Solved

SMB Printing to Windows Print Server failing to connect to server suddenly

Forum|Forum|3 years ago
February 2, 2022
57 replies
793 views

VintageMacGuy
Valued Contributor

Just this week, we are noticing that many Macs, but not all of them, are not able to print via our Windows print server. Nothing has changed on our Mac side.
We are printing via PaperCut, so using SMB on a printer installed via JAMF and no changes to the setup.
Macs not joined to the domain and not using the AD Username as the machine or profile name in many cases, but likely in many others.
I can add PaperCut LPD to the print server and print via LPD - but no authentication, so the job gets stuck with no way to get it to print from Papercut, unless the users profile on the Mac is named the same as their AD username.

The issue looks very similar to this one:
https://community.jamf.com/t5/jamf-pro/mac-printing-issue-after-microsoft-windows-print-server-update/m-p/246842
However, we don't have the server updates referenced in the thread or PaperCut advisory.

Affected systems are running Monterey, Big Sur, and Catalina.
One Mac that was able to print, stopped printing immediately after upgrading from 12.1 to 12.2.
One Mac on 11.6.0 was printing yesterday, but stopped printing today. JAMF shows "ProfileList" updated just before it stopped working.
This is happening on both our Prod and Dev instances of JAMF.

Workarounds

I am able to set any Mac up to print straight to the printer using LPD protocol and the printer IP address with the correct driver.

If the user profile on the Mac is named after the AD profile, then I can use LPD to print to Papercut on the print server (after loading the PaperCut LPD service). Address: (IP or FQDN of print server), Queue: (PaperCut Printer Name).

My coworkers think it is JAMF "JAMF-ing up the Macs". But I can't see anything on the JAMF side that has done anything to the Macs, and no changes to printing have happened lately.

Best answer by nstrauss

This is directly related to RPC changes in 12.2, 11.6.3, and Catalina security update 2022-001 (build 19H1713) in response to PrintNightmare. Nothing to do with Jamf or MDM in general. 😀 All of these have the patch Apple describes as...

"Resolves an issue that prevented authenticating to a Windows print server with increased RPC authentication level."

https://support.apple.com/en-us/HT212586

I'm curious to hear if you found it was resolved by switching to FQDN as the print queue URI. What were you using previously? smb://printserver/queuename? The only solution (which I hate) I've found is to turn off encryption with a URI parameter. For example, use smb://printserver.mydomain.com/queuename?encryption=no. Obviously not secure and not a long term solution. There's some anecdotal evidence the problem is with aliased URIs, but I don't have enough first hand knowledge to know if that's true. What version of Windows server are you running? Fully patched?

Apple is fully aware of the issue and collecting impact data from customers. If you have a support contract with them I'd ask you open a case. Feel free my reference my own open case 101616149128. The more customer impact data the better.

Show first post

Forum|pagination.label 2 / 3

VintageMacGuy
Author
Valued Contributor
Forum|Forum|3 years ago
February 16, 2022

are you also using the "?encryption=no" appended to the end of device uri?

Yes - we are using ?encryption=no and this seems to have resolved most of the issues, but we have a subnet that is still not working properly and creating a pause.

MrRoboto
Valued Contributor
Forum|Forum|3 years ago
March 4, 2022

We print to Windows 2016 print queues over SMB, they already have "RpcAuthnLevelPrivacyEnabled" set to 0 from last year's print nightmare. Clients updated to macOS 12.2 can't print, Paused - "rpc_binding_set_auth_info" error. Adding “?encryption=no” to URI resolves the issue, alternatively upgrading to macOS 12.3 beta 5 works.

+11

davidhiggs
Valued Contributor
Forum|Forum|3 years ago
March 10, 2022

For those seeing issues with slow print jobs before or after macOS changes for smb printing, recommend turning off SMB Multichannel on Windows Server: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn610980(v=ws.11)#disable-smb-multichannel

This is a better solution for macOS clients, especially if that server is only hosting smb print queues and it's not being used for smb file shares.

echeveste
New Contributor
Forum|Forum|3 years ago
March 14, 2022

We also started seeing this problem in the past few days. It appears that upgrading to Monterey 12.3 has fixed the issue for us.

abnaau
Contributor
Forum|Forum|3 years ago
March 15, 2022

We're seemingly still seing the issue with 12.3. Error message changed from "rpc_binding_set_auth_info" to "Unable to connect to printer" though.

Any troubleshooting hints appreciated :)

chrisB
Valued Contributor
Forum|Forum|3 years ago
March 15, 2022

Tested macOS 10.15.7 (Catalina) with Security Update 2022-003, macOS 11.6.5 (Big Sur) and macOS 12.3 (Monterey) - all macOS Updates from yesterday resolved this printing issue (you don't need to add "?encryption=no" anymore).

matje84
New Contributor
Forum|Forum|3 years ago
March 15, 2022

It's not resolved on our side, we still need to add the "?encryption=no". I see your machines are not AD bound. How do you authenticate? Username and password or kerberos? If kerberos, how do you get the ticket? Thanks.

chrisB
Valued Contributor
Forum|Forum|3 years ago
March 15, 2022

Our Macs are not AD bound, and we're authenticating with username/password (NTLMv2).

abnaau
Contributor
Forum|Forum|3 years ago
March 15, 2022

We have a strange issue now.
Kerberos needs ?encryption=no
Kerberos without gives "Unable to connect to printer"
UPN + password doesn't work. (username@domain.example.com)
REALM\\username works (example: DOMAIN\\username - This stopped working in january for unknown reasons)
REALM.fqdn\\username doesn't work (DOMAIN.EXAMPLE.COM\\username - But worked until 12.3)

Nothing makes sense. ...

matje84
New Contributor
Forum|Forum|3 years ago
March 15, 2022

The weird thing is it starts working with Kerberos if you enable the Apple SSO plugin. No need to sign in, just have it enabled. With your feedback I tried to edit our NoMad configuration but without luck.

MrRoboto
Valued Contributor
Forum|Forum|3 years ago
March 16, 2022

We're seemingly still seing the issue with 12.3. Error message changed from "rpc_binding_set_auth_info" to "Unable to connect to printer" though.

Any troubleshooting hints appreciated :)

"Unable to connect to printer" means printer offline or defunct printer queue in my environment. Also appears if the security permissions on the printer queue do not allow the user to print.

abnaau
Contributor
Forum|Forum|3 years ago
March 25, 2022

Do you have to deploy with correct domain settings or is a blank configuration profile enough? Any more info on this?
I have a funny feeling that most with this issue don't have Jamf Connect installed in our environment and maybe that's why we only have a few cases.

matje84
New Contributor
Forum|Forum|3 years ago
March 28, 2022

Yes, with the correct domain settings. For what I can see those are required when deploying a profile with the Single Sign-On payload.

abnaau
Contributor
Forum|Forum|3 years ago
April 7, 2022

The 12.3.1 update once again changed things.. This time the sporadic nature of the bug turned to: Everyone has the problem.
Kerberos auth doesn't work - basically everything needs ?encryption=no
Kerberos without gives "Unable to connect to printer"
UPN + password doesn't work. (username@domain.example.com)
REALM\\username works (example: DOMAIN\\username - This stopped working in january for unknown reasons)
REALM.fqdn\\username doesn't work (DOMAIN.EXAMPLE.COM\\username - But worked until 12.3)

Nothing makes sense. ... still... And again... Good news is I can troubleshoot on an arbitrary machine.

chrisB
Valued Contributor
Forum|Forum|3 years ago
April 7, 2022

I’m pretty sure the macOS Update 12.2.1 (Monterey) deleted my /etc/nsmb.conf file … :-(

*** Update: Sorry, checked on a 2nd Mac and the file is still there. ***

Once again: (presumably) after macOS updates the /etc/nsmb.conf file has been deleted - now seen on several (but not all) Macs here.

chrisB
Valued Contributor
Forum|Forum|3 years ago
April 7, 2022

Once again: (presumably) after macOS updates the /etc/nsmb.conf file has been deleted - now seen on several (but not all) Macs here.

I'll try to workaround the removal by expanding my script (as follows):

#!/bin/zsh


# Variable Setting (File Path)

nsmb_conf=/private/etc/nsmb.conf


# Removing (possible) Immutable Flags

sudo chflags nouchg,noschg $nsmb_conf


# Removing /etc/nsmb.conf File (for Debug Purposes)

# sudo rm -f $nsmb_conf


# Disable SMB Multichannel Support

if [[ -f $nsmb_conf ]]; then
echo "mc_on=no" | sudo tee -a $nsmb_conf
echo "nsmb.conf already existed & SMB Multichannel Support successfully disabled."
else
echo "[default]\\nmc_on=no" | sudo tee -a $nsmb_conf
echo "nsmb.conf (newly) created & SMB Multichannel Support successfully disabled."
fi


# Apply Read-Only Permissions (even for root)

sudo chmod 555 $nsmb_conf


# Apply System Immutable Flag

sudo chflags schg $nsmb_conf


exit 0

I tried first to use the users' home folders [~/Library/Preferences/nsmb.conf] to avoid the file removal (presumably after macOS updates) as it was possible earlier, but this didn't work - at least in macOS 12.3.1 (Monterey).

So I made the nsmb.conf file read-only and set the system immutable flag.

(The system immutable flag has to be removed first in order to remove or edit the file itself.)

For now, I'll wait and see what happens after the next (Monterey) update ... :-)

abnaau
Contributor
Forum|Forum|3 years ago
April 8, 2022

Problem "solved".

Add ?encryption=no

Set: AuthInfoRequired negotiate (for Kerberos)
Disable SMB multichannel
Don't use UPN for login (!?)

VintageMacGuy
Author
Valued Contributor
Forum|Forum|3 years ago
April 12, 2022

I am seeing the same as chrisB - Once I get the machines (M1 or Intel) updated to 11.6.5 or 12.3.1 (presumably 12.3.0 also), I can create a new printer with the format:
smb://server.domain.com/PrinterName

And it starts printing again without causing a pause.

Qwheel
Valued Contributor
Forum|Forum|3 years ago
April 20, 2022

After digging into the logs a bit more and seeing that SMB was not able to see the server, I want back and took another look at my notes and it looks like we did not use the fully qualified domain name to set these up originally. I did a quick test on two Macs that were not working and manually set them up with SMB://printserver.domain.com/PapaerCutPrinter and they seem to work now.

Tested my own machine and that's done the trick for me too ;)

bartzach
New Contributor
Forum|Forum|3 years ago
May 4, 2022

Problem "solved".

Add ?encryption=no

Set: AuthInfoRequired negotiate (for Kerberos)
Disable SMB multichannel
Don't use UPN for login (!?)

Hi Abnaau,

Is it still working for you?

I tried just now on my test Mac and I am still getting "Unable to connect to printer".

I don't have access to server with printers so I tried to disable SMB multichannel locally by doing this:

If you want to fully disable SMB Multichannel support in macOS, add the following line to the /etc/nsmb.conf file:

mc_on=no

Source: https://support.apple.com/en-ie/HT212277

Cheers,

Bart

bartzach
New Contributor
Forum|Forum|3 years ago
May 4, 2022

Hi Abnaau,

Is it still working for you?

I tried just now on my test Mac and I am still getting "Unable to connect to printer".

I don't have access to server with printers so I tried to disable SMB multichannel locally by doing this:

If you want to fully disable SMB Multichannel support in macOS, add the following line to the /etc/nsmb.conf file:

mc_on=no

Source: https://support.apple.com/en-ie/HT212277

Cheers,

Bart

Ignore? I found out my customer has different spool that has the same printers installed. They did some maintenance on it last week and the other spool works without encryption=no and just with ad username and password. Happy days!

Qwheel
Valued Contributor
Forum|Forum|3 years ago
May 4, 2022

We're currently going down the encryption=no route.
Due to the naming conventions of user accounts, we can't move to lpd:// so are stuck until Apple fix what they broke.
Our print supplier advised that the password remains obfuscated. It's just the username that isn't.
They suggested that printing had functioned this way for 20 years but platforms have decided to implement higher order encryption - hence why this hasn't been a problem in the past. (Do share if your supplier has told you otherwise :D)

I wrote some janky logic to go into our add printer script. Feel free to use it.

Downsides are - more logic will be required to re-enable encryption when Apple do fix what they broke. Continuing like this means the logic will have to stay until these OS's aren't in use anymore.
You can also write some extension attributes to determine printer status (at the point of device Recon). Just to get an idea of how many devices are affected, or to echo out whether a device is currently affected.

I suspect all our lab devices will be affected by this in a couple of months. This is a big problem.

#!/bin/bash

#Check if Printer is already installed.
echo "Checking list of printers on the device..."
printername=$(lpstat -a | grep PrinterName | awk '{print $1}')
printername=`echo $printername | sed 's/ *$//g'`
ref="NameOfPrinter"

if [[ $printername == $ref ]]
then
	echo "Printer is already installed."
	echo "Skipping installation."
else
	echo "Printer doesn't exist on device."
	echo "installing Printer"

    #Gets the current MacOS version and splits it into variables.
    swVers=$(sw_vers -productVersion)
    swVersMajor=$(sw_vers -productVersion | awk -F '.' '{print $1}')
    swVersMinor=$(sw_vers -productVersion | awk -F '.' '{print $2}')
    swVersPatch=$(sw_vers -productVersion | awk -F '.' '{print $3}')
    swVersBuild1=$(sw_vers -buildVersion | cut -c1-3)
    swVersBuild2=$(sw_vers -buildVersion | cut -c4-8)

    #Fills the third item with a 0 if it's empty
    if [[ "$swVersPatch" == "" ]]; then
    swVersPatch="0"
    fi

    #Removes encryption for devices with MacOS 12.2 or later
    if [[ "$swVersMajor" == "12" ]] && [[ "$swVersMinor" -ge "2" ]] && [[ "$swVersPatch" -ge "0" ]]; then
    echo "$swVersMajor.$swVersMinor.$swVersPatch is greater than or equal to 12.2.0, removing encryption from Printer"
    sudo lpadmin -p PrinterName -E -v smb://PrintServer/PrinterName?encryption=no -m /Library/Printers/PPDs/Contents/Resources/driver.gz -o Option1=True -o "Duplex/2-Sided Printing=DuplexNoTumble" -o printer-is-shared=false -o PageSize=A4 -o auth-info-required=negotiate

    #Removes Encryption for devices with MacOS 11.6.3 or later
    elif [[ "$swVersMajor" == "11" ]] && [[ "$swVersMinor" -ge "6" ]] && [[ "$swVersPatch" -ge "3" ]]; then
    echo "$swVersMajor.$swVersMinor.$swVersPatch is greater than or equal to 11.6.3, removing encryption from Printer"
    sudo lpadmin -p PrinterName -E -v smb://PrintServer/PrinterName?encryption=no -m /Library/Printers/PPDs/Contents/Resources/driver.gz -o Option1=True -o "Duplex/2-Sided Printing=DuplexNoTumble" -o printer-is-shared=false -o PageSize=A4 -o auth-info-required=negotiate

	#Removes Encryption for devices with MacOS 10.15.7 with Security update 2022-001
    elif [[ "$swVersBuild1" == "19H" ]] && [[ "$swVersBuild2" -ge "1713" ]]; then
    echo "$swVersBuild1 $swVersBuild2 is greater than or equal to 19H1713, removing encryption from Printer"
    sudo lpadmin -p PrinterName -E -v smb://PrintServer/PrinterName?encryption=no -m /Library/Printers/PPDs/Contents/Resources/driver.gz -o Option1=True -o "Duplex/2-Sided Printing=DuplexNoTumble" -o printer-is-shared=false -o PageSize=A4 -o auth-info-required=negotiate

    #Enables encryption for everything else
    else
    echo "$swVersMajor.$swVersMinor.$swVersPatch. Leaving encryption enabled."
    sudo lpadmin -p PrinterName -E -v smb://PrintServer/PrinterName -m /Library/Printers/PPDs/Contents/Resources/driver.gz -o Option1=True -o "Duplex/2-Sided Printing=DuplexNoTumble" -o printer-is-shared=false -o PageSize=A4 -o auth-info-required=negotiate

    fi 
fi

exit sausage

homepup
Contributor
Forum|Forum|3 years ago
May 4, 2022

#!/bin/bash

#Check if Printer is already installed.
echo "Checking list of printers on the device..."
printername=$(lpstat -a | grep PrinterName | awk '{print $1}')
printername=`echo $printername | sed 's/ *$//g'`
ref="NameOfPrinter"

if [[ $printername == $ref ]]
then
	echo "Printer is already installed."
	echo "Skipping installation."
else
	echo "Printer doesn't exist on device."
	echo "installing Printer"

    #Gets the current MacOS version and splits it into variables.
    swVers=$(sw_vers -productVersion)
    swVersMajor=$(sw_vers -productVersion | awk -F '.' '{print $1}')
    swVersMinor=$(sw_vers -productVersion | awk -F '.' '{print $2}')
    swVersPatch=$(sw_vers -productVersion | awk -F '.' '{print $3}')
    swVersBuild1=$(sw_vers -buildVersion | cut -c1-3)
    swVersBuild2=$(sw_vers -buildVersion | cut -c4-8)

    #Fills the third item with a 0 if it's empty
    if [[ "$swVersPatch" == "" ]]; then
    swVersPatch="0"
    fi

    #Removes encryption for devices with MacOS 12.2 or later
    if [[ "$swVersMajor" == "12" ]] && [[ "$swVersMinor" -ge "2" ]] && [[ "$swVersPatch" -ge "0" ]]; then
    echo "$swVersMajor.$swVersMinor.$swVersPatch is greater than or equal to 12.2.0, removing encryption from Printer"
    sudo lpadmin -p PrinterName -E -v smb://PrintServer/PrinterName?encryption=no -m /Library/Printers/PPDs/Contents/Resources/driver.gz -o Option1=True -o "Duplex/2-Sided Printing=DuplexNoTumble" -o printer-is-shared=false -o PageSize=A4 -o auth-info-required=negotiate

    #Removes Encryption for devices with MacOS 11.6.3 or later
    elif [[ "$swVersMajor" == "11" ]] && [[ "$swVersMinor" -ge "6" ]] && [[ "$swVersPatch" -ge "3" ]]; then
    echo "$swVersMajor.$swVersMinor.$swVersPatch is greater than or equal to 11.6.3, removing encryption from Printer"
    sudo lpadmin -p PrinterName -E -v smb://PrintServer/PrinterName?encryption=no -m /Library/Printers/PPDs/Contents/Resources/driver.gz -o Option1=True -o "Duplex/2-Sided Printing=DuplexNoTumble" -o printer-is-shared=false -o PageSize=A4 -o auth-info-required=negotiate

	#Removes Encryption for devices with MacOS 10.15.7 with Security update 2022-001
    elif [[ "$swVersBuild1" == "19H" ]] && [[ "$swVersBuild2" -ge "1713" ]]; then
    echo "$swVersBuild1 $swVersBuild2 is greater than or equal to 19H1713, removing encryption from Printer"
    sudo lpadmin -p PrinterName -E -v smb://PrintServer/PrinterName?encryption=no -m /Library/Printers/PPDs/Contents/Resources/driver.gz -o Option1=True -o "Duplex/2-Sided Printing=DuplexNoTumble" -o printer-is-shared=false -o PageSize=A4 -o auth-info-required=negotiate

    #Enables encryption for everything else
    else
    echo "$swVersMajor.$swVersMinor.$swVersPatch. Leaving encryption enabled."
    sudo lpadmin -p PrinterName -E -v smb://PrintServer/PrinterName -m /Library/Printers/PPDs/Contents/Resources/driver.gz -o Option1=True -o "Duplex/2-Sided Printing=DuplexNoTumble" -o printer-is-shared=false -o PageSize=A4 -o auth-info-required=negotiate

    fi 
fi

exit sausage

Are your systems not running the latest updates? The macOS 12.3 and later updates for Big Sur and security update for Catalina resolved the issues we were having using SMB/Windows Print servers (Papercut).

Qwheel
Valued Contributor
Forum|Forum|3 years ago
May 4, 2022

I saw on an Apple Support thread that it was 'fixed', but went and tried it myself on a fully updated device and it was still getting stuck at 'Ready to print'.

Someone chalked it down to devices relying solely on kerberos tickets for authentication. We use NoMAD and local accounts so suspect we're in the same boat.

Bob-UNCC
New Contributor
Forum|Forum|3 years ago
May 18, 2022

I've tried every combination offered up here with no luck. The Print Server is on 2019, the desktops are all on Monterey. Our Macs are not in AD, just using Kerberos for authentication. It fails by asking for authentication. It should not require authentication to the Print Server. That doesn't matter anyhow since entering the information still doesn't allow a print. It will sit there in the local queue with "ready to print" and paused. I've had to move people over to direct printing just so they can kill trees.

Open to more suggestions.

Bob

UNCC

Forum|pagination.label 2 / 3

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded