Re: Does Netatalk allow printer accounting ...


Subject: Re: Does Netatalk allow printer accounting ...
From: Miles Nordin (carton@Ivy.NET)
Date: Mon Jun 23 1997 - 19:59:51 EDT


my email tends to piss people off, so please send hatemail to me directly
at carton@Ivy.NET. thanks.

> netatalk 1.4b2 (or any early version) can neither do print job accounting
> nor file copy protection.

Perhaps what you need to do is stop expecting netatalk to solve all your
problems for you. Printer accounting and license managing are common
legitimate goals that have been solved and re-solved many times at many
Mac-centric Universities, with varying degrees of success. A diverse
network requires diverse solutions.

While I don't know much about these things myself, I can give you some
places to start that will probably lead to your eventually solving your
problem. If, however, your goal is to hammer craig and make him do more
work, work specific to the needs of your institution, don't bother reading
the rest of this message because none of my ideas are Netatalk-specific.

"well, CAP can ......" fine, go use CAP.

I believe the fascist sysadmins at Penn State have devised a way to
accomplish both of these goals. Their license-accounting thing is done
with a control panel whose name I forget--it looks like a "key" though.
It is a fairly common program that I've seen at many universities. If you
can't find it I can probably track down the name for you in a few
days--please post a followup if you discover where someone can buy this
program. Anyway this is how it works: You specify a keyserver, which I
think is another Mac. Before deploying your applications on the net
share, you mangle them using a resedit-ish mechanism to merge a bit of
startup code into each app binary. This startup code does license
management. If you copy the binary to a local disk, it still contains the
startup code and thus still is license-protected. To defeat the mechanism
you would have to use resedit to remove their code, which may well be
trivial to the experienced KeyServer hacker but not to the average user.
I believe Haverford College and several other universities also use this
program in their labs. I believe it is a commercial program.

It is, however, a well-written commercial program, unlike stopgap hacks
like MacPrefect that cause more trouble to legitimate users than they're
worth. MacPrefect in my experience tends to encourage sysadmins to enact
fascist restrictive policies that encumber the most benign unforeseen uses
and problem diagnosis, and any power user who isn't too stupid to live can
disable it within fifteen minutes, even if he's never seen it before. The
key-server license manager works very smoothly, and is a very targeted
solution that does not interfere with things besides license management.
It is also harder to disable than MacPrefect, if you happen to be one of
these hatchet-wielding evil power-freak sysadmins who cares about having
your work trampled and reverse-engineered.

Penn State has written custom in-house code to do printer accounting.
Their scheme is a shameless hack, using server code that runs on Windows
NT, and all jobs are eventually funneled through a Mac SE before going to
the printer. Ugly, _but_ it works, reliably. I don't know if you would
want to use it, because of the icky WinNT dependency and the unpolished
nature of the product--you would probably have to do some of your own
coding to get it working, and in my experience most sysadmins are too
stupid or too lazy to write their own code (myself included). Also I do
not know if they would release it, because the people at Penn State are
assholes who do not believe in the concept that universities should be
collaborative institutions striving to attain more knowledge and resources
for the whole world--rather they view themselves as an independent
nationalistic entity that has to protect their own "security" above all
else, and prevent outsiders from draining their precious state-funded
resources, which are meant to be applied to the churning out of identical
alcoholic imbecilic graduates ready to enter the work force and submit to
piss tests and do exactly what they're told, rather than to the attainment
of greater general knowledge and accomplishment for the betterment of
society.

Also, Penn State is the sort of place that would try to preserve the
security of their system by hiding source code and protocol information,
relying on the limitations of their attackers' intelligence rather than
the inherent security of their system. Naturally this sort of strategy
does not work at places like MIT, CMU, Berkeley, u.s.w., but at a
decidedly mediocre institution like Penn State it makes sense.

The Penn State system works by using an init that forces users to login
with a Kerberos userid and password at system startup. Kerberos is used
for authentication only, and the TGT is not retained throughout the
session. When you shut down the Mac, the NT machine is somehow informed
of this logout. Note that the TGT is _not_ retained throughout the
session, and is _not_ used for any subsequent authentication. The mac
merely checks in with the NT server at login and logout, and the NT server
keeps track of who is where. This defeats the beauty of Kerberos, but it
permits the system to function without any mods or patches to MacOS (or
the freeware mac utilities that I am about to discuss).

Print jobs are spooled using a drag-and-drop lpr client for the Mac, and
sent to a UNIX machine. This means the user has to print-to-file, grab
the Postscript file, and drag it onto the "print me" icon. This sounds
difficult, but believe it or not the drooling drunken idiots at Penn State
have no problem with this procedure. netatalk could intervene at this
stage to make things simpler. In their system, the drag-and-drop lpr
client does no accounting or authentication--it merely pushes the files
onto the UNIX server--so netatalk wouldn't need to do PAP authentication
either. papd would, however, have to establish a clear and foolproof
notion of which Mac was making the request, and since PAP does not run
over IP, it would be hard to match papd's idea of identity with the idea
held by the Kerberos-based login tracker.

Once the jobs are on the UNIX machine, the UNIX machine queries the NT
machine to see who is logged in at that particular Mac, and uses
that username to do the accounting. The job is accepted or denied based
on the status of the user's account, and the user gets an account-balance
summary on the banner page.

The nice thing about the Penn State system is that they can use it for
both their PCs and their Macs. The non-reusable pieces are only the
custom Kerberos app and the freeware lpr client.

Write to:
  John Kalbach <jbk@psu.edu>

tell him Miles Nordin sent you, and that you're trying to get ahold of the
guy who wrote the printing accounting software for the public
microcomputer labs. John Kalbach did not write it himself, but he will
know who did. He is very busy, and unlike most of Penn State he is (at
least superficially, as far as I know him) a competent and free-thinking
individual, so please be polite and generally more respectful than I am.

or, browse the web pages starting at http://cac.psu.edu/. You may be able
to find a link to the author's page that way.

Better yet, write to the guys at Stanford University. I believe they have
a far superior accounting mechanism, and they are not assholes like the
people at Penn State so you are more likely to get a helpful response from
them. Unfortunately I know less about their system because I never
attended there--just have a friend who does.

--
Miles Nordin                          home  1-888-857-2723
555 Bryant Street #182                 or  +1 510 608-1813
Palo Alto, CA 94301                   http://www.ivy.net/~carton
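The accounting flow the message describes (login tracker records who is at which Mac, the print server looks the host up, checks the user's balance, and accepts or denies the job) can be modelled in a few dozen lines. The following is an added example, not code from the post, from Netatalk or from Penn State; the class names, the hostnames, the sample PostScript job and the page costs are all constructed for illustration. It reads the page count from the DSC `%%Pages:` comment and falls back to counting `showpage` operators, which is the kind of check a real lpr filter would do before debiting an account.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample job: a minimal PostScript file with a DSC page-count header.
SAMPLE_JOB = b"""%!PS-Adobe-3.0
%%Title: lab-report.ps
%%Pages: 3
%%EndComments
showpage
showpage
showpage
%%EOF
"""


def count_pages(ps: bytes) -> int:
    """Page count from the DSC '%%Pages:' header; fall back to counting 'showpage'."""
    m = re.search(rb"^%%Pages:\s*(\d+)", ps, re.M)
    if m:
        return int(m.group(1))
    return len(re.findall(rb"^showpage\b", ps, re.M))


class LoginTracker:
    """Stands in for the NT box: it only hears about login and logout events,
    so its host -> user table is the sole source of identity for a job."""

    def __init__(self):
        self._sessions = {}  # hostname -> username

    def login(self, host: str, user: str) -> None:
        self._sessions[host] = user

    def logout(self, host: str) -> None:
        self._sessions.pop(host, None)

    def whois(self, host: str) -> Optional[str]:
        return self._sessions.get(host)


@dataclass
class Decision:
    accepted: bool
    user: Optional[str]
    pages: int
    balance_after: Optional[int]
    banner: str  # text that would go on the banner page


class PrintAccounting:
    """Stands in for the UNIX spool host: asks the tracker who sent the job,
    then accepts or denies it against that user's page credit."""

    def __init__(self, tracker: LoginTracker, balances: dict, cost_per_page: int = 1):
        self.tracker = tracker
        self.balances = dict(balances)  # username -> remaining credit
        self.cost_per_page = cost_per_page
        self.ledger = []  # (host, user, pages, accepted) audit trail

    def submit(self, host: str, job: bytes) -> Decision:
        pages = count_pages(job)
        user = self.tracker.whois(host)
        if user is None:
            # No session for that Mac: nobody to bill, so the job is refused.
            d = Decision(False, None, pages, None, f"DENIED: no one logged in at {host}")
        else:
            balance = self.balances.get(user, 0)
            cost = pages * self.cost_per_page
            if cost > balance:
                d = Decision(False, user, pages, balance,
                             f"DENIED: {user} needs {cost} credits, has {balance}")
            else:
                self.balances[user] = balance - cost
                d = Decision(True, user, pages, balance - cost,
                             f"{user}: {pages} pages printed, {balance - cost} credits left")
        self.ledger.append((host, user, pages, d.accepted))
        return d


if __name__ == "__main__":
    tracker = LoginTracker()
    acct = PrintAccounting(tracker, {"alice": 7}, cost_per_page=2)
    print(acct.submit("mac-12", SAMPLE_JOB).banner)   # nobody logged in yet
    tracker.login("mac-12", "alice")
    print(acct.submit("mac-12", SAMPLE_JOB).banner)   # 3 pages, 6 credits, accepted
    print(acct.submit("mac-12", SAMPLE_JOB).banner)   # only 1 credit left, denied
    tracker.logout("mac-12")
    print(acct.submit("mac-12", SAMPLE_JOB).banner)   # session gone, denied
```

The model makes the trust boundary the post points at visible: the spool host never authenticates the job itself, it only trusts the tracker's host-to-user table, which is why the post says a papd-based front end would need a foolproof notion of which Mac submitted the job before it could be dropped into this design.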



This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:25:09 EST