Text Size: ππππ

CECM Home > About Us > CECM's Printers

Awards Computing Facilities Printers Contact Info Employment Photo Galleries Logo Visitor Information

CECM lab Printers

CECM members have access to the following printers.

On Servers (CentOS Linux 7) and Workstations (Fedora 27):

laserwriter

The old HP LaserJet 2420 next to the photocopier.

two-sided, black & white

laserwriter-single

The same as laserwriter except it's single-sided.

single-sided, black & white

lw

Just an alias for laserwriter.

two-sided, black & white

lw-single

Just an alias for laserwriter-single.

single-sided, black & white

SFU_Print

SFU_Print Queue for 2-sided greyscale printing.
Kerberos authentication required. Job can be released on the Ricoh photocopier.

two-sided, black & white

SFU_Print-single

SFU_Print Queue for 1-sided greyscale printing.
Kerberos authentication required. Job can be released on the Ricoh photocopier.

single-sided, black & white

SFU_Print-colour

SFU_Print Queue for 2-sided colour printing.
Kerberos authentication required. Job can be released on the Ricoh photocopier.

two-sided, colour

SFU_Print-colour-single

SFU_Print Queue for 1-sided colour printing.
Kerberos authentication required. Job can be released on the Ricoh photocopier.

single-sided, colour


How to use the SFU_Print Queues on CECM Linux Computers

The TL;DR

The TL;DR is that you need to kinit before printing.

The FAQ

Q #1: Why do I need to authenticate before printing to the SFU_Print Queues?

This is so the university can track printing and ensure that the service isn't being abused. The CECM uses its own authentication system for its Linux computers, which is independent of the main Campus authentication system. In order for the central bean-counters to know who you are, you need to identify yourself to the Campus authentication system.

Q #2: How do I authenticate before printing to the SFU_Print Queues?

To authenticate, you need to open a Terminal and type kinit in order to acquire a Kerberos ticket. You'll be asked for a password. Use your Campus password here. (The same password you use to read your SFU e-mail.)

Q #3: What is Kerberos?

In Greek mythology, Kerberos is the 3-headed dog that guards the gates of hell.

Kerberos the 3-headed dog guarding the gates of hell

Kerberos is also a widely-used secure cryptographic system.

Q #4: What is a Kerberos Ticket?

A Kerberos Ticket is a chunk of encrypted data. When you kinit, you acquire a Kerberos Ticket-Granting Ticket (TGT) which allows you to acquire other Kerberos Tickets for services such as printing. Your Kerberos Tickets are stored within the Linux kernel keyring. This is kept in RAM and is not written out to disk.

Q #5: How do I acquire a Kerberos Ticket for printing?

After you have a Kerberos TGT (via kinit), just print. If things are working correctly, you'll automatically acquire a Kerberos Ticket for printing.

Q #6: How do I view my Kerberos Tickets?

Just open a Terminal and type klist. You'll see something like this:

  Ticket cache: KEYRING:persistent:5256:5256
  Default principal: hebron@AD.SFU.CA
  
  Valid starting       Expires              Service principal
  2018-10-24 17:34:45  2018-10-25 03:34:45  krbtgt/AD.SFU.CA@AD.SFU.CA
          renew until 2018-10-31 17:34:45

"krbtgt..." is the Kerberos Ticket-Granting Ticket (TGT).

After you successfully print to one of the SFU_Print Queues, then klist will show something like this:

  Ticket cache: KEYRING:persistent:5256:5256
  Default principal: hebron@AD.SFU.CA
  
  Valid starting       Expires              Service principal
  2018-10-24 17:35:41  2018-10-25 03:34:45  cifs/cs-pcut-staff-p.mps.sfu.ca@AD.SFU.CA
          renew until 2018-10-31 17:34:45
  2018-10-24 17:34:45  2018-10-25 03:34:45  krbtgt/AD.SFU.CA@AD.SFU.CA
          renew until 2018-10-31 17:34:45

"cifs..." is the Kerberos Ticket for the printing service.

Q #7: How long does a Kerberos Ticket last?

As illustrated above, SFU Campus Kerberos Tickets have a 10 hour lifetime before they expire, and a maximum renewal period of 1 week.

If you want to renew your Kerberos Ticket before it expires, just type kinit -R. (You could do this from a cron job, for example.) No password required. However, after 1 week, you'll no longer be able to do this and you'll have to kinit and type your password.

Q #8: What happens if I try to print without a valid Kerberos Ticket?

Your print job will be held on the Linux computer awaiting authentication. If you type lpstat -o you'll see your print job(s) just sitting there, not going anywhere, like this:

  SFU_Print-79            hebron          140288   Wed 24 Oct 2018 10:25:24 PM PDT

If you don't do anything, they'll sit there forever. They'll even persist between reboots. It's best that you get rid of them using the cancel command. In the above example, type cancel SFU_Print-79.

An unfortunate side-effect of trying to print without a valid Kerberos Ticket, is that the CUPS printing system on Linux automatically switches the authentication method from Kerberos to "username,password". And then Kerberos printing won't work anymore! Not just for you, but for all users on that particular Linux computer! In order to compensate for this eventuality, all the CECM Linux computers have cron jobs that run every 15 minutes, and restore Kerberos authentication.

So, if you screw-up and try to print without a valid Kerberos Ticket, and break the system, don't worry, everything will be alright after 15 minutes.

But you still need to cancel your stuck jobs!

Q #9: What if Kerberos is broken and I can't wait 15 minutes?

If Kerberos is broken (because somebody tried to print without a valid Kerberos ticket), you'll see your stuck print job as in FAQ #8. You can still do manual authentication via the GUI as follows:

If you're on a Fedora Linux workstation, bring up the "System:Administration:Print Settings" window.

System:Administration:Print Settings menu

And then, in the "Print Settings" window, go to the "Printer" menu and select "View Print Queue".

View Print Queue in the Printer menu

You'll see your stuck job there. Just right-click on it and choose "Authenticate" from the pop-up menu.

Authenticate from pop-up menu

You'll need to use your Campus username and password.

If you're on a CentOS Linux 7 computer, open a Terminal and type system-config-printer &. This will bring up a "Print Settings" window similar to that of Fedora Linux, as illustrated above. Follow the same procedure to authenticate your job.

Q #10: What is PaperCut?

Every Linux GUI in the CECM is set to automatically start the PaperCut Client upon login. It looks like this:

PaperCut Client

Before Kerberos printing was set up on the CECM Linux computers, PaperCut was needed in order to authenticate your printing. This is no longer necessary. In fact, if you have a valid Kerberos Ticket, you can even ssh remotely into a CECM Linux computer and print on the command-line without needing to have the PaperCut client running!

However, the PaperCut client still comes in handy. Even with Kerberos printing, it still lets you know that your job was successful with a notification window that looks like this:

PaperCut Client Notification

Q #11: How do I release my print job?

You need to do this at the printer. Just tap your key fob or access card on the sensor located on the Ricoh photocopier. This will authenticate you to the photocopier. Then you can release or cancel your print job using the LCD screen.

Q #12: Why doesn't printing from acroread work?

If you try to print a pdf file to one of the SFU_Print queues using acroread, it will fail. The job will be stuck in the local queue on your computer. If you View Print Queue as in FAQ #9, you'll see that the problem isn't that the job status is "Held for authentication" but, rather, it will be Stopped. This is due to "filter errors". The bottom line is that acroread is not compatible with the SFU_Print drivers.

The problem is that Adobe stopped supporting acroread on Linux many years ago. One hasn't been able to download it for a long time. The installer that I use to put acroread on Fedora Linux and CentOS Linux is a very old one that I snagged way back before Adobe dropped support. It's surprising that it even runs at all.

I recommend that you use evince or atril instead. evince is the GNOME document viewer and atril is the MATE document viewer. Or if you prefer the KDE desktop environment, then you can use okular. They are all open-source and supported by most Linux distributions.

Advanced FAQ

Q #13: How do I auto-renew my Kerberos Ticket?

You could set up a cron job to auto-renew your kerberos ticket with kinit -R. For example, you could use the following crontab entry:

  30 * * * * /usr/bin/kinit -R

This will renew your Kerberos TGT at 30 minutes past every hour of every day. Note, however, that this will work for at most 1 week, until the renewal period expires, and then you'll have to manually kinit and type your password.

Q #14: What if I want to auto-renew my Kerberos Ticket indefinitely?

You can achieve this via a crontab entry and your own private keytab file.

Suppose you want to keep your keytab within your home directory in /cecm/home/username/myprivatestuff/username.keytab. You can create it as follows

  mkdir myprivatestuff
  chmod 0700 myprivatestuff
  cd myprivatestuff
  ktutil
    addent -password -p username@AD.SFU.CA -k 1 -e RC4-HMAC
    (enter your password here when asked)
    wkt username.keytab
    q

You can call the directory whatever you want; just make sure it's private -- that's what the "chmod 0700" is for. If somebody gains access to your keytab file then they could potentially use it to gain access your stuff!

You can then set up a crontab entry similar to the one above, but instead of using kinit -R, you use the following:

  30 * * * * /usr/bin/kinit username@AD.SFU.CA -k -t /cecm/home/username/myprivatestuff/username.keytab

This will get a new Kerberos Ticket for user "username" at 30 minutes past every hour of every day, without having to type a password, by using the credentials stored in username's private keytab file.

This will work virtually forever (unless one changes one's Campus password, in which case the steps of creating a private keytab need to be redone.)


John Hebron
Research Computing Group
IT Services, SFU
Last modified: Tue Oct 30 13:15:00 PDT 2018