Lion Kerberos printing

Kumarasinghe
Valued Contributor

I'm trying to get Kerberos printing working from OS X Lion (10.7.3). I followed the steps described in this Apple article and it works fine as long as I manually do it on the client machine.
http://support.apple.com/kb/HT4879

For each printer you wish to share using Kerberos:

    Click the printer name in the list.
    Choose "Set Default Options" from the "Administration" pop-up menu.
    Click "Policies".
    Choose "kerberos" from the "Operation Policy:" pop-up menu.
    Click "Set Default Options".

But:

These settings will not be captured when importing the printers to Casper Admin.

Just wondering if anyone has successfully got Kerberos working automatically for their SMB print queues, either via a script or policy?

1 ACCEPTED SOLUTION

jhbush
Valued Contributor II

This is what I use thanks to Beau Hunter.

#!/bin/bash

############################
##
## Script which polls for configured SMB printers.
## For each smb printer found, we will change the authentication
## type to "negotiate" to facilitate SSO/Kerb authentication.
##
## Written by Beau Hunter
##
########################################################

declare -x BUILD=2011022409
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"

## our vars
declare -x MYNAME="configureCUPSKerb.sh"

## logger(1) options: copy to stderr as well as syslog, tagged with our name
declare -x LOGGERTAGS="-s -t ${MYNAME}"

## Executable vars
declare -x awk="/usr/bin/awk"
declare -x grep="/usr/bin/grep"
declare -x logger="/usr/bin/logger"
declare -x lpadmin="/usr/sbin/lpadmin"
declare -x lpstat="/usr/bin/lpstat"
declare -x mkdir="/bin/mkdir"
declare -x perl="/usr/bin/perl"

## Setup our logging
"$mkdir" /var/log/deployment &> /dev/null
exec >> /var/log/deployment/configureCUPSKerb.log
exec 2>&1

"$logger" $LOGGERTAGS "Started on $(/bin/date).  Build: $BUILD"


## Get a list of our SMB printers
## lpstat -v prints one "device for NAME: URI" line per queue; keep only the
## queues whose device URI is smb:// (matching the bare word "smb" would also
## catch a queue that merely has "smb" in its name, and the perl substitution
## would then pass the whole unmodified line to lpadmin)

declare -x SMBPRINTERS="$("$lpstat" -v | "$grep" ': smb://' | "$perl" -p -e 's/device for (.*): smb.*/$1/g')"

## Split the list on newlines only, and restore IFS when we are done
OLDIFS="$IFS"
IFS=$'\n'
for SMBPRINTER in $SMBPRINTERS; do
    echo "Configuring printer: $SMBPRINTER for use with Kerberos authentication!"
    "$lpadmin" -p "$SMBPRINTER" -o auth-info-required=negotiate
done
IFS="$OLDIFS"

Script goes in /usr/local/bin

Launch Agent settings:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.318.cupswatcher</string>
    <key>WatchPaths</key>
    <array>
        <string>/etc/cups/ppd/</string>
    </array>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/configureCUPSKerb.sh</string>
    </array>
</dict>
</plist>

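
As an added example (not the script posted above and not Beau Hunter's code), here is an idempotent take on the same idea, split into functions that can be exercised on captured lpstat output without a CUPS server. It assumes that 'lpstat -v' prints one "device for NAME: URI" line per queue and that 'lpoptions -p NAME' lists auth-info-required=<value> among the queue's attributes (observed CUPS behaviour, not something this thread states); the command names are overridable so a dry run can substitute stubs, and the sample lpstat text is constructed for the demo. Queues that already have negotiate set are skipped, so re-running after a printer has been (re)installed does not re-issue lpadmin for every queue, and one failing lpadmin call does not stop the others.

```shell
#!/bin/sh
# Added example: idempotent "auth-info-required=negotiate" for every SMB queue.
# Assumptions: 'lpstat -v' line format "device for NAME: URI"; 'lpoptions -p'
# prints key=value attributes including auth-info-required. CUPS queue names
# cannot contain spaces, so word-splitting on them is safe.

: "${LPADMIN:=lpadmin}"      # overridable, e.g. with a stub for a dry run
: "${LPOPTIONS:=lpoptions}"

# Constructed sample of 'lpstat -v' output used by the --demo mode.
SAMPLE_LPSTAT='device for Office_HP: smb://printsrv.example.test/Office_HP
device for smbfoo: ipp://localhost/printers/smbfoo
device for Lab_Xerox: smb://printsrv.example.test/Lab_Xerox
device for Local_PDF: cups-pdf:/'

# Names of queues whose device URI uses the smb:// scheme (stdin: lpstat -v).
# Matching the scheme instead of the substring "smb" avoids touching a queue
# that merely has "smb" in its name but points at a non-SMB URI.
smb_queue_names() {
    sed -n 's/^device for \([^:]*\): smb:\/\/.*$/\1/p'
}

# True (0) if an 'lpoptions -p' attribute string already says negotiate.
has_negotiate() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'auth-info-required=negotiate'
}

# Walk the queues in $1 (lpstat -v text); set negotiate only where it is not
# already set. Prints the names it changed, one per line, and returns 1 if any
# lpadmin call failed instead of aborting at the first failure.
configure_smb_queues() {
    rc=0
    for q in $(printf '%s\n' "$1" | smb_queue_names); do
        if has_negotiate "$("$LPOPTIONS" -p "$q" 2>/dev/null)"; then
            continue    # already configured; nothing to do
        fi
        if "$LPADMIN" -p "$q" -o auth-info-required=negotiate; then
            printf '%s\n' "$q"
        else
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use:
#   ./configureSMBKerb.sh --demo    show which sample queues would be touched
#   ./configureSMBKerb.sh --apply   configure the live queues (needs lpadmin rights)
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_LPSTAT" | smb_queue_names ;;
    --apply) configure_smb_queues "$(lpstat -v)" ;;
esac
```

Because lpadmin is only called for queues that still lack negotiate, the script can be wired to a WatchPaths trigger on /etc/cups/ppd/ (as in the plist above) or to RunAtLoad and run as often as needed without churning the CUPS configuration.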

12 REPLIES

rhysforrester
New Contributor

For printers you've already installed on the system, run the following command:

lpadmin -p PRINTERNAME -o auth-info-required=negotiate

To set up a printer you would use:

lpadmin -p PRINTERNAME -E -v smb://PRINTSERVER/PRINTQUEUE -m Generic.ppd -L "LOCATION" -o auth-info-required=negotiate

Tested and working in our environment.

Kumarasinghe
Valued Contributor

Thanks Jason.

Kumarasinghe
Valued Contributor

I've found a minor bug with this script posted by Jason.
If a user mistakenly installs the same printer that is already on the computer, this script gives errors.

I had to make it delay for 10 seconds to get the lpadmin issues fixed.

All good after I put 'sleep 10' at the beginning of the script.

lpnicholas
New Contributor

Can someone help me? I'm trying to learn this Kerberos printing thing from the beginning. I have gotten it to work using ksmbprintd, but I can't figure out how to capture all the settings to CUPS that I had to do on one machine, to be able to capture those settings in Casper Admin to send it out to my machines. I'd be grateful for the help. Please email me if you can, lpnicholas@moravian.edu. Thanks so much in advance!

jwojda
Valued Contributor II

I'm not super familiar with launch agents. I copied Jason's script and put it in the /usr/local/bin folder (file name: configureCUPSKerb.sh) and created/copied the LaunchAgent with the file name com.318.cupswatcher.plist and put it in /Library/LaunchAgents via a DMG file that copies the files to their respective locations, but it doesn't seem like it runs.

I pushed the printer definitions down to it, but when I check /var/log, the deployment folder looks like it never got created.

mm2270
Legendary Contributor III

@jwojda - Is the LaunchAgent loaded? Just copying a LaunchAgent to a system doesn't activate it. A reboot will, or doing it manually at the time it's copied down. Otherwise it won't be running at all.

launchctl list | grep com.318.cupswatcher

See what the command above shows. If you get returned to the shell prompt with nothing, then it's not loaded. If so, do this:

launchctl load /Library/LaunchAgents/com.318.cupswatcher.plist

Kumarasinghe
Valued Contributor

I have put it in /Library/LaunchDaemons instead of LaunchAgents.

Also try changing the file permissions/modes like this:

$ sudo chown -R root:wheel /Library/LaunchDaemons/com.318.cupswatcher.plist
$ sudo chmod 644 /Library/LaunchDaemons/com.318.cupswatcher.plist

$ sudo chown -R root:wheel /usr/local/bin/configureCUPSKerb.sh
$ sudo chmod a+x /usr/local/bin/configureCUPSKerb.sh
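
As an added example (not from any post in this thread), here is a small shell audit for the two points above, written so it can be checked on files the caller owns. launchd refuses to load a LaunchDaemon or /Library LaunchAgent whose plist is not owned by root or is writable by group or others, which is the usual reason a copied plist silently never runs; and because a LaunchDaemon runs its script as root, a script that is group- or world-writable lets anyone with write access run code as root. The owner and group default to root:wheel and can be overridden; the paths in the --audit mode are the ones used in this thread, and 'find -maxdepth 0' is assumed to be available (it is on both macOS and GNU find).

```shell
#!/bin/sh
# Added example: audit ownership/modes of a launchd plist and the script it
# launches. Assumptions: find(1) supports -maxdepth 0 (macOS and GNU do);
# owner/group default to root:wheel but can be passed in for testing.

# Shared predicate: $1 path, $2 owner, $3 group, then extra find(1) tests.
# -perm -020 / -perm -002 test the group-write / other-write bits; we want
# neither of them set.
owned_and_tight() {
    f=$1; owner=$2; group=$3; shift 3
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -maxdepth 0 -user "$owner" -group "$group" \
               ! -perm -020 ! -perm -002 "$@" 2>/dev/null)" ]
}

# A plist in /Library/LaunchDaemons or /Library/LaunchAgents: owned by
# root:wheel, writable only by the owner (0644 is the usual mode).
launchd_plist_ok() {
    owned_and_tight "$1" "${2:-root}" "${3:-wheel}"
}

# The script the plist calls: root:wheel, executable by its owner (-perm -100),
# and writable only by the owner. A looser mode on a root-run script is a
# local privilege-escalation path, not just a launchd load failure.
launchd_script_ok() {
    owned_and_tight "$1" "${2:-root}" "${3:-wheel}" -perm -100
}

# Report on a plist/script pair: one line per problem, returns 1 if any.
#   $1 plist, $2 script, optional $3 owner, $4 group
audit_launchd_pair() {
    rc=0
    launchd_plist_ok "$1" "$3" "$4" || { echo "plist: expected root:wheel and no group/other write: $1"; rc=1; }
    launchd_script_ok "$2" "$3" "$4" || { echo "script: expected root:wheel, owner-executable, no group/other write: $2"; rc=1; }
    return $rc
}

# Stand-alone use on the paths from this thread:
#   sudo ./audit_cupswatcher.sh --audit
case "${1:-}" in
    --audit) audit_launchd_pair /Library/LaunchDaemons/com.318.cupswatcher.plist \
                                /usr/local/bin/configureCUPSKerb.sh ;;
esac
```

Running the audit right after the chown/chmod commands above, and again from the policy that installs the files, catches the case where a DMG or package deploys the plist with the building user's ownership or a 0664 mode, which is what a never-created /var/log/deployment folder usually points to.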

McNeil
New Contributor

I see so many references to people using lpadmin with the JSS to add/remove printers. We attempted to deploy Papercut last spring at our school and have been halted for over half a year while trying to devise a plan to add/remove queues with the JSS that uses Kerberos authentication. The easiest way seems to be using lpadmin to add the queues with the Operation Policy Authenticated (-o printer-op-policy=Authenticated) and tell the CUPS server to authenticate to our Windows print queues with Kerberos using "cupsctl DefaultAuthType=Negotiate". I can make it work when entering the commands through Terminal as root on each machine individually, but for the life of me, I can't get the commands to run without needing to pass the root password with the JSS. It's not consistent, but I almost always get "Unauthorized" when running cupsctl or lpadmin through the JSS. Can anyone please explain how you're running lpadmin commands through the JSS?

michaelhusar
Contributor II

@mhmcneilly JSS runs things (e.g. files and processes - execute command) as root. You want the user to get the printers. One way is to use LaunchAgents, since they run in the user context. (Standard users have to be in the _lpadmin group; if it's no security concern for you, you could do: dseditgroup -o edit -a everyone -t group _lpadmin.) So you make a LaunchAgent like the com.318.cupswatcher one "calling" the script you want to be executed - here configureCUPSKerb.sh.
There are different "triggers" for when the agent runs - above, WatchPaths. If you want the payload to be run once at user login you can use RunAtLoad:

<key>RunAtLoad</key>
<true/>
<key>ProgramArguments</key>
<array>
    <string>/Users/Shared/.configureCUPSKerb.sh</string>
</array>

Of course you can put more payload in the configureCUPSKerb.sh - e.g. if you like the "whole connect command", like
lpadmin -p yourprinter -v smb://printserver/yourprinter -D printerdescription -E -P /Library/Printers/PPDs/Contents/Resources/CNADVC5250X1.PPD.gz -o auth-info-required=negotiate

You can think of making packages with different "payload scripts" and have them distributed by Casper, so that everybody gets the printers he needs. The agent is always the same - always calling the same script name, but the contents of the script vary depending on what printers you want to distribute. (Obviously you would use smart groups for that.)
Hope that helps.

andrew
New Contributor

jhbush1973 is my hero.

Big thanks for posting this script.

ruschg
New Contributor II

@jhbush1973 and others, does anyone have input as to how the above scripts which jhbush1973 posted get moved to the /usr/local/bin and /Library/LaunchAgents folders? Creating the scripts is the easy part. Just curious to know the specifics. I assume everyone who's had success has run this as a policy.

...we are one of those companies running our printers on windows servers. Thanks!