SMB print with Kerberos
Hi there, I am deploying a printer via MCX, which works fine. However, the machines are using an LDAP Kerberos authentication setup. If I manually set Kerberos on the machine using the following steps, it works fine.
[CODE]
Open “http://localhost:631/printers” in Safari.
For each printer you wish to share using Kerberos:
Click the printer name in the list.
Choose “Set Default Options” from the “Administration” pop-up menu.
Click “Policies”.
Choose “Kerberos” from the “Operation Policy:” pop-up menu.
Click “Set Default Options”.[/CODE]
The problem I have is I can’t do this on each machine manually.
This setting is not held in the PPD for that printer. I have set the option, copied the PPD from /etc/cups/ppd and then created a new printer using this PPD but the option is not enabled.
I can see that when you enable this option it is writing to and then deleting the following files:
/var/spool/cups/cache/printername.png
/var/spool/cups/cache/printername.data.N
/var/spool/cups/cache/printername.png-psHg
/var/spool/cups/cache/printername.data
I am sure this is what is setting the option, but I can’t see anything in lpadmin or lpoptions that would allow this to be set via the command line.
Any ideas?
Have you tried using cupsctl? [url]http://www.cups.org/documentation.php/kerberos.html[/url]
This changes DefaultAuthType in /etc/cups/cupsd.conf, but it still doesn’t allow Kerberos-based printing.
I am going to use opensnoop while following your steps to see what gets changed.
I followed the steps that were laid out above and I still got an authentication window despite having a valid Kerberos ticket.
Did you do anything else custom to get it to work? Are you using Windows AD as the KDC or your own LDAP?
The machines are bound to AD and our own LDAP.
They are using LDAP as authentication so that NFS homes will work.
Due to this, SMB printing will not work by default and needs that Kerberos option enabled.
I found a whitepaper from Apple that has the following:
lpadmin -p printername -o auth-info-required=negotiate
However, it is not enabling the option either.
Okay, it looks as though the command that I said DOES in fact set Kerberos even though it does not show it through the CUPS page.
I have confirmed printing is working and is authenticating correctly.
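
Added example, not part of the thread: since the CUPS web page does not show the change, this sketch checks the setting on disk and applies the `lpadmin` option from the thread to every SMB queue that lacks it. It assumes CUPS records the option as an `AuthInfoRequired` line in `/etc/cups/printers.conf`; the function names, printer names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed data and hypothetical helper names throughout.

# List SMB queues in a CUPS printers.conf that do not have
# "AuthInfoRequired negotiate". Reading the real file needs root.
printers_missing_negotiate() {
    awk '
        /^<(Default)?Printer /   { name = $2; sub(/>$/, "", name); smb = 0; neg = 0; next }
        /^DeviceURI smb:/        { smb = 1 }
        /^AuthInfoRequired /     { neg = ($2 == "negotiate") }
        /^<\/(Default)?Printer>/ { if (smb && !neg) print name }
    ' "$1"
}

# Apply the lpadmin option quoted in the thread to every queue reported above.
enable_negotiate() {
    conf=${1:-/etc/cups/printers.conf}
    printers_missing_negotiate "$conf" | while IFS= read -r p; do
        lpadmin -p "$p" -o auth-info-required=negotiate || echo "failed: $p" >&2
    done
}

# Constructed sample printers.conf (not taken from a real machine).
sample_conf() {
    cat <<'EOF'
<Printer Finance_MFP>
DeviceURI smb://printserver.example.com/Finance_MFP
AuthInfoRequired username,password
</Printer>
<DefaultPrinter Lab_Laser>
DeviceURI smb://printserver.example.com/Lab_Laser
AuthInfoRequired negotiate
</DefaultPrinter>
<Printer Local_USB>
DeviceURI usb://Vendor/Model
</Printer>
<Printer Office_Color>
DeviceURI smb://printserver.example.com/Office_Color
</Printer>
EOF
}
```

Run `enable_negotiate` as root from a management or login script, then rerun `printers_missing_negotiate /etc/cups/printers.conf`; empty output means every SMB queue is set to negotiate.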