We have a network-wide CUPS server that offers authenticated printer access to all our campus users. We've been pretty disappointed with the way Mac clients handle bad printing authentication, though. In any other authentication dialog, when a user types in a bad username or password, the window shakes briefly, allowing the user to re-enter. With printers, this isn't the case. It'll happily accept (and even save to the keychain, if specified) bad credentials. The authentication dialog is dismissed, and the user then has to deal with the print jobs showing up as 'On hold (authentication required)'. To get their job printed, they need to select it in the printer's queue, click 'Resume', then re-enter appropriate credentials. Is there a way to get failed printing authentication to work more intuitively for Mac OS X clients? ![]() Kerberos authentication on a Mac OS X workstation with Chrome. October 21, 2013. Kerberos v5 is baked into Windows and Internet Explorer and works great with many LDAP-enabled services (for example, Drupal's LDAP module allows includes a submodule for SSO support). ![]() We're trying to support a BYOD environment, but our end users have been really confused by this. It's made even worse by the way it pre-populates the user's full login name (e.g. 'Smith, John'), which tends to make them think to use their local machine passwords. @gravyface Server-side, we see repeated failed authentication attempts (about once each second) from any machine sitting in the limbo of 'bad credentials accepted' and 'On hold (authentication required)'. From the logs, I can see their IP address, but that's about it. I understand we can't expect everything to work cleanly and intuitively with BYOD, but in this case it really seems like if authentication failure worked like it does in other areas of OS X (prompts user again), that'd be acceptable. – Sep 5 '12 at 3:17. I don't know of a way to get the Mac to behave/respond differently natively, but you may have better luck writing a printer setup script that uses lpadmin where you can specify the printer/printer path as well as credentials. You could attempt to authenticate with lpadmin (and -o auth-info-required=username,password); not sure if there's any feedback to stdout when that commands executed though, and it also has to be run with sudo. You can disable the pre-population (in OS X 10.5+ I believe) with: defaults write /Library/Preferences/com.apple.NetworkAuthorization UseShortName -bool YES defaults write /Library/Preferences/com.apple.NetworkAuthorization UseDefaultName -bool NO This alone may reduce the number of incorrect authentication attempts along with clear documentation on what credentials to use (I usually phrase it like, 'use the same network username and password you use on your Windows computer at the office').
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
March 2019
Categories |