Posted on 11-07-2018 01:51 AM
Firstly, please forgive me for any lack of detail in this post as Macs are not my bread and butter (I'm a Windows Admin through and through).
We've recently upgraded all of our macs to the latest OS and done a complete reinstall of JAMF using a third party provider (effectively starting everything fresh).
The way they've set some things up feels a little backwards to me but as I hinted at above I am no expert with Macs. One of the weird little bugs we're experiencing is a printer is somehow ending up in a paused state and you need admin credentials to unpause. However, entering the admin credentials does unpause the printer but within a few seconds it goes back into a paused state.
The only workaround I've found for now is to log in as an admin and fully reset the printing system and run the script again (I'm actually typing in the script via terminal at this point).
Looking at the JAMF console it appears there was a policy that installed the drivers (and the papercut client) and then ran a script (below but obfuscated);
#!/bin/bash
Name="Follow-Me"
DeviceURI="smb://domain-name/Follow-Me-Mac"
PPD="/Library/Printers/PPDs/Contents/Resources/SHARP MX-4112N.PPD.gz"
#Location=""
#lpadmin -p "$Name" -E -v "$DeviceURI" -P "$PPD" -L "$Location" -o auth-info-required=negotiate
lpadmin -p "$Name" -E -v "$DeviceURI" -P "$PPD" -o auth-info-required=negotiate
This policy is attached to a SMART group called 'No Follow Me Printer'. It's obviously running on enrolment or build and works fine for a while but when it gets into this paused state and I manually remove it the SMART group takes too long to update so I run the lpadmin locally. I've tried doing a policy that just runs the script at logon but that doesn't seem to be helping either.
Could anyone point me in the right direction to establish what could be causing this?
Posted on 11-07-2018 02:10 AM
I'd suggest you make life a little easier by adding everyone to the lpoperator group, so anyone can unpause the printer. Macs pause printing when waiting for authentication, which is what I'd guess is happening with your queue.
/usr/sbin/dseditgroup -o edit -a everyone -t group _lpoperator
# Might also want...
/usr/bin/security authorizationdb write system.print.operator allow
I'm assuming your Macs are AD bound or getting a Kerberos ticket? If so you can use kerberos to handle the authentication, meaning you don't need to prompt. One issue with kerberos is that when you authenticate as another user it messes up the ticket, so you need to run kdestroy if you do this.
Our code for adding a printer
Our code for configuring kerberos
If you're not using Kerberos and not reconfiguring the printer each login, then it will have the credentials of the first user to print to it, which will mismatch the user on the system, again likely causing the printer to pause...
Posted on 11-07-2018 02:46 AM
They are AD bound, correct, and they are often prompted for their credentials.
I'll have a look through your linked scripts. Thank you for those.
With regards to the lpoperator should I just script that as a once per machine and that'll do it?
Posted on 11-07-2018 02:48 AM
Yes, once per computer will work. Hope the info/scripts helps you get printing working for your users.
Posted on 11-07-2018 02:57 AM
I am giving it a try right now and once it's working I'll test across a few other machines and keep you posted.
Could I ask as to whether I am editing the script correctly as I'm not sure whether to keep in the ${} or not.
# Name of the print queue on the server
queue="Follow-Me-Mac"
# FQDN of the server hosting ${queue}
server="name.domain.internal"
# smb, lpd, ipp etc
protocol="smb"
# Full path to the appropriate PPD on the client
ppd="/Library/Printers/PPDs/Contents/Resources/SHARP MX-4112N.PPD.gz"
I'll continue to edit but just wanted to clarify I'm doing it right sorry.
Posted on 11-07-2018 03:06 AM
The queue name needs to match a queue on your print server. I'm guessing you don't have multiple follow-me queues? I'd guess you just want something like:
# Name of the print queue on the server
queue="Follow-Me"
# FQDN of the server hosting ${queue}
server="name.domain.internal"
# smb, lpd, ipp etc
protocol="smb"
# Full path to the appropriate PPD on the client
ppd="/Library/Printers/PPDs/Contents/Resources/SHARP MX-4112N.PPD.gz"
# Specify an operational policy for this printer.
# Must be a policy defined in cupsd.conf - default or kerberos recommended.
op_policy="kerberos"
# A list of CUPS options, of the form -o name=value -o name=value
options="-o printer-is-shared=false -o Duplex=DuplexNoTumble -o PageSize=A4"
# If this is set to YES then the printer will be deleted and recreated if it exists
reconfigure="YES"
Posted on 11-07-2018 03:10 AM
Thank you again, that's really helpful. I had got most of that down but didn't quite understand the options= line so have modified that now.
Just working through the Kerberos one but need to do some more reading as I'm stumped immediately on the realms part (I have our domain name of course but there are all sorts of subdomains listed that we have nothing like). One step closer at least, thank you.
Posted on 11-07-2018 03:23 AM
This is the command I use in our labs to allow standard users to resume a print queue without having to be an admin or enter credentials.
#!/bin/sh
# This script gives standard users print operator rights to resume a paused print queue without authenticating.
#--------------------------------------------------------
# Add the Everyone Group to Print Operator Group
dseditgroup -o edit -a everyone -t group _lpoperator
#--------------------------------------------------------
exit 0
Posted on 11-07-2018 03:25 AM
We have a complex domain/realm setup (and a trust relationship between an LDAP-based authentication service and AD) so you might not need to do much of what is in the Kerberos script outside of ensuring the ticket renewal etc. in the PAM files... If you can run klist and have a sensible looking ticket then the printing might just work.
Note you don't want "-o auth-info-required=negotiate" in the options, the queue should just use the kerberos ticket assuming you are getting one on logon...
Posted on 11-07-2018 03:31 AM
This is how I manually set up the queues/printer objects after installing the drivers first.
#!/bin/sh
#-------------------------------------------------
# CAMPUS STUDENT EXAMPLE
# Setup Mono Print Queue
lpadmin -p "MAC_STUDENT_MONO" -o printer-is-shared=false -o printer-op-policy=authenticated -o auth-info-required=negotiate -v "smb://EXAMPLE.AD.DOMAIN.AC.UK/MAC_STUDENTMONO" -E -m /Library/Printers/PPDs/Contents/Resources/CNMCIRA4025S2.ppd.gz -L "Example Campus" -u allow:all
# Set Default Printer
lpadmin -d "MAC_STUDENT_MONO"
# Setup Colour Print Queue
lpadmin -p "MAC_STUDENT_COLOUR" -o printer-is-shared=false -o printer-op-policy=authenticated -o auth-info-required=negotiate -v "smb://EXAMPLE.AD.DOMAIN.AC.UK/MAC_STUDENTCOLOUR" -E -m /Library/Printers/PPDs/Contents/Resources/CNMCIRAC5030S2.ppd.gz -L "Example Campus" -u allow:all
# Sets the error policy to be used when the printer backend is unable to send the job to the printer.
# The name must be one of "abort-job", "retry-job", "retry-current-job", or "stop-printer".
# The default error policy is "stop-printer" for printers and "retry-current-job" for classes.
lpadmin -p MAC_STUDENT_MONO -o printer-error-policy=retry-job
lpadmin -p MAC_STUDENT_COLOUR -o printer-error-policy=retry-job
# Set the Page Media Size to A4
lpadmin -p MAC_STUDENT_MONO -o media=A4
lpadmin -p MAC_STUDENT_COLOUR -o media=A4
#-------------------------------------------------
exit 0
Posted on 11-07-2018 12:04 PM
I don't remember where I got this script from (probably somewhere on here), but for my users who keep having this issue, the best fix has been a script they can call from Self-Service.
#!/bin/sh
sudo cupsenable `lpstat -t | grep disabled | awk '{print $2}'`
This will restart the printer queue without needing to enter the admin password. The main caveat is that the printers have to be reachable (if they are network printers) or plugged in and turned on (if USB attached).
I created it as a policy and have it enabled for all staff computers (non-staff computers should not be printing, but YMMV) and have it as a "Featured" option on the Frontpage of Self-Service.
Posted on 11-08-2018 12:55 PM
I had to do that for a bit last year as we had users entering and saving bad user credentials... it was a bit more complicated than that, but we'll leave it there. I'll throw in a few more things that might help. I used the following line to clear the paused print queue before starting it again with:
sudo cancel -a `lpstat -t | grep disabled | awk '{print $2}'`
I also used the following extension attribute to track the occurrences:
#!/bin/bash
RESULT=$(lpstat -p | grep -w "disabled" | awk '{print$2}')
echo "<result>$RESULT</result>"
Everything I've listed above I'm sure I found here... somewhere.
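A stricter way to pick out paused queues than the `lpstat ... | grep disabled` pipelines in the two posts above, written as an added example that is not any poster's code: it matches only `printer NAME disabled since ...` status lines and does nothing when no queue is paused. The `lpstat -p` line format (English locale) is an assumption, the sample output is constructed, and `CUPS_ENABLE` and `--apply` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: find CUPS queues that `lpstat -p` reports as disabled and
# resume only those, without touching anything when no queue is paused.

# Print the names of disabled queues found in `lpstat -p` output on stdin.
# Only status lines of the form "printer NAME disabled since ..." count, so a
# queue whose name or reason text merely contains "disabled" is ignored.
disabled_queues() {
    awk '$1 == "printer" && $3 == "disabled" { print $2 }'
}

# Resume every queue named on stdin, one per line. Returns 0 when there is
# nothing to do and 1 if any queue could not be resumed.
# CUPS_ENABLE is a hypothetical override used for dry runs (e.g. "echo").
resume_queues() {
    enable_cmd=${CUPS_ENABLE:-cupsenable}
    rc=0
    while IFS= read -r q; do
        [ -n "$q" ] || continue
        "$enable_cmd" "$q" || rc=1
    done
    return "$rc"
}

# Constructed sample of `lpstat -p` output (assumed format, not captured from
# a real machine). "disabled-test" is an enabled queue with a misleading name.
sample_lpstat() {
    printf '%s\n' 'printer Follow-Me disabled since Wed Nov  7 01:40:12 2018 -'
    printf '\t%s\n' 'Paused'
    printf '%s\n' 'printer disabled-test is idle.  enabled since Wed Nov  7 01:12:03 2018'
    printf '%s\n' 'printer MAC_STUDENT_MONO is idle.  enabled since Wed Nov  7 01:12:05 2018'
}

# Act on the live system only when --apply is passed (hypothetical flag);
# otherwise the file just defines the functions above.
for arg in "$@"; do
    if [ "$arg" = "--apply" ]; then
        lpstat -p | disabled_queues | resume_queues
    fi
done
```

On the constructed sample, `grep disabled` (with or without `-w`) also returns `disabled-test`, while `disabled_queues` returns only `Follow-Me`.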