Krbprint with ksmbprintd

From AFP548 Wiki

Work in Progress:

On our campus, we like to have single sign-on working where possible. This includes printing. Up until recently, Kerberos printing didn't work well using the OS's built-in capabilities, so the DeployStudio team came up with ksmbprintd. While using it is nice, you had to modify the printers.conf file every time you added a printer to the system. This isn't very user-friendly, so I came up with the following script: once a printer is added via the GUI, it makes the changes in the config file automatically.

The basic rundown is this:

  • Uses LaunchD to monitor printers.conf for changes
  • Upon changes, it fires off /usr/local/bin/
  • The script double-checks that the CUPS smb backend is actually symlinked to ksmb (/usr/libexec/cups/backend); if it is not, it moves the current smb to smb-orig and then creates the symlink
  • Parses printers.conf for the AuthInfoRequired line, and deletes it, since it isn't needed with ksmbprintd
  • Before making file changes, it stops cups, makes the change, then starts cups again
  • Logs out to /var/log/krbprint.log when it runs (printers.conf is modified)

And now, the files:

The LaunchD plist gets placed in /Library/LaunchDaemons - edu.pct.krbprint.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

And the script gets placed in /usr/local/bin -

#!/bin/sh
# Kerberos printing script for PCT
# Used in combination with LaunchD to monitor the printers.conf
# and when a user adds a printer, this removes the auth requirement
# Created By: Brandon Penglase
# Creation Date: 09/17/09
# Modified On: 10/19/10
# Modified By: Brandon Penglase
# ChangeLog:
#	0.1: Initial Release
#	0.2: Updated to look for the smb symlink, if it's not there, create it.
#	0.3: Updated to use sed file inline editing, instead of creating a new file
#		and having to move that file back into place.
DATE=`date "+%m%d%y-%H%M%S"`
# Check to see if /usr/libexec/cups/backend/smb is a symlink, if not, correct it.
if [ ! -L /usr/libexec/cups/backend/smb ]; then
	# It isn't, so fix that
	echo "${DATE} - Fixed SMB Symlink" >> /var/log/krbprint.log
	mv /usr/libexec/cups/backend/smb /usr/libexec/cups/backend/smb-orig
	ln -s /usr/local/bin/ksmbprintspool /usr/libexec/cups/backend/smb
fi
# If any printer still carries an AuthInfoRequired line, remove it while cups is stopped.
if grep -q "AuthInfoRequired" /etc/cups/printers.conf; then
	launchctl stop org.cups.cupsd
	# BSD sed: "-i bak" edits in place and keeps the old file as printers.confbak
	sed -i bak -e '/AuthInfoRequired/d' /etc/cups/printers.conf
	launchctl start org.cups.cupsd
	echo "${DATE} - Modified printers.conf" >> /var/log/krbprint.log
else
	echo "${DATE} - No Modifications made." >> /var/log/krbprint.log
fi

Owner/group should be root:wheel on both files, and permissions should be 644 on the plist and 755 on the script.

Note: If you are putting this on a fresh image, you will need to run the following command to create printers.conf, before loading it into launchd, or it will never work right:

sudo touch /etc/cups/printers.conf

Basically, launchd will latch onto something to monitor, and if the file is not there, once it's created, it won't monitor the correct file, and will never launch when you add a printer.

To load it into launchd: sudo launchctl load /Library/LaunchDaemons/
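
Because launchd runs the script as root every time printers.conf changes, a plist or script that another account can modify is a path to root, so it is worth confirming the ownership, modes and printers.conf prerequisite described above before loading the job. The following preflight is an added example, not part of the original script; the function names are hypothetical, the file paths are passed as arguments (the script's file name is not given on this page), and group ownership is not checked.

```sh
#!/bin/sh
# Preflight for the krbprint install: run before "launchctl load".
# Added example; check_file and preflight are hypothetical helper names.

# check_file FILE MODE OWNER
# Succeeds only if FILE is a regular file (not a symlink) with exactly
# MODE permission bits and owned by OWNER (user name or numeric uid).
check_file() {
    file=$1; want_mode=$2; want_owner=$3
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 1
    fi
    # "find -perm MODE" matches the exact mode on both BSD and GNU find.
    if [ -z "$(find "$file" -perm "$want_mode" -user "$want_owner" 2>/dev/null)" ]; then
        echo "FAIL: $file is not mode $want_mode owned by $want_owner"
        return 1
    fi
    echo "ok:   $file (mode $want_mode, owner $want_owner)"
}

# preflight PLIST SCRIPT PRINTERS_CONF [OWNER]
# Exit status is the number of failed checks (0 means safe to load).
preflight() {
    plist=$1; script=$2; conf=$3; owner=${4:-root}
    fails=0
    check_file "$plist" 644 "$owner" || fails=$((fails + 1))
    check_file "$script" 755 "$owner" || fails=$((fails + 1))
    # launchd has to find printers.conf when the job is loaded.
    if [ -e "$conf" ]; then
        echo "ok:   $conf exists"
    else
        echo "FAIL: $conf is missing; create it with touch before loading"
        fails=$((fails + 1))
    fi
    echo "preflight finished with $fails problem(s)"
    return "$fails"
}

# Usage (substitute the real script path for the placeholder):
#   sudo sh -c '. ./preflight.sh; preflight \
#     /Library/LaunchDaemons/edu.pct.krbprint.plist \
#     /usr/local/bin/SCRIPT_NAME /etc/cups/printers.conf'
```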


  • Update it for built-in Kerberos printing, which is working in 10.6.8
  • Verify functionality with Lion (10.7) using built-in Kerberos printing