This topic discusses various solutions to the “authentication problem”. The aim is not to provide detailed step-by-step instructions, but rather to guide you to the relevant procedures and sections in other parts of the manual. This topic includes the following recipes:
- Windows print server using LDAP or eDirectory authentication
- Mac OS X systems using domain authentication via Open Directory
- Mac OS X systems using domain authentication via Windows Active Directory
- Mac OS X laptops (or single user systems) printing to Windows print queues
- Linux Workstations in a lab environment with printers hosted on a Windows server
- Linux Workstations in a lab environment with printers hosted on Linux CUPS server
Windows systems with generic logins
This scenario arises either when users log in to systems using a common username such as `user` or `student`, or if the workstations auto-login as a generic user. See introduction for details.
Preferred method:
- Ensure all users have an account (username and password) on the server (or domain) hosting the PaperCut NG/MF software.
- Install the User Client software on all systems. For more information, see User Client.
- Enable popup authentication by selecting the Unauthenticated option on the corresponding generic user account. For more information, see Popup authentication.
Other methods:
- Use the Standard Release Station in “Release Any” mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.
- Consider implementing domain level logins.
Windows laptops that do not authenticate against a domain
Portable systems can spend most of their time outside the organization’s network so setting up domain authentication might not be required. The laptops/notebooks are often owned by a single individual and are not under the control of a central administrator.
Preferred method:
Use popup authentication or hold/release queues. For more information, see Handling unauthenticated (non-domain) laptops.
Alternate method 1:
If using a version of Windows that can authenticate with a domain (i.e. not the Windows Home editions), then you can configure the laptop to authenticate with the network as follows.
- Teach the user how to add their domain username and password to their Stored usernames and passwords:
  - Start > Control Panel > User Accounts
  - Select the user’s laptop login account.
  - Click Manage my network passwords.
  - Click Add.
  - Enter the name of the server and the user’s network domain username and password.
- Teach the user how to add a network printer in the form `\\server\printer`.
- Optional: Locally install client software using the `client-local-install.exe` install program. This is located on the `\\Server\PCClient\win` share. At the end of the install process, the client opens asking the user to confirm their network identity. For more information, see User Client.
Alternate method 2:
- Add a generic “LaptopUser”, or “guest” user account to the domain. Make the password known to all users (e.g. `password`).
- Set the unauthenticated option on this user (enable popup authentication).
- Locally install client software using the `client-local-install.exe` install program. This is located on the `\\Server\PCClient\win` share. At the end of the install process the client opens asking the user to confirm their network identity. See Configure the User Client using the command-line for details.
- Teach the user how to add a network printer pointing to `\\server\printer`.
- See the preceding scenario for more detail.
Windows print server using LDAP or eDirectory authentication
The Microsoft Windows operating system does not play well in non-Active Directory domain environments such as LDAP or eDirectory. Although it is possible to configure a Windows print server on any network, Windows does not normally provide the ability to use LDAP as an authentication source. Jobs are listed under either a local Windows user identity or a guest account. Use PaperCut NG/MF’s popup authentication, bound to LDAP, to work around this limitation.
Preferred method:
- Set up the Windows server and install and share printers.
- Set printer permission to allow printing from a general “guest” type account. This usually takes the form of the built-in guest account, or a local account with a known username and password (e.g. `printuser`).
- Configure printers on each workstation. Ensure all workstation users can print and jobs list in the print queue under the guest account configured in the previous step.
- Install the PaperCut NG/MF software. Select the LDAP server as your user/group source. PaperCut NG/MF then uses this source for the user list and authentication. See Synchronize user and group details with LDAP for more information about LDAP.
- Set the Unauthenticated option on each printer (print queue). This enables popup authentication. For more information, see Popup authentication.
- Install the User Client software. For more information, see User Client.
Other methods:
- Use Release Station. See Secure print release.
Mac OS X systems with generic user accounts
Mac OS X workstations in a lab environment are often set up so users log in using a common, generic, or standard account. For example, “macuser” or “student”.
Preferred method:
- Install the User Client software. For more information, see User Client.
- Add a domain/network user account that matches the generic login account (i.e. “macuser”). This ensures the account is available in PaperCut NG/MF.
- Set the Unauthenticated option on the “macuser” account.
- Add the printer(s) so jobs list under the “macuser” account. If the print queues are hosted on Windows, add the printer using Samba (e.g. a `DeviceURI` such as `smb://macuser:password@servername/printer`). See Mac printing in detail for an explanation on how to add a printer using this method.
Other methods:
- Use the Standard Release Station in “Release Any” mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.
- Consider setting up domain-level authentication.
Mac OS X systems using domain authentication via Open Directory
You can configure Mac systems to authenticate users via a central Mac OS X server running Open Directory. Each user has their own login account.
Preferred method:
- Set up print queues on the Mac OS X Server.
- Set up PaperCut NG/MF on the server either as a primary server, or as a secondary server reporting to another primary server (either Mac, Linux or a Windows system) (see Installation).
- Add printers to each Mac workstation. Ensure the local printers point to the shared print queue set up on the server.
- Optional: Install client software (User Client).
Other methods:
- Use the Standard Release Station in “Release Any” mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.
- Set up print queues on a Windows system and use popup authentication - see next recipe.
Mac OS X systems using domain authentication via Windows Active Directory
You can configure Mac systems so users log in using their Windows Active Directory domain username and password. The Mac Windows printer support using Samba/SMB, however, requires printers to be added using a single username and password and this is shared by all users. For this reason an extra layer of authentication is required.
Preferred method:
- Host printers and the PaperCut NG/MF system on the Windows server.
- Ensure the print server is running in Mixed mode or Pre-Windows 2000 Compatibility Mode. Macs currently have problems with `Native Mode` networks.
- Add a domain/network user account that matches the generic login account (i.e. “macuser”). This ensures that the `macuser` account is added to PaperCut NG/MF’s user list.
- In PaperCut NG/MF, turn on the Unauthenticated option on the “macuser” account to enable popup authentication. Also ensure that the account has zero balance and is restricted.
- Add the printer(s) so jobs list under the “macuser” account. If the print queues are hosted on Windows, add the printer using Samba (e.g. a `DeviceURI` such as `smb://macuser:password@servername/printer`). For more information about how to add a printer using this method, see Mac printing in detail.
- Install client software. See [User Client](https://www.papercut.com/help/manuals/ng-mf/common/install-mac-printing/).
Other methods:
- Use LPR as a connection method. See Scenario Three: Multi-user Macs using LDAP or Active Directory authentication in detail.
- Use the Standard Release Station in “Release Any” mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.
- Host printers on a Mac Server (see the previous recipe).
Mac OS X laptops (or single user systems) printing to Windows print queues
Mac systems that are owned/used by a single user can benefit from having the printers added in such a way that they automatically authenticate under their identity.
Preferred method:
- Teach users how to add printers using the method described in Scenario One: My Own Mac (Single User).
- Use popup authentication or hold/release queues. For more information, see Handling unauthenticated (non-domain) laptops.
Other methods:
- Locally install client software using the `client-local-install` program located in the directory `[app-path]/client/mac`. The client displays a popup asking them to confirm their network identity (via username/password).
Linux Workstations in a lab environment with printers hosted on a Windows server
Linux workstations typically use the CUPS print system. CUPS, through the use of Samba, can print directly to Windows print queues.
Preferred method:
- Ensure the system is configured to deny remote shell access to standard users - that is, allow only direct screen/console access. This ensures the system’s IP address can be associated with a single user providing a suitable environment for popup authentication.
- Ensure the print server is running in Mixed mode or Pre-Windows 2000 Compatibility Mode. Some Linux distributions currently have problems with `Native Mode` networks.
- Add a domain/network user account that matches the generic login account (i.e. “linuxuser”). This ensures the “linuxuser” account is added to PaperCut NG/MF’s user list.
- In PaperCut NG/MF, turn on the Unauthenticated option on the “linuxuser” account to enable popup authentication. Also ensure that the account has zero balance and is restricted.
- Add the printer(s) so jobs list under the “linuxuser” account. If the print queues are hosted on Windows, add the printer using Samba (e.g. a `DeviceURI` such as `smb://linuxuser:password@servername/printer`). Refer to the CUPS or distribution documentation to read more about how to add a CUPS printer using an `smb` backend.
- Install client software. For more information, see Install the User Client on Linux and Unix. If users log in to the workstations using a username that matches their Active Directory password, no additional client configuration is required. If users log in using a generic or non-matching account, use command-line options or the `config.properties` file to force the client to display under the user’s domain identity. See Configure the User Client using the command-line for more information.
Other methods:
- Use the Standard Release Station in “Release Any” mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.
- Host printers on a CUPS server running on Linux.
- Install PaperCut LPD Service and use LPR rather than CUPS (or CUPS with an LPR backend).
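The Mac and Linux recipes above add SMB queues with a `DeviceURI` that embeds the generic account, which is what makes jobs list under the account that has the Unauthenticated option set. The following added example (not PaperCut's own code) audits a CUPS `printers.conf` for SMB queues that embed any other account or none; the sample file contents, the queue names and the `jsmith` account are constructed, and `linuxuser` is the generic account assumed from the recipe.

```shell
#!/bin/sh
# Added example, not PaperCut code. Constructed stand-in for
# /etc/cups/printers.conf; queue names and "jsmith" are made up.
sample_printers_conf() {
cat <<'EOF'
<Printer lab-mono>
DeviceURI smb://linuxuser:password@servername/lab-mono
State Idle
</Printer>
<DefaultPrinter lab-colour>
DeviceURI smb://jsmith:password@servername/lab-colour
State Idle
</DefaultPrinter>
<Printer staff-lpd>
DeviceURI lpd://servername/staff
State Idle
</Printer>
EOF
}

# Reads printers.conf on stdin; $1 is the generic account every SMB
# queue should embed (assumed here to be "linuxuser").
# Prints "queue account" for each smb:// queue that embeds a different
# account or none, i.e. a queue whose jobs would not list under $1.
audit_smb_queues() {
    awk -v want="$1" '
        /^<(Default)?Printer / { name = $2; sub(/>$/, "", name) }
        $1 == "DeviceURI" && $2 ~ /^smb:\/\// {
            uri = $2
            sub(/^smb:\/\//, "", uri)
            user = "(none)"
            if (index(uri, "@") > 0) {
                user = uri
                sub(/@.*/, "", user)   # keep only user:password
                sub(/:.*/, "", user)   # drop the password
            }
            if (user != want) print name, user
        }
    '
}

sample_printers_conf | audit_smb_queues linuxuser
```

On a workstation, run it as root against `/etc/cups/printers.conf`, which holds each URI together with its embedded password.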
Linux Workstations in a lab environment with printers hosted on Linux CUPS server
Network administrators running Linux labs might choose to host the printers on a Linux server running CUPS. For convenience, CUPS is set up without authentication.
Preferred method:
- Set up CUPS print queues on a Linux server.
- Ensure each user has an account on this system (or the domain depending on PaperCut NG/MF’s selected user list source).
- Set up PaperCut NG/MF on the server either as a primary server, or as a secondary server reporting to another primary server (either Mac, Linux or a Windows system) (see Installation).
- Set the Unauthenticated option on each printer (print queue). This enables popup authentication (see Popup authentication).
- Ensure the system is configured to deny remote shell access to standard users, that is, allow only direct screen/console access. This ensures the system’s IP address can be associated with a single user providing a suitable environment for popup authentication.
- Install client software (see User Client).
Other methods:
- Use the Standard Release Station in “Release Any” mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.
- Use CUPS Authentication.
Linux laptops (or single user systems)
Modern Linux laptops make use of the CUPS print system. This environment is equivalent to the Mac laptop recipes described above.
Multiuser Unix terminal servers
Unix or Linux systems allowing remote SSH, Telnet, VNC, or X connections differ from the other scenarios discussed above. These systems cannot use the popup authentication as it is not possible to uniquely identify a user from the system’s IP address. The only secure option is to use the Release Station.
Preferred method:
- Set up PaperCut NG/MF on your preferred server - this does not need to be the multi-user terminal system itself. It could be another Windows or Linux server.
- Ensure PaperCut NG/MF sources its user list from the same source as that used by the multi-user terminal server - most likely an LDAP server.
- Enable the Release Station option on all printers that are accessed via users of the multiuser terminal system.
- Instruct users on how to use the Release Station.
Other methods:
- No alternate methods.
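Popup authentication in the Linux lab recipes, and its unsuitability on terminal servers, both turn on whether a system's IP address maps to exactly one user. The following added example (not PaperCut's own code) checks that on a Linux host from `who` output; the sample output is constructed, and the rule for what counts as a local session is a heuristic assumed for this example.

```shell
#!/bin/sh
# Added example, not PaperCut code. Constructed `who` output: one console
# user with a local terminal, plus a second user connected over SSH.
sample_who() {
cat <<'EOF'
alice    tty7         2024-03-04 09:12 (:0)
alice    pts/0        2024-03-04 09:13 (:0)
bob      pts/1        2024-03-04 09:40 (10.0.5.23)
EOF
}

# Reads `who` output on stdin and prints one line per finding.
# Exit status 0: a single user on the console or a local display, so the
# IP address of the host identifies that user. Exit status 1: it does not.
# Heuristic (an assumption of this example): a trailing "(...)" field
# naming an X display such as (:0), or the tty of the session itself,
# is local; any other value is treated as a remote origin.
check_single_user() {
    awk '
        NF == 0 { next }
        {
            users[$1] = 1
            origin = $NF
            if (origin ~ /^\(.*\)$/ && origin !~ /^\(:/ && origin != ("(" $2 ")")) {
                printf "remote session: %s on %s from %s\n", $1, $2, origin
                bad = 1
            }
        }
        END {
            n = 0
            for (u in users) n++
            if (n > 1) { printf "multiple users logged in: %d\n", n; bad = 1 }
            exit bad + 0
        }
    '
}

sample_who | check_single_user || echo "IP address does not identify a single user"
```

On a live workstation, pipe the real command into the function: `who | check_single_user`.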
Further recommendations
- Decide on an authentication method and use it consistently throughout the organization and network. For example, using popup authentication on some systems and Release Stations on others might be confusing for users. Try to offer a consistent user experience.
- Where possible, configure workstations to communicate with the server using the server’s native print protocol. For example, use SMB or standard Windows printing when printing to a Windows server, and Internet Printing Protocol (IPP) when printing to a CUPS server. Servers are most reliable when talking their own language!
- Consider the scope of any configuration change. For example, enabling popup authentication or Release Station on a print queue affects ALL users of that printer. For example, you might want to ask Linux users to use the Release Station, however, this might be considered an inconvenience for Windows users. In these cases, you might set up two print queues for each physical printer - the first queue without Release Station enabled for Windows users and the other with the Release Station option enabled for Linux users.