Printing to a Windows Print Server using 10.4.3

jtrusse · 01-05-2006, 05:46 PM

Here is the situation. I am running a multi-user lab where users authenticate using Active Directory. No problems there. The problem is with the printer.
No matter what I try, I get the error "Unable to connect to SAMBA host, will retry in 60 seconds...ERROR: Connection failed with error NT_ACCESS_NO_MEMORY".

I have seen several people suggest using windows printing, then select the print server out of the network neighborhood. The problem I have there is the printer not showing up in a list of available printers. Also it requires me to place a userid and password. So unless I sit in the lab all day and map the printers for each user, that is not an option. Any suggestions? Below is all the pertinant information:

Clients: OS 10.4.3 authenticating using Windows Active Directory
Server: Windows 2003 SP1
Printer: HP 1320N

gsahli · 01-05-2006, 08:44 PM

try this in Terminal for troubleshooting:
smbclient -NL {IP address of Win2003 server}

Please post the result here (you can remove WAN IP addresses).

giskard22 · 01-05-2006, 09:32 PM

I don't know anything about AD, so I can't help you there. But you can definitely add a Samba printer queue via the command line (using lpadmin, I believe). For the url, you just use a typical smb://[user

ass]server/queue

You manually specifiy the path to the PPD, and if you need to set any of the options for the printer (like an additional tray) you'll have to examine the PPD to figure out the syntax for each model of printer. I've had to make a script that does this so I can post some examples if you need them.

jtrusse · 01-06-2006, 07:47 AM

smbclient -NL xxx.xxx.xxx.204
Anonymous login successful
Domain=[BC] OS=[Windows Server 2003 3790 Service Pack 1, v.1433] Server=[Windows Server 2003 5.2]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
session request to 207.xxx.xxx.204 failed (Called name not present)
session request to 207 failed (Called name not present)
Anonymous login successful
Domain=[BC] OS=[Windows Server 2003 3790 Service Pack 1, v.1433] Server=[Windows Server 2003 5.2]

Server Comment
--------- -------
removed per network admin. A full listing of all the computers in the workgroup BC

Workgroup Master
--------- -------
BC <Domain Controller>
HOME HOLLY
MSHOME BULLWINKLEJMOOS
WORKGROUP BCOTMWS01

jtrusse · 01-08-2006, 02:38 PM

Quote:

Originally Posted by giskard22


	I don't know anything about AD, so I can't help you there. But you can definitely add a Samba printer queue via the command line (using lpadmin, I believe). For the url, you just use a typical smb://[userass]server/queue You manually specifiy the path to the PPD, and if you need to set any of the options for the printer (like an additional tray) you'll have to examine the PPD to figure out the syntax for each model of printer. I've had to make a script that does this so I can post some examples if you need them.

Do any of your scripts collect the user's credentials and pass them to the print server? If so, please post them. I would be very interested in seeing them.

giskard22 · 01-08-2006, 07:50 PM

No, none of them are that fancy. They're all using a preset user/pass combination. However, I believe that most login methods will assume the logged-in username unless otherwise specified (i.e. if your username is john than 'ssh server1' will assume the username 'john'). I don't know how passwords would be supplied (keychain?).

I thought the whole point of AD or OD authentication was that you could use Kerberos (or the Microsoft equivalent) to avoid these issues.

jtrusse · 01-09-2006, 08:29 AM

Thats the thought. It just isnt working. I believe my only other option is to either print through Appletalk, which we are trying to eliminate on the network, or print strait to the printer, bypassing the print server, which defeats to point of having a print server. It also looses our ability to audit print jobs.

giskard22 · 01-09-2006, 11:30 AM

Avoid Appletalk at all costs.

I've never used AD, so I can't really help with the authentication stuff (you could try Apple's Client Management mailing list). But here's a sample of adding the print queue from a script:

Code:

/usr/sbin/lpadmin -p "ServiceB-NoLimit" -E -v "socket://172.18.191.211" -P /Library/Printers/PPDs/Contents/Resources/en.lproj/hp\ LaserJet\ 4200\ Series.gz -o HPOption_Tray3=Tray3_500 -o InstalledMemory=Mem3

The URL could be replaced with "smb://...". The -o strings were pulled from the PPD. Each printer has its own syntax for available options.

sxdxoutlaw · 02-09-2006, 02:30 PM

I have been wrestling with the kerberos printing issue for sometime at the university I work at as well.

We are a cross-platform laptop university whose central directory service is a Micro$oft Active Directory. We manage somewhere in the neighborhood of 750 iBooks and 100 Macintosh workstations in labs and offices.

Due to the insecurity of writing users credentials in the printers.conf file, we were forced to use anonymous printing via LPR as our Macintosh solution for the past two plus years.

I have been in contact with Matthew Sweet, the co-developer of CUPS and have scoured CUPS and Samba forums for a kerberized printing solution for what seems like an eternity. I came up with no viable solution. Now, here's the rub...

I hit gold a month back when I came across a discussion thread where they mentioned a possible solution. I can't remember the URL for that thread, but I did contact that individual who had mentioned it. He said that an supported solution had been created for the French government.

He encouraged me to get in touch with your local SE and ask about some scripts which were put together for the French government to work around this issue in both 10.3 and 10.4. Now, I had contacted our SE regularly pushing for a solution with no luck. I was not holding my breath...

To my surprise, contacting our Apple System Engineer and mentioning the French government solution was the pass phrase needed to get a kerberos printing solution.

I have personally tested the solution and have verified it works. You must setup the printer through the advanced setup options in the Print Center.
But, it prints by intercepting the print job in the spooler and using a kerberos smb print binary to send the job on using the cached kb5 ticket.

In short, it's now possible to get Kerberized SMB printing working but it's completely unsupported from an official point of view.

giskard22 · 02-09-2006, 05:53 PM

Wow, that's crazy. I'm not familiar with the intricacies of CUPS, so I guess I naively figured that since the Samba file services client is kerberized, the print stuff would be too.

etgadsby · 02-10-2006, 03:57 PM

My institution has been dealing with the same issue. What solution did you find? Can you post a link to it or elaborate on the procedure? Thanks!

reid512 · 02-14-2006, 12:15 PM

sxdx,

Please, share the wealth. There are lots of people out there struggling with this issue.
We would be very grateful to get some more info on the French solution.

Could you post the scripts?
What type of configuration was required?

Thanks in advance.

etgadsby · 02-14-2006, 03:04 PM

Of course I second reid512 here. I look forward to seeing what sxdxoutlaw has to share.

That said I did want to mention another place this issue is being looked at:http://www.apple-scripts.com/forums/viewtopic.php?t=26 . They have a solution that works but is less then elegant then what we are ultimatly looking for.

01-06-2006, 07:47 AM	#4
jtrusse Prospect Join Date: Jan 2006 Posts: 4	results of smbclient -nl smbclient -NL xxx.xxx.xxx.204 Anonymous login successful Domain=[BC] OS=[Windows Server 2003 3790 Service Pack 1, v.1433] Server=[Windows Server 2003 5.2] Sharename Type Comment --------- ---- ------- Error returning browse list: NT_STATUS_ACCESS_DENIED session request to 207.xxx.xxx.204 failed (Called name not present) session request to 207 failed (Called name not present) Anonymous login successful Domain=[BC] OS=[Windows Server 2003 3790 Service Pack 1, v.1433] Server=[Windows Server 2003 5.2] Server Comment --------- ------- removed per network admin. A full listing of all the computers in the workgroup BC Workgroup Master --------- ------- BC <Domain Controller> HOME HOLLY MSHOME BULLWINKLEJMOOS WORKGROUP BCOTMWS01 Last edited by jtrusse; 01-06-2006 at 09:52 AM.

01-09-2006, 11:30 AM	#8
giskard22 Moderator Join Date: May 2003 Posts: 4,272	Avoid Appletalk at all costs. I've never used AD, so I can't really help with the authentication stuff (you could try Apple's Client Management mailing list). But here's a sample of adding the print queue from a script: Code: /usr/sbin/lpadmin -p "ServiceB-NoLimit" -E -v "socket://172.18.191.211" -P /Library/Printers/PPDs/Contents/Resources/en.lproj/hp\ LaserJet\ 4200\ Series.gz -o HPOption_Tray3=Tray3_500 -o InstalledMemory=Mem3 The URL could be replaced with "smb://...". The -o strings were pulled from the PPD. Each printer has its own syntax for available options.

02-10-2006, 03:57 PM	#11
etgadsby Prospect Join Date: May 2005 Posts: 24	Great! :) My institution has been dealing with the same issue. What solution did you find? Can you post a link to it or elaborate on the procedure? Thanks!

01-05-2006, 05:46 PM	#1
jtrusse Prospect Join Date: Jan 2006 Posts: 4	Here is the situation. I am running a multi-user lab where users authenticate using Active Directory. No problems there. The problem is with the printer. No matter what I try, I get the error "Unable to connect to SAMBA host, will retry in 60 seconds...ERROR: Connection failed with error NT_ACCESS_NO_MEMORY". I have seen several people suggest using windows printing, then select the print server out of the network neighborhood. The problem I have there is the printer not showing up in a list of available printers. Also it requires me to place a userid and password. So unless I sit in the lab all day and map the printers for each user, that is not an option. Any suggestions? Below is all the pertinant information: Clients: OS 10.4.3 authenticating using Windows Active Directory Server: Windows 2003 SP1 Printer: HP 1320N

01-05-2006, 08:44 PM	#2
gsahli MVP Join Date: Apr 2004 Location: Chicago Posts: 1,264	try this in Terminal for troubleshooting: smbclient -NL {IP address of Win2003 server} Please post the result here (you can remove WAN IP addresses).

01-05-2006, 09:32 PM	#3
giskard22 Moderator Join Date: May 2003 Posts: 4,272	I don't know anything about AD, so I can't help you there. But you can definitely add a Samba printer queue via the command line (using lpadmin, I believe). For the url, you just use a typical smb://[userass]server/queue You manually specifiy the path to the PPD, and if you need to set any of the options for the printer (like an additional tray) you'll have to examine the PPD to figure out the syntax for each model of printer. I've had to make a script that does this so I can post some examples if you need them.

01-08-2006, 07:50 PM	#6
giskard22 Moderator Join Date: May 2003 Posts: 4,272	No, none of them are that fancy. They're all using a preset user/pass combination. However, I believe that most login methods will assume the logged-in username unless otherwise specified (i.e. if your username is john than 'ssh server1' will assume the username 'john'). I don't know how passwords would be supplied (keychain?). I thought the whole point of AD or OD authentication was that you could use Kerberos (or the Microsoft equivalent) to avoid these issues.

01-09-2006, 08:29 AM	#7
jtrusse Prospect Join Date: Jan 2006 Posts: 4	Thats the thought. It just isnt working. I believe my only other option is to either print through Appletalk, which we are trying to eliminate on the network, or print strait to the printer, bypassing the print server, which defeats to point of having a print server. It also looses our ability to audit print jobs.

02-09-2006, 02:30 PM	#9
sxdxoutlaw Registered User Join Date: Feb 2006 Posts: 1	I have been wrestling with the kerberos printing issue for sometime at the university I work at as well. We are a cross-platform laptop university whose central directory service is a Micro$oft Active Directory. We manage somewhere in the neighborhood of 750 iBooks and 100 Macintosh workstations in labs and offices. Due to the insecurity of writing users credentials in the printers.conf file, we were forced to use anonymous printing via LPR as our Macintosh solution for the past two plus years. I have been in contact with Matthew Sweet, the co-developer of CUPS and have scoured CUPS and Samba forums for a kerberized printing solution for what seems like an eternity. I came up with no viable solution. Now, here's the rub... I hit gold a month back when I came across a discussion thread where they mentioned a possible solution. I can't remember the URL for that thread, but I did contact that individual who had mentioned it. He said that an supported solution had been created for the French government. He encouraged me to get in touch with your local SE and ask about some scripts which were put together for the French government to work around this issue in both 10.3 and 10.4. Now, I had contacted our SE regularly pushing for a solution with no luck. I was not holding my breath... To my surprise, contacting our Apple System Engineer and mentioning the French government solution was the pass phrase needed to get a kerberos printing solution. I have personally tested the solution and have verified it works. You must setup the printer through the advanced setup options in the Print Center. But, it prints by intercepting the print job in the spooler and using a kerberos smb print binary to send the job on using the cached kb5 ticket. In short, it's now possible to get Kerberized SMB printing working but it's completely unsupported from an official point of view.

02-09-2006, 05:53 PM	#10
giskard22 Moderator Join Date: May 2003 Posts: 4,272	Wow, that's crazy. I'm not familiar with the intricacies of CUPS, so I guess I naively figured that since the Samba file services client is kerberized, the print stuff would be too.

02-14-2006, 12:15 PM	#12
reid512 Prospect Join Date: Feb 2006 Posts: 2	sxdx, Please, share the wealth. There are lots of people out there struggling with this issue. We would be very grateful to get some more info on the French solution. Could you post the scripts? What type of configuration was required? Thanks in advance.

02-14-2006, 03:04 PM	#13
etgadsby Prospect Join Date: May 2005 Posts: 24	Of course I second reid512 here. I look forward to seeing what sxdxoutlaw has to share. That said I did want to mention another place this issue is being looked at:http://www.apple-scripts.com/forums/viewtopic.php?t=26 . They have a solution that works but is less then elegant then what we are ultimatly looking for.