Enable Single Sign On Printing in OS X

Hi all.

I’ve been to a fair few of our clients’ sites now that run a managed print server for their network printing needs. Almost every time, the print queues need to be SSO / Kerberised to work with Active Directory accounts. Otherwise the users are asked to provide authentication for these AD accounts every time they print.

This is easy enough to fix from the command line, but what if you have a number of printer queues of which most or even all need to be kerberised?

Enter the Script

For ease of use, we utilise a script at Amsys for a while now. It simply loops through all installed printers, configuring them to use SSO first, and then fall back if this isn’t compatible. This allows home or local printers that may get caught up in the script, to still work fine, even with the setting configured. This would also allow us to potentially leave the script running repeatedly on a schedule (say, once a week or once a month) without any harm.

Well, enough waffling on. Here’s the script we use:

#!/bin/bash
#######################################################
#declare -x BUILD=2011022409
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
declare -x MYNAME="configureCUPSKerb.sh"

## Executable vars
declare -x awk="/usr/bin/awk"
declare -x grep="/usr/bin/grep"
declare -x logger="/usr/bin/logger"
declare -x lpadmin="/usr/sbin/lpadmin"
declare -x lpstat="/usr/bin/lpstat"
declare -x mkdir="/bin/mkdir"
declare -x perl="/usr/bin/perl"

## Get a list of our SMB printers

declare -x SMBPRINTERS="$("$lpstat" -v | "$grep" smb | "$perl" -p -e 's/device for (.*): smb.*/$1/g')"
OLDIFS="$IFS"
IFS=$'n'
for SMBPRINTER in $SMBPRINTERS; do
	"$lpadmin" -p "$SMBPRINTER" -o auth-info-required=negotiate
done

Summary

There you go, a nice easy one that hopefully helps people out! As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

Bootnote

After some digging around, I think I found where we originally discovered the script, or at least another copy of it.

Massive thanks to Beau Hunter and JAMF Nation!


Disclaimer

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

2 Replies to "Enable Single Sign On Printing in OS X"

  • Hi Graham,

    To be honest, I’ve not really looked at the script in too much detail. It’s done the job and so I’ve left it!

    My understanding is that any custom separators should only apply during the script run, but if I’m wrong I’d love to know!

    Darren

Leave a Reply

Your email address will not be published. Required fields are marked *