While you can bind OS X computers to a Windows domain, getting single sign-on access to AD services in the process, there remains a weak link: the CUPS smbspool backend does not support Kerberos. It can only authenticate to an SMB print share with a username and password, and it cannot present the logged-in user's Kerberos ticket. So, while you can set up an Active Directory printer (they are even listed in the Printer Setup Utility Browse list), you can't print to it; the print server refuses the job with an Access Denied error.
The Solution… sort of:
Apparently some Apple SEs working in conjunction with the French Gov't have put together a solution: a CUPS backend script (ksmb) that intercepts the print job, then hands it to a daemon (user_kprintd) that runs inside the logged-in user's session rather than under cupsd. That matters because a Kerberos credential cache belongs to the user who logged in; cupsd and the backends it launches run under a system account that has no access to it, while a process started as the user can read the ticket. The user_kprintd daemon then authenticates to the AD printer share with that ticket and transfers the print job for printing.
There isn't much documentation for finding the pieces or putting it all together, so I figured I'd say my thanks to the AFP548 community for all the help they've given me by providing this 'guide' on how to put the whole thing together.
The only downside I've found to this is that you still can't use the nice Printer Setup Utility browse feature to add those AD printers you can see. I mean you can, but they still won't work. Hopefully in Leopard, I guess; then we can skip this whole workaround.
Instead you need to go into Printer Setup Utility (PSU from here on), click the Add printer button, then Option-click the "More Printers…." button at the bottom of the screen. This takes you to the manual printer setup screen. Select "Advanced" from the first popup list, then select "Windows Printer via SAMBA with Kerberos support v1" from the Device popup. From here you can enter a Device Name (whatever you want) and the Device URI, in the form ksmb://servername/printershare; the ksmb scheme is what routes the job to the ksmb backend instead of smbspool. Select the Printer Model and click Add.
Of course, if you've followed the AD-OD Integration v2.1 whitepaper, you already have these AD-integrated machines hooked up with OD, so you can set up these printers once on the server and use the Preferences settings in WGM to push the ksmb printers you want the users to have. Voila, centrally managed SSO printers for your OS X computers.
Instructions for Setting this up…
1. Download the ‘French solution’ mentioned at http://forums.macosxhints.com/showthread.php?t=64283. The download link is http://homepage.mac.com/szumlins/scripts/KerberizedPrinting.zip.
2. The archive contains two files. user_kprintd is the per-user daemon; I installed it in /usr/bin (it can be installed anywhere, just change the kPrintD script in step 3 to reference it properly). ksmb is the CUPS backend script, which needs to be installed into /usr/libexec/cups/backend/. Both files need to be executable. Since cupsd launches the backend with its own privileges, make sure both are owned by root and not writable by ordinary users.
3. Now, create a small script to launch the user_kprintd daemon at login, as the user who is logging in (the daemon must run as that user, not as root, or it cannot read that user's Kerberos ticket)…
a. In terminal, type sudo pico /usr/bin/kPrintD
b. Enter the following as your script. loginwindow runs a LoginHook as root and passes the short name of the user logging in as the first argument, $1, which is why su is used to start the daemon as that user:
#!/bin/sh
su "$1" -c /usr/bin/user_kprintd &
c. Save the file (Ctrl-O, Return) then exit pico (Ctrl-X)
d. Make the script executable (chmod 755) and leave it owned by root. Because loginwindow runs it as root at every login, it must not be writable by anyone else.
4. Make kPrintD run at login by adding it as a LoginHook…
a. Still in terminal, enter the following:
sudo defaults write com.apple.loginwindow LoginHook /usr/bin/kPrintD
5. Now, when you log in, the user_kprintd daemon will fire up as your user. If you print to an AD printer, the job goes into the queue, the ksmb backend script intercepts it and hands it to the user_kprintd process, which authenticates to the printer share with your Kerberos ticket and sends the job to the printer.
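As an added example (this is not code from the original post or from the KerberizedPrinting.zip package), here are steps 2 to 6 collected into one shell script: a hardened kPrintD login hook that checks the user name loginwindow hands it before that name reaches a root-run su command line, the install commands with the ownership and permission fixes the steps above call for, and an lpadmin equivalent of the PSU "Advanced" dialog for the ksmb:// URI. The file paths are the ones the post uses; the queue name, server, share and PPD path given to add_ksmb_printer are the caller's own (assumed) values.

```shell
#!/bin/sh
# Added example, not part of the original post or of KerberizedPrinting.zip.
# Paths follow the post; /usr/bin/user_kprintd is the post's chosen location.
DAEMON=/usr/bin/user_kprintd
BACKEND=/usr/libexec/cups/backend/ksmb
HOOK=/usr/bin/kPrintD

# loginwindow passes the short name of the user logging in as $1, and the hook
# runs as root, so the name is checked before it reaches the su command line:
# only plain short names, never empty, never option-like, never root.
validate_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*|root) return 1 ;;
    esac
    return 0
}

# Body of the login hook that install_hook writes to $HOOK. Same check as
# validate_user, then start the daemon in the background as that user so the
# login is not delayed. Exiting quietly keeps a broken setup from blocking logins.
hook_script() {
    cat <<'EOF'
#!/bin/sh
user="$1"
case "$user" in
    ''|-*|*[!A-Za-z0-9._-]*|root) exit 0 ;;
esac
[ -x /usr/bin/user_kprintd ] || exit 0
su "$user" -c /usr/bin/user_kprintd &
exit 0
EOF
}

# Steps 2 to 4: write the hook, fix ownership and mode on everything that is
# executed with elevated privileges (cupsd runs the backend, loginwindow runs
# the hook as root), then register the hook with loginwindow.
install_hook() {
    hook_script | sudo tee "$HOOK" >/dev/null
    sudo chown root:wheel "$HOOK" "$DAEMON" "$BACKEND"
    sudo chmod 755 "$HOOK" "$DAEMON" "$BACKEND"
    sudo defaults write com.apple.loginwindow LoginHook "$HOOK"
}

# Step 6 without the GUI: the same ksmb://server/share URI the post enters in
# PSU's Advanced dialog, handed to lpadmin. Queue name and PPD path are
# whatever the caller supplies (assumed values, nothing from the post).
add_ksmb_printer() {
    queue=$1; server=$2; share=$3; ppd=$4
    [ -x "$BACKEND" ] || { echo "ksmb backend missing at $BACKEND" >&2; return 1; }
    sudo lpadmin -p "$queue" -E -v "ksmb://$server/$share" -P "$ppd"
}

# Usage (assumed names):
#   sh kprint-setup.sh install
#   sh kprint-setup.sh add HR-Laser printsrv.example.com HR-Laser /path/to/model.ppd
case "${1:-}" in
    install) install_hook ;;
    add) shift; add_ksmb_printer "$@" ;;
esac
```

The hook deliberately exits 0 on every failure path: a LoginHook that returns an error or hangs can leave users unable to log in, and a missing print daemon is not worth that. The name check is cheap insurance for a value that is interpolated into a command run as root.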