to carry out the configured user interaction for Account Selection, and the job remains paused in the print queue and does not appear on the printing device. The User Client can be deployed directly from a network share (which is automatically configured on Windows). There is also the option to install the software locally on each workstation, however, this is not usually recommended because it makes the process of updating the User Client more complicated. For more information about the Account Selection options with and without user interaction (via the User Client or printing device), see Shared accounts, User Client, and Allocating accounts to print jobs at the device.
After deploying the User Client on user workstations (if required), you can configure users with the required Account Selection option (whether or not user interaction is required). For example, in a Professional (Client Billing) installation, users who print jobs for clients are often given the Advanced Account Selection option, however, other Account Selection options might be better suited for some users based on their job function.
You can configure the required Account Selection option on one user at a time or update for all users in bulk.
Use the User Details page to configure the required Account Selection option for a single user.
To configure the required Account Selection option for all users in bulk:
Click the Users tab.
The User List page is displayed.
In the Actions menu, click Bulk user actions.
The Bulk User Operations page is displayed.
In the Change settings area, select the Change account selection setting check box; then select Show advanced account selection from the list.
If you do not want to allow users to charge printing to their personal account (i.e. they must select a shared account) then clear the Allow user to charge to their personal account check box.
Click OK.
Once completed, the configured Account Selection option is enabled for the selected users. If you have configured users with an Account Selection option that requires user interaction, then it is recommended that you test this from the User Client on a desktop or on the printing device (if applicable). Ensure that the user interaction provided is as per the configured Account Selection option. Once the interaction is completed, ensure that the job is printed and logged and that the appropriate account is charged.
By default the action is applied to all users (the special [All Users] group). To apply the action to a subset of users (a user group), select that group from the list.
A confirmation window is displayed.
Step 8: Testing
Following a fresh installation, it is highly recommended to test core features of the system. For further details, see Testing the installation.
Take some time to explore the features of PaperCut NG/MF before continuing reading at Implementation by example or Tour. Business users might be interested in trying the popup client software as covered in Client software. If desired, the client software should also be deployed to other workstations. This procedure is detailed in User Client.