We’ve finally come up with a working print solution for use on-campus, with support for off-campus users not far behind! Yes, coming soon (as soon as we’ve gone through a meeting, approved it and built some nice tidy servers without all our development detritus on them) you’ll be able to use your own Windows, OS X or Linux laptop from anywhere within the Campus WiFi to print using the University printers!
“But how?” I hear you cry. “We thought it was impossible because Windows Server 2003 has such a ridiculous implementation of the IPP standard!”.
The solution is that we don’t use IPP. SMB works far better, supports tidier authentication, is more secure, and actually bothers to tell the client when the print job is done. Basically, we’ve created a Windows 2003 server with a SafeCom printer on it. We then share this printer entirely as normal, with permissions set so that people need to authenticate against our Active Directory to print to it. Because SafeCom behaves nicely with passing authentication information around, there is no need for any complex pop-ups or client side downloads to integrate with proprietary user databases.
So that’s it – all you need to do to print is point your new print dialog at the correct server (no, I’m not going to tell you which one) and the correct printer name. When you print the OS will prompt you to authenticate (with the exception of OS X, which is a bit awkward for the first print but then seems to get the hang of it), you bung in your normal credentials (unfortunately including the ever-present NETWORK\) and as if by magic your documents will be dropped into the SafeCom queue ready for you to collect at your convenience.
The next stage will involve an IPP to SMB gateway, because IPP behaves better over the internet. I just need to get our gateway box, running Linux, to authenticate users against the AD…
Magic…
Looking forward to giving it a go.
I’ll have some documentation available for you to give it a test whirl, see if you spot any problems and so-on.
Great! Now how about some decent WiFi connection in the Media Building?
It’s on the ‘to do’ list for the infrastructure team. Better wireless (including improved access control, replacing the current BlueSocket system with a much longer device/account association based on MAC address) should hopefully be along relatively shortly (give it a year unless I shout at them louder) after consistently coming out at the top of the list of what students want with regards to ICT.
I am curious, were you ever able to get IPP with TLS or SSL working on Windows server with Linux clients?
I am also curious about your IPP to SMB gateway, because that is looking to be the route that we might have to go for our current printing project given that IPP in Windows 2008 R2 Server seems to absolutely broken. 🙁
Thanks for any advice/tips/documentation that you feel comfortable passing my way!
Short answer: Yes, but not over SMB.
We had to resort to a workaround using the IPP service within IIS on Server 2003. Unfortunately this uses a weird implementation of the IPP 1.0 specification (rather than 1.1) which makes for some interesting behaviour on OS X in particular (where it doesn’t get notified of a completed print job) and some flavours of Linux (our Ubuntu testing machine decided it was going to keep retrying print jobs every 30 seconds until we told it to stop).
The reason we didn’t use SMB in the end was primarily down to security concerns from our Network guys. Your mileage may vary on this one however, since I couldn’t see any problem with the standard providing that the print server is configured properly (ie don’t enable file sharing).
Regarding SSL, this is an option in IIS Manager once you have enabled print sharing. However, again due to a strange implementation you must then print using IPP over HTTP on port 443, otherwise IIS ignores the incoming print requests.
I’ll bundle up the various settings we’re running on and email them to you.
Hi Nick,
I never thanked you for the reply. I think that August 31st was my last day of work before I went on parental leave. Just got back, and it seems that there is still a lot left to be done on the Linux client side of things.
SMB is to be used here only as a “last resort” because it does not seem to encrypt the payload, only the authentication. So far, we have a CUPS server that connects to our Windows print queues over LPR (the LPR is at the moment restricted via ACL rules on a restricted VLAN, but we might tunnel it via stunnel as well, depends on what the security folks say). The CUPS server shares out queues over IPP w/ TLS and Basic Auth (with PAM_LDAP authenticating against AD). Works wonderfully for /some/ clients, and is beginning to fail with the newer distros.
Ubuntu 11.10 no longer prompts the user for authentication on these queues, nor it seems does Fedora 15 or 16. I haven’t gotten my fingers on Lion yet to try OS X.
I have a bug report open with the Ubuntu folks, but I am literally tearing my hear out on this one.
Next up on my list of things to try is to configure Kerberos instead of Basic Auth. I didn’t want to go there if I could help it!
On a side note, I don’t think that I received your email. I know that it was over a year ago, so asking you to resend it is a bit of a stretch… but, if you felt so inclined… 😉