
Table of contents

Short instructions for all Linux users
Required credentials
Printing without installation
Installing the printer
Print job processing
AuthInfoRequired username,password
Kerberos ticket procedures
Vincent Huijgen
2014-12-16

Short instructions for all Linux users @tue.nl

In a shell-session, type (or copy-paste):

wget -q -O- https://www.win.tue.nl/bcf/linux/printing/install_printers.sh | /bin/sh
and select
(Re-)install queue MFP-CAMPUS-PS

In more detail:

This should work on all Linux systems or at least show a message that makes sense.

If it does not work for you:

, whatever you prefer.
Below follows the whole story.
It is just a summary, despite its size, of the background information that led to install_printers.sh.

Required credentials

Access to the Konica Minolta printers requires :

Printing without installation

If you want to print without installation,

Webbased

using smbclient

You may know smbclient as a browser for file shares, but it can also "browse" printer-queues, which are also shares in Windows parlance. And it can "write" into such shares which is another word for printing.

Without kerberos ticket:

With kerberos ticket:

If the default tueprinter finishing options cater to your needs, this command is all you need for printing. You could wrap one of these procedures into a shortcut, which you could in turn wrap into a customized desktop menu item.

Installing the printer

To be precise, we are going to install:

Required packages

Since packaging depends on your Linux distribution, here are just the names of the executables that you need to install: Use your package manager to find out which packages provide them.

Required configuration - cups server

Using the print configuration wizard

The printer wizard is system-config-printer. You can start it from the command line or try to find a printer icon in the desktop menu structure.

The print configuration wizard has no option to do it right, so IMHO it should NOT be used.

In more detail, it only provides options:

  • to install your plain password in /etc/cups/printers.conf .
    Moreover, it gives no warning about this.
  • to forget to install the trigger for the password dialogue so that you cannot authenticate at all for printing
    (unless you happen to have a Kerberos ticket ready)
neither of which is what we want.

Select Device(URI)

The DeviceURI has these components:
cups-backend-protocol :// printserver / printerqueue
which you need to enter as follows:

Authentication settings

Option 1: for a single plain password

If you choose to Set authentication details now:
  • Prompt user if authentication is required
  • Set authentication details now
    Username: john
    Password: ......
the password will be included correctly in /etc/cups/printers.conf

That is, in plain form, for which you get no warning from the printer wizard.

Option 2: for credentials by dialogue

You may try to check
  • Prompt user if authentication is required
  • Set authentication details now
    Username:  
    Password:  
but no prompt will appear, neither at a later stage of the printer wizard nor when starting a print job, because the printer wizard forgets to insert the necessary directives into the configuration to trigger the credential dialogues.

This happens to be the correct preparation for kerberos authentication.

Option 3: prepare for kerberos

The printer configuration wizard has no direct support to configure kerberos authentication. You could however:

Choose driver

After loading the database of known printers, the Driver dialogue will appear.

Actually, the driver for most printer types is already known to be the cups filter, but it still needs to be pointed to a printer-specific set of PostScript instructions to insert for finishing options such as double-sided and orientation.

These PostScript instructions are published by suppliers as PPD files, one of which you need to select.

At the time of writing, no PPD-file for the printer Konica Minolta C364 is available from the database, so click the option to Provide a PPD file...

... from mfpps.ppd, after downloading it for "uploading", using the indicated file-browser button, to /etc/cups/ppd/printername. The desired printername can be entered later.

This mfpps.ppd is provided with the local papersize (A4) and installable options that are really options for the models that can be ordered at our site.


Installable Options

Update the installable options with those available on the printer that you mostly use

Describe Printer

These are just descriptive fields. Here are the suggested updates:

Describe Printer
  Printer Name: KONICA-MINOLTA-C554SeriesPS-P
  Description: KONICA MINOLTA C554SeriesPS/P
  Location:

Describe Printer
  Printer Name (actually, the queue name): mfpps
  Description (model C364 @ TU/e): KONICA MINOLTA C364
  Location (any printer @ tueprint.campus.tue.nl): Follow You

Apply
(end of wizard)

Configure using a text editor

For those who prefer text editing, here follow the necessary files and contents.

Have your cups server stopped while editing by one of:

service cupsd stop
systemctl stop cupsd

All 3 authentication options need only 2 lines of configuration in /etc/cups/printers.conf
next to the necessary printer section delimiters
<Printer mfpps>
...
</Printer>
and the highly recommended
ErrorPolicy abort-job
That is, abort only that job but proceed with the following jobs instead of aborting any service.

You may see much more lines for printers that are already installed, but these lines are added automatically by the cups server.

Here follow the options for printers.conf for the authentication methods.

The script install_printers.sh does not necessarily include all of them in the same sequence.

/etc/cups/printers.conf Option 1: plain password
<Printer mfpps>
DeviceURI smb://username:plainpasswd@TUE/tueprint.campus.tue.nl/MFP-CAMPUS-PS
AuthInfoRequired none
ErrorPolicy abort-job
</Printer>

This option has:

  • DeviceURI smb://username:plainpasswd@TUE/tueprint....
    including the credentials to be used by the smb backend
    for authentication on the printserver.

    This plainpasswd:
    • should not be exposed to other users.
      Access settings of printers.conf usually prohibit this but they may have changed implicitly by file operations.
    • may not contain the separators :@.
      Enter your password into this small encoder to replace these separators or replace manually

      %,:,@, ,/ by %25,%3A,%40,%20,%2F

      including / to replace as well, for better readability of the whole DeviceURI.

  • AuthInfoRequired none, which just suppresses credentials dialogues, not the authentication

/etc/cups/printers.conf Option 2: prompt for password later, hopefully store in keyring
<Printer mfpps>
DeviceURI smb://TUE/tueprint.campus.tue.nl/MFP-CAMPUS-PS
AuthInfoRequired username,password
ErrorPolicy abort-job
</Printer>

When prompted later for credentials, you can omit the prefix TUE\ for your username because it is already included in the DeviceURI.

AuthInfoRequired username,password is a hint for applications, such as document viewers and browsers, to prompt the user for credentials when a print job is started, and then pass these credentials to the cups server.

The credentials dialogue may supply an option to remember your password, that is, to store it in your keyring. And if you confirm that option, the next and following jobs should not trigger the credentials dialogue anymore. If it does not work that way, you may want to read the chapter AuthInfoRequired username,password


/etc/cups/printers.conf Option 3: prepare for kerberos
<Printer mfpps>
DeviceURI smb://TUE/tueprint.campus.tue.nl/MFP-CAMPUS-PS
AuthInfoRequired none
ErrorPolicy abort-job
</Printer>

These settings are composed to support kerberos authentication.
They include:

  • DeviceURI smb://tueprint...: no credentials in the DeviceURI
  • AuthInfoRequired none : no trigger for dialogues for credentials

forcing the smb backend to use your kerberos ticket to get access to the printserver.

On Linux systems that are not in the TU/e domain, you need to create a kerberos ticket.
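
To see which of the three options each queue in an existing printers.conf corresponds to, and to produce the percent-encoded password that option 1 needs, the following can be used. It is an added example, not part of install_printers.sh; the function names, labels, queue names and sample credentials are constructed for illustration.

```python
import re
import stat
from urllib.parse import quote, urlsplit

def encode_password(password):
    """Percent-encode with no safe characters, so % : @ space / cannot split the DeviceURI."""
    return quote(password, safe="")

ENCODED = encode_password("s3cr:t@pw")  # constructed placeholder password

# Constructed sample in the layout of /etc/cups/printers.conf; not a real configuration.
SAMPLE_CONF = f"""\
<Printer q-plain>
DeviceURI smb://john:{ENCODED}@TUE/tueprint.campus.tue.nl/MFP-CAMPUS-PS
AuthInfoRequired none
ErrorPolicy abort-job
</Printer>
<Printer q-prompt>
DeviceURI smb://TUE/tueprint.campus.tue.nl/MFP-CAMPUS-PS
AuthInfoRequired username,password
</Printer>
<DefaultPrinter q-krb>
DeviceURI smb://TUE/tueprint.campus.tue.nl/MFP-CAMPUS-PS
AuthInfoRequired none
</DefaultPrinter>
"""

SECTION = re.compile(r"<(?:Default)?Printer (\S+)>(.*?)</(?:Default)?Printer>", re.S)

def classify_queues(conf_text):
    """Return {queue: label}; the labels are hypothetical names for options 1, 2 and 3."""
    result = {}
    for name, body in SECTION.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                directives[parts[0]] = parts[1].strip()
        auth = directives.get("AuthInfoRequired", "none")
        if urlsplit(directives.get("DeviceURI", "")).password is not None:
            result[name] = "plain-password"   # option 1: secret stored in the file
        elif auth == "username,password":
            result[name] = "prompt"           # option 2: dialogue per job, or keyring
        elif auth == "none":
            result[name] = "kerberos-ready"   # option 3: smb backend relies on a ticket
        else:
            result[name] = "other"
    return result

def readable_beyond_owner(st_mode):
    """True if group or other may read the file; pass os.stat(path).st_mode."""
    return bool(st_mode & (stat.S_IRGRP | stat.S_IROTH))
```

On a real system, read /etc/cups/printers.conf as root and pass its os.stat(...).st_mode to readable_beyond_owner; any queue reported as plain-password in a file that is readable beyond its owner exposes that password to other users.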


/etc/krb5.conf
Only for kerberos, see Kerberos configuration

/etc/cups/cups-files.conf
User your_local_username
Only for kerberos, see Applying a kerberos ticket by the smb backend

/etc/cups/cupsd.conf
There are many options to support many policies. For now, just make sure that it contains:
Listen localhost:631

Most distributions provide a default configuration with access rules that allows at least printing now.

Using GUI tools for printer settings may require other access rules.

Required configuration - finishing options

/etc/cups/ppd/mfpps.ppd
This ppd-file already reflects most of the options on our printers.
There are a few options that can be ordered separately at our site,
  • stapler
  • punch
so that they are really installable options which you may need to post-edit.
That can be done using one of the ppd-editors:
  • gnome-control-center, Printers, a printer, Options
  • system-config-printer, a printer, Properties
Depending on desktop policies, you may need to "unlock" access to the printer settings.

Required configuration - cups clients

/etc/cups/client.conf
This is for all printer clients and GUI tools for printer settings. Make sure that cupsd is Listening to the ServerName that you point the clients to.
ServerName localhost:631

Print job processing

Print jobs are usually initiated by document applications and held in a local queue by the cups server.

Document application print backends

Most document applications (viewers, editors, browsers) have an option to print the document. That option is implemented by a print backend. Unfortunately, there is no common print backend that is shared by all document applications. So if printing, especially authentication, does not work as expected, this message may help you to find a solution or workaround.

A few examples follow below:

The gtk3 libraries provide a cups print backend which is used by

and maybe more.

The okular document application provides its own print backend which starts the commandline lpr for printjobs.

Queue manager clients

As long as the jobs reside in the queue, on purpose or waiting for some error to be fixed, they can be managed by one of these queue managers: If your job is not submitted to the tueprinter queue, start one of these queue managers and inspect the local queue. Maybe your job is waiting for authentication.

AuthInfoRequired username,password

The entry in /etc/cups/printers.conf
AuthInfoRequired username,password
is a hint for both document application print backends and queue managers to prompt the user for credentials and pass them to the cups server.

After changing your password...

in the Active Directory, it is NOT automatically changed in your keyring. To force a keyring update, start the keyring manager (seahorse) and delete entry
username@tueprint.campus.tue.nl...

Missing option to remember password

There was a flaw in gtk3 versions < 3.13.8 in the credentials (username, password) dialogue, documented as bug 674264:
Credentials from gnome-keyring is not used while printing
so that you would need to enter credentials for each printjob. On most Linux distributions, an indirect effect was that credentials dialogues could appear both without and with option to remember password.

In more detail, when starting a print job from evince:

All these indirect effects of the gtk3 bug and the mixture of different credentials dialogues, with and without option to save password, were very confusing.

The gtk3 bug was solved in August 2014. But the solution may not have propagated yet to your distribution or your update thereof in December 2014, when this document with instructions for authenticated printing needed to be available for Linux users. Especially for the Fedora distribution, the solution was included in Fedora 21, for which the test stage was finished December 2014.

If you cannot easily upgrade gtk3 to version 3.13.8 or higher, here is how to avoid repeatedly entering credentials, unfortunately not completely avoiding the appearance of credential dialogues:

Now the next and following printjobs can proceed as follows:

Present but failing option to remember password

In case you're still with me: the previous procedure to fall back to system-config-printer as (client of) the queue manager unfortunately fails if its version is less than 1.3.13. I do not have a direct bug reference at hand, but my own small test reported a Cancelled error after checking the box to remember password, in update_job_keyring_attrs, as reported by bug 905618.

If your version of system-config-printer has this bug, you can still print and authenticate but not have your password remembered.

Kerberos ticket procedures

What is kerberos and why should I care ?

Kerberos tickets provide authentication to the Active Directory. That provides access to services such as printing, mail, address lists, calendar and network drives.

Using kerberos authentication obviates the need:

Kerberos configuration /etc/krb5.conf

Before you create a kerberos ticket, you need to make sure that which can be done in two ways:
Explicit settings in /etc/krb5.conf

If you choose to have explicit settings, you need to include or update these entries:

default_realm = CAMPUS.TUE.NL
dns_lookup_realm = false
dns_lookup_kdc = true
# That is, for campus.tue.nl apply dns-lookup for: _ldap._tcp.campus.tue.nl

Especially, make sure that the default_realm is not EXAMPLE.COM , as shipped with older kerberos versions.
With newer kerberos versions, this is already included as comment so that it is really an example.
Except for the realm, these settings are the default settings.

With dns_lookup_kdc enabled, domain controllers for campus.tue.nl are queried in DNS, as you can replay by the query:

host -t srv _ldap._tcp.campus.tue.nl
Empty and default configuration
Since the necessary settings, especially dns_lookup_kdc=true, are default, you could as well set up an empty kerberos configuration.

This can be done by one of:

  • missing /etc/krb5.conf
  • empty /etc/krb5.conf
  • KRB5_CONFIG=/dev/null in process environment.

    This may be useful if you just want to run kinit followed by a few smbclient -k -c print commands with minimal configuration changes.

    For the smb backend, you would need to make sure that it also has this entry in its process environment.

Creating a kerberos ticket

on Linux systems in the TU/e domain
Such as the Fedora 18 systems at the department of Mathematics and Computer Science.

You already have a valid kerberos ticket since you logged in.


on Linux systems outside the TU/e domain
Set up the necessary kerberos configuration and:
kinit username@CAMPUS.TUE.NL
with the realm CAMPUS.TUE.NL in capitals.
You need to repeat this procedure every few days, so that you may not like this option.

Applying a kerberos ticket

Kerberos tickets are applied by smbclients:

Appendix

URL-encoder for plain passwords

for python 2
python -c 'import urllib; print urllib.quote(raw_input("%-encode: "),"")'

for python 3
python -c 'import urllib.parse; print(urllib.parse.quote(input("%-encode: "),""))'