In an Active Directory environment, the most intuitive way for users to add printers is the included default printer browser, and single sign-on is the way to make the process as smooth as possible. It also makes it easier to manage the printers on your network and to use print monitoring software (it works great with PaperCut). The launch daemon watches the /etc/cups/printers.conf file for changes, and once a printer is added the script enables Kerberos authentication on all local SMB printers. The installer package is available for download at the bottom of the post, and constructive feedback is greatly appreciated!

Fine print – It works in 10.6+ with the exception of 10.6.7; the issue is documented in an Apple KB article here – http://support.apple.com/kb/TS3759

A similar process works for 10.5 clients, but it requires the CUPS USER variable to be set to the short name of the logged-in user (`cupsctl USER=$1`) and an authentication type of “none”. A loginhook may be better suited for 10.5 clients because of the need for the USER variable (“$1”), but I’ve had mixed results manipulating the cups.conf file during login because it can corrupt the conf file and cause the login process to hang.

Set the following to use the current user’s short name in the standard authentication dialog when no Kerberos ticket is available: `defaults write /Library/Preferences/com.apple.NetworkAuthorization UseShortName -bool YES`

And now for something completely different…

/Library/LaunchDaemons/edu.psu.educ.kerbprintd.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>edu.psu.educ.kerbprintd</string>
	<key>Program</key>
	<string>/usr/local/bin/kerbprintd</string>
	<key>WatchPaths</key>
	<array>
		<string>/etc/cups/printers.conf</string>
	</array>
	<key>StandardOutPath</key>
	<string>/Library/Logs/kerbprintd.log</string>
	<key>StandardErrorPath</key>
	<string>/Library/Logs/kerbprintd.log</string>
</dict>
</plist>

/usr/local/bin/kerbprintd

#!/bin/bash
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# launchd daemon to enable Kerberos authentication on local SMB print queues
# Matt Hansen on (7/29/2011) - College of Education, Penn State University
# Use with 10.6.x+, Known Bug in 10.6.7 - http://support.apple.com/kb/TS3759
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Preflight
DATEFORMAT="+%m.%d.%Y-%H:%M:%S"
SCRIPT=$(basename "$0")

echo "$(date "$DATEFORMAT") - $SCRIPT - Running"

## User must be root or a member of '_lpadmin' to use the lpadmin utility
## (exact match on the user name, whole-word match on the group name)
[ "$(id -un)" = 'root' ] || id -Gn | grep -qw '_lpadmin' || exit 1

## Verify printers.conf file exists so at least one printer is installed
if [ -e /etc/cups/printers.conf ]; then

	## Enable Kerberos printing on all locally installed SMB printers
	for PRINTER in $(lpstat -v | grep 'smb://' | awk '{print $3}' | tr -d :); do
		## Only change queues that still prompt for a username and password
		if lpoptions -p "$PRINTER" | grep -q 'auth-info-required=username,password'; then
			lpadmin -p "$PRINTER" -o auth-info-required=negotiate
			echo "$(date "$DATEFORMAT") - $SCRIPT - $PRINTER - Enabled"
		fi
	done

else
	echo "$(date "$DATEFORMAT") - $SCRIPT - No printers installed"
fi

exit 0
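
A check on the daemon's result, as an added example that is not part of the original post or of kerbprintd: it parses a printers.conf and lists the SMB queues that are still not set to `negotiate`. The function names, the sample queues and the assumed file layout (`<Printer name>` blocks containing `DeviceURI` and `AuthInfoRequired` lines) belong to this example, and the sample data is constructed.

```shell
#!/bin/bash
# Added example: audit a CUPS printers.conf for SMB queues that are not
# using Kerberos (negotiate) authentication.

# audit_smb_auth [FILE]   (reads stdin when no FILE is given)
# Prints "queue<TAB>auth" for each smb:// queue whose AuthInfoRequired is
# anything other than "negotiate"; a queue without that line is reported as
# "unset". Returns 1 if at least one such queue was found, 0 otherwise.
audit_smb_auth() {
	awk '
		# <Printer name> or <DefaultPrinter name> opens a queue definition
		/^<(Default)?Printer / {
			name = $2; sub(/>$/, "", name); uri = ""; auth = "unset"; next
		}
		$1 == "DeviceURI"        { uri = $2 }
		$1 == "AuthInfoRequired" { auth = $2 }
		# Closing tag: decide once the whole block has been read
		/^<\/(Default)?Printer>/ {
			if (uri ~ /^smb:\/\// && auth != "negotiate") {
				print name "\t" auth; bad = 1
			}
		}
		END { exit bad + 0 }
	' "$@"
}

# Constructed sample input (hypothetical queues, not from a real host)
sample_printers_conf() {
	cat <<'EOF'
<Printer Lab101>
DeviceURI smb://printserver.example.edu/Lab101
AuthInfoRequired negotiate
</Printer>
<DefaultPrinter Office_Color>
DeviceURI smb://printserver.example.edu/Office_Color
AuthInfoRequired username,password
</DefaultPrinter>
<Printer Lobby>
DeviceURI smb://printserver.example.edu/Lobby
</Printer>
<Printer USB_Laser>
DeviceURI usb://HP/LaserJet
AuthInfoRequired none
</Printer>
EOF
}
```

Run it against the sample with `sample_printers_conf | audit_smb_auth`, or against a host with `audit_smb_auth /etc/cups/printers.conf`; a non-zero exit status means at least one SMB queue still needs attention.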

Project available here
