Available in PaperCut NG and PaperCut MF.

The authentication cookbook - recipes by example

This topic discusses various solutions to the "authentication problem". The aim is not to provide detailed step-by-step instructions, but rather guide you to the relevant procedures and sections in other parts of the manual. This topic includes the following recipes:

Windows systems with generic logins

This scenario arises either when users log in to systems using a common username such as user or student, or if the workstations auto-login as a generic user. See introduction for details.

Preferred method:

Other methods:

  1. Use the Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.

  2. Consider implementing domain level logins.

Windows laptops that do not authenticate against a domain

Portable systems can spend most of their time outside the organization's network, so setting up domain authentication might not be required. The laptops/notebooks are often owned by a single individual and are not under the control of a central administrator.

Preferred method:

Use popup authentication or hold/release queues. For more information, see Handling unauthenticated (non-domain) laptops.

Alternate method 1:

If using a version of Windows that can authenticate with a domain (i.e. not the Windows Home editions), then you can configure the laptop to authenticate with the network as follows.

  1. Teach the user how to add their domain username and password to their Stored usernames and passwords:

    1. Start > Control Panel > User Accounts

    2. Select the user's laptop login account.

    3. Click Manage my network passwords.

    4. Click Add.

    5. Enter the name of the server and the user's network domain username and password.

  2. Teach the user how to add a network printer in the form \\server\printer.

  3. Optional: Locally install client software using the client-local-install.exe install program. This is located on the \\Server\PCClient\win share. At the end of the install process, the client opens asking the user to confirm their network identity. For more information, see User Client.

Alternate method 2:

  1. Add a generic "LaptopUser", or "guest" user account to the domain. Make the password known to all users (e.g. password).

  2. Set the unauthenticated option on this user (enable popup authentication).

  3. Locally install client software using the client-local-install.exe install program. This is located on the \\Server\PCClient\win share. At the end of the install process, the client opens asking the user to confirm their network identity. See Configure the User Client using the command-line for details.

  4. Teach the user how to add a network printer pointing to \\server\printer.

  5. See the preceding scenario for more detail.

Windows print server using LDAP or eDirectory authentication

The Microsoft Windows operating system does not play well in non-Active Directory domain environments such as LDAP or eDirectory. Although it is possible to configure a Windows print server on any network, Windows does not normally provide the ability to use LDAP as an authentication source. Jobs are listed under either a local Windows user identity or a guest account. Use PaperCut NG/MF's popup authentication, bound to LDAP, to work around this limitation.

Preferred method:

Other methods:

  1. Use Release Station. See Secure print release.

Mac OS X systems with generic user accounts

Mac OS X workstations in a lab environment are often set up so users log in using a common, generic, or standard account. For example, "macuser" or "student".

Preferred method:

  1. Install the User Client software. For more information, see User Client.

  2. Add a domain/network user account that matches the generic login account (i.e. "macuser"). This ensures the account is available in PaperCut NG/MF.

  3. Set the Unauthenticated option on the "macuser" account.

  4. Add the printer(s) so jobs list under the "macuser" account. If the print queues are hosted on Windows, add the printer using Samba (e.g. a DeviceURI such as smb://macuser:password@servername/printer). See Mac printing in detail for an explanation on how to add a printer using this method.

    IMPORTANT

    If you are running Mac OS 10.7, you might need to include the port in the DeviceURI:

    smb://username:password@server_name:139/printer_name

Other methods:

  1. Use the Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.

  2. Consider setting up domain-level authentication.

Mac OS X systems using domain authentication via Open Directory

You can configure Mac systems to authenticate users via a central Mac OS X server running Open Directory. Each user has their own login account.

Preferred method:

Other methods:

  1. Use the Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.

  2. Set up print queues on a Windows system and use popup authentication - see next recipe.

Mac OS X systems using domain authentication via Windows Active Directory

You can configure Mac systems so users log in using their Windows Active Directory domain username and password. However, the Mac's support for Windows printers using Samba/SMB requires printers to be added using a single username and password, which is shared by all users. For this reason an extra layer of authentication is required.

Preferred method:

  • Host printers and the PaperCut NG/MF system on the Windows server.

  • Ensure the print server is running in Mixed mode or Pre-Windows 2000 Compatibility Mode. Macs currently have problems with Native Mode networks.

  • Add a domain/network user account that matches the generic login account (i.e. "macuser"). This ensures that the macuser account is added to PaperCut NG/MF's user list.

  • In PaperCut NG/MF, turn on the Unauthenticated option on the "macuser" account to enable popup authentication. Also ensure that the account has zero balance and is restricted.

  • Add the printer(s) so jobs list under the "macuser" account. If the print queues are hosted on Windows, add the printer using Samba (e.g. a DeviceURI such as smb://macuser:password@servername/printer). For more information about how to add a printer using this method, see Mac printing in detail.

    IMPORTANT

    If you are running Mac OS 10.7, you might need to include the port in the DeviceURI:

    smb://username:password@server_name:139/printer_name

  • Install client software (see User Client).

Other methods:

  1. Use LPR as a connection method. See Scenario Three: Multi-user Macs using LDAP or Active Directory authentication in detail.

  2. Use the Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.

  3. Host printers on a Mac Server (see the previous recipe).

Mac OS X laptops (or single user systems) printing to Windows print queues

Mac systems that are owned/used by a single user can benefit from having the printers added in such a way that they automatically authenticate under the user's identity.

Preferred method:

Other methods:

  1. Locally install client software using the client-local-install program located in the directory [app-path]/client/mac. The client displays a popup asking the user to confirm their network identity (via username/password).

Linux Workstations in a lab environment with printers hosted on a Windows server

Linux workstations typically use the CUPS print system. CUPS, through the use of Samba, can print directly to Windows print queues.

Preferred method:

  • Ensure the system is configured to deny remote shell access to standard users - that is, allow only direct screen/console access. This ensures the system's IP address can be associated with a single user providing a suitable environment for popup authentication.

  • Ensure the print server is running in Mixed mode or Pre-Windows 2000 Compatibility Mode. Some Linux distributions currently have problems with Native Mode networks.

  • Add a domain/network user account that matches the generic login account (i.e. "linuxuser"). This ensures the "linuxuser" account is added to PaperCut NG/MF's user list.

  • In PaperCut NG/MF, turn on the Unauthenticated option on the "linuxuser" account to enable popup authentication. Also ensure that the account has zero balance and is restricted.

  • Add the printer(s) so jobs list under the "linuxuser" account. If the print queues are hosted on Windows, add the printer using Samba (e.g. a DeviceURI such as smb://linuxuser:password@servername/printer). Refer to the CUPS or distribution documentation to read more about how to add a CUPS printer using an smb backend.

  • Install client software. For more information, see Install the User Client on Linux and Unix. If users log in to the workstations using a username that matches their Active Directory password, no additional client configuration is required. If users log in using a generic or non-matching account, use command-line options or the config.properties file to force the client to display under the user's domain identity. See Configure the User Client using the command-line for more information.
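
The Mac and Linux recipes above store the generic account's password inside the printer's DeviceURI. The following is an added example, not part of the PaperCut manual: it parses text in the layout of the CUPS printers.conf file and reports which queues carry embedded credentials and whether they belong to an expected generic account. The sample file content, the "jsmith" entry and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of CUPS's printers.conf (not from a real host).
SAMPLE_PRINTERS_CONF = """\
<Printer lab-mono>
DeviceURI smb://macuser:password@servername/printer
</Printer>
<Printer lab-colour>
DeviceURI smb://jsmith:example-pass@servername:139/colour
</Printer>
<Printer staff-ipp>
DeviceURI ipp://servername/printers/staff
</Printer>
"""

# Assumption: the generic, restricted, zero-balance accounts created for the recipes.
GENERIC_ACCOUNTS = {"macuser", "linuxuser"}

def audit_device_uris(conf_text, generic_accounts=GENERIC_ACCOUNTS):
    """Return one finding per queue whose DeviceURI embeds a username."""
    findings = []
    queue = None
    for line in conf_text.splitlines():
        line = line.strip()
        m = re.match(r"<(?:Default)?Printer\s+(.+)>$", line)
        if m:
            queue = m.group(1)
        elif line.startswith("DeviceURI ") and queue:
            uri = urlsplit(line.split(None, 1)[1])
            if uri.username is None:
                continue  # no credentials stored for this queue
            findings.append({
                "queue": queue,
                "user": uri.username,
                "has_password": uri.password is not None,
                "port": uri.port,
                # With a personal account here, jobs from every user of the
                # machine would list under that person instead of the generic one.
                "generic_account": uri.username.lower() in generic_accounts,
            })
    return findings

if __name__ == "__main__":
    for f in audit_device_uris(SAMPLE_PRINTERS_CONF):
        status = "ok" if f["generic_account"] else "REVIEW: non-generic credentials"
        print(f'{f["queue"]}: user={f["user"]} port={f["port"]} {status}')
```

Any queue reported as non-generic is a candidate for re-adding with the restricted generic account.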

Other methods:

  1. Use the Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.

  2. Host printers on a CUPS server running on Linux.

  3. Install PaperCut LPD Service and use LPR rather than CUPS (or CUPS with an LPR backend).

Linux Workstations in a lab environment with printers hosted on Linux CUPS server

Network administrators running Linux labs might choose to host the printers on a Linux server running CUPS. For convenience, CUPS is set up without authentication.

Preferred method:

  • Set up CUPS print queues on a Linux server.

  • Ensure each user has an account on this system (or the domain depending on PaperCut NG/MF's selected user list source).

  • Set up PaperCut NG/MF on the server either as a primary server, or as a secondary server reporting to another primary server (either Mac, Linux or a Windows system) (see Installation).

  • Set the Unauthenticated option on each printer (print queue). This enables popup authentication (see Popup authentication).

  • Ensure the system is configured to deny remote shell access to standard users, that is, allow only direct screen/console access. This ensures the system's IP address can be associated with a single user providing a suitable environment for popup authentication.

  • Install client software (see User Client).

Other methods:

  1. Use the Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. For more information, see Secure print release.

  2. Use CUPS Authentication.

Linux laptops (or single user systems)

Modern Linux laptops make use of the CUPS print system. This environment is equivalent to the Mac laptop recipes described above.

Multiuser Unix terminal servers

Unix or Linux systems allowing remote SSH, Telnet, VNC, or X connections differ from the other scenarios discussed above. These systems cannot use the popup authentication as it is not possible to uniquely identify a user from the system's IP address. The only secure option is to use the Release Station.

Preferred method:

Other methods:

  1. No alternate methods.
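
Popup authentication depends on a workstation's IP address mapping to a single user, which is why the lab recipes deny remote shell access and why terminal servers cannot use it. The following is an added example, not part of the PaperCut manual: it parses the output of the who command and reports whether that condition holds. The sample sessions, host names and function names are constructed for illustration.

```python
import re

# Constructed `who` output (not from real hosts). Origin in parentheses:
# ":0" is the local display; an address or hostname is a remote login.
LAB_WORKSTATION = """\
student  tty7         2024-03-04 09:12 (:0)
student  pts/0        2024-03-04 09:13 (:0)
"""
TERMINAL_SERVER = """\
alice    pts/1        2024-03-04 09:40 (192.0.2.15)
bob      pts/2        2024-03-04 09:55 (lab-gw.example.org)
carol    tty1         2024-03-04 08:02
"""

WHO_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*?)(?:\s+\(([^)]*)\))?$")

def is_local(origin):
    """Console logins have no origin; local X sessions show ':0' style."""
    return not origin or origin.startswith(":")

def popup_auth_check(who_text):
    """Report whether this host's IP address maps to exactly one user."""
    users, remote = set(), []
    for line in who_text.splitlines():
        m = WHO_LINE.match(line.strip())
        if not m:
            continue
        user, tty, _when, origin = m.groups()
        users.add(user)
        if not is_local(origin):
            remote.append((user, tty, origin))
    return {
        "users": sorted(users),
        "remote_sessions": remote,
        # Popup authentication is only sound with one user and no remote logins.
        "ip_identifies_one_user": len(users) <= 1 and not remote,
    }

if __name__ == "__main__":
    for name, text in (("lab", LAB_WORKSTATION), ("terminal", TERMINAL_SERVER)):
        print(name, popup_auth_check(text))
```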

Further recommendations

  1. Decide on an authentication method and use it consistently throughout the organization and network. For example, using popup authentication on some systems and Release Stations on others might be confusing for users. Try to offer a consistent user experience.

  2. Where possible, configure workstations to communicate with the server using the server's native print protocol. For example, use SMB or standard Windows printing when printing to a Windows server, and Internet Printing Protocol (IPP) when printing to a CUPS server. Servers are most reliable when talking their own language!

  3. Consider the scope of any configuration change. For example, enabling popup authentication or Release Station on a print queue affects ALL users of that printer. You might want to ask Linux users to use the Release Station, but this might be considered an inconvenience for Windows users. In these cases, you might set up two print queues for each physical printer: the first queue without Release Station enabled for Windows users and the other with the Release Station option enabled for Linux users.