Wednesday, 14 December 2011

MSI repackaging and Microsoft’s Orca tool

A common task required of those of us who support a large number of managed Windows computers is software repackaging.  The process of repackaging allows you to take a proprietary executable installer provided by a vendor and from this create a Microsoft Installer file (MSI file) suitable for distribution using an enterprise deployment tool such as SCCM. In recent years vendors have become better at supplying MSI files.  This saves you the task of completely repackaging the software, but there are often changes you might wish to make to the default behaviour of the vendor-supplied installer.

This is where Orca comes in.  I’m surprised how unknown this tool is amongst systems administrators.  Although aimed primarily at developers, Orca should be in the armoury of any IT professional with responsibility for Windows application deployment. Orca is a database table editor for MSI files.  It allows you to inspect and amend the underlying structure of an MSI file and to save any changes you wish to make to a separate transform file (MST file).  This means you can keep your original vendor MSI file intact and yet apply organisation-specific changes at install time using the MST file containing your changes.

You can find a basic tutorial here and another here.  Orca can be downloaded here or as part of the Microsoft Windows SDK here.

Tuesday, 6 December 2011

Active Directory authenticated AirPrint across subnets

AirPrint is a component of the Apple iOS operating system allowing users to print to supported printers wirelessly from their Apple mobile devices.  iPads and iPhones have become especially popular with the user community and there is a need for users to be able to print from the wireless network to managed network printers.  In an enterprise environment we wish to restrict access to these printers to authenticated users.  Active Directory is the authentication source of choice in many enterprises.

I have implemented a proof-of-concept setup that allows this.

Solution outline

  1. Install and configure a Linux server on your network.  I chose CentOS 6.  Packages mentioned below should be easily installable using your distribution’s package manager.
  2. Configure the Linux server to authenticate against Active Directory.  I used Kerberos for authentication and winbind for user and group naming.  There are various guides around to help you with this.
  3. Set up and configure the Common Unix Printing System (CUPS) on the Linux server.  I found that version 1.4.6 worked well with Linux’s Pluggable Authentication Module (PAM) to allow authenticated printing.  Other versions of CUPS seemed to have issues.
  4. Configure a printer queue in CUPS and share it using the Internet Printing Protocol (IPP).  Ensure the queue is restricted to authenticated users (use the “authenticated” rather than the “default” policy).
  5. Implement DNS-SD to advertise the CUPS print queue to iOS wireless clients.  This allows AirPrint to work across subnets without relying on broadcast transmission of packets.  Make sure your DHCP server is giving out the right DNS search path to wireless clients.
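
Step 5 in concrete form, as an added example that is not from the original post: a small Python generator for the wide-area DNS-SD records (PTR, SRV and TXT) that advertise one authenticated CUPS IPP queue to iOS clients on another subnet, ready to paste into the zone your DHCP server hands out as the search domain.  Zone, host and queue names are constructed placeholders; the TXT keys follow the convention used by community airprint-generate scripts, and `air=username,password` is assumed to be the key that makes iOS prompt for credentials rather than fail on the 401 from an authenticated queue.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Queue:
    name: str            # CUPS queue name; also used as the DNS-SD instance name
    server: str          # FQDN of the CUPS server (constructed placeholder)
    zone: str            # DNS zone the wireless clients receive as search domain
    description: str     # Text shown in the iOS printer picker
    authenticated: bool  # True when the queue uses the "authenticated" CUPS policy
    port: int = 631      # IPP port the CUPS server listens on


def txt_pairs(q: Queue) -> List[str]:
    """Key=value strings for the TXT record iOS reads before submitting a job."""
    pairs = [
        "txtvers=1",
        "qtotal=1",
        f"rp=printers/{q.name}",          # IPP resource path of the CUPS queue
        f"ty={q.description}",
        "pdl=application/pdf,image/urf",  # assumed: formats the queue accepts
        f"adminurl=https://{q.server}:{q.port}/printers/{q.name}",
    ]
    # Assumed AirPrint key: advertise that credentials are required so the
    # device asks for the AD username/password instead of submitting anonymously.
    pairs.append("air=username,password" if q.authenticated else "air=none")
    return pairs


def zone_records(q: Queue) -> List[str]:
    """BIND zone-file lines that publish the queue for wide-area DNS-SD."""
    # Keep the instance name a plain DNS label so no zone-file escaping is needed.
    if not q.name or not all(c.isalnum() or c == "-" for c in q.name):
        raise ValueError(f"queue name {q.name!r} is not a safe DNS label")
    instance = f"{q.name}._ipp._tcp.{q.zone}."
    txt = " ".join(f'"{p}"' for p in txt_pairs(q))  # one quoted string per key
    return [
        f"_ipp._tcp.{q.zone}. PTR {instance}",
        # AirPrint browses the _universal subtype of _ipp._tcp, so add that PTR too.
        f"_universal._sub._ipp._tcp.{q.zone}. PTR {instance}",
        f"{instance} SRV 0 0 {q.port} {q.server}.",
        f"{instance} TXT {txt}",
    ]


if __name__ == "__main__":
    demo = Queue("lib-mfp", "cups.example.internal", "example.internal",
                 "Library MFP (AD login required)", authenticated=True)
    print("\n".join(zone_records(demo)))
```

Because unicast DNS-SD carries no hostname suffix of its own, the clients must have `example.internal` (or whatever zone you use) in their DHCP-supplied search path for the `_ipp._tcp` browse to resolve.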

Now when you print from an iOS device on the wireless network, the IPP printer advertised via DNS-SD should appear in the printers list.  When you attempt to print, you should be asked for your AD username and password.  Once supplied, the job will be accepted by CUPS and sent to the network printer.

Taking things further

If you have configured winbind to correctly resolve AD groups, you can restrict certain print queues to certain groups using the CUPS admin web interface.

If you use a print charging system such as PaperCut, you can install the Linux print provider on the server and account for any print jobs sent from iOS devices.  PaperCut 11.6 has introduced an iOS solution, but this depends on the user completing a two-stage process to print.  I believe the above solution is more elegant from a user perspective.