Posted on 01-10-2020 01:46 AM
Having an issue with a user on site who is using a Mac with a local account but wants to be able to print to our network printers. I have added the printer on his machine, and the first time typed his domain credentials in and saved them in the keychain. I then tested that all jobs were being sent correctly. However, after a few hours they are getting the Hold for Authentication error, and when clicking on this to be prompted for their password again they get nothing. I have checked in the keychain and all details are correct. The only thing I can think of is that the local account's username is different to their domain username. Could it be trying to use this username instead after a period of time?
Any help would be greatly appreciated.
Posted on 01-10-2020 02:11 AM
Can you connect to the queues via SMB?
Open “System Preferences/Printers and Scanners”
Add printer by clicking the + sign
Alt click on printer menubar, select “Customise Menubar” and drag “Advanced” to menu bar.
Click “Advanced”
Type: Windows printer via spoolss
Device: Another Device
URL: smb://(queue Name)
Name: "Printer Name"
Location:
Use: select software
Click “Add”
In Terminal:
sudo lpadmin -p "printername from above" -o auth-info-required=username,password
Posted on 01-10-2020 02:19 AM
I have added the printer through the Advanced tab and connected to the queue through smb://, however I am still getting the issue. This was done manually on the machine. However, the script we use through JAMF ends with "auth-info-required=negotiate", but this would not be going out to this particular machine as it's not in the correct department.
Posted on 01-10-2020 04:11 AM
Hmm... maybe reset the print system first (System Prefs/Printers, alt click and reset print system)?
I've only used: sudo lpadmin -p "printername from above" -o auth-info-required=username,password successfully.
So is the printer added successfully and prints but then starts asking? You said it happens after a couple of hours?
Posted on 01-10-2020 05:01 AM
Try the following:
Remove any entries for the printer or print server in the keychain, then try again since it worked the first time. If not, then delete the keychain entries, remove the printer, and modify and run the following. If you're using Jamf Connect/NoMAD/Enterprise Connect - sign into that first for best results.
/usr/sbin/lpadmin -p "Exact Print Queue Name" -o printer-is-shared="False" -E -v smb://"FQDN.Print.Server/Printer" -P /Library/Printers/PPDs/Contents/Resources/"PrinterDriver" -D "Printer Display Name" -o auth-info-required=negotiate
Pay mind to anything in quotes since those require specificity.
Posted on 01-10-2020 07:16 AM
Hi Both,
I have tried both commands above, which add the printer successfully like it has done originally. This printed as expected for a couple of hours, then I get the "Hold For Authentication" in the Print Queue again and this will not ask for the credentials again. This all works for users who actually use their network accounts with no issues; it just seems to occur when users are using a local account on the Mac.
Posted on 01-10-2020 08:09 AM
Did the user click remember login details for keychain? Could it be that the local account details differ from the AD and therefore it fails when it tries to print again (since you said local account and not mobile)?
Posted on 01-10-2020 08:21 AM
The user has clicked to remember credentials and I have checked that these are stored in the keychain. The local account's username does differ from their AD username. I believe this is where the issue may be.
Posted on 01-10-2020 08:47 AM
Have a look at this one: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_local_user_to_AD_domain
Posted on 01-10-2020 08:51 AM
I'd say take a look at your Ticket Viewer app and see if you have a Kerberos ticket and when it is expiring. This may be why it's only lasting a few hours.
Posted on 01-10-2020 10:47 AM
Posted on 01-31-2020 08:26 AM
In the end just changed the name of the local account to match the user's LDAP account. Now it just goes straight through, but will definitely be pushing the use of network accounts more for teacher devices. Luckily this is the only teacher that does use a local account.
Many thanks for all assistance.
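To check the two things this thread narrows the problem down to (each queue's auth-info-required mode, and whether the local account name matches the Kerberos identity), a sketch like the following can be used. It is an added example, not code from any poster in the thread; the function names, the sample printers.conf and klist text, and the queue, host and user names are all constructed.

```shell
#!/bin/sh
# Added example; every sample value below is constructed.

# printers.conf text on stdin -> "queue<TAB>uri-scheme<TAB>auth-info-required"
queue_auth() {
    awk '
        /^<(Default)?Printer /   { name = $2; sub(/>$/, "", name); uri = ""; auth = "none" }
        $1 == "DeviceURI"        { uri = $2; sub(/:.*/, "", uri) }
        $1 == "AuthInfoRequired" { auth = $2 }
        /^<\/(Default)?Printer>/ { printf "%s\t%s\t%s\n", name, uri, auth }
    '
}

# klist text on stdin, local short name as $1 -> match | mismatch:<user> | no-ticket
principal_check() {
    principal=$(awk '/^ *(Default )?[Pp]rincipal: / { print $NF; exit }')
    if [ -z "$principal" ]; then
        echo "no-ticket"
    elif [ "${principal%%@*}" = "$1" ]; then
        echo "match"
    else
        echo "mismatch:${principal%%@*}"
    fi
}

# Constructed sample of /etc/cups/printers.conf content
SAMPLE_CONF='<Printer Staff_Colour>
Info Staff Colour
DeviceURI smb://printserver.example.org/Staff_Colour
AuthInfoRequired negotiate
</Printer>
<Printer Library_Mono>
DeviceURI smb://printserver.example.org/Library_Mono
AuthInfoRequired username,password
</Printer>'

# Constructed sample of klist output
SAMPLE_KLIST='Credentials cache: API:CONSTRUCTED
        Principal: jsmith@EXAMPLE.ORG'

# negotiate = Kerberos (needs a live ticket); username,password = prompted or stored credentials
printf '%s\n' "$SAMPLE_CONF" | queue_auth
printf '%s\n' "$SAMPLE_KLIST" | principal_check teacher1
```

On a real Mac the inputs would come from `sudo cat /etc/cups/printers.conf | queue_auth` and `klist | principal_check "$(id -un)"`; an empty klist result reports `no-ticket`.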