SMB Printers 10.8, Prompt for Authentication

tijones
New Contributor II

Hey Guys,

We have a product called Uniflow.

To add a printer on a Mac if we add the printer by searching for the printer by bonjour it adds the correct printer smb://uniflow/Printername however it prompts for authentication before printing

So we get around this by adding the printer by enabling the advanced tab and adding a windows printer via spoolss and using the url smb://uniflow/Printername we choose the driver then add this way of doing it does not require the user to input credentials.

However when we capture this printer using casper admin and deploy it to other machines the printer installs correctly however like the bonjour lookup it requires the user to put in their username and password to be able to print.

How is the advanced add different to how casper is deploying the printers to the machine even if we captured them off a working Advanced Add......

15 REPLIES 15

jarednichols
Honored Contributor

Add the printer in both ways on a single system. Then use the cups interface (http://localhost:631) to see if they're configured differently. That *should* get you on the right track. You may need to add the printers via shell script with the lpadmin command instead of through Casper Admin.

franton
Valued Contributor III

Oh you're dealing with that abomination of a print service as well?

*cough* anyway ...

First thing I did was to make a first image policy that executes the following command:

cupsctl DefaultAuthType=Negotiate

Then I manually added the printer to my test mac, then in the CUPS interface as detailed in the previous post I changed the authentication option to "kerberos" on the printer object. I added that via Casper Admin to the JSS.

That's pretty much all you need for AD authenticated printing via Uniflow.

franton
Valued Contributor III

@jarednichols :

OS X printing is messed up. I've been dealing with a known good set of server address and queue details. Adding via the GUI worked every time. Adding via lpadmin resulted in constant failure and i've never found any differences to explain why.

jarednichols
Honored Contributor

@franton
Interesting. In my experience it's been the other way round. :) Via GUI would be fubar'd but via lpadmin it'd be good to go.

franton
Valued Contributor III

Exactly! It's horrifically inconsistent in all the ways that matter!

donmontalvo
Esteemed Contributor III

We're wrestling with PaperCut, where users are prompted for their credentials. Macs are all joined to the domain, so we were expecting not to have to deal with this. During troubleshooting we determined the Print Server is not Kerberized (they're looking into flicking that switch). It sounds like the other half of the fix is to run the command that Jared posted:

cupsctl DefaultAuthType=Negotiate

I guess we'll be testing both...Kerberizing the Print Servers, and setting the cupsctl option on the Macs, will post results.

Don

--
https://donmontalvo.com

franton
Valued Contributor III

Use the printer GUI to create the printer object(s) to import into Casper. If you create things via the localhost:631 page, the authentication doesn't work. It does with the GUI. No idea why.

donmontalvo
Esteemed Contributor III

Like @jarednichols we use lpadmin for this kind of stuff. I like Casper but I don't want to use it as a crutch when the underlying OS X tools are at your fingertips. :) We put a query in to our infrastructure team to Kerberize the PaperCut print server queues. Once that's done we'll test again and we'll post results. I'll keep fingers crossed that we can get this fixed...

--
https://donmontalvo.com

franton
Valued Contributor III

Fingers crossed it works for you. It's nuts that printer objects created with identical settings behave differently depending on if it was created via the gui, the cups webpage or the lpadmin command. Or at least that's been my experience, and not just with Casper either.

I had to implement uniflow printing on our 10.8 Casper macs as well as our 10.5-10.7 Filewave (sorry for swearing) macs. I came to the conclusion that CUPS is messed up after all the difficulties.

n8felton
New Contributor

@donmontalvo Did you ever come up with a solution for this? I've tried running ```
cupsctl DefaultAuthType=Negotiate
``` on the client while using a printer on our Kerberized print server, but we're still being prompted for creds.

donmontalvo
Esteemed Contributor III

Kumarasinghe
Valued Contributor

@n8felton][/url
This has been fixed on OS X 10.8.5 for us.
https://jamfnation.jamfsoftware.com/discussion.html?id=6403

McNeil
New Contributor

I see so many references to people using lpadmin with the JSS to add/remove printers. We attempted to deploy Papercut last spring at our school and have been halted for over half a year while trying to devise a plan to add/remove queues with the JSS that uses Kerberos authentication. The easiest way seems to be using lpadmin to add the queues with the Operation Policy Authenticated (-o printer-op-policy=Authenticated) and tell the CUPS server to authenticate to our Windows print queues with Kerberos using "cupsctl DefaultAuthType=Negotiate". I can make it work when entering the commands through Terminal as root on each machine individually, but for the life of me, I can't get the commands to run without needing to pass the root password with the JSS. It's not consistent, but I almost always get "Unauthorized" when running cupsctl or lpadmin through the JSS. Can anyone please explain how you're running lpadmin commands through the JSS?

n8felton
New Contributor

I just wanted to circle back to this topic and post some findings I've had with 10.9 and 10.10 clients. It appears that the correct way to get the authentication prompt to go away for AD bound machines is simply adding the option

-o auth-info-required=negotiate

to your lpadmin command.

For example (and to quote @rhysforrester at https://jamfnation.jamfsoftware.com/discussion.html?id=4075#responseChild19303)

For printers you've already installed on the system run the following command;
lpadmin -p PRINTERNAME -o auth-info-required=negotiate
To setup a new printer you would use:
lpadmin -p PRINTERNAME -E -v smb://PRINTSERVER/PRINTQUEUE -m Generic.ppd -L "LOCATION" -o auth-info-required=negotiate

I have added this one option to the lpadmin command and had great success. It appears that the ```
(-o printer-op-policy=Authenticated
and
cupsctl DefaultAuthType=Negotiate
```are not needed.

jcwoll
New Contributor III

Is there a way to make it prompt every time? I'm living in a two domain situation where I need the credential prompt to come up every time.