Tuesday, 6 December 2011

Active Directory authenticated AirPrint across subnets

AirPrint is a component of the Apple iOS operating system allowing users to print to supported printers wirelessly from their Apple mobile devices.  iPads and iPhones have become especially popular with the user community and there is a need for users to be able to print from the wireless network to managed network printers.  In an enterprise environment we wish to restrict access to these printers to authenticated users.  Active Directory is the authentication source of choice in many enterprises.

I have implemented a proof-of-concept setup that allows this.

Solution outline

  1. Install and configure a Linux server on your network.  I chose Centos 6.  Packages mentioned below should be easily installable using your distribution’s package manager.
  2. Configure the Linux server to authenticate against Active Directory.  I used Kerberos for authentication and winbind for user and group naming.  There are various guides around to help you with this.
  3. Set up and configure the Common Unix Printing System (CUPS) on the Linux server.  I found that version 1.4.6 worked well with Linux’s Pluggable Authentication Module (PAM) to allow authenticated printing.  Other versions of CUPS seemed to have issues.
  4. Configure a printer queue in CUPS and share it using the Internet Printing Protocol (IPP).  Ensure the queue is restricted to authenticated users (use the “authenticated” rather than the “default” policy).
  5. Implement DNS-SD to advertise the CUPS print queue to iOS wireless clients.  This allows AirPrint to work across subnets without relying on broadcast transmission of packets.  Make sure your DHCP server is giving out the right DNS search path to wireless clients.
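Step 5 is the part most people get wrong, so here is an added example (not from the original post) that generates the wide-area DNS-SD records for one authenticated CUPS queue. The queue name, host and domain are constructed, and the URF capability string is an assumption about the printer; the `air=username,password` key is what tells iOS the queue will prompt for credentials.

```python
# Wide-area (unicast) DNS-SD records for an authenticated CUPS/AirPrint queue.
# Example code added for this post; queue, host and domain names are constructed.
# iOS resolves b._dns-sd._udp.<DNS search domain> to find the browse domain, then
# enumerates _ipp._tcp (and AirPrint's _universal subtype) without any mDNS broadcast.

def airprint_txt(queue: str, host: str, port: int = 631) -> list[str]:
    """TXT key=value strings an iOS client expects for an AirPrint queue."""
    return [
        "txtvers=1",
        "qtotal=1",
        f"rp=printers/{queue}",                   # CUPS resource path of the queue
        f"ty={queue}",
        f"adminurl=https://{host}:{port}/printers/{queue}",
        "pdl=application/pdf,image/urf",          # iOS sends PDF or URF raster
        "URF=W8,SRGB24,CP1,RS600",                # URF capabilities (assumed for the device)
        "air=username,password",                  # tells iOS the queue needs credentials
        "Color=T",
        "Duplex=T",
    ]

def _quote(s: str) -> str:
    """Quote one TXT character-string; each must fit in 255 bytes."""
    if len(s.encode()) > 255:
        raise ValueError(f"TXT string too long: {s[:20]}...")
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def dns_sd_records(queue: str, host: str, domain: str, port: int = 631) -> list[str]:
    """Return BIND-style zone lines advertising the CUPS queue via DNS-SD."""
    inst = queue.replace(" ", "\\032")            # zone files escape spaces in instance names
    svc = f"_ipp._tcp.{domain}."
    name = f"{inst}.{svc}"
    target = f"{host}.{domain}."
    txt = " ".join(_quote(s) for s in airprint_txt(queue, host, port))
    return [
        f"b._dns-sd._udp.{domain}. PTR {domain}.",   # browse domain
        f"lb._dns-sd._udp.{domain}. PTR {domain}.",  # legacy browse domain
        f"{svc} PTR {name}",                         # service instance enumeration
        f"_universal._sub.{svc} PTR {name}",         # AirPrint subtype iOS browses for
        f"{name} SRV 0 0 {port} {target}",
        f"{name} TXT {txt}",
    ]

if __name__ == "__main__":
    print("\n".join(dns_sd_records("lib-mfp", "cups01", "corp.example")))
```

Paste the output into the zone for the domain your DHCP server hands out as the search path; the SRV target must resolve to the CUPS host from the wireless subnet.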

Now when you print from an iOS device on the wireless network, the IPP printer advertised via DNS-SD should appear in the printers list.  When you attempt to print, you should be asked for your AD username and password.  Once supplied, the job will be accepted by CUPS and sent to the network printer.

Taking things further

If you have configured winbind to correctly resolve AD groups, you can restrict certain print queues to certain groups using the CUPS admin web interface.

If you use a print charging system such as PaperCut, you can install the Linux print provider on the server and account for any print jobs sent from iOS devices.  PaperCut 11.6 has introduced an iOS solution, but this depends on the user completing a two-stage process to print.  I believe the above solution is more elegant from a user perspective.

12 comments:

  1. Really nice work! The use of winbind for authentication is great, and as you said, does eliminate the need to use the PaperCut App for authentication. It's one less step for the user. The PaperCut App may still be useful in some situations as it provides feedback on the job's status (e.g. was it cancelled because of low print quota), and account selection.

    Have you come across any print quality issues using your CUPS queues? Are all your printers PostScript?
  2. Thanks for the kind words, Chris. We upgraded to PaperCut 11.6 yesterday, so we'll certainly check out the app soon.
  3. Chris,

    Could you please elaborate or show the output for "Ensure the queue is restricted to authenticated users (use the “authenticated” rather than the “default” policy)."

    Thanks!
  4. Tux

    In /etc/cups/cupsd.conf you will see the following policies defined:

    <Policy default>

    and

    <Policy authenticated>

    You need to make sure your printers are using the second of these. In /etc/cups/printers.conf make sure each printer has the line:

    OpPolicy authenticated

    Regards
    Richard
  5. Thanks Richard,

    Quick question, do both your client and print server need to be configured for kerb authentication for this to work? Also, what does your /etc/cups/cupsd.conf have for 'DefaultAuthType'?

    Thanks again!
  6. Tux

    The Linux print server is configured for Kerberos authentication against Active Directory. Not sure what you mean by the "client" in this case.

    cupsd.conf:

    DefaultAuthType Basic
  7. Hi,
    Is the Linux server sitting on your wifi network or corporate network?
  8. The Linux server is on the corporate network. You need to use DNS-SD so that clients can see the Linux server without relying on broadcast transmission.
  9. Richard,
    Have you ever used the PaperCut iOS printing with any other print tracking packages already installed on a network? Right now I have my users printing from their computers and then they either swipe their badge or type in their pin at any printer when they choose to retrieve their prints.

    Justin
  10. That's called "Find me printing". PaperCut supports this so it should work with iOS. Drop them a line and they can tell you for certain.
  11. Is there a way to do this using LDAP on a Mac server? I would much prefer the user being prompted for their password than having to go to the Papercut app first.