Posted on 12-24-2014 11:37 AM
I posted this elsewhere here on JAMFNation, but I thought I'd give it its own thread.
After working in two separate engagements where Macs are in an Active Directory environment with mixed results for printer connectivity, I've come up with this solution. It's by no means perfect, but it's a step in some direction...
I have a slight twist on dealing with networked printers in an Active Directory environment where Macs are not bound (or bound in some unique cases).
One might be inclined to just use whatever printers appear in the Bonjour search results but as we all know, Bonjour is a form of multicast, therefore it won't span subnets and you'll only see printers that are on the same subnet that the system is connected to. Furthermore, some of those Bonjour printers might be some user sharing out their printer connection. This no good because when the user closes up shop for the day, they take their printer connection with them and everyone who inadvertently connected to it is now without a printer connection.
For further reading: According to RFC2365 ( http://tools.ietf.org/html/rfc2365 ) and IANA’s multicast assignments ( http://www.iana.org/assignments/multicast-addresses/multicast-addresses.txt ), 224.0.0.0/24 is reserved for link-local multicast. This means that a multicast packet address to anything in the range of 224.0.0.0 – 224.0.0.255 should never cross between IP subnets.
This approach might work for an environment with a flat network, but when you start working with multiple subnets, then things get complicated.
So you might feel inclined to go the route of attaching your unbound Macs directly to the printer's IP address using the LPD protocol.
Again, in some situations, this works fine. But then, some Network Admin decides to change the IP schema and then you're up a creek with an invalid IP address! Ah the wonders of DNS! But I digress (only slightly)...
Now let's throw another curve ball... let's say you have VPN... and your admins don't want to set up the required routes from the Macs in question to the printers, not to mention we're back to the multi-subnet thing. No Bonjour, DNS resolution might be janky, certain protocols and ports might be blocked... blah blah blah...
So what's a poor tech to do???
Well, we could push for policy change within IT... Perhaps we push to bind Macs to AD (GACK! What a horrid thought). That would allow us to see all AD resources being broadcast. But isn't there another way?
Why yes! There is! I thought you'd never ask!
Server Message Block, or SMB for short!
Keep your AD binding tied to your Windows platforms. I'll take my unbound Macs and use SMB, thank you very much!
[code]
#!/bin/sh
echo "######################################################################"
echo "# DELETING OLD PRINTER CONFIGURATIONS"
echo "######################################################################"
lpstat -p | awk '{print $2}' | while read printer
do
echo "Deleting:" $printer
lpadmin -x $printer
done
echo
echo "######################################################################"
echo "# RESETTING CUPS PRINTING SERVICES"
echo "######################################################################"
sudo launchctl stop org.cups.cupsd
sudo rm /etc/cups/cupsd.conf
sudo cp /etc/cups/cupsd.conf.default /etc/cups/cupsd.conf
sudo rm /etc/cups/printers.conf
sudo launchctl start org.cups.cupsd
echo
echo "######################################################################"
echo "# ACQUIRE USER'S ACTIVE DIRECTORY CREDENTIALS"
echo "######################################################################"
read -p "User's Active Directory Username: " ADUserName
# HP LaserJet 4250
# IP Address: xx.xx.xx.xx
echo "HP LaserJet 4250 - 1st Floor"
lpadmin -p "HP-1st-Floor" -L "1st Floor, San Francisco, CA, USA" -E -v smb://"server.com/HP-1st-Floor" -U $ADUserName -P "/Library/Printers/PPDs/Contents/Resources/HP LaserJet 4250.gz" -o printer-is-shared=false
# SHARP MX-3110N
# IP Address: xx.xx.xx.xx
echo "SHARP MX-3110N - 1st Floor"
lpadmin -p "SHARP-1st-Floor" -L "1st Floor, San Francisco, CA, USA" -E -v smb://"server.com/SHARP-1st-Floor" -U $ADUserName -P "/Library/Printers/PPDs/Contents/Resources/SHARP MX-3110N.PPD.gz" -o printer-is-shared=false -o Option5=2TrayDrawer
echo
echo "######################################################################"
echo "# STARTING CUPS WEB INTERFACE"
echo "######################################################################"
echo
sudo cupsctl WebInterface=yes
open http://localhost:631/printers/
exit
[/code]
This will reset the print queue and configure the printers.
WARNING: You'll get errors if the appropriate drivers aren't installed.
When a user goes to print, they will be prompted for their AD credentials. They can save said credentials to the Keychain for future use (this will need to be addressed if the AD password is changed).
This method allows the unbound Mac to print to any printer that the Windows print server is broadcasting, regardless of subnets. VPN may still take some negotiating depending on how much of a Net Nazi the admins are. YMMV!
Best regards!
P.S. If you have an MFP or other printer type that has all kinds of additional options (i.e. finisher, lower paper trays, collators, etc.), you might be hard pressed to determine how to configure the -o flag for your scripts. So here's an AWESOME helper script that I found that does the heavy lifting for you...
Caine Hörr
A reboot a day keeps the admin away!
Posted on 12-26-2014 02:13 AM
Thanks for the script!
In case anyone is using AD as well, you can kerberizing the print queues with:
lpadmin -p printername -o auth-info-required=negotiate
If you're planning a new printer setup I would nearly always go for a pull printing system now. Most of the big printer vendors offer them, I've used Equitrak at quite a few sites and it really takes the pain out of it.