+13We are on OS X 10.8.2 and we identified an issue with Kerberos single sign-on.
Users get re-authentication prompts after an initial successful print to their SMB print queues.
Kerberos ticket will get created at login but ticket will get destroyed once after an initial successful print and prompts for re-authentication at then next print.
"klist" shows a valid ticket after login but will be empty after I print for the very first time.
Has anyone seen this behavior?
Best answer by Kumarasinghe
Fixed on OS X 10.8.5.
+7We have the same problem and it still exists with 10.8.3 and the actual beta version of 10.8.4.
Unfortunately we didn't find a solution yet except from disabling Kerberos for printing. Did you find out something new about the problem since your post?
I found a new discussion at google groups today regarding the same problem:
https://groups.google.com/forum/?fromgroups#!topic/macenterprise/5f9XSWM70g8
We have log entries similar to the last post in this group.
(copy from the post on google groups)
May 20 17:53:16 mactjwrn2.botolph.cam.ac.uk kcm[8660] <Error>: DESTROY request for cache 312325814:70 by process 3650/uid 312325814
I am experiencing this identical issue. Running this type of config below:
OS X 10.8.3
Domain Joined
Domain Account logged in.
CUPs printer string:
/usr/sbin/lpadmin -p "Master" -E -v "smb://marmot.blahbalh.com/Master" -P "/Library/Printers/PPDs/Contents/Resources/Kyocera FS-C2626MFP.ppd" -D "Master" -o "Option20=One" -o "ColorModel=Gray" -o PageSize=Letter -o auth-info-required=negotiate -o printer-op-policy=authenticated -o printer-error-policy=retry-job
Generally, user can print one -> three times then receives a hold for authentication and requires a username/password to be typed in.
Hopefully we can find a solution!
Mark
+36@Kumarasinghe Thanks for posting the Bug ID, would you mind posting the details for Bug ID 12150493? The [openradar.appspot.com](openradar.appspot.com) site comes up dry when I search for that Bug ID.
Thanks,
Don
+7In my bug report I only see:
duplicate of 12150493 Open
No more details.
The problem still exists with the released version of 10.8.4 by the way.
+13@Don We have submitted a separate Bug report and has been closed as a duplicate. We can't see the original bug description but it is the same issue we described in this thread.
I can only see the state of the original bug which says "open".
Thanks
+7The problem will be solved with 10.9. I think it's thanks to the better support of the SMB protocol.
+7Unfortunately 10.8.5 didn't fix the problem in our environment. Did 10.8.5 really fix this issue in your environment?
+13Did you kerberise the print queues manually (auth-info-required=negotiate)? if not you have to do it.
https://jamfnation.jamfsoftware.com/discussion.html?id=4075
I have tested on a clean OS X install and worked fine. Going to test few more times tomorrow with different setups and see.
+1I just wanted to circle back to this topic and post some findings I've had with 10.9 and 10.10 clients. It appears that the correct way to get the authentication prompt to go away for AD bound machines is simply adding the option
-o auth-info-required=negotiateto your lpadmin command.
For example (and to quote @rhysforrester at https://jamfnation.jamfsoftware.com/discussion.html?id=4075#responseChild19303)
For printers you've already installed on the system run the following command;To setup a new printer you would use:lpadmin -p PRINTERNAME -o auth-info-required=negotiatelpadmin -p PRINTERNAME -E -v smb://PRINTSERVER/PRINTQUEUE -m Generic.ppd -L "LOCATION" -o auth-info-required=negotiate
I have added this one option to the lpadmin command and had great success. It appears that the ```
(-o printer-op-policy=Authenticatedand
cupsctl DefaultAuthType=Negotiate
```are not needed.
+13Not sure where I / We got it from but we've been using the below script for a few OS' that will cycle through all configured printer queues and set them to try SSO printing first:
#!/bin/bash
########################################################
#declare -x BUILD=2011022409
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
## our vars
declare -x MYNAME="configureCUPSKerb.sh"
#declare -x LOGGERTAGS="-s -t "${MYNAME}""
## Executable vars
declare -x awk="/usr/bin/awk"
declare -x grep="/usr/bin/grep"
declare -x logger="/usr/bin/logger"
declare -x lpadmin="/usr/sbin/lpadmin"
declare -x lpstat="/usr/bin/lpstat"
declare -x mkdir="/bin/mkdir"
declare -x perl="/usr/bin/perl"
## Get a list of our SMB printers
declare -x SMBPRINTERS="$("$lpstat" -v | "$grep" smb | "$perl" -p -e 's/device for (.*): smb.*/$1/g')"
OLDIFS="$IFS"
IFS=$'
'
for SMBPRINTER in $SMBPRINTERS; do
"$lpadmin" -p "$SMBPRINTER" -o auth-info-required=negotiate
doneHope it helps!
Darren
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.