DeployStudio Forum

It can be hard with some printers to get ahold of the PPD. And even when you do, it references other files.
What I have found that works best for us, is to add the printer normally, so it gets the right ppds, programs, etc. Then edit /etc/cups/printers.conf and change smb:// to ksmb://.. and remove the AuthInfoRequired line.
When doing it this way, nothing is missing, and you get printing via kerberos.

Or you can take the more advanced approach we actually do, and just move the smb backend to the side, and symlink smb to ksmbprintspool, this way you can just add a printer as expected, and it'll be kerberised right off the bat (This in combination with a script that parses printers.conf to remove the AuthInfo Required line, which I can post if someone would like it).

Per Request... I have this file - edu.pct.krbprint.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <false/>
    <key>Label</key>
    <string>edu.pct.krbprint</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/krbprint.sh</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>/etc/cups/printers.conf</string>
    </array>
</dict>
</plist>

And this file - krbprint.sh:

#!/bin/bash
##################
# Kerberos printing script for PCT
# Used in combination with LaunchD to monitor the printers.conf
# and when a user adds a printer, this removes the auth requirement
# Created By: Brandon Penglase
# Creation Date: 09/17/09
# Modified On:
# Modified By:
# ChangeLog:
#    0.1: Inital Release
##################
DATE=`date "+%m%d%y-%H%M%S"`

if grep -q "AuthInfoRequired" /etc/cups/printers.conf; then
    if [ ! -d /etc/cups/confbaks ]; then
        mkdir /etc/cups/confbaks
    fi
    sed /AuthInfoRequired/d /etc/cups/printers.conf > /tmp/printers.conf
    mv /etc/cups/printers.conf /etc/cups/confbaks/printers.conf-${DATE}
    mv /tmp/printers.conf /etc/cups/printers.conf
    chown root:_lp /etc/cups/printers.conf
    chmod 600 /etc/cups/printers.conf     
    launchctl stop org.cups.cupsd
    launchctl start org.cups.cupsd
    echo ${DATE} "- Modified printers.conf" >> /var/log/krbprint.log
else
    echo ${DATE} "- No Modifications made." >> /var/log/krbprint.log
fi

You will also want to do the following:

cd /usr/libexec/cups/backend
mv smb smb-old
ln -s /usr/local/bin/ksmbprintspool smb

This moves the existing smb backend to smb-old, and causes all smb printing to go through the ksmbprintspool, which is the backend to ksmb. The reason for this is just clicking on a printer adds it as smb.

Basically, the edu.pct.krbprint.plist file gets added to /Library/LaunchDaemons/, and loaded into launchd with "launchctl load /Library/LaunchDaemons/edu.pct.krbprint.plist" as root.
the krbprint.sh file gets put into /usr/local/bin, with owner root:wheel, permissions 755 (user read/write/exec, group read/exec, world read/exec).

So.. what happens is the launch daemon now monitors the /etc/cups/printers.conf file. When it's modified, it runs the krbprint.sh script. This goes through, removed the "AuthInfoRequired" line (on ALL printers), that causes OS X to prompt for credentials, and reloads cups.

It also logs out to /var/log/krbprint.log

Oh, and it backs up the printers.conf file at each modifications, Just in case :)

It's fairly simple, may be a bit crude, but it does the job perfectly for us.

There was just a thread last week on the MacEnterprise list about using the built in kerberos printing in 10.6, but I haven't tried it yet. I got a feeling I may still need a script like this one though.