Archive for September, 2004

September 30, 2004

PaperCut Tip of the Month - Sep 04

Chris @ 3:42 pm

One of our customers suggested that I use my blog to write about using PaperCut. I’ve decided to write a Tip of the Month article every 4 weeks to highlight some of PaperCut’s “hidden” features.

This month I’ll talk about one of the new features in Version 5.0. All existing PaperCut users would be aware of PaperCut’s automatic account creation rules. These help streamline user management by automatically configuring new user accounts within PaperCut. There is still, however, a need to synchronize PaperCut’s user list with the users listed in Active Directory or the Domain. This is usually done manually via the “TuneUp” button. Version 5 now introduces a command-line script to automate this task. The script is located under:

C:/Program Files/PaperCut/Scripts/addnewusers.bat

Network administrators can now set this script to run automatically via the Windows Task Scheduler or out of other system maintenance scripts. Many large organizations use scripts to create user accounts. You can now incorporate this command into such scripts so PaperCut is instantly notified of the new users. This new feature brings PaperCut one step closer to our “zero administration” goal.

September 27, 2004

PaperCut Quota 5.0 now out

Chris @ 10:32 am

We released PaperCut Quota version 5.0 last week. My previous log entry provides a good overview of some of the new features and future development plans.

News on the release spread fast. We received our first upgrade request only 2 hours after the final build was uploaded. We’ve had great feedback from the existing customers, with the enhanced web tools and Internet quota support getting much attention.

We’ve updated the product tour page to include an overview of the new features. This is a good place to start if you’re interested in a visual guide to the changes. Thanks to all the people who provided feedback and ideas, and also to those who helped with testing.

September 19, 2004

Getting Samba to authenticate to a Windows Domain

Matt @ 6:36 pm

Introduction

Samba is a tool best known for its ability to provide Windows file sharing capabilities to linux/unix platforms. With very little effort you can set up a Samba file server which will cost you very little. If you had to go out and buy one of the Windows server editions you’d be up for at least a couple of thousand dollars in Windows licenses.

In addition to acting as a basic file server, Samba can actually join your Windows Domain, which allows it to authenticate users against your Windows security infrastructure. There’s no need to synchronise user databases between systems, because Samba reads all this information directly from your domain controller(s). So restricting access to Samba shares to particular Windows users or groups is simply a matter of a little configuration.

This also opens the door for other applications running in your unix environment to authenticate against a Windows Domain. For example, authenticating users when accessing the internet through a Squid web proxy (but I’ll leave the configuration of that for another day…).

Installation

I’m not going to go into too much detail here, because installation is usually handled pretty well by most linux distributions. We use Debian Linux, which automates most of the installation process. If you want to roll it yourself, grab it from the Samba download page and follow the very good documentation. If, like us, you use Debian, just run:

# apt-get install samba winbind

Winbind is the part of Samba that is responsible for integrating Windows authentication and the user database into unix.

NOTE: I’m assuming you’re using Samba 3.0.x, which has been out since Sept 2003, so there’s no good reason not to be running it. I’m using 3.0.7 because it provides the latest and greatest functionality to authenticate to a Windows domain… and fixes a couple of issues.

Configuration

Open up the Samba config file smb.conf, which on Debian is located in /etc/samba.

First set the workgroup setting to the name of your windows domain, e.g.

workgroup = MYDOMAIN

To instruct Samba to use the domain for its user/group database you need to set the security setting as follows:

security = DOMAIN

To allow winbind to map windows users and groups into the unix world you need to instruct winbind which uid and gid ranges to use. Make sure these don’t overlap with entries in your /etc/passwd and /etc/group files. Add entries like the following:

idmap uid = 10000-20000
idmap gid = 10000-20000

And by setting the following you won’t have to prefix your usernames with the domain (i.e. MYDOMAIN\user) from within unix, because the default domain will be assumed.

winbind use default domain = Yes

Then save your changes to smb.conf.

Joining the Domain

Before you restart your Samba daemons for the changes to take effect, you need to do the following to join your Samba machine to the Windows domain. You’ll probably need to be running as root. The username/password you specify here is an Admin user on your Windows domain that has permission to add machines to the domain.

# net rpc join -UAdministrator%'password'
Joined domain MYDOMAIN.

Now you can (re)start your Samba services (smbd, nmbd, winbind). On Debian do:

# /etc/init.d/samba restart
Stopping Samba daemons: nmdb smbd.
Starting Samba daemons: nmdb smbd.
# /etc/init.d/winbind restart
Restarting the Winbind daemon: winbindd.

Now you have to tell your system to use winbind in addition to the standard files (/etc/passwd and /etc/group) as a user/group database. To do this edit /etc/nsswitch.conf as follows:

passwd: files winbind
group:  files winbind
hosts:  files dns winbind

And then we need to tell winbind what user to use when initiating sessions to your domain controller. To do this (using an admin user on your domain):

# wbinfo --set-auth-user=Administrator%password

Testing it all

And finally we should be able to test that all the above works ….

# wbinfo -u
MYDOMAIN\Administrator
MYDOMAIN\Guest
MYDOMAIN\matt
... remainder of domain users ...

If you got a list of users from your domain then we’re cooking with gas! wbinfo -g will give you a list of all your domain groups.

To check that winbind is doing its job you should be able to query the unix user database and find users from your Windows domain, like below:

# getent passwd Administrator
Administrator:x:10000:10000::/home/MYDOMAIN/Administrator:/bin/false

Woohoo … it’s working. Winbind is authenticating to the Windows domain. More later on useful ways to make use of this.
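
A pre-flight check for the steps above, as an added example that is not part of the original post: it reads the idmap ranges out of smb.conf, lists any local passwd or group entries whose ids fall inside them, and confirms that nsswitch.conf lists winbind. The function names and all sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the winbind setup described above.
# Function names are illustrative; all sample data below is constructed.

# idmap_range SMBCONF KEY -> prints "LOW HIGH" for a line like "idmap uid = 10000-20000"
idmap_range() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" "$1" | head -n 1
}

# overlapping_ids DBFILE LOW HIGH -> names in a passwd/group-format file whose
# numeric id (field 3 in both formats) falls inside LOW..HIGH
overlapping_ids() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3+0 >= lo+0 && $3+0 <= hi+0 { print $1 }' "$1"
}

# check_range SMBCONF KEY DBFILE -> 0 if clean, 1 on overlap, 2 if KEY is unset
check_range() {
    range=$(idmap_range "$1" "$2")
    [ -n "$range" ] || { echo "$2: not set in $1"; return 2; }
    hits=$(overlapping_ids "$3" "${range% *}" "${range#* }")
    [ -z "$hits" ] && return 0
    echo "$2 = $range collides with local entries in $3:" $hits
    return 1
}

# nss_uses_winbind NSSWITCH DB -> succeeds if database DB lists winbind as a source
nss_uses_winbind() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|\$)" "$1"
}

# --- constructed sample files (stand-ins for smb.conf, /etc/passwd, /etc/group) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/smb.conf" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = DOMAIN
   idmap uid = 10000-20000
   idmap gid = 10000-20000
EOF
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'svcbackup:x:10050:100::/var/backup:/bin/false' > "$demo/passwd"
printf '%s\n' 'root:x:0:' 'users:x:100:' > "$demo/group"
printf '%s\n' 'passwd: files winbind' 'group:  files' > "$demo/nsswitch.conf"

check_range "$demo/smb.conf" "idmap uid" "$demo/passwd" || true
check_range "$demo/smb.conf" "idmap gid" "$demo/group" && echo "idmap gid: no overlap"
nss_uses_winbind "$demo/nsswitch.conf" group || echo "group: winbind missing"
```

On a real host, point the functions at /etc/samba/smb.conf, /etc/passwd, /etc/group and /etc/nsswitch.conf instead of the sample files.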

September 15, 2004

PaperCut Development Update - Sep 04

Chris @ 11:36 pm

We’ve recently had a number of customers ask for an update on the planned dates for our next release, and what new features will be included. The developers at PaperCut Software P/L now keep weblogs to help keep everyone informed on what we’re up to, the ideas we have, and what we’re planning next. I’ll give a quick overview now.

We have forked the PaperCut code base and now have two projects under way. One is our “next generation” PaperCut scheduled for release next year. The other project is improving on our existing applications in an incremental fashion. We plan to release our next iteration before the end of September. As yet we have not decided if this will be a 4.3 or 5.0 release, however my personal thoughts are that the new features definitely justify a 5.0 release.

As most existing PaperCut users would know, PaperCut’s Internet Quota support was introduced a few years after the initial PaperCut release. Our Internet quota functionality has hence always lagged our print quota functionality by a year or two. In this release we are driving to bring our Internet charging features up to the same level of maturity as our print quota support. Planned features include:

  • Time based charging (in addition to bandwidth based charging)
  • Support for other proxy servers including Squid with Winbind support
  • Better integration with existing supported proxy servers such as MS ISA Server

On the general development side, we have included a number of features to ease the administration overhead associated with managing large numbers of users. Most of the suggestions have come from, and been ranked by, our larger customers. These include:

  • New admin scripts to automate tasks such as syncing user accounts with Active Directory. This allows these tasks to be scheduled overnight or any other defined intervals. (i.e. automated “TuneUp”)
  • Tools for creating “TopUp” cards. This concept is similar to the TopUp cards used with pre-paid mobile phones. Organizations can sell these cards (e.g. at the school cafeteria) and users can use the card’s number to top up their own credit. Although a number of schools have been doing this for a while, we include a number of tools and templates to assist with this process.
  • Full transaction audit logging so administrators can view a history of money moving in and out of accounts, including when it was moved, by whom, and how much.

PaperCut Enterprise is gaining a few new additions to the popup client. Many of our business customers have requested the ability to have different charging levels. Users will now be able to offer discounts or charge print jobs at a draft rate at the time of printing and this will be reflected in invoices issued at the end of each month. We’ve also included an array of other little enhancements in all areas.

If anyone has any ideas, please make sure you email us! Please see here to read why we are keen on new ideas.