Hey,
One of the regular problems that our helpdesk experiences is incorrect usernames/passwords being used for printing services. I've been trying to write a script to put in self service that will get a user's WiFi username and password from the keychain, remove the old entries for the printers, and then add them again with the WiFi password (which we assume is correct at this stage).
Here is what I have so far...
#!/bin/bash
# Check if there is an "acct" in the response - if not, the WiFi credentials for SSID can't be found.
wifi=$(security find-generic-password -D '802.1X Password' -l 'SSID' 2>&1 | grep "acct")
if [ ! -z "$wifi" ]; then
    echo "I found it!"
    # Get the account name used for WiFi. The capture group needs escaped parens in sed:
    #   "acct"<blob>="USERNAME"  ->  USERNAME
    # (-g is not needed here; it would only add the password to the output being grepped)
    username=$(security find-generic-password -D '802.1X Password' -l 'SSID' 2>&1 | grep acct | sed -e 's/.*"\(.*\)"/\1/')
    # Get the password used for WiFi
    wifipwd=$(security find-generic-password -D '802.1X Password' -l 'SSID' -w)
    # Delete the 4 Xerox printers
    security delete-generic-password -l 'Xerox - B&W (AirPrint)'
    security delete-generic-password -l 'Xerox - B&W (Advanced) @ Mac Server 2'
    security delete-generic-password -l 'Xerox - Colour (AirPrint)'
    security delete-generic-password -l 'Xerox - Colour (Advanced) @ Mac Server 2'
    # Recreate the 4 Xerox printers. "$username" and "$wifipwd" are quoted so a password
    # containing spaces or shell metacharacters is passed as a single argument; -U updates
    # the item if one still exists; -T adds each listed application to the item's ACL.
    security add-generic-password -a "$username" -s "Xerox - B&W (AirPrint)" -w "$wifipwd" -D 'Network Password' -l 'Xerox - B&W (AirPrint)' \
        -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
    security add-generic-password -a "$username" -s "Xerox - B&W (Advanced) @ Mac Server 2" -w "$wifipwd" -D 'Network Password' -l 'Xerox - B&W (Advanced) @ Mac Server 2' \
        -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
    security add-generic-password -a "$username" -s "Xerox - Colour (AirPrint)" -w "$wifipwd" -D 'Network Password' -l 'Xerox - Colour (AirPrint)' \
        -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
    security add-generic-password -a "$username" -s "Xerox - Colour (Advanced) @ Mac Server 2" -w "$wifipwd" -D 'Network Password' -l 'Xerox - Colour (Advanced) @ Mac Server 2' \
        -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
else
    echo "It's not there!"
fi
Now the problem that I'm having: no matter whether I specify an application with the -T option on the security command (giving an application permission to access that keychain item), the user gets a prompt when trying to print for the first time, when that same application (NetAuthSysAgent) tries to access the keychain.
If I check in Keychain Access, the application is there in the access control list.
Furthermore, I did some testing by dumping the keychain access control list with
security dump-keychain -a login.keychain
Here is the keychain item that doesn't prompt:
keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
0x00000007 <blob>="Xerox - B&W (AirPrint)"
0x00000008 <blob>=<NULL>
"acct"<blob>="USERNAME"
"cdat"<timedate>=0x32303136313230313031303533385A00 "20161201010538Z00"
"crtr"<uint32>=<NULL>
"cusi"<sint32>=<NULL>
"desc"<blob>="Network Password"
"gena"<blob>=<NULL>
"icmt"<blob>=<NULL>
"invi"<sint32>=<NULL>
"mdat"<timedate>=0x32303136313230313031303533385A00 "20161201010538Z00"
"nega"<sint32>=<NULL>
"prot"<blob>=<NULL>
"scrp"<sint32>=<NULL>
"svce"<blob>="Xerox - B&W (AirPrint)"
"type"<uint32>=<NULL>
access: 5 entries
entry 0:
authorizations (1): encrypt
don't-require-password
description: Xerox - B&W (AirPrint)
applications: <null>
entry 1:
authorizations (6): decrypt derive export_clear export_wrapped mac sign
don't-require-password
description: Xerox - B&W (AirPrint)
applications (4):
0: /System/Library/CoreServices/NetAuthAgent.app (OK)
1: /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent (OK)
2: 0x67726F75703A2F2F4E65744175746800 "group://NetAuth00"
3: /usr/bin/security (OK)
entry 2:
authorizations (1): integrity
don't-require-password
description: e600621541e120ae156b9f5c3e317727b55f61597180255da2e18790eee617b8
applications: <null>
entry 3:
authorizations (1): partition_id
don't-require-password
description: apple-tool:, apple:
applications: <null>
entry 4:
authorizations (1): change_acl
don't-require-password
description: Xerox - B&W (AirPrint)
applications (0):
And the keychain item that does prompt (before I clicked Always Allow on the prompt):
keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
0x00000007 <blob>="Xerox - B&W (AirPrint)"
0x00000008 <blob>=<NULL>
"acct"<blob>="USERNAME"
"cdat"<timedate>=0x32303136313230313031333330315A00 "20161201013301Z00"
"crtr"<uint32>=<NULL>
"cusi"<sint32>=<NULL>
"desc"<blob>="Network Password"
"gena"<blob>=<NULL>
"icmt"<blob>=<NULL>
"invi"<sint32>=<NULL>
"mdat"<timedate>=0x32303136313230313031333330315A00 "20161201013301Z00"
"nega"<sint32>=<NULL>
"prot"<blob>=<NULL>
"scrp"<sint32>=<NULL>
"svce"<blob>="Xerox - B&W (AirPrint)"
"type"<uint32>=<NULL>
access: 5 entries
entry 0:
authorizations (6): decrypt derive export_clear export_wrapped mac sign
don't-require-password
description: Xerox - B&W (AirPrint)
applications (4):
0: /System/Library/CoreServices/NetAuthAgent.app (OK)
1: /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent (OK)
2: 0x67726F75703A2F2F4E65744175746800 "group://NetAuth00"
3: /usr/bin/security (OK)
entry 1:
authorizations (1): encrypt
don't-require-password
description: Xerox - B&W (AirPrint)
applications: <null>
entry 2:
authorizations (1): integrity
don't-require-password
description: e600621541e120ae156b9f5c3e317727b55f61597180255da2e18790eee617b8
applications: <null>
entry 3:
authorizations (1): partition_id
don't-require-password
description: apple-tool:
applications: <null>
entry 4:
authorizations (1): change_acl
don't-require-password
description: Xerox - B&W (AirPrint)
applications (0):
My testing so far seems to suggest that the -T option just doesn't work... has anybody had any experience with this?
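Added example, not the poster's script. It rewrites the same procedure as functions, fixes the sed capture group, quotes the secrets, and adds a check that parses `security dump-keychain -a` output for the one line that differs between the two dumps above: the `partition_id` ACL entry reads `apple-tool:, apple:` on the item that does not prompt and `apple-tool:` on the one that does. On macOS 10.12 and later that entry is set with `security set-generic-password-partition-list` (the `-S`, `-s`, `-a` and `-k` options are from that tool's usage); that widening it to `apple-tool:,apple:` is what stops the prompt in this case is my inference from the two dumps, not something the post confirms. `SSID` and the printer labels are the placeholders from the post; `SAMPLE_DUMP` is constructed from the post's two dumps, trimmed to the relevant entries. The parsing helpers run anywhere; only `script.sh apply` touches a real keychain.

```shell
#!/bin/bash
# Added example (not the original poster's script). Live functions assume the macOS
# `security` tool, 10.12 or later for set-generic-password-partition-list (assumption);
# the parsing helpers are plain shell and run anywhere.

SSID='SSID'          # placeholder label, as in the post
PRINTER_LABELS='Xerox - B&W (AirPrint)
Xerox - B&W (Advanced) @ Mac Server 2
Xerox - Colour (AirPrint)
Xerox - Colour (Advanced) @ Mac Server 2'

# Extract the quoted value of one attribute from `security find-generic-password`
# output, e.g.  "acct"<blob>="USERNAME"  ->  USERNAME.  The post's sed lost its
# backslashes; \( \) and \1 are required for the capture group.
attr_value() {                      # $1 = attribute name; item output on stdin
    grep "^ *\"$1\"<" | sed -e 's/.*="\(.*\)"$/\1/'
}

# From a `security dump-keychain -a` stream, print the partition_id ACL description
# of every item whose svce attribute equals $1 (one line per matching item).
partition_list_of() {               # $1 = service string; dump on stdin
    awk -v svc="$1" '
        /^keychain:/                                      { hit = 0; want = 0 }
        index($0, "\"svce\"<blob>=\"" svc "\"")           { hit = 1 }
        hit && /authorizations \([0-9]+\): partition_id/ { want = 1; next }
        hit && want && /^ *description:/ { sub(/^ *description: */, ""); print; want = 0 }
    '
}

# Exit 0 when a partition list has no "apple:" entry, i.e. it looks like the item
# that prompts in the post ("apple-tool:") rather than the one that does not.
lacks_apple_partition() {           # $1 = description string from partition_list_of
    case ",$(printf '%s' "$1" | tr -d ' ')," in
        *,apple:,*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Live helpers (macOS only).
wifi_account()  { security find-generic-password -D '802.1X Password' -l "$SSID" 2>/dev/null | attr_value acct; }
wifi_password() { security find-generic-password -D '802.1X Password' -l "$SSID" -w; }

# Delete and recreate one printer item with the ACL the post uses, then set its
# partition list to "apple-tool:,apple:", the value the non-prompting item shows.
# Caveat: -w and -k put secrets on the command line, visible in `ps` to other local
# users while the command runs; fine on a single-user Mac, not on a shared host.
recreate_printer() {                # $1 label/service  $2 account  $3 password  $4 login keychain password
    security delete-generic-password -l "$1" >/dev/null 2>&1
    security add-generic-password -a "$2" -s "$1" -l "$1" -D 'Network Password' -w "$3" \
        -T /System/Library/CoreServices/NetAuthAgent.app \
        -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent \
        -T group://NetAuth -T /usr/bin/security -U
    security set-generic-password-partition-list -S 'apple-tool:,apple:' -s "$1" -a "$2" -k "$4"
}

# Audit a keychain dump (stdin): print the label of every printer item still lacking "apple:".
audit_printers() {
    dump=$(cat)
    printf '%s\n' "$PRINTER_LABELS" | while IFS= read -r label; do
        printf '%s\n' "$dump" | partition_list_of "$label" | while IFS= read -r plist; do
            if lacks_apple_partition "$plist"; then printf '%s\n' "$label"; fi
        done
    done
}

# Constructed sample: the partition_id entries of the post's two dumps, trimmed.
SAMPLE_DUMP='keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="USERNAME"
    "svce"<blob>="Xerox - B&W (AirPrint)"
access: 5 entries
    entry 3:
        authorizations (1): partition_id
        description: apple-tool:, apple:
        applications: <null>
keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="USERNAME"
    "svce"<blob>="Xerox - B&W (AirPrint)"
access: 5 entries
    entry 3:
        authorizations (1): partition_id
        description: apple-tool:
        applications: <null>'

# Only touch the real keychain when invoked as `script.sh apply`.
if [ "${1:-}" = "apply" ]; then
    acct=$(wifi_account); pw=$(wifi_password)
    [ -n "$acct" ] && [ -n "$pw" ] || { echo "No 802.1X item for $SSID" >&2; exit 1; }
    printf 'Login keychain password: '; read -rs kcpw; echo
    printf '%s\n' "$PRINTER_LABELS" | while IFS= read -r label; do
        recreate_printer "$label" "$acct" "$pw" "$kcpw"
    done
    # Anything printed here is an item that would still prompt.
    security dump-keychain -a login.keychain | audit_printers
fi
```

Run `security dump-keychain -a login.keychain | bash -c 'source script.sh; audit_printers'` on a Mac to list only the printer items whose partition list still lacks `apple:`, before and after applying; on the sample built from the post's dumps the audit names the second, prompting copy of `Xerox - B&W (AirPrint)`.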