Posted on 11-15-2012 03:22 PM
Hey Guys,
We have a product called Uniflow.
To add a printer on a Mac if we add the printer by searching for the printer by bonjour it adds the correct printer smb://uniflow/Printername however it prompts for authentication before printing
So we get around this by adding the printer by enabling the advanced tab and adding a windows printer via spoolss and using the url smb://uniflow/Printername we choose the driver then add this way of doing it does not require the user to input credentials.
However when we capture this printer using casper admin and deploy it to other machines the printer installs correctly however like the bonjour lookup it requires the user to put in their username and password to be able to print.
How is the advanced add different to how casper is deploying the printers to the machine even if we captured them off a working Advanced Add......
Posted on 11-16-2012 06:23 AM
Add the printer in both ways on a single system. Then use the cups interface (http://localhost:631) to see if they're configured differently. That *should* get you on the right track. You may need to add the printers via shell script with the lpadmin command instead of through Casper Admin.
Posted on 11-16-2012 10:15 AM
Oh you're dealing with that abomination of a print service as well?
*cough* anyway ...
First thing I did was to make a first image policy that executes the following command:
cupsctl DefaultAuthType=Negotiate
Then I manually added the printer to my test mac, then in the CUPS interface as detailed in the previous post I changed the authentication option to "kerberos" on the printer object. I added that via Casper Admin to the JSS.
That's pretty much all you need for AD authenticated printing via Uniflow.
Posted on 11-16-2012 10:18 AM
@jarednichols :
OS X printing is messed up. I've been dealing with a known good set of server address and queue details. Adding via the GUI worked every time. Adding via lpadmin resulted in constant failure and i've never found any differences to explain why.
Posted on 11-16-2012 11:17 AM
@franton
Interesting. In my experience it's been the other way round. :) Via GUI would be fubar'd but via lpadmin it'd be good to go.
Posted on 11-16-2012 11:20 AM
Exactly! It's horrifically inconsistent in all the ways that matter!
Posted on 03-31-2013 11:09 AM
We're wrestling with PaperCut, where users are prompted for their credentials. Macs are all joined to the domain, so we were expecting not to have to deal with this. During troubleshooting we determined the Print Server is not Kerberized (they're looking into flicking that switch). It sounds like the other half of the fix is to run the command that Jared posted:
cupsctl DefaultAuthType=Negotiate
I guess we'll be testing both...Kerberizing the Print Servers, and setting the cupsctl option on the Macs, will post results.
Don
Posted on 03-31-2013 12:56 PM
Use the printer GUI to create the printer object(s) to import into Casper. If you create things via the localhost:631 page, the authentication doesn't work. It does with the GUI. No idea why.
Posted on 03-31-2013 01:34 PM
Like @jarednichols we use lpadmin for this kind of stuff. I like Casper but I don't want to use it as a crutch when the underlying OS X tools are at your fingertips. :) We put a query in to our infrastructure team to Kerberize the PaperCut print server queues. Once that's done we'll test again and we'll post results. I'll keep fingers crossed that we can get this fixed...
Posted on 03-31-2013 01:40 PM
Fingers crossed it works for you. It's nuts that printer objects created with identical settings behave differently depending on if it was created via the gui, the cups webpage or the lpadmin command. Or at least that's been my experience, and not just with Casper either.
I had to implement uniflow printing on our 10.8 Casper macs as well as our 10.5-10.7 Filewave (sorry for swearing) macs. I came to the conclusion that CUPS is messed up after all the difficulties.
Posted on 03-20-2014 02:27 PM
@donmontalvo Did you ever come up with a solution for this? I've tried running ```
cupsctl DefaultAuthType=Negotiate
``` on the client while using a printer on our Kerberized print server, but we're still being prompted for creds.
Posted on 03-20-2014 03:51 PM
https://jamfnation.jamfsoftware.com/discussion.html?id=7082
Posted on 03-23-2014 03:38 PM
@n8felton][/url
This has been fixed on OS X 10.8.5 for us.
https://jamfnation.jamfsoftware.com/discussion.html?id=6403
Posted on 09-30-2014 06:18 AM
I see so many references to people using lpadmin with the JSS to add/remove printers. We attempted to deploy Papercut last spring at our school and have been halted for over half a year while trying to devise a plan to add/remove queues with the JSS that uses Kerberos authentication. The easiest way seems to be using lpadmin to add the queues with the Operation Policy Authenticated (-o printer-op-policy=Authenticated) and tell the CUPS server to authenticate to our Windows print queues with Kerberos using "cupsctl DefaultAuthType=Negotiate". I can make it work when entering the commands through Terminal as root on each machine individually, but for the life of me, I can't get the commands to run without needing to pass the root password with the JSS. It's not consistent, but I almost always get "Unauthorized" when running cupsctl or lpadmin through the JSS. Can anyone please explain how you're running lpadmin commands through the JSS?
Posted on 02-16-2015 03:41 PM
I just wanted to circle back to this topic and post some findings I've had with 10.9 and 10.10 clients. It appears that the correct way to get the authentication prompt to go away for AD bound machines is simply adding the option
-o auth-info-required=negotiate
to your lpadmin command.
For example (and to quote @rhysforrester at https://jamfnation.jamfsoftware.com/discussion.html?id=4075#responseChild19303)
For printers you've already installed on the system run the following command;To setup a new printer you would use:lpadmin -p PRINTERNAME -o auth-info-required=negotiate
lpadmin -p PRINTERNAME -E -v smb://PRINTSERVER/PRINTQUEUE -m Generic.ppd -L "LOCATION" -o auth-info-required=negotiate
I have added this one option to the lpadmin command and had great success. It appears that the ```
(-o printer-op-policy=Authenticatedand
cupsctl DefaultAuthType=Negotiate
```are not needed.
Posted on 11-21-2017 09:50 AM
Is there a way to make it prompt every time? I'm living in a two domain situation where I need the credential prompt to come up every time.