Windows hosted print queues

PaperCut NG is a multi-user application designed to integrate with an authenticated network. The Mac system has a long history. It's grown up from a single-user desktop heritage and is now based on a full multi-user Unix kernel. However, some "single-user-isms" remain, and these can pose challenges for Administrators. One area in particular is remote printer configuration and credential management.

PaperCut Client on Mac OS X

Figure 27.6. PaperCut Client on Mac OS X

When a network printer, for example a shared Windows printer, is added to a Mac system, the Printer Setup Utility requests printer access credentials in the form of username and password. Any user that prints to this printer uses these supplied credentials. This means that on the print server, all jobs originating from this Mac system list with supplied username irrespective of who's actually using the Mac.

This chapter discussed some of the multi-user challenges and their solutions.

Macs can be set up to work with PaperCut NG in a number of configurations or scenarios. There is no "one best" set up. The ideal solutions will vary from network to network and will depend on factors like:

The following sections outline common set up scenarios and their pros and cons. Your solution may fit one of these scenarios or may be composed of a combination.

Scenario One: My Own Mac (Single User)

Many networks, particularly those in a business environment, have a dedicated desktop system for each user. This allows the desktop system's global settings to be customized for the user. Common examples include:

  • Dedicated computers used in a business

  • Staff laptops or desktops used in education

Requirements

  • Printers hosted and shared from a Windows or Linux server.

  • Mac systems used by a single user (or small group of known users).

  • Each user has a domain account and password.

  • The username associated with the account on the Mac matches the domain username (either the account used to login, or the account set up as the automatic log in account).

  • Running Mac OS X 10.4 or higher.

Installation

Check the user account information:

  1. Start up the Mac and ensure the system is connected to the network.

  2. From the Apple Menu select System Preferences...

  3. Select Accounts

  4. Click MyAccount.

  5. Ensure that the Short name associated with the account matches the user's domain account username. If not, create a new working account as appropriate.

Set up the printers that the user requires access to:

  1. Open the Printer Setup Utility from Applications -> Utilities.

  2. Click the Add/+ button to add a new printer.

    Add a printer

    Figure 27.7. Add a printer

  3. 10.6 & 10.5: Control-Click on the Toolbar and select Customize Toolbar.... Drag the Advanced icon onto the bar. Click the newly added Advanced button.

    10.4: Option-Click More Printers... (Important: Hold the Option key down) and select Advanced from the top drop-down list.

    Option-click for advanced printer addition types

    Figure 27.8. Option-click for advanced printer addition types

  4. Select the Windows device type (called Windows Printing via Samba on 10.4).

  5. In Name field, enter a friendly and informative printer name.

  6. Enter a Device URL in the form:

            smb://username:password@server_name/printer_name
                                    

    Tip

    If you are running Mac OS 10.7, you may need to include the port in the DeviceURL: smb://username:password@server_name:139/printer_name If you need to specify the domain, you may need to format the DeviceURL like: smb://domain;username:password@server_name:139/printer_name

    Where username and password are the user's domain account login details. server_name is the name of the server hosting the printer, and printer_name is the printer's share name. On recent fully patched versions of 10.6 and 10.5 the username:password@ component can be skipped as the OS will instead prompt for the username and password on first print. Note that OS X can struggle with printer share names containing spaces. If there are problems try a share name without spaces.

    Windows printer via Samba

    Figure 27.9. Windows printer via Samba

  7. Select the Print Model to install and configure drivers.

  8. Click the Add button.

  9. Test print and ensure jobs are logged in PaperCut NG under the user's network identity.

Tip

Some OS X systems (depending on release and patch level) may display an authentication dialog when printing. The results of this dialog are ignored, because the credentials are already defined in the device URI. Administrators with knowledge of UNIX configuration file management may suppress this dialog by editing the CUPS /etc/cups/printers.conf file by removing the AuthInfoRequired directive under the Printer entry.

To install the PaperCut NG client software:

  1. Open the Finder and select Go -> Connect to Server....

    Connecting to a Windows server

    Figure 27.10. Connecting to a Windows server

  2. Enter smb://servername/pcclient where servername is the name of the server hosting PaperCut NG.

    The PCClient share's connection string

    Figure 27.11. The PCClient share's connection string

  3. Drag the PCClient application across to the local Applications directory.

  4. Open System Preferences... from the Apple menu.

  5. Select Accounts.

  6. Click the Login items tab.

  7. Click the + button and select the newly installed PCClient application.

    Add PCClient as a Login Item

    Figure 27.12. Add PCClient as a Login Item

  8. Restart the system and ensure the client starts upon login.

Scenario Two: The Multi-User Mac with Popup Authentication

Schools and universities often have Macs available for student use in dedicated computer labs. In these environments the Macs are shared by many users and Scenario One is not appropriate. Larger Mac networks already using LDAP or Active Directory authentication, or planning on doing so, may wish to consider Scenario Three explained in the next section.

Mac popup authentication dialog requesting username and password

Figure 27.13. Mac popup authentication dialog requesting username and password

Scenario Two uses a popup authentication model. This is discussed in detail in the section called “Popup Authentication” and discussed further below:

The end-user's perspective:

  1. The user sees the client tool (PCClient) running.

  2. When the user prints a job, the client pops up a window requesting the user to enter a username and password. See the section called “Popup Authentication”.

  3. The user enters a domain username and password.

  4. If the credentials are valid, the job is charged to the user account.

The explanation:

  1. The print event is performed as a generic user - for example "macuser", "student", etc.

  2. In PaperCut NG, the "macuser" account is set up to use popup authentication by enabling the option Unauthenticated user. See the section called “Popup Authentication” for further details.

  3. The popup requests the user to enter a username and password.

  4. The password is authenticated and printing is charged against the supplied account.

Requirements

  • Printers hosted and shared off a Windows, Mac or Linux server.

  • Mac systems set up to login under a generic account name. (e.g. macuser, student, etc.)

  • The domain contains a user account matching the generic account.

Installation

Domain account set up:

  1. Log onto the print server or the domain controller.

  2. Open Active Directory Users and Computers (or equivalent user management tool) from Start -> Administrative Tools.

  3. Add a new domain user called macuser.

  4. Define a password for macuser and set the password to never expire.

Mac account set up:

  1. Start up the Mac and ensure the system is connected to the network.

  2. From the Apple menu select System Preferences...

  3. Select Accounts.

  4. Create an account called macuser. Ensure the account's short name is macuser.

  5. Set this account as the automatic login account, or alternatively make the password known to all users.

Set up the printers that the user requires access to:

  1. Open the Printer Setup Utility from Applications -> Utilities.

  2. Click the Add button to add a new printer.

    Add a printer

    Figure 27.14. Add a printer

  3. Option-Click More Printers... (Important: Hold the Option key down).

  4. 10.6 & 10.5: Control-Click on the Toolbar and select Customize Toolbar.... Drag the Advanced icon onto the bar. Click the newly added Advanced button.

    10.4: Option-Click More Printers... (important: hold the Option key down) and select Advanced from the top drop-down list.

    Option-click for advanced printer addition types

    Figure 27.15. Option-click for advanced printer addition types

  5. Select the Windows device type (called Windows Printing via Samba on 10.4).

  6. In Name field, enter a friendly and informative printer name.

  7. Enter a Device URL in the form:

            smb://macuser:password@server_name/printer_name
                                    

    Tip

    If you are running Mac OS 10.7, you may need to include the port in the DeviceURL: smb://macuser:password@server_name:139/printer_name

    Where password is the password for the macuser domain account, server_name is the name of the server hosting the printer, and printer_name is the printer's share name. On recent fully patched versions of 10.6 and 10.5, the username:password@ component can be skipped as the OS will instead prompt the user for their username and password on first print.

    Windows printer via SAMBA

    Figure 27.16. Windows printer via SAMBA

  8. Select the Print Model to install and configure drivers.

  9. Click the Add button.

  10. Test print and ensure jobs are listing in the print queue under the macuser identity.

To install the PaperCut NG client software:

  1. Start and Log into the Mac computer. Ensure it's connected to the network.

  2. Open the Finder.

  3. From the Go menu, select Connect to Server...

    Connecting to a Windows server

    Figure 27.17. Connecting to a Windows server

  4. Enter the pcclient share's connection details like:

            smb://server_name/pcclient
                                    

    Where server_name is the name of the server hosting the PaperCut NG server software.

    The PCClient share's connection string

    Figure 27.18. The PCClient share's connection string

  5. Enter password information if requested.

  6. Drag the PCClient package over to the local hard disk's global Applications folder. The copy process will commence.

    Command-click and open the package

    Figure 27.19. Command-click and open the package

  7. Command-click on the newly copied PCClient application in the Applications directory. Select Open Package Contents.

  8. Navigate to Contents/Resources/.

  9. Double-click on the install-login-hook.command script.

    Double-click to install the login hook

    Figure 27.20. Double-click to install the login hook

  10. Restart the system and verify the client starts on login.

Configure the popup settings:

  1. Log on to PaperCut NG's administration interface as built-in admin user.

  2. Select the macuser account from Users.

  3. On the macuser's details screen, set the account balance to zero.

  4. Ensure the user is set to Restricted.

  5. Check the Unauthenticated option and save the changes.

    Turning on popup authentication at the user level

    Figure 27.21. Turning on popup authentication at the user level

  6. Click the Apply button to save the changes.

Tip

If users login to the Mac using their AD/LDAP username then it's possible to eliminate the authentication popup by configuring the client as described in the section called “Eliminating PopUp Authentication via Mac Login Hook”.

Testing:

  1. Log on to a Mac. Verify that the PCClient program starts automatically.

  2. Print to the newly set up printer. On the server's print queue the job appears under the user identity of macuser.

  3. The popup should display on the Mac. Enter a valid domain username and password.

    PaperCut NG client requesting for authentication (Sorry: Windows screen-shot!)

    Figure 27.22. PaperCut NG client requesting for authentication (Sorry: Windows screen-shot!)

  4. The corresponding user should be charged for the job.

Scenario Three: Multi-user Macs using LDAP or Active Directory authentication

Larger networks often run the Macs in a domain environment either authenticating with an Active Directory or an LDAP network. In an authenticated domain environment, the identity of the user (the user's username) is known and verified at the time of login. With the help of the TCP/IP Printing Services for Microsoft Windows, and the LPR/LPD support on the Mac, print jobs can be identified on the server and associated with the user's login name. This avoids the need for the popup authentication used in Scenario Two.

Using the LPR and IPP printing protocols on Windows print servers

LPR is a legacy protocol developed for UNIX that clients use to send print jobs to print servers. Microsoft has supported this protocol for a number of years via an add-on module called Print Services for UNIX. Under certain conditions Windows LPD printers can cause issues when using PaperCut hold/release pint queues. The information included here is to help customers understand the issue and document suggested workarounds.

The mechanism used by the Windows PSFU subsystem to accept LPR and IPP print jobs is different from other implementations in Windows such native SMB based printers. In SMB the event notification to applications such as PaperCut is well behaved and reliable. Event notification for LPR and IPP based printing does not use the same set of underlying APIs and under some conditions the PaperCut print monitoring layer receives notification after the print job has started. This means that some print jobs may start to print before the hold instruction is issued. This job is then suspended in a Paused Printing state (i.e. both paused and printing) and this results in all other jobs on that queue being held up by the paused job.

The information we have from customers who have experienced this problem shows that the symptoms are generally not consistent, suggesting an underlying race condition bug in Windows. Things that can affect the problem include:

  • Running the print server on a virtual machine

  • The number of processors/cores

  • The current load on the print server

  • The version and patch level of Windows

Because the issue is in the underlying Windows print subsystem it not possible for PaperCut to quickly implement a reliable solution and we do not expect Microsoft to implement a fix to this legacy subsystem. If a site does experience this issue there are some steps that can help alleviate or fix the issue.

  1. Use the SMB protocol for Windows based print server queues. Note that using SMB may place some constraints on how users authenticate and how anonymous users are able to print at your site. This is the recommended approach.

  2. Use two print queues. Queue "A" is virtual and queue "B" is the real queue attached to the physical printer. Users print to "A" using LPR and PaperCut can always place a hold on the print job. PaperCut then redirects the job to "B" on release. Managing virtual print queues is documented in section Chapter 11, Find Me Printing and Printer Load Balancing. Queue "A" should be configured to use a port with no printer (e.g. LPT1:), it should be permanently paused (PrinterPause Printing), and the virtual queue configuration for "A" in PaperCut should forward jobs to "B" (setting "Jobs may be forwarded to these queues").

    If queue "A" is un-paused then the job will error, however it can still be re-directed as needed.

In the long term PaperCut are looking to implement a complete solution to this issue, however it will take some time to do this as we will need to implement a complete LPR print monitor for Windows and this work needs to be scheduled into a future release.

Requirements

  • Macs set up in multi-user mode authenticating off a domain. Either Active Directory or LDAP.

  • Printers hosted on a Windows print server.

  • The server needs the TCP Printing Services installed (also known as Print Services for Unix).

Installation

On the server hosting the printers, setup TCP/IP Printing:

  1. Log into the server as a system administrator.

  2. Select Control PanelAdd Remove Programs.

  3. Click on Add/Remove Windows Components.

  4. Select Other Network File and Print Services

    Windows Component: Other Network File and Print Service

    Figure 27.23. Windows Component: Other Network File and Print Service

  5. Click Details... and ensure Print Services for Unix is selected.

  6. Click Next to complete the installation.

Tip

Some systems running firewall software may block LPD printing. On systems running firewall software, ensure that incoming connections from the local network are allowed on port 515.

On each Mac, add the required printers:

  1. Open the Printer Setup Utility from Applications -> Utilities.

  2. Click the Add button to add a new printer.

    Add a printer

    Figure 27.24. Add a printer

  3. Click the IP Printing button at the top toolbar.

  4. From the Protocol dropdown, select Line Printer Daemon - LPD.

  5. Enter the IP address of the server hosting the printers in the Address field.

  6. Enter the printer's share name in the Queue field.

    Adding an LPR/LPD printer

    Figure 27.25. Adding an LPR/LPD printer

  7. Define a user friendly name in the Name field and select the printer type.

  8. Click the Add button.

  9. Repeat for other printers as necessary.

To install the PaperCut NG client software:

  1. Open the Finder.

  2. From the Go menu, select Connect to Server...

    Connecting to a Windows server

    Figure 27.26. Connecting to a Windows server

  3. Enter the pcclient share's connection details like:

            smb://server_name/pcclient
                                    

    Where server_name is the name of the server hosting the PaperCut NG server software.

    The PCClient share's connection string

    Figure 27.27. The PCClient share's connection string

  4. Enter password information if requested.

  5. Drag the PCClient package over to the local hard disk's global Applications folder. The copy process will commence.

  6. Control-click on the newly copied PCClient application in the Applications directory. Select Show Package Contents.

  7. Browse to Contents/Resources/.

  8. Double-click on the install-login-hook.command script.

    Double-click to install the login hook

    Figure 27.28. Double-click to install the login hook

  9. Restart the system and verify the client starts on login.

Testing:

  1. Restart the system and ensure the client starts on login and lists the user's account balance.

  2. Ensure print jobs correctly account under the user's PaperCut NG account.

Scenario Four: Mac OS X Server

If the printers used by Mac clients are hosted/shared from a Mac server system (or Mac workstation system acting as a server), then the preferred solution is to install PaperCut NG's Mac server software. The Mac server may either be set up as the primary server or as a secondary server reporting back to an existing primary server.

The Mac server support and initial setup is documented in the section called “Installation on Apple Mac”.

Additional information and tips

The client install process is also covered in the section called “User Client”. After the first Mac is set up and the printing process is tested, the simplified client install notes covered in the section called “Deployment on Mac OS X” may be appropriate to provider to end-users or other system administrators.

The Mac client makes use of Java. Users running Mac OS X 10.4 are advised to install Java 5.0. Java 5.0 is installed by default on Mac OS X 10.4.5 and higher. Java 5.0 for earlier Mac OS versions is available as a dmg from the Apple website. Java 5.0 contains new features that allow the client to display popups in an always-on-top mode above all other application windows.

Mac client can accept command line options as explained at Table A.2, “User Client command-line options”. If the client is started via the login hook, the command-line options can be defined in the file:

        /Applications/PCClient.app/Contents/Resources/login-hook-start
                

Look for the line starting with client_args and the associated comments above.