SMB vs HTTP vs HTTPS

So… more on printing. Alongside documenting the service (and cobbling a nice new stylesheet together to replace the old, somewhat kludgy one) I’ve been doing some work with a stopwatch on the relative speeds of SMB vs IPP/HTTP and IPP/HTTPS. The results are slightly unusual.

  • SMB – Printing from Ubuntu and OS X is under 10 seconds for most jobs.
  • IPP/HTTP – Very fast from Windows, but Ubuntu and OS X are normally in the region of 30-40 seconds.
  • IPP/HTTPS – Very fast from Windows, but Ubuntu and OS X normally in the region of 15 minutes. Yes, minutes.

I really need to convince people that SMB is a viable solution and isn’t the massive security risk they seem to think it is. It’s faster, easier and more efficient, at least until I can work out how to make a *nix CUPS server talk to SafeCom.

IPP over HTTPS, the acronyms continue!

Following our massive success printing over SMB, and being told it was a security hole, we then evaluated IPP. IPP works fine, as long as we clobber it so that it works over HTTP.

Trouble is, of course, that HTTP isn’t secure. So we need to use HTTPS, which brings with it a whole new and exciting swathe of problems to deal with. Put simply – it doesn’t work at the moment.

I’m currently trying to break in to the server at the other end so that I can see what’s going on other than the cryptic messages which get dumped to the client. I strongly suspect that somebody has forgotten to tick a box, or that HTTP authentication is disabled or using the wrong realm.

It will work, I really mean it! Even if I have to rip apart CUPS and Kerberos and slam them together in a Frankenstein’s Monster of a print system with authentication to the AD (although I’d really rather not – CUPS is a mess internally and Kerberos would involve Yet Another Server).

Update: I managed to break into the server, admittedly by getting myself set as an admin. Once inside I discovered that, as I suspected, HTTP authentication was disabled entirely. A quick click to turn it on, set the default domain and realm, and force clients to use HTTPS. Job done.

Next up, documentation and implementation.
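
The three things this post ends up checking (authentication switched off, the wrong realm, plain HTTP still being served) can be tested from the client side by looking at what an unauthenticated request gets back. The following is an added example, not the author's code or anything shipped with IIS or SafeCom; the hostname, path, realm and probe results are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

CHALLENGE = re.compile(r'^\s*(\w+)(?:\s+.*?realm="([^"]*)")?', re.I)

def audit(url, status, headers, expected_realm):
    """Return findings for one unauthenticated probe of a print URL."""
    findings = []
    https = urlsplit(url).scheme == "https"
    if not https:
        if status in (301, 302, 307, 308) and headers.get("Location", "").startswith("https://"):
            return findings  # plain HTTP does nothing except redirect to HTTPS
        findings.append("plain HTTP is served; clients are not forced onto HTTPS")
    if status == 200:
        findings.append("request accepted with no credentials; HTTP authentication is off")
        return findings
    if status != 401:
        return findings + [f"unexpected status {status}"]
    m = CHALLENGE.match(headers.get("WWW-Authenticate", ""))
    if not m:
        return findings + ["401 without a WWW-Authenticate challenge"]
    scheme, realm = m.group(1).lower(), m.group(2)
    if scheme == "basic" and not https:
        findings.append("Basic offered over HTTP; password is only base64-encoded")
    if scheme == "basic" and realm != expected_realm:
        findings.append(f"realm {realm!r} does not match expected {expected_realm!r}")
    return findings

def basic_credentials(authorization):
    """Decode an 'Authorization: Basic ...' value; base64 is encoding, not encryption."""
    token = authorization.split()[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

# Constructed probe results: (url, status, response headers). Not real captures.
PROBES = [
    ("http://print.example.test/queue", 200, {}),
    ("http://print.example.test/queue", 401, {"WWW-Authenticate": 'Basic realm="CAMPUS"'}),
    ("https://print.example.test/queue", 401, {"WWW-Authenticate": 'Basic realm="WRONG"'}),
    ("https://print.example.test/queue", 401, {"WWW-Authenticate": 'Basic realm="CAMPUS"'}),
]

if __name__ == "__main__":
    for url, status, headers in PROBES:
        print(url, status, audit(url, status, headers, "CAMPUS") or "ok")
```

Only the last constructed probe comes back clean: a 401 challenge with the expected realm, served over HTTPS.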

It’s coming…

Yes, it’s true. Printing from your own PCs – the #2 item on student surveys about IT for quite a while now – is just around the corner and should be open for use by Week 6 (just in time for all those lovely assignments), with a few caveats.

The University's SafeCom printers, working from my laptop.

Firstly, the initial offering will be ‘Windows only’. As in, Windows (XP, Vista and 7) will work properly and everything else will work after a fashion but be unsupported. This is because of a curious implementation of the protocol at Microsoft’s end which means that clients using CUPS (OS X and Linux, this is you) will print fine, but not know when printing has been done. Some systems such as Ubuntu will then helpfully try to print again, so if you don’t remember to manually clear your print queue then you’ll end up with 100 copies of those lecture slides and no credit. This is very much a work in progress, and I’m actively working on some alternatives to solve this problem. In the meantime, when this is released all OS X and Linux users make sure you follow the guides very, very carefully.


Magic Print Gateway

We’ve finally come up with a working print solution for use on-campus, with support for off-campus users not far behind! Yes, coming soon (as soon as we’ve gone through a meeting, approved it and built some nice tidy servers without all our development detritus on them) you’ll be able to use your own Windows, OS X or Linux laptop from anywhere within the Campus WiFi to print using the University printers!

“But how?” I hear you cry. “We thought it was impossible because Windows Server 2003 has such a ridiculous implementation of the IPP standard!”


The Students are Back!

Hooray, it’s Freshers’ Week! Today involves having to negotiate the swarms of scared looking freshers as they look in a confused manner at maps of campus. It’s also the day when ICT is watching the servers nervously, as 10,000 students all try to retrieve their (still not published, so don’t bother) newly published timetables. Here’s an important message: don’t panic. If you get lost or confused just grab a helpful looking person and 9 times out of 10 they’ll be happy to point you in the right direction.

In the slower-paced world of Online Services R&D my task for today (in between the mind-numbing tedium of SU induction workshops) is to iron out the last few kinks in the printing implementation, more specifically those to do with user rights. Once that is done I can get cracking with test servers and get a functional SafeCom system working. Despite needing to dip in and out of the office this week to attend inductions, welcome backs and Freshers’ Fayre (come visit Drama Society, we’re awesome!) I realistically hope to have a workable solution in place by the start of term next Monday.


Almost There…

Following a break from routine yesterday (I went to Sheffield to attend TEDx, where I learnt that I should listen to the Beatles, build cool things with Arduino, use my right brain more, disrupt things, adopt a workflow with no incentives and finally think inside and outside the box at the same time) I am back today and looking at the final pieces of the remote printing puzzle before I get back to revolutionising the way we deal with support queries.

It turns out that Windows Server since 2000 has included IIS components for doing IP Printing (IPP for short) as standard, and all you need to do is share a printer and tick a box. Even better, it comes with support for Windows Integrated Login (the amazingly annoying one which means you need to put “NETWORK\” before your username) and HTTP authentication for those of us who enjoy the *NIX approach to life (Mac guys, that includes you as well). The icing on the cake is that this authentication information is still passed all the way to the spooler in the same way as when you print locally or over the domain (as Lincoln’s printing works at the moment).

So in summary: we already have a fully featured, standards compliant (although admittedly I still need to work out exactly which ports need punching on the firewall for it to work without the HTTP transport) printing solution for non-domain machines of all OS flavours which supports authentication against our existing Active Directory with no additional hardware, software or expenditure and only a short afternoon’s work to implement it.

I’ll let you know when we’re ready to let you play around.