Menu

printqd manual

Dirk Krause
← Previous ↑ Home ↑ Programs → Next

printqd — Print quota daemon for LPRng

Synopsis

printqd [_options_]

Description

Overview

Printqd is a daemon to allow or deny print jobs on LPRng print systems. It can be used to simply allow/deny printing for users based on user name or group membership. If LPRng can retrieve page counter values from printers printqd can be used to enforce page limits or to calculate the amount of pages printed by a user within a given time period.

Printqd was developed specifically for LPRng, it can not be used with other print systems.

The program was developed with schools and universities in mind to stop stupid printing. These institutions can allow every student a page limit of n pages per semester/trimester on all PC classroom printers in summary without having to configure each user individually. On a semester start all used pages numbers records are removed using one administrative command, so all users are reset to "0 pages printed".
Inidividual accounts can be created (i.e. for those doing bachelor/master thesis in-house or for students assisting in projects or for pre-paid printing additional pages). These individual accounts are not affected by the global reset command.

LPRng checks once whether a print job is allowed to be printed before starting processing. So printqd compares the number of pages used within the general limit against the limit value and allows printing if the limit is not yet reached. If the limit is reached printqd checks whether there is a positive number of pages in the personal print account.
This checking is only done once before a print job is sent to a printer, the entire print job is printed if the check succeeds.
So the LPRng/printqd combination probably allows one last print job of every user to exceed the limit, but no further print jobs are allowed for that user.

Requirements

Printqd and friends can be used with the LPRng print system only as they are specifically designed for that print system.

For print quota:
Printers must allow to read the page counter value and some other information (device state, printer state, printer detected error state) using the SNMP protocol. Most printers with integrated ethernet connectors will do. External ethernet print servers attached to the printers parallel or USB port do not have access to the printers page counter.
The ifhp filter (part of LPRng) can retrieve this information by communicating to the printer, see the ifhp.conf file for suitable printers.

Printers must accept print data only from the LPRng print server.
If any host can send print data to the printer, everyone can easily bypass the LPRng system and the quota system.
Most printers today have a web interface or at least some telnet/ssh interface to configure the printer. Typically you can restrict the hosts allowed to send print data here.

Involved programs

Program name Purpose
LPRng The LPRng print system sends requests to printqd and uses the responses from printqd to decide whether or not to print a job. Depending on the configuration LPRng queries printqd directly or the filters run by LPRng contact printqd.
Before handling any print job, LPRng asks printqd whether or not the user is allowed to print in a given queue. Before and after printing a job LPRng reports the printers page counter values to printqd so printqd can calculate the number of pages used by the job.
[printqdc] Printqdc serves two purposes:
  • Pipe mode (default)
    LPRng uses printqdc to contact printqd. Requests are translated from LPRng accounting data format to printqd accounting data format.
    The program writes no output at all but uses the printqd response to set an exit code telling LPRng how to handle a print job.
  • Interactive mode (option -i)
    This mode is used by an administrator to submit commands to printqd manually (i.e. control requests to reset the number of used pages...)
[wxpqdic] Users can run wxpqdic on desktop PCs to view their current print quota status (limit, number of pages used, personal print account and summary: printing allowed?).
[pjsnmp] A data transfer filter for use with LPRng. The pjsnmp program sends requests to printqd directly in the printqd accounting data format.

Communication

The programs listed above can use three methods to contact printqd:

  • Local UNIX domain socket
    The preferred method for all data transfer. An administrator can set permissions in the file system to restrict access to the socket.
     
  • TCP connection (optional)
    Printqd listens on a specified TCP port for incoming connection requests.
    Should be used and allowed for remote LPRng servers serving print queues only, and for the ``info'' protocol level.
     
  • UDP datagrams (optional)
    UDP datagrams are allowed to contain requests. Printqd sends the response to the address the request came from.
    Should be used for the "info" protocol level only.

When enabling TCP and/or UDP you can configure which hosts are allowed to use the "info", "data" or "admin"' protocol levels.

Protocol

The protocol handled by printqd consists of three levels:

  • info
    Users can check their print quota status, the requests do not result in any modification of the database.
     
  • data
    LPRng asks for a users permission to print on a given queue and reports printers internal page counter values to printqd before and after print jobs. This results in modifications of the database (increasing the number of pages used and/or decreasing personal print accounts).
    The "info" protocol level is included.
     
  • admin
    An administrator can reset the number of pages printed by users, increase personal print accounts or initiate a database cleanup.
    The "info" and "data" protocol levels are included.

Options

Option Purpose
-c path Configuration file name.
-d Run in debug mode: Do not run as background process, write all log messages to stderr.

Exit status

0 on success, all other status codes indicate an error.

Configuration

Before you can run printqd you must find the user and group used to run the LPRng software. Check the /etc/lpd/lpd.conf file for lines

default user= ...
default group= ...

In our example we assume the default settings, user "daemon" and group "daemon".

Make sure the directories

  • ${localstatedir}/lib/printqd
  • ${localstatedir}/run/printqd
  • ${localstatedir}/log/printqd

exist and are owned by user "daemon" and group "daemon". Permissions to these directories must be set to 770 (rwxrwx---) or 775 (rwxrwxr-x).
Owner and group must have full access, other users must not be able to write!
The place of the local state directory ${localstatedir} depends on your installation, typically it is the /var or /usr/local/var directory. You can use the dk4info program to find it, use the directory from the "Configured at built time:" section.

Some systems clean the /var/run directory completely on boot or reboot. On such systems the /var/run/printqd directory must be created and set up before printqd is started. A good place to do so is the script used to start up printqd and LPRng, immediately before starting printqd.

Files

Configuration file printqd.conf

The printqd.conf configuration file is placed in the ${sysconfdir}/printqd directory.

It consists of an [options] section, one or multiple [class] sections and one or multiple [printer] sections.

The [options] section contains general program options.

The [class] sections define printer classes. Printers are grouped in classes. A page limit for a class specifies the number of pages a user can print on the class printers in summary.

The options section is started by the

[options]

line.

A class section is started by a

[class _name_]

line.

A printer section is started by a

[printer _name_]

line.

In the sections we have key=value lines.

Section Key Value type Purpose
[options] run as user user Local use account to run the daemon. The user needs access to the name services, the getpwnam() and getgrname() functions and related functions must have access to the full set of users and groups. Optional, no default (process is running as root).
run as group group Local group name to run the daemon. Optional, no default (process is running with root GID).
database type::path Database type and name. Optional, default: ${localstatedir}/var/printqd/printqd.* with best available type and corresponding file name suffix. For NDBM databases ".dir" and ".pag" suffixes are appended automatically.
Note: Type and path are separated by two colons.
local socket path Path name of UNIX domain socket, must have less than 108 characters. Optional, default: ${localstatedir}/run/printqd/printqd.sock. The parent directory must exist and be owned by the group named above und must be writeable for user and group named above.
local socket owner user Owner user name of local socket. Optional, default: "run as user" account, or root. Recommended: If "run as user" is specified, use the same account here. Otherwise use the account running the LPRng print system.
local socket group group Owner group name of local socket. Optional, default: "run as group", or root. Recommended: If "run as group" is specified, use the same group here. Otherwise use the group running the LPRng print system.
local socket backlog number Backlog for the socket configured above (maximum number of pending connection requests). Optional, default: 5. Recommended: at least 1 + number of print queues.
max local connections number Maximum number of connections allowed via local socket at same time. Optional, default: 0 (no limit). Recommended: unlimited (0) or at least 1 + number of print queues.
udp port number Port number for UDP packets. Optional, default: UDP not used. Make sure to configure a port number not yet used by other services on your system. If you use the "run as user" feature, make sure not to use a privileged port below 1024.
tcp port number Port number for TCP connections. Optional, default: TCP not used. Make sure to configure a port number not yet used by other services on your system. If you use the "run as user" feature, make sure not to use a privileged port below 1024.
tcp port backlog Backlog for the TCP socket (maximum number of pending connection requests). Optional, default: 5. Recommended: Number of LPRng print queues on remote print servers + number of all PCs able to submit print jobs to the servers. If clients fail to connect you should attempt to increase the number.
max tcp connections number Maximum number of TCP connections allowed at same time. Optional, default: no limit. Recommended: No limit or summary of print queues number and client hosts number.
info allow address[/mask] Client addresses or networks allowed to connect to use "info" requests. Optional, default: no hosts allowed. Recommended: All hosts which can send print jobs to the print server. Multiple "info allow" entries can be used. You can use one line containing an asterisk as network to accept info requests from everywhere (only recommended if your network is behind a firwall or a router with ACLs restricting inbound traffic).
data allow address/[mask] Client addresses or networks allowed to connect to use "info" and "data" requests. Optional, default: no hosts allowed. Recommended: Only print servers running print queues. Multiple "data allow" entries can be used. You could use one line containing an asterisk as network to accept data requests from everywhere, but this is not recommended.
admin allow address/[mask] Client addresses or networks allowed to connect to use "info", "data" and "admin" requests. Optional, default: no hosts allowed. Recommended: Only administrator PCs. Multiple "admin allow" entries can be used. You could use one line containing an asterisk as network to accept admin requests from everywhere, but this is not recommended.
log file path Name for log file. Optional, ${localstatedir}/log/printqd/printqd.log is the default.
log features string Comma separated list of feature names to write log entries for, may contain:
  • "db"
    to show database modifications,
  • "info"
    to show info requests and responses,
  • "all"
    same as "db,info",
  • "none"
    to produce minimum log only.

Recommended, default: 0.
[class…] default limit limit 0 to deny printing, a positive number of pages (print impressions) or "unlimited".
user limit name limit Limit for a specified user name. Optional. Multiple user limits can be used for different users.
group limit group limit Limit for a named group. Optional. Multiple group limits can be used for different groups.
[printer…] class string Class name for the printer, it must be one of the classes defined above. Required, no default.
alias string Alias name assigned to the printer. Optional. Recommendation: You should list the same alias names as used in the printcap file.

Database structure

The printqd daemon keeps data in a text database. This can be a Berkeley DB, an NDBM database or an in-memory database.

All entries consists of a key and a value, both key and value are saved as text.

Keys can be of different types:

Key Purpose
p:classname:username The entry is the number of pages the user printed in the printer class from a limit (general limit, group limit, or user limit).
Pages are counted upwards when printing until the user reaches or exceeds the page limit.
a:classname:username Number of pages in the personal user account (number of pages still available). The number is counted downwards when printing.
j:printer Information about a print job currently executed by a printer: page counter before job start, user name and print job name. The items are separated by a colon.
o:test Dummy entry. This entry is created when the printqd program is started to make sure there is a database file which can be modified using chmod and chown before the user account is switched to non-root.

Protocol

Three protocol levels are used: admin, data, and info.

Info protocol level

Request Description
info printer user The client asks the server whether or not the specified user is allowed to print jobs on the specified printer.
The response consists of 4 numbers separated by a space:
  • Page limit. 0 means printing is denied, -1 means printing is unlimited.
  • Pages used from the print limit.
  • Number of pages in personal print account.
  • Summary: 1 means printing is allowed, 0 means printing is denied.

Data protocol level

The data protocol level is used by printqdc when connecting to printqd. This protocol level additionally includes the following requests:

Request Description
acct‑check printer user Check whether a user is allowed to print on the current printer. The response is "ACCEPT", "REMOVE", or "HOLD".
jobstart '-nuser' '-Pprinter' Same as above.
jobend '-nuser' '-Pprinter' Ignored, no response.
acct‑charge printer user pagecount [jobname [jobtitle]] Indicate completion of a print job and the number of pages used by the job. No response.
acct‑start printer user pagecount jobname [jobtitle] Indicate the start of a print job and the printers page counter value before the job. No response.
Note: In the default configuration LPRng does not include the -A information in filestart/fileend lines. Either configure LPRng to add -A or use :af=
filestart '-nuser' '-Pprinter' '-Ajobname' '-ppagecount' Same as above.
acct‑end printer user pagecount jobname [jobtitle] Indicate the end of a print job and the printers page counter value after the job. No response.
fileend '-nuser' '-Pprinter' '-Ajobname'-ppagecount' Same as above.

Admin protocol level

The admin protocol level is used by printqdc when connecting to printqd. This protocol level additionally includes the following requests:

Request Description
control reset class=class user=user Number of pages printed within the limit is reset for the specified user(s) in the specified class(es). An asterisk `*' as user or class name or an omitted user or class specification addresses all users/all classes.
So the most simple call
control reset

resets the page number for all users in all classes.
control add class=class user=user pages=number Number of pages in the personal print account is increased for the specified user in the specified class by the specified number.
control database‑cleanup Database cleanup operation is started. All entries referring to users, classes, or printers which do not longer exist are removed from the database.

For the admin protocol level requests there is no response.

Restrictions

Printqdc is not available on the Windows platform.

This is a simple program: All texts are shown in English, the program is not relocatable.

Notes

This program uses DK libraries version 4.

Diagnostics

Printqd writes messages to a log file, important messages (start and end of daemon, start and end of processing) are also written to system log.

Example — Putting the programs together

Software installation and directories

Some directory names differ depending on the installation method.

Installation prefix sysconfdir localstatedir
Binary package /usr /etc /var
Installation from source /usr/local /usr/local/etc /usr/local/var
Customized installation from source /usr/local /etc /var

For the remainder of the example section we assume you did a customized installation from source for dktools running the following commands:

./configure --sysconfdir=/etc --localstatedir=/var
make
make install

Example situation

For our example we assume the following situation: A university faculty owns the following computers and printers:

Host name IP address Purpose
ps 192.0.2.10 The print server, a Linux/UNIX system running the LPRng software.
mfd 192.0.2.20 Multifunctional device, can be used to print, scan, and copy. Usage is allowed for staff members only (fac_m group), not for students (fac_s group). Printing on this device is cheap, so no page counting for cost controlling is needed. Typically we can not do reliable accounting for multifunctional devices as they allow to interrupt a running network print job to copy interactively.
lpcolor 192.0.2.21 A color printer. Usage is allowed for staff members (fac_m group) only, not for students (fac_s group). Printing is more expensive than on the MFD, so page count per user is wanted for cost controlling.
lp1 192.0.2.22 Printer in a computer class room. Printing is allowed for staff members (fac_m group) unlimited, for students (fac_s group) limited to 200 pages per semester by default. Individual print accounts allowing additional pages can be created for students assisting to projects…
lp2 192.0.2.23 Printer in another computer class room. The limit of 200 pages per semester for students applies to both printers in summary.

The four printers have ethernet ports and support the appsocket protocol (this means they are listening on port 9100/TCP for incoming print data).

Configure host name / IP address relationship

Make sure all the printers have a DNS entry. Alternatively you can write the following section to the /etc/hosts file on ps:

192.0.2.20      mfd
192.0.2.21      lpcolor
192.0.2.22      lp1
192.0.2.23      lp2

Create initial printcap entries

Make sure the lpd.conf file contains a line:

lpd_listen_port=515

In the LPRng printcap file create the following entries:

mfd
        :client
        :force_localhost@
        :lp=mfd@ps
lpcolor
        :client
        :force_localhost@
        :lp=lpcolor@ps
lp1
        :client
        :force_localhost@
        :lp=lp1@ps
lp2
        :client
        :force_localhost@
        :lp=lp2@ps
mfd
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :lp=192.0.2.20%9100
lpcolor
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :lp=192.0.2.21%9100
lp1
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :lp=192.0.2.22%9100
lp2
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :lp=192.0.2.23%9100

Restart LPRng and send a test page to each queue. You should be able to print.

The ":client" entries are not of interest in the remainder of this text, they are left untouched. We will change the ":server" entries in the next sections.

Find SNMP version and SNMP community for each printer

For each of the printers run the following four commands (for the other printers replace lpcolor by the printer host name or IP address):

snmpwalk -c public -v 1  lpcolor
snmpwalk -c public -v 2c lpcolor
snmpwalk -c public -v 2p lpcolor
snmpwalk -c public -v 3  lpcolor

You probably need to replace "public" by the SNMP community name your administrator has configured for the printers.

At least one of the four commands should show a large number of lines, structured as key=value. Keep the information which SNMP version (1, 2c, 2p, or 3) is available on which printer, we need it in the next step. Let's assume we have protocol 2c available on mfd and lpcolor and 1 on lp1 and lp2.

Use pjsnmp as output filter

To use pjsnmp we first need to locate it. If dktools are installed from source, pjsnmp is typically installed into the /usr/local/bin directory.

Change the server printcap entries to:

mfd
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :lp=|/usr/local/bin/pjsnmp
        :pjsnmp-host=mfd
        :pjsnmp-port=9100
        :pjsnmp-ordrel@
        :pjsnmp-version=2c
        :pjsnmp-community=public
lpcolor
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :lp=|/usr/local/bin/pjsnmp
        :pjsnmp-host=lpcolor
        :pjsnmp-port=9100
        :pjsnmp-ordrel@
        :pjsnmp-version=2c
        :pjsnmp-community=public
lp1
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :lp=|/usr/local/bin/pjsnmp
        :pjsnmp-host=lp1
        :pjsnmp-port=9100
        :pjsnmp-ordrel@
        :pjsnmp-version=1
        :pjsnmp-community=public
lp2
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :lp=|/usr/local/bin/pjsnmp
        :pjsnmp-host=lp2
        :pjsnmp-port=9100
        :pjsnmp-ordrel@
        :pjsnmp-version=1
        :pjsnmp-community=public

The :pjsnmp-host values are either host names or IPv4 addresses. You can not use IPv6 addresses as they contain colons and colons are used as option separators in the printcap file.

Restart the LPRng print system.

To test the configuration send a 1 page print job to each of the printers.
Run

lpq -Plpcolor -L

to see information for one of the printers. Repeat the command for the other printers. You should see lines started by "Filter_status:", after successfully completing a print job there should be a summary line showing the number of pages used by the print job.

Restrict access to printers

Set up the printers to ensure they accept incoming print data only from host ps. The details depend on the printers, most networked printers have a HTTP server or at least some telnet/ssh server to configure them.

Prepare print classes and limits

A print class is needed for each set of printers sharing a limit in summary and for each different limit configuration.
In our example we will use three classes:

Class Purpose
cl‑lab A print class for lp1 and lp2 as they share the same quota settings and limits are for the summary on both printers.
cl‑mfd A class for the multifunctional device, as the limits differ from cl-lab.
cl‑color A class for the color printer, as quota settings differ from cl-mfd. Remember: For mfd we don't retrieve page numbers, for lpcolor we will do.

Decide which user account and group to use for printqd

Run the commands

getent passwd
getent group

once as root and once as a normal (non-privileged) user. If the programs produce equal output both times you can run printqd as a non-root user.
Use the same user for printqd as used to run the LPRng lpd daemon.
If only root has access to the user database you must run printqd as root.

Prepare directories for printqd

Create the /var/log/printqd directory and make sure the owner is the user running the printqd daemon.

Create a directory /var/printqd to store the database in this directory. This must not be a subdirectory of /var/run because the database must survive a reboot and some UNIX systems create a new empty /var/run directory on each reboot.

Create the /var/run/printqd directory. This directory is used for the UNIX domain socket other programs use to connect to printqd.
On some systems (i.e. Solaris) the /var/run directory is cleaned automatically on each reboot, so you best add commands like

[ -d /var/run/printqd ] || mkdir -p /var/run/printqd
chown -R daemon:daemon /var/run/printqd
chmod 755 /var/run/printqd

to the system startup file used to start and stop LPRng.

Write the printqd.conf file

An example /etc/printqd/printqd.conf file could look like:

[options]
database                =       bdb::/var/printqd/printqd.db
local socket            =       /var/run/printqd/printqd.sock
local socket backlog    =       5
log file                =       /var/log/printqd/printqd.log
log features            =       -
max local connections   =       7
udp port                =       9100
tcp port                =       9100
tcp port backlog        =       5
max tcp connections     =       50
info allow              =       192.0.2.0/24
# data allow            =       127.0.0.1/32
# admin allow           =       127.0.0.1/32

[class cl-mfd]
default limit           =       0
group limit             =       fac_m           unlimited
user limit              =       root            unlimited
user limit              =       Administrator   unlimited
user limit              =       Administ        unlimited
user limit              =       admin           unlimited

[class cl-color]
default limit           =       0
group limit             =       fac_m           unlimited
user limit              =       root            unlimited
user limit              =       Administrator   unlimited
user limit              =       Administ        unlimited
user limit              =       admin           unlimited

[class cl-lab]
default limit           =       200
group limit             =       fac_m           unlimited
user limit              =       root            unlimited
user limit              =       Administrator   unlimited
user limit              =       Administ        unlimited
user limit              =       admin           unlimited


[printer lp1]
alias                   =       lp
class                   =       cl-lab

[printer lp2]
class                   =       cl-lab

[printer lpcolor]
class                   =       cl-color

[printer mfd]
class                   =       cl-mfd

You see user limits for administrative users here. The "Administ" entry is for the Administrator too. On some Windows versions the user name transmitted for LPR print jobs is cutted after 8 characters.

To run the daemons as non-root user (i.e. user daemon, group daemon) add

run as user     =       daemon
run as group    =       daemon

to the [options] section after completing the following steps successfully.

Start printqd together with LPRng

Modify the startup file for LPRng (i.e. /etc/rc2.d/S80lprng on my Solaris system) to start /usr/local/printqd before the LPRng lpd is started.
When stopping LPRng, the printqd daemon must be stopped too.
Do not yet restart LPRng.

Modify the printcap entries

Change the :server printcap entries to:

mfd
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :af=|/usr/local/bin/printqdc
        :achk
        :lp=|/usr/local/bin/pjsnmp
        :pjsnmp-host=mfd
        :pjsnmp-port=9100
        :pjsnmp-ordrel@
        :pjsnmp-version=2c
        :pjsnmp-community=public
lpcolor
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :af=/dev/null
        :lp=|/usr/local/bin/pjsnmp
        :pjsnmp-host=lpcolor
        :pjsnmp-port=9100
        :pjsnmp-ordrel@
        :pjsnmp-version=2c
        :pjsnmp-community=public
        :pjsnmp-accounting-file=/var/run/printqd/printqd.sock
        :pjsnmp-accounting-check
lp1
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :af=/dev/null
        :lp=|/usr/local/bin/pjsnmp
        :pjsnmp-host=lp1
        :pjsnmp-port=9100
        :pjsnmp-ordrel@
        :pjsnmp-version=1
        :pjsnmp-community=public
        :pjsnmp-accounting-file=/var/run/printqd/printqd.sock
        :pjsnmp-accounting-check
lp2
        :server:oh=ps.my-domain.edu
        :sd=/var/spool/lprng/%P
        :sh
        :mx#0
        :af=/dev/null
        :lp=|/usr/local/bin/pjsnmp
        :pjsnmp-host=lp2
        :pjsnmp-port=9100
        :pjsnmp-ordrel@
        :pjsnmp-version=1
        :pjsnmp-community=public
        :pjsnmp-accounting-file=/var/run/printqd/printqd.sock
        :pjsnmp-accounting-check

There is a difference between mfd and the other printers:

No information about the number of printed pages and thus no information about page counter values on the printer is needed for mfd, the decision whether or not printing is allowed is made simply based on user name and group membership.
So the pjsnmp filter does not need to perform accounting-related operations. Accounting is left up to the LPRng system. For accounting LPRng has to run the program /usr/local/bin/printqdc as a pipe (:af entry), it expects a response from that program (:achk entry).

For the other print queues pjsnmp has to do accounting-related work. First it has to check whether or not the user is allowed to use the printer (:pjsnmp-accounting-check entry). For this check and to report the page counter value before and after the job it opens a connection using the UNIX domain socket /var/run/printqd/printqd.sock (:pjsnmp-accounting-file entry). This must be the same file name as used in the "local socket=" entry in printqd.conf.
The :af entry for these printers is set to /dev/null. Without this entry LPRng creates acct files with jobstart/jobend lines although the documentation says it wouldn't.

Restart LPRng, print a small test print job on each queue.

Configure the queues on the print clients in the PC classrooms

On Windows clients, add a printer on a "Standard TCP/IP connection". The connection type is LPR, the queue name is "lp1" or "lp2" (depending on the room). Enable LPR byte count, disable SNMP status requests.

On clients running CUPS (i.e. Linux and Apple computers) configure the device URI "lpd://ps/lp1" or "lpd://ps/lp2".

On other systems use the systems mechanisms to configure a remote LPR/LPD print queue on print host "ps", queue name "lp1" or "lp2".

From one computer of each category above send a small test print job to the queues "lp1" and "lp2".

Information about users print quota status

Create a desktop icon "Print Quota Information" for all users.
The command to run is:

wxpqdic -h ps -p 9100 -q lp1

On Windows systems the command name is wxpqdic.exe instead of wxpqdic.

On one of the client computers log in as a non-privileged user.
Start the quota information program using the desktop icon.
Print a small test print job, the used page number should change at least 15 seconds after finishing the print job.

You can use the additional option

-i _seconds_

to specify the time interval for automatic information update. The default is 15, the minimum is 5.

Administrative tasks

Start of a new teaching period

At the start of a teaching period we reset the number of pages printed within the limit on printers in class cl-lab back to 0 for all users.

Prepare an input file printqd-start-teaching.in:

control reset class=cl-lab user=*
control database-cleanup

and run:

/usr/local/bin/printqdc -i < printqd-start-teaching.in

Additionally we clean up the database, we remove entries referring to non-existing users or printer classes.

Create/modify a personal print account for a user.

To create or modify a personal print account for a user prepare a file printqd-add-pages.in:

control add class=cl-lab user=james pages=300

and run:

/usr/local/bin/printqdc -i < printqd-add-pages.in

Find number of pages printed on a printer

At the end of a business period we want to find the number of pages users printed on lpcolor. After reporting the number we reset it to have 0 at the beginning of the next business period.

Stop the printqd daemon.

Run:

dk-db2t bdb::/var/printqd/printqd.db > database.txt

Restart the printqd daemon.

Run:

grep '^p:cl-color' < database.txt > lpcolor.out

The file lpcolor.out now contains a list with pages printed on lpcolor per user. Send this information to the cost controlling department, probably you want to replace the user names by real names.

Reset used pages
Create a file printqd-business-period.in:

control reset class=cl-color user=*

and run:

/usr/local/bin/printqdc -i < printqd-business-period.in

Cronjob for cleanup

It is a good idea to run a cronjob each night to remove print jobs held in the queue.

#
#  Remove print jobs in "hold" state from all queues
#
QUEUES="lp1 lp2 lpcolor mfd"
for q in $QUEUES
do
  lprm -P$q all
done

FAQ

What is the purpose of printqd?

Printqd was designed for schools and universities to avoid stupid printing.
Page-exact accounting and toner usage is outside of printqd's scope

What is stupid printing?

In PC classrooms in schools and universities there are multiple printers. The PCs are used by both experienced or at least interested users and unexperienced/ignorant users.
Examples of stupid printing include:

  • If a printer is turned off, one could move to the printer and turn it on. Or click the "Print" button again and again…
  • If a printer has a paper jam one could at least remove his own print jobs before leaving the room. Or let them all in the queue, so they get printed when another user solves the problem and inserts his paper.
  • If the printer chooser dialogue comes up one could leave the printer choice at the default (the printer in the current room).
    Or play with the settings, choose the printer in another room and print the document again and again because "the printer does not print".

Which software is required to run printqd?

Printqd was developed for use with the LPRng print system. So if you use another print system, printqd will not be of any use to you.

Are there other requirements?

If you want to set page limits instead of simple deny/allow decisions your LPRng print system must be able to fetch page counter values from the printers. If LPRng fails to retrieve page counter values, it can not report the page counter values to printqd.
General rule: The printer must have a built-in ethernet connection. When using external ethernet print servers LPRng can't retrieve page count values.
Use the commands shown in the Find SNMP version and community for each printer section above to check SNMP support on your printers.

Which user account should I use to run printqd?

Ideally you use the same user and group which is used to run your print system. Run

ps -afe | grep lpd

to see which user account is running the lpd daemon (normally it's "lpr", "lpd" or "daemon"). For "run as group" use the primary group of that user. In the ${sysconfdir}/lpd/lpd.conf file check the

default user= ...
default group= ...

lines.

How can I check whether I can use the "run as user" feature?

Run

getent passwd
getent group

once as root, once as unprivileged user. If program output is the same both times, you can use the feature.

How can I protect printqd against attacks?

Printqd directly on LPRng server
Run printqd directly on the print server running the LPRng print system. Allow data and admin protocol levels only via local socket (do not use "data allow" or "admin allow" in printqd.conf).
In this setup there is no need to use the TCP port, use only UDP for info requests.

Permissions on parent directory of UNIX domain socket
The directory containing the local socket - typically ${localstatedir}/run/printqd - should be owned by user and group running the LPRng print system. Permissions should be 770 (rwxrwx---).

Run as user feature
Use the "run as user" feature if possible.
Unfortunately this feature is not available in some situations (when using a name service refusing to deliver results to getpwnam() and getgrnam() calls from unprivileged users).

Restrict communication
Allow communication using the info protocol level only from hosts needing it (those hosts which are able to send print jobs to the print server).

Packet filter or firewall
Configure a packet filter or firewall software to allow traffic to printqd's TCP and UDP port only from these hosts.

No login for users
Regular users should not be able to log into the print server, only administrators in charge for the print server.

On failed startup, where can I find information?

Printqd writes a ${localstatedir}/log/printqd/printqd.log log file. If printqd failes to write to the log file, it logs to the system log.
As root, run:

grep printqd /var/log/syslog
grep printqd /var/log/messages

How do I prepare directories for printqd?

Let's assume you installed printqd from a binary installation package and you want to use the "daemon" user account and the "daemon" group to run printqd.

Run the following commands at least once. I recommend to use the commands below in the start script used to start printqd before attempting to start printqd. Especially on systems cleaning /var/run on boot you should create the /var/run/printqd directory before starting printqd and set correct ownership and permissions.

# Directory for PID file
[ -d /var/run/printqd ] || mkdir -p /var/run/printqd
chown -R daemon:daemon /var/run/printqd
chmod 770 /var/run/printqd
# Directory for log file
[ -d /var/log/printqd ] || mkdir -p /var/log/printqd
chown -R daemon:daemon /var/log/printqd
chmod 770 /var/log/printqd
[ ! -f /var/log/printqd/printqd.log ] || chmod 660 /var/log/printqd/printqd.log
# Directory for database
[ -d /var/printqd ] || mkdir -p /var/printqd
chown -R daemon:daemon /var/printqd
chmod 770 /var/printqd
chmod 660 /var/printqd/*

How can I edit the database manually?

Stop the printqd daemon.

Run:

dk-db2t bdb::/var/printqd/printqd.db > db.txt

Replace "bdb::/var/printqd/printqd.db" by the database you have configured in your printqd.conf file.

Edit the db.txt file.

Run:

dk-t2db db.txt bdb::/var/printqd/printqd.db

Restart the printqd daemon.

Why shouldn't I use makedbm to modify the database in the task above?

The makedbm program uses just the string length (without finalizing 0x00 byte) when storing and retrieving text.
In contrast the dk4dbi module used by printqd includes the finalizing 0x00 byte when saving strings to the database.

← Previous ↑ Home ↑ Programs → Next

Related

Wiki: pjsnmp
Wiki: printqd
Wiki: printqdc
Wiki: wxpqdic

Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.