Athena Printing Technical Overview
Overview
Athena printing is based on LPRng, a set of client/server print
utilities developed by Patrick Powell, based on the BSD Line Printer
architecture and configured for MIT use.
There is a central pool of Unix print servers, managed by the Athena
Server Operations group.
Printers served by this central pool can be managed by Operations
and Help Desk staff.
Any private Athena workstation can be configured as a print server
to serve a private network or locally attached printers.
In addition to the LPRng print clients used by current Athena workstations,
the servers are compatible with the stock BSD-style print clients
provided with most UNIX-like operating systems, as well as legacy
(pre-8.2) Athena print clients. IS&T supports printing from Windows
clients (using the WLPRSPL package), and is beta-testing printing
from Macintosh clients.
Future development in the Athena printing system could include
load balancing queues (one virtual queue served by a pool of printers),
print quotas, datastream transforms, and better integrated GUI clients
for UNIX and Windows.
See Patrick Powell's LPRng
HOWTO: Print Spooling Overview (and other chapters) for a detailed
description of stock LPRng, including custom configuration instructions.
LPRng Architecture
LPRng is based on the BSD Line Printer spooling system architecture,
and is mostly backwards-compatible with that system. It is a client-server
system, with central queue management servers that can be isolated
from clients. Servers can control remote network printers, or local
serial and parallel printers.
Queues are defined for clients and servers using the Printer Capability
(printcap) database. This can be either a plain file that the system
reads, or an outside database that the system searches via a
callout program. The client and server printcap can be completely
disjoint.
Jobs are sent to the server via an extended version of the BSD
Line Printer (LPR) protocol.
The original protocol is described in RFC 1179.
The LPRng extensions to it are described in the "Line Printer Daemon
Protocol" section of the LPRng
HOWTO document.
The protocol supports querying queues and removing a job from a
queue before printing.
LPRng extensions to the protocol also support remote queue administration
(start, stop, moving jobs, etc.).
When the server prints a job, it first looks up the printer's location
in the server printcap database. Lookups can be by:
- hostname and port (for a raw TCP connection)
- hostname and queue name (for forwarding the job via the LPR
protocol)
- device path on the server (for local serial or parallel printers)
The server then looks up the name of a filter program to pass the
output through, based on the queue name and flags in the job control
information. If a banner is required, an external banner generator
is called to prepend a banner to the data stream. The job (possibly
preceded by the banner) is passed through the filter, and then sent
to the printer.
Local Configuration
The stock LPRng package has been configured at MIT to meet the
Athena requirements of security and centralized administration.
The most notable features used to achieve these goals are the Hesiod-based
printcap database, and Kerberos-based authentication.
Hesiod Printcap Database
In the Athena environment, having to maintain a printcap file on
each client is not feasible. For this reason, printcap has been
implemented as a Hesiod database (type pcap), and the LPRng clients
have been configured to query Hesiod to look up printcap entries.
The default printer for a client system is also obtained through
Hesiod, via the lpr setting in the cluster database. In addition,
the printcap entry contains an entry (auth) indicating whether Kerberos
authentication is to be used for the printer. As a result, there
is no need for a local printcap database to be installed and kept
up to date on Athena workstations.
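
As an added illustration (not code from Athena or LPRng), the sketch below parses one printcap entry of the kind a pcap lookup would return and derives what the client needs from it: the server, the remote queue, and whether Kerberos is used. The sample entry, host name and the value of the auth field are constructed assumptions; rm and rp are the standard printcap remote-machine and remote-printer fields.

```python
import re

# Constructed sample of a printcap entry as a pcap lookup might return it.
# Host and queue names are placeholders; the auth value is an assumption.
SAMPLE_PCAP = "ajax|example-queue:rp=ajax:rm=printserver.example.edu:auth=kerberos5:mx#0:sh@"

FIELD = re.compile(r"^([A-Za-z_][\w-]*)([=#@]?)(.*)$")

def parse_printcap(entry):
    """Split one printcap entry into its names and typed capabilities."""
    # Join backslash-continued lines, then split on the ':' field separator.
    flat = "".join(line.strip().rstrip("\\") for line in entry.splitlines())
    head, *fields = [f.strip() for f in flat.split(":")]
    caps = {}
    for field in fields:
        m = FIELD.match(field)
        if not m:
            continue                      # empty or malformed field
        key, op, value = m.groups()
        if op == "=":
            caps[key] = value             # string capability
        elif op == "#":
            caps[key] = int(value) if value.isdigit() else value  # numeric
        elif op == "@":
            caps[key] = False             # explicitly disabled flag
        else:
            caps[key] = True              # bare flag
    return head.split("|"), caps

def client_plan(entry):
    """What a client needs from the entry: server, remote queue, Kerberos or not."""
    names, caps = parse_printcap(entry)
    return {
        "queue": caps.get("rp", names[0]),   # default to the local queue name
        "server": caps.get("rm"),
        "kerberos": bool(caps.get("auth")),  # auth present => authenticate
    }
```

The sketch does not handle colons escaped inside a value.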
Security
Traditional schemes for access control in the BSD printing system
are also inappropriate in the Athena environment, so LPRng has been
configured to provide better authentication and authorization mechanisms.
Kerberos authentication, required for Athena cluster printers,
is available (although not required) for all queues. Kerberos authentication
is initiated by a client printcap entry (auth). The lpr, lprm, and
lpc clients do a mutual authentication exchange with the server,
and then encrypt and verify traffic between client and server (to
prevent sniffing or hijacking).
The standard lpr and lpd will try three times to transfer the request
when the print server is not responding. In addition, lpr will return
an immediate error message to the user if the server is unavailable.
If a (private) queue is configured to allow unauthenticated jobs, lpd
has been configured to disallow non-kerberized spooling or job control
from outside MITnet.
Even if a queue does not require Kerberos, a user may submit a
job from outside MITnet using Kerberos.
In the case of queues that do not require Kerberos authentication
to submit a job, if a job *is* submitted using Kerberos, the queue
will then require the use of Kerberos to remove or control that
particular job.
Finally, the LPRng version of lpc permits authorized users to administer
the queues for their own printers remotely. All queues require Kerberos
authentication for management via lpc, even those that do not require
it for submitting jobs.
Since no commodity network printers currently implement cryptographic
encryption or authentication of print data, print jobs are sent
across the net to the printer in clear text.
Access to submit jobs to network printers is controlled by an ACL
of IP addresses.
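
The submission, job-control and lpc rules above, restated as a small decision model. This is an added example, not Athena's or LPRng's code. CAMPUS_NET is a documentation-range stand-in for MITnet, and matching the requester against the job owner is an assumption the page does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Stand-in for MITnet: a documentation range, not the real campus network.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")

@dataclass
class Request:
    addr: str                        # client IP address
    user: str                        # user name claimed in the LPR request
    principal: Optional[str] = None  # Kerberos identity, None if unauthenticated

@dataclass
class Job:
    owner: str
    kerberized: bool                 # True if the job was submitted with Kerberos

def on_campus(req: Request) -> bool:
    return ipaddress.ip_address(req.addr) in CAMPUS_NET

def may_submit(queue_requires_krb: bool, req: Request) -> bool:
    if req.principal is not None:
        return True                  # Kerberos jobs are accepted from any network
    # Unauthenticated spooling: only on queues that allow it, only from campus.
    return not queue_requires_krb and on_campus(req)

def may_control_job(queue_requires_krb: bool, job: Job, req: Request) -> bool:
    # A Kerberos-submitted job needs Kerberos to remove, even on an open queue.
    if queue_requires_krb or job.kerberized:
        return req.principal == job.owner
    if req.principal is not None:
        return req.principal == job.owner
    # Assumption: unauthenticated removal matches on the claimed user name.
    return on_campus(req) and req.user == job.owner

def may_administer(req: Request, queue_admins: set) -> bool:
    # lpc management always requires Kerberos, whatever the queue's auth setting.
    return req.principal is not None and req.principal in queue_admins
```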
Miscellaneous Features
Athena's version of LPRng supports interactive notification of print
job completion and errors via the Zephyr messaging system.
Occasionally, clients that store print server information locally
rather than querying Hesiod will become out of date. In order to
make it easier to support old clients across reorganizations of
print servers, a special printcap callout script has been added
to the central Athena print servers. The script redirects misdirected
jobs to the correct server, as long as the destination queue is
defined in Hesiod.
Server Utilities
HP Input Filter (ifhp)
ifhp is a filter utility shipped along with (though not
part of) LPRng.
While the first purpose of ifhp was to drive HP Postscript and
PCL printers, it can now also drive many other common network Postscript/PCL
printers.
Use of ifhp is not required; other filters (such as ghostscript
or MagicFilter) may be used to drive more esoteric non-Postscript
printers; however, all printers officially supported by the Athena
print servers are driven by ifhp.
ifhp handles a number of printer-specific tasks, including job
control headers (such as setting duplex/simplex, input and output
bins, etc.), conversion of text to Postscript or PCL, retrieving
printer page counts, and rejection of unprintable files. ifhp has
its own configuration file, which contains definitions of printer
types, specifying what languages and hardware options each supports.
textps
textps is a simple utility run by ifhp to convert plain
text print jobs to Postscript, for more reasonable formatting on
the printer.
Banner
Athena provides a utility that generates a Postscript print
banner (burst) page prior to a job, based on the job information
(username, jobname, time, etc.).