Windows hosted print queues

This section discusses printer configuration on Mac OS X workstation in environments systems where the print queues are hosted on a Windows operating system. See the section called “Mac hosted print queues for OS 10.8 and 10.9” if your print queues are hosted on Mac OS 10.8 or 10.9. Alternatively, the section called “Mac hosted print queues for OS 10.7” if you have Mac OS 10.7 hosted print queues.

When a printer from a Windows environment is shared and added to a Mac system, Print and Scan requests printer access credentials in the form of username and password. Any user that prints to this printer uses these supplied credentials. This means that the administrator that added the printer to the workstation will be the owner of all documents printed from the workstation irrespective of the current logged in user.

The ideal solutions will vary from network to network and will depend on factors including:

  1. Your existing network configuration

  2. The mix and makeup of operating systems used on the network

  3. The underlying directory technologies (Active Directory, LDAP, etc.) if used

  4. Whether Macs are used by a single owner or multiple users

The following sections outline common set up scenarios and their pros and cons. Your solution may fit one of these scenarios or may be composed of a combination.

Scenario One: My Own Mac (Single User)

Many networks, particularly those in a business environment, have a dedicated desktop system for each user. This allows the desktop system's global settings to be customized for the user. Common examples include:

  • Dedicated computers used in a business

  • Staff laptops or desktops used in education

Requirements

  • Printers hosted and shared from a Windows or Linux server.

  • Mac systems used by a single user (or small group of known users).

  • Each user has a domain account and password.

  • The username associated with the account on the Mac matches the domain username (either the account used to login, or the account set up as the automatic log in account).

  • Running Mac OS X 10.7 or higher.

Installation

Check the user account information:

  1. Start up the Mac, login as the local administrator, and ensure the system is connected to the network.

  2. Select System Preferences...

  3. Depending on your Mac OS version, select Accounts or Users and Groups.

  4. Click MyAccount. (This step can be skipped in Mac OS 10.8 and 10.9)

  5. Ensure that the Short name associated with the account matches the user's domain account username. If not, create a new working account as appropriate.

Setting up the printers:

  1. Navigate to System Preferences -> Print and Scan.

  2. Click the + button to add a new printer.

  3. Control-Click on the Toolbar and select Customize Toolbar....

    Drag the Advanced icon onto the bar, then click the newly added Advanced button

  4. Select the Windows printer via spoolss device type.

  5. Enter a Device URL, such as: smb://username:password@server_name/printer_name

    • Tip: server_name is the name of the server hosting the printer, and printer_name is the printer's share name

    • You may need to include the port in the DeviceURL: smb://server_name:139/printer_name

    • OS X can struggle with printer share names containing spaces. We recommend a share name without spaces

  6. In Name field, enter a friendly and informative printer name.

  7. Choose a driver for this printer by pulling down the drop-down box and selecting Select Software...

  8. Click the Add button.

  9. Test print and ensure jobs are logged in PaperCut MF as the correct user.

Connecting the printers to the Mac OS X server

Figure 28.9. Connecting the printers to the Mac OS X server

Installing the PaperCut MF Client software

  1. Open Finder and select Go -> Connect to Server....

  2. Enter smb://servername/pcclient where servername is the name of the server hosting PaperCut MF. If you are prompted for a username and password, this will be a username that has access to connect to the SMB share on your Windows server.

  3. Drag the PCClient application across to the local Applications directory.

  4. Open System Preferences...

  5. Select Users & Groups.

  6. Slect the Login items tab.

  7. Click the + button and select the newly installed PCClient application. Ensure to tick the PCClient option once it appears.

  8. Restart the system and ensure the client starts upon login.

Installing the PaperCut Client software

Figure 28.10. Installing the PaperCut Client software

Tips and Troubleshooting

  • Get the user to log into the Mac. Verify that the PCClient program starts automatically and shows the user’s balance.

  • Print to the newly set up printer. On the server's print queue, ensure that the job appears under the correct username.

  • Ensure that the print job successfully reaches the printer and that the user gets charged in PaperCut.

  • Check that the balance has changed to reflect the new balance in the PCClient program.

Scenario Two: The Multi-User Mac with Popup Authentication

Schools and universities often have Macs available for student use in dedicated computer labs. In these environments the Macs are shared by many users and Scenario One is not appropriate. Larger Mac networks already using LDAP or Active Directory authentication, or planning on doing so, may wish to consider Scenario Three explained in the next section.

Scenario Two uses a popup authentication model. This is discussed in detail in the section called “Popup Authentication” and discussed further below:

The end-user's perspective:

  1. The user sees the PCClient program running.

  2. When the user prints a job, the client pops up a window requesting the user to enter a username and password. See the section called “Popup Authentication”.

  3. The user enters a domain username and password.

  4. If the credentials are valid, the job is charged to the user account.

The explanation:

  1. The print event is performed as a generic user - for example "macuser", "student", etc.

  2. In PaperCut MF, the "macuser" account is set up to use popup authentication by enabling the option Unauthenticated user. See the section called “Popup Authentication” for further details.

  3. The popup requests the user to enter a username and password.

  4. The password is authenticated and printing is charged against the supplied account.

Requirements

  • Printers are hosted and shared off a Windows, Mac or Linux server.

  • The Mac systems are set up to login under a generic account name. (e.g. macuser, student, etc.)

  • The domain contains a user account matching the generic account.

Installation

Domain account set up:

  1. Log onto the print server or the domain controller as a domain administrator.

  2. Open Active Directory Users and Computers (or equivalent user management tool) from Start -> Administrative Tools.

  3. Add a new domain user called macuser.

  4. Define a password for macuser and set the password to never expire.

Mac account set up

  1. Start up the Mac, login as the local administrator, and ensure the system is connected to the network.

  2. Select System Preferences...

  3. Depending on your Mac OS version, select Accounts or Users and Groups.

  4. Create an account called macuser. Ensure the account's short name is macuser.

  5. Set this account as the automatic login account, or alternatively make the password known to all users.

Set up the printers that the user requires access to:

  1. Navigate to System Preferences -> Print and Scan.

  2. Click the + button to add a new printer.

  3. Control-Click on the Toolbar and select Customize Toolbar....

    Drag the Advanced icon onto the bar, then click the newly added Advanced button.

  4. Select the Windows printer via spoolss device type.

  5. Enter a Device URL, such as: smb://username:password@server_name/printer_name

    • Tip: server_name is the name of the server hosting the printer, and printer_name is the printer's share name

    • You may need to include the port in the DeviceURL: smb://server_name:139/printer_name

    • OS X can struggle with printer share names containing spaces. We recommend a share name without spaces

  6. In Name field, enter a friendly and informative printer name.

  7. Choose a driver for this printer by pulling down the drop-down box and selecting Select Software...

  8. Click the Add button.

  9. Test print and ensure jobs are logged in PaperCut MF as the correct user.

Installing the PaperCut MF Client software

  1. Open Finder and select Go -> Connect to Server....

  2. Enter smb://servername/pcclient where servername is the name of the server hosting PaperCut MF. If you are prompted for a username and password, this will be a username that has access to connect to the SMB share on your Windows server.

  3. Enter account details for an account able to connect to the SMB share if requested

  4. Drag the PCClient application across to the local Applications directory.

  5. Command-click on the newly copied PCClient application in the Applications directory. Select Open Package Contents.

  6. Navigate to Contents/Resources/.

  7. Double-click on the install-login-hook.command script.

  8. Restart the system and ensure the client starts upon login.

Configure the popup settings:

  1. Log on to the PaperCut MF administration interface as built-in admin user.

  2. Select the macuser account from Users.

  3. On the macuser's details screen, set the account balance to zero.

  4. Ensure the user is set to Restricted.

  5. Check the Unauthenticated option and save the changes.

  6. Click the Apply button to save the changes.

If users login to the Mac using their AD/LDAP username then it's possible to eliminate the authentication popup by configuring the client as described in the section called “Popup Authentication”.

Tips and Troubleshooting

  • Get the user to log into the Mac. Verify that the PCClient program starts automatically.

  • Print to the newly set up printer. On the server's print queue, ensure that the job appears under the correct username.

  • An authentication popup should display on the Mac. Enter a valid domain username and password.

  • The corresponding user should be charged for the job. Also check that the balance has changed to reflect the new balance in the PCClient program.

Scenario Three: Multi-user Macs using LDAP or Active Directory authentication

Larger networks often run the Macs in a domain environment either authenticating with an Active Directory or an LDAP network. In an authenticated domain environment, the identity of the user (the user's username) is known and verified at the time of login. With the help of the TCP/IP Printing Services for Microsoft Windows, and the LPR/LPD support on the Mac, print jobs can be identified on the server and associated with the user's login name. This avoids the need for the popup authentication used in Scenario Two.

Using the LPR and IPP printing protocols on Windows print servers

LPR is a legacy protocol developed for UNIX that clients use to send print jobs to print servers. Microsoft has supported this protocol for a number of years via an add-on module called Print Services for UNIX (PSfU). Under certain conditions Windows LPD printers can cause issues when using PaperCut hold/release print queues. The information included here is to help customers understand the issue and document suggested workarounds.

The mechanism used by the Windows PSfU subsystem to accept LPR and IPP print jobs is different from other implementations in Windows such native SMB based printers. In SMB the event notification to applications such as PaperCut is well behaved and reliable. Event notification for LPR and IPP based printing does not use the same set of underlying APIs and under some conditions the PaperCut print monitoring layer receives notification after the print job has started. This means that some print jobs may start to print before the hold instruction is issued. This job is then suspended in a Paused Printing state (i.e. both paused and printing) and this results in all other jobs on that queue being held up by the paused job.

The information we have from customers who have experienced this problem shows that the symptoms are generally not consistent, suggesting an underlying race condition bug in Windows. Things that can affect the problem include:

  • Running the print server on a virtual machine

  • The number of processors/cores

  • The current load on the print server

  • The version and patch level of Windows

Because the issue is in the underlying Windows print subsystem it not possible for PaperCut to quickly implement a reliable solution and we do not expect Microsoft to implement a fix to this legacy subsystem. If a site does experience this issue there are some steps that can help alleviate or fix the issue.

  1. Use the SMB protocol for Windows based print server queues. Note that using SMB may place some constraints on how users authenticate and how anonymous users are able to print at your site. This is the recommended approach.

  2. Use two print queues. Queue A is virtual and queue B is the real queue attached to the physical printer. Users print to A using LPR and PaperCut can always place a hold on the print job. PaperCut then redirects the job to B on release. Managing virtual print queues is documented in section Chapter 12, Find Me Printing and Printer Load Balancing. Queue A should be configured to use a port with no printer (e.g. LPT1:), it should be permanently paused (PrinterPause Printing), and the virtual queue configuration for A in PaperCut should forward jobs to B (setting Jobs may be forwarded to these queues).

    If queue A is un-paused then the job will error, however it can still be re-directed as needed.

Requirements

  • Macs set up in multi-user mode authenticating off a domain. Either Active Directory or LDAP.

  • Printers hosted on a Windows print server.

  • The server needs the TCP Printing Services installed (also known as Print Services for Unix).

Installation

On the server hosting the printers, setup TCP/IP Printing:

  1. Log into the server as a system administrator.

  2. Select Control Panel -> Add Remove Programs.

  3. Click on Add/Remove Windows Components.

  4. Select Other Network File and Print Services.

  5. Click Details... and ensure Print Services for Unix is selected.

  6. Click Next to complete the installation.

Some systems running firewall software may block LPD printing. On systems running firewall software, ensure that incoming connections from the local network are allowed on port 515.

On each Mac, add the required printers:

  1. Open the Printer Setup Utility from Applications -> Utilities.

  2. Click the + button to add a new printer.

  3. Click the IP tab at the top toolbar.

  4. From the Protocol dropdown, select Line Printer Daemon - LPD.

  5. Enter the IP address of the server hosting the printers in the Address field.

  6. Enter the printer's share name in the Queue field.

  7. Define a user friendly name in the Name field and select the printer type.

  8. Click the Add button.

  9. Repeat for other printers as necessary.

Installing the PaperCut MF Client software

  1. Open Finder and select Go -> Connect to Server....

  2. Enter smb://servername/pcclient where servername is the name of the server hosting PaperCut MF. If you are promted for a username and password, this will be a username that has access to connect to the SMB share on your Windows server.

  3. Enter account details for an account able to connect to the SMB share if requested

  4. Drag the PCClient application across to the local Applications directory.

  5. Command-click on the newly copied PCClient application in the Applications directory. Select Open Package Contents.

  6. Navigate to Contents/Resources/.

  7. Double-click on the install-login-hook.command script.

  8. Restart the system and ensure the client starts upon login.

Tips and Troubleshooting

  • Restart the system and ensure the PCClient application starts on login and lists the user's account balance.

  • Ensure print jobs correctly show in the PaperCut job logs under the user's PaperCut account.

  • The corresponding user should be charged for the job. Also check that the balance has changed to reflect the new balance in the PCClient program.

Additional information and tips

The client install process is also covered in the section called “User Client”. After the first Mac is set up and the printing process is tested, the simplified client install notes covered in the section called “Deployment on Mac OS X” may be appropriate to provider to end-users or other system administrators.

The PCClient client can accept command line options as explained at Table A.2, “User Client command-line options” If the client is started via the login hook, the command-line options can be defined in the file:

/Applications/PCClient.app/Contents/Resources/login-hook-start

Look for the line starting with client_args and the associated comments above.