Skip to main content

Hey,
One of the regular problems that our helpdesk experiences is incorrect usernames/ passwords being used for printing services. I've been trying to write a script to put in self service that will get a user's wifi username and password from the keychain, remove the old entries for the printers, and then add them again with the WiFi password (which we assume is correct at this stage).



Here is what I have so far...



#!/bin/bash
#Check if there is an "acct" in the response - if not then the wifi credentials for SSID can't be found.
wifi=$(security find-generic-password -D '802.1X Password' -l 'SSID' 2>&1 | grep "acct")

if [ ! -z "$wifi" ]; then
echo "I found it!"
#Get the account name used for wifi
username=$(security find-generic-password -D '802.1X Password' -l 'SSID' -g 2>&1 | grep acct | sed -e 's/.*"(.*)"/1/')
#get the password used for wifi
wifipwd=$(security find-generic-password -D '802.1X Password' -l 'SSID' -w)

#Delete the 4 xerox printers
security delete-generic-password -l 'Xerox - B&W (AirPrint)'
security delete-generic-password -l 'Xerox - B&W (Advanced) @ Mac Server 2'
security delete-generic-password -l 'Xerox - Colour (AirPrint)'
security delete-generic-password -l 'Xerox - Colour (Advanced) @ Mac Server 2'
#Recreate the 4 xerox printers
security add-generic-password -a $username -s "Xerox - B&W (AirPrint)" -w $wifipwd -D 'Network Password' -l 'Xerox - B&W (AirPrint)' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
security add-generic-password -a $username -s "Xerox - B&W (Advanced) @ Mac Server 2" -w $wifipwd -D 'Network Password' -l 'Xerox - B&W (Advanced) @ Mac Server 2' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
security add-generic-password -a $username -s "Xerox - Colour (AirPrint)" -w $wifipwd -D 'Network Password' -l 'Xerox - Colour (AirPrint)' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
security add-generic-password -a $username -s "Xerox - Colour (Advanced) @ Mac Server 2" -w $wifipwd -D 'Network Password' -l 'Xerox - Colour (Advanced) @ Mac Server 2' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
else
echo "Its not there!"
fi


Now the problem that I'm having: no matter if I specify an application with the -T option on the security command (give an application permissions to access that keychain item), the user gets a prompt when trying to print for the first time with that same application (NetAuthSysAgent) tries to access the keychain.
If I check my keychain access the application is there in the access control list.
Furthermore I did some testing by dumping the keychain access control list with



 dump-keychain -a login.keychain


Here is the difference between the keychain item that doesn't prompt:



keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
0x00000007 <blob>="Xerox - B&W (AirPrint)"
0x00000008 <blob>=<NULL>
"acct"<blob>="USERNAME"
"cdat"<timedate>=0x32303136313230313031303533385A00 "20161201010538Z�00"
"crtr"<uint32>=<NULL>
"cusi"<sint32>=<NULL>
"desc"<blob>="Network Password"
"gena"<blob>=<NULL>
"icmt"<blob>=<NULL>
"invi"<sint32>=<NULL>
"mdat"<timedate>=0x32303136313230313031303533385A00 "20161201010538Z�00"
"nega"<sint32>=<NULL>
"prot"<blob>=<NULL>
"scrp"<sint32>=<NULL>
"svce"<blob>="Xerox - B&W (AirPrint)"
"type"<uint32>=<NULL>
access: 5 entries
entry 0:
authorizations (1): encrypt
don't-require-password
description: Xerox - B&W (AirPrint)
applications: <null>
entry 1:
authorizations (6): decrypt derive export_clear export_wrapped mac sign
don't-require-password
description: Xerox - B&W (AirPrint)
applications (4):
0: /System/Library/CoreServices/NetAuthAgent.app (OK)
1: /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent (OK)
2: 0x67726F75703A2F2F4E65744175746800 "group://NetAuth�00"
3: /usr/bin/security (OK)
entry 2:
authorizations (1): integrity
don't-require-password
description: e600621541e120ae156b9f5c3e317727b55f61597180255da2e18790eee617b8
applications: <null>
entry 3:
authorizations (1): partition_id
don't-require-password
description: apple-tool:, apple:
applications: <null>
entry 4:
authorizations (1): change_acl
don't-require-password
description: Xerox - B&W (AirPrint)
applications (0):


And the keychain that does prompt (before i clicked always allow on the prompt):



keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
0x00000007 <blob>="Xerox - B&W (AirPrint)"
0x00000008 <blob>=<NULL>
"acct"<blob>="USERNAME"
"cdat"<timedate>=0x32303136313230313031333330315A00 "20161201013301Z�00"
"crtr"<uint32>=<NULL>
"cusi"<sint32>=<NULL>
"desc"<blob>="Network Password"
"gena"<blob>=<NULL>
"icmt"<blob>=<NULL>
"invi"<sint32>=<NULL>
"mdat"<timedate>=0x32303136313230313031333330315A00 "20161201013301Z�00"
"nega"<sint32>=<NULL>
"prot"<blob>=<NULL>
"scrp"<sint32>=<NULL>
"svce"<blob>="Xerox - B&W (AirPrint)"
"type"<uint32>=<NULL>
access: 5 entries
entry 0:
authorizations (6): decrypt derive export_clear export_wrapped mac sign
don't-require-password
description: Xerox - B&W (AirPrint)
applications (4):
0: /System/Library/CoreServices/NetAuthAgent.app (OK)
1: /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent (OK)
2: 0x67726F75703A2F2F4E65744175746800 "group://NetAuth�00"
3: /usr/bin/security (OK)
entry 1:
authorizations (1): encrypt
don't-require-password
description: Xerox - B&W (AirPrint)
applications: <null>
entry 2:
authorizations (1): integrity
don't-require-password
description: e600621541e120ae156b9f5c3e317727b55f61597180255da2e18790eee617b8
applications: <null>
entry 3:
authorizations (1): partition_id
don't-require-password
description: apple-tool:
applications: <null>
entry 4:
authorizations (1): change_acl
don't-require-password
description: Xerox - B&W (AirPrint)
applications (0):


My testing so far seems to suggest that the -T option just doesn't work... has anybody had any experience with this?

Edit: Oops! Never mind. I see that you do have the full path as well. I didn't scroll over far enough before. Have you tried it with just the full path and not the bundle as well? I'm wondering if its only adding in the first one and ignoring the others.



Leaving original post here just for reference:



I may be wrong, but I believe when using the -T option with security, you need to specify the full path to the actual executable in the app bundle, not the app bundle itself.
In your script, you have the following path after -T



/System/Library/CoreServices/NetAuthAgent.app


I believe it should be:



/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent


Meaning, the full path to the executable inside the 'MacOS' directory. I would try it that way and see if it helps.


Hi,
Thanks for the advice.
I'll give it a go. I hadn't tried that because the items are showing up in both Keychain Manager & the dump.


I know this is an old thread, but just in case someone comes across this looking for an answer.



See entry 3: description line in the security dump-keychain above. The keychain entry that does not prompt has "apple-tool:, apple:" while the keychain entry that prompts only has "apple-tool:".



Does not Prompt:



    entry 3:
authorizations (1): partition_id
don't-require-password
--> description: apple-tool:, apple:
applications: <null>


Prompts:



    entry 3:
authorizations (1): partition_id
don't-require-password
--> description: apple-tool:
applications: <null>


You can run the following after creating the keychain entry to set the correct partition_id, so the user doesn't get prompted, but you have to provide the keychain password:



security set-generic-password-partition-list -S "apple-tool:,apple:" -s 'Xerox - B&W (AirPrint)' -k $PASSWORD


See Scripting the Macos Keychain partition-ids for more info.



-Florin


I stumbled up on this article for a similar error. I am trying to push a network password to our computer so that they can connect to an SMB share without prompting.



The only problem I've run into is that when I send the "security set-generic-password-partition-list" command, it returns an error: "security: SecItemCopyMatching: The specified item could not be found in the keychain."



I have double and triple checked that my set-generic-password-partition-list command is using the same -s as the -l in the initial add-generic-password command, and yet no matter what I do, I keep getting that same error. Any thoughts on this?


I figured out the problem, and I feel kind of dumb about it!



I was using "security set-generic-password-partition-list" when I should have been using "security set-internet-password-partition-list".


Reply