Prinring via samba in active driectory environment

[EEPS]

Hey guys. Having some issues printing via samba in an active directory environment with kerberos authentication, I wrote some scripts to get around it. We are testing it here on a few macs around the office and so far its seems to be working pretty well. Specifically, these scripts work around the fact that the samba backend for cups does not have kerberos support, and even if it did, does not have access to the users kerberos tickets. These scripts install a user level launchd plist as well as a daemon that gets called by launchd on demand, and a smbspool replacement. The smbspool replacement intercepts the call to smbspool and instead sends the file to be printed to my user daemon where it then uses smbclient (that has kerberos support) to actually issue the print command as the user.

It would be cool if some of you that have this problem (identified as the NT_STATUS_ACCESS DENIED error) could test this a bit and see if this solves the problem for you. The source is of course included, since they are just bash scripts. To install it, just follow the directions in the INSTALL file in the archive.

[url]http://www.ecst.csuchico.edu/~eseifert/ADsamba/index.html[/url]

[jhamner]

[QUOTE]It would be cool if some of you that have this problem (identified as the NT_STATUS_ACCESS DENIED error) could test this a bit and see if this solves the problem for you. The source is of course included, since they are just bash scripts. To install it, just follow the directions in the INSTALL file in the archive.
[/QUOTE]

I’ve seen these errors too. To get around them I found some guys at WWDC 2006 who knew some guys who wrote a kerberos printer daemon. It rocks and works darn near seamlessly. Very easy to set up…just a loginhook. They call it kprintd.

That said, I’m happy to try out the scripts and see.

[s_groening]

I for one would love to get in touch with those guys you met at WWDC 2006… I’d really like to secure our printing solution this way!

[jhamner]

[QUOTE][u]Quote by: MacTroll[/u][p]If the printing solution mentioned at WWDC is the same one I’m familiar with, the scripts mentioned above are almost identical.

The WWDC one was a compiled binary, the ones above are shell scripts. End result is very much the same.[/QUOTE]
Yeah, the pkg I have provides a compiled binary.

[QUOTE]Latest builds of CUPS now have Kerberos authentication in the code, so if Apple picks this up for Leopard, you shouldn’t have to go through these hoops. Until then, the above solution should do you well.[/QUOTE]
In the meantime, I’ve written the person who originally gave me the kprintd installer and asked that he post it somewhere. I haven’t really dug into the shell scripts yet, but I’m intrigued.

[NYCNoodle]

I’ve implemented this solution in my environment, with some tweaks and modifications to give me log output for the calls to various scripts & compiled code. It works well… until… launchd becomes stale, and no longer has access to the user’s kerberos ticket. Ie; If I have a user that logs in, then stays logged in overnight, they can no longer print.

After troubleshooting, I find that if I run the user_kprintd (daemon) as the user, the printing works fine. But not if I kill the existing instance of user_kprintd, which is then respawned by launchd. I figure this is because the launchd is ‘stale’ and no longer has access to the current user’s environment for the kerberos ticket.

Has anyone else run into this issue? Not that it matters with Leopard right around the corner. But just curious.

-Josh

[Author]

Posts