Re-authentication prompts after an initial successful print - OS X 10.8.2

Kumarasinghe
Valued Contributor

We are on OS X 10.8.2 and we identified an issue with Kerberos single sign-on.
Users get re-authentication prompts after an initial successful print to their SMB print queues.

A Kerberos ticket gets created at login, but the ticket gets destroyed after an initial successful print, and the user is prompted for re-authentication at the next print.

"klist" shows a valid ticket after login but will be empty after I print for the very first time.

Has anyone seen this behavior?

1 ACCEPTED SOLUTION

Kumarasinghe
Valued Contributor

Fixed on OS X 10.8.5.


14 REPLIES

fritz_schlapbac
Contributor

We have the same problem and it still exists with 10.8.3 and the actual beta version of 10.8.4.

Unfortunately we didn't find a solution yet except for disabling Kerberos for printing. Did you find out something new about the problem since your post?

I found a new discussion on Google Groups today regarding the same problem:
https://groups.google.com/forum/?fromgroups#!topic/macenterprise/5f9XSWM70g8

We have log entries similar to the last post in this group.

(Copied from the post on Google Groups)
```
May 20 17:53:16 mactjwrn2.botolph.cam.ac.uk kcm[8660] <Error>: DESTROY request for cache 312325814:70 by process 3650/uid 312325814
```
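
Added example, not part of the original post: a small filter that counts `kcm` DESTROY requests per uid and requesting PID, so you can see which process is destroying the credential cache and when it last did so. The first sample line is the one quoted above; the other sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise kcm DESTROY requests.
# Reads syslog-format lines on stdin and prints one line per uid/pid pair:
#   uid=<uid> pid=<pid> destroys=<count> last=<timestamp of latest request>

kcm_destroy_summary() {
    awk '
    / kcm\[[0-9]+\]/ && /DESTROY request for cache/ {
        proc = ""
        for (i = 1; i < NF; i++)
            if ($i == "process") proc = $(i + 1)   # looks like "3650/uid"
        if (proc == "") next
        split(proc, part, "/")
        key = "uid=" $NF " pid=" part[1]           # uid is the last field
        count[key]++
        last[key] = $1 " " $2 " " $3               # syslog timestamp
    }
    END {
        for (key in count)
            print key " destroys=" count[key] " last=" last[key]
    }' | LC_ALL=C sort
}

# Constructed sample input: the first line is the one quoted in the thread,
# the remaining lines are made up for illustration.
sample_kcm_log() {
    cat <<'EOF'
May 20 17:53:16 mactjwrn2.botolph.cam.ac.uk kcm[8660] <Error>: DESTROY request for cache 312325814:70 by process 3650/uid 312325814
May 20 17:53:20 host.example.com cupsd[120] <Info>: job 12 queued
May 20 18:02:41 host.example.com kcm[8660] <Error>: DESTROY request for cache 312325814:71 by process 3650/uid 312325814
May 20 18:10:05 host.example.com kcm[8660] <Error>: DESTROY request for cache 501:3 by process 4102/uid 501
EOF
}

# On an affected client (the log path is an assumption for your system):
#   kcm_destroy_summary < /var/log/system.log
sample_kcm_log | kcm_destroy_summary
```

Comparing the `last=` timestamps with the times of print jobs shows whether the cache is destroyed at print time.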

Kumarasinghe
Valued Contributor

Not yet. Thanks for the post.

agile
New Contributor

I am experiencing this identical issue. Running this type of config below:

OS X 10.8.3 Domain Joined
Domain Account logged in.

CUPS printer string:
```
/usr/sbin/lpadmin -p "Master" -E -v "smb://marmot.blahbalh.com/Master" -P "/Library/Printers/PPDs/Contents/Resources/Kyocera FS-C2626MFP.ppd" -D "Master" -o "Option20=One" -o "ColorModel=Gray" -o PageSize=Letter -o auth-info-required=negotiate -o printer-op-policy=authenticated -o printer-error-policy=retry-job
```

Generally, a user can print one to three times, then receives a hold for authentication and is required to type in a username/password.

Hopefully we can find a solution!

Mark

Kumarasinghe
Valued Contributor

Known Bug from Apple. The issue is being tracked under the original Bug ID 12150493.

donmontalvo
Esteemed Contributor III

@Kumarasinghe Thanks for posting the Bug ID, would you mind posting the details for Bug ID 12150493? The [openradar.appspot.com](openradar.appspot.com) site comes up dry when I search for that Bug ID.

Thanks,
Don

--
https://donmontalvo.com

fritz_schlapbac
Contributor

In my bug report I only see:

duplicate of 12150493 Open

No more details.

The problem still exists with the released version of 10.8.4 by the way.

Kumarasinghe
Valued Contributor

@Don We have submitted a separate bug report and it has been closed as a duplicate. We can't see the original bug description but it is the same issue we described in this thread.

I can only see the state of the original bug which says "open".

Thanks

fritz_schlapbac
Contributor

The problem will be solved with 10.9. I think it's thanks to the better support of the SMB protocol.

Kumarasinghe
Valued Contributor

Couldn't replicate the issue on OS X 10.8.5. It seems to be fixed on OS X 10.8.5.

fritz_schlapbac
Contributor

Unfortunately 10.8.5 didn't fix the problem in our environment. Did 10.8.5 really fix this issue in your environment?

Kumarasinghe
Valued Contributor

Did you kerberise the print queues manually (auth-info-required=negotiate)? If not, you have to do it.
https://jamfnation.jamfsoftware.com/discussion.html?id=4075

I have tested on a clean OS X install and it worked fine. Going to test a few more times tomorrow with different setups and see.

Kumarasinghe
Valued Contributor

Fixed on OS X 10.8.5.

n8felton
New Contributor

I just wanted to circle back to this topic and post some findings I've had with 10.9 and 10.10 clients. It appears that the correct way to get the authentication prompt to go away for AD bound machines is simply adding the option

-o auth-info-required=negotiate

to your lpadmin command.

For example (and to quote @rhysforrester at https://jamfnation.jamfsoftware.com/discussion.html?id=4075#responseChild19303)

For printers you've already installed on the system run the following command:
```
lpadmin -p PRINTERNAME -o auth-info-required=negotiate
```
To set up a new printer you would use:
```
lpadmin -p PRINTERNAME -E -v smb://PRINTSERVER/PRINTQUEUE -m Generic.ppd -L "LOCATION" -o auth-info-required=negotiate
```

I have added this one option to the lpadmin command and had great success. It appears that `-o printer-op-policy=Authenticated` and `cupsctl DefaultAuthType=Negotiate` are not needed.

daz_wallace
Contributor III

Not sure where I / We got it from but we've been using the below script for a few OS' that will cycle through all configured printer queues and set them to try SSO printing first:

```
#!/bin/bash

########################################################

#declare -x BUILD=2011022409
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"

## our vars
declare -x MYNAME="configureCUPSKerb.sh"

#declare -x LOGGERTAGS="-s -t "${MYNAME}""

## Executable vars
declare -x awk="/usr/bin/awk"
declare -x grep="/usr/bin/grep"
declare -x logger="/usr/bin/logger"
declare -x lpadmin="/usr/sbin/lpadmin"
declare -x lpstat="/usr/bin/lpstat"
declare -x mkdir="/bin/mkdir"
declare -x perl="/usr/bin/perl"

## Get a list of our SMB printers (queue names taken from "device for NAME: smb://..." lines)
declare -x SMBPRINTERS="$("$lpstat" -v | "$grep" smb | "$perl" -p -e 's/device for (.*): smb.*/$1/g')"

## Split the list on newlines only, so each queue name is handled as one item
OLDIFS="$IFS"
IFS=$'\n'
for SMBPRINTER in $SMBPRINTERS; do
    ## Set this queue to use Kerberos (negotiate) authentication
    "$lpadmin" -p "$SMBPRINTER" -o auth-info-required=negotiate
done
## Restore the original field separator
IFS="$OLDIFS"
```

Hope it helps!

Darren
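
Added example, not part of the original post: a read-only check that lists the SMB queues the loop above still needs to change. It assumes the CUPS `printers.conf` layout of `<Printer NAME>` blocks containing `DeviceURI` and `AuthInfoRequired` lines; the sample configuration and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list SMB queues not yet set to negotiate.
# Reads printers.conf-format text on stdin and prints "<queue> <current auth>"
# for every smb:// queue whose AuthInfoRequired is not "negotiate".

smb_queues_missing_negotiate() {
    awk '
    /^<(Default)?Printer / {            # start of a queue definition
        name = $2; sub(/>$/, "", name)
        uri = ""; auth = "none"         # "none" = no AuthInfoRequired line seen
        next
    }
    $1 == "DeviceURI"        { uri = $2;  next }
    $1 == "AuthInfoRequired" { auth = $2; next }
    /^<\/(Default)?Printer>/ {          # end of the definition: report if needed
        if (uri ~ /^smb:/ && auth != "negotiate")
            print name " " auth
    }'
}

# Constructed sample configuration (hostnames and queue names are made up).
sample_printers_conf() {
    cat <<'EOF'
<Printer Master>
AuthInfoRequired negotiate
DeviceURI smb://printserver.example.com/Master
</Printer>
<Printer Colour2>
AuthInfoRequired username,password
DeviceURI smb://printserver.example.com/Colour2
</Printer>
<Printer Lobby>
DeviceURI smb://printserver.example.com/Lobby
</Printer>
<DefaultPrinter USBLocal>
DeviceURI usb://Vendor/Model
</DefaultPrinter>
EOF
}

# On a client, as root (path assumed to be the standard CUPS location):
#   smb_queues_missing_negotiate < /etc/cups/printers.conf
sample_printers_conf | smb_queues_missing_negotiate
```

An empty result means every SMB queue is already configured for Kerberos.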