At DIKU we have a very old print server (vaftrudner), that uses the LPRng project along with some really wierd homemade Postscript2-written stuff encapsulated in Perl, which should have died a long time ago, but didn't. Needless to say - its been on our wish list for quite some time, to set up a new print server based on CUPS (Common UNIX Printing System) and Kerberos for authentication.
Our computing environment has changed drastically over the past few years. Where as a couple of years ago all students would use the Sunray based terminal rooms, now days they all mostly bring their own laptop. So - what is the best way to provide printing services in this environment, where you have zero control over the students laptop? So far our solution has been to provide a CUPS-ssh backend (made by my collegue Martin Parm) which works on both OS X and Linux clients.
But CUPS provides support for Kerberos authentication from version 1.3 and the internet printing protocol (ipp) works on most platforms. Mac OS X, Linux and BSD is easily done, but Windows has for some time posed a problem. For some reason unknown to me Microsoft has only added ipp 1.0 support - but not ipp 1.1 support, and unfortunately the 0.1 version difference holds the authentication additions.
Fortunately a little piece of open source software gave us a solution to this problem: Redmon - A Redirection Monitor. Redmon install a new printer port on the Windows system, which can be redirected to another port and another program. So basically you install a new local printer, and instead of for instance a cable connecting the printer, you choose the redicretion port, which grabs the job and pipes it out through ssh. This is almost the same way our CUPS ssh-backend works today. If you have Kerberos, you can choose to use the Kerberized version of ssh and you can pass your credentials through ssh.
If you are a printer sysadmin, and provide a printing environment which includes a printing solution for Mac OS X, Linux, *BSD and Windows clients, I'd like to know how you set it up and if you have a better solution than the one I described above.
I do authenticated printing for Cornell. I have solutions and ideas for the problems you discuss. Please email me.
-Rick
Posted by Rick Cochran on October 10, 2008 at 08:51 PM CEST #
Can you elaborate more regarding:
"...CUPS provides support for Kerberos authentication from version 1.3 and the internet printing protocol (ipp) works on most platforms. Mac OS X, Linux and BSD is easily done..."
As I understand there are some issues with the need of the local print spooler on each client to have SPN (Service Principal Name)registered?
I'd much appreciate notes/information on your setup for kerberized CUPS for Mac OS X and Linux.
/Anders
Posted by Anders Bäck on January 26, 2009 at 02:16 PM CET #