Sunday, May 8, 2011

Tech Tip: Solving the Need to Authenticate a "Print Operator" to Change Printer Settings on Mac OS X 10.6

On Mac OS X 10.6 (Snow Leopard) a non-administrator user cannot change all settings of the installed printers. This is really annoying when a printer error causes the print queue to go on hold: the user cannot resume printing when the problem has been solved. Instead, a dialog pops up asking for the user name and password of a member of the "Print Operators" group. Usually, that means a system administrator has to manually enter the credentials before the user can resume working.

The problem is caused by the fact that only members of the group "Print Operators" are allowed to control the printer. Normal users (i.e. members of the group "Staff") are not automatically added to the group "Print Operators". This makes sense in an environment where you don't want Joe Public messing with printer settings. It makes less sense in a lab or production environment where the staff can be trusted with the printers.

Fortunately, I found a simple solution here:

In Terminal, type the following:

    dseditgroup -o edit -u ADMINUSER -p -a USER -t user _lpadmin

where ADMINUSER is the user name of an administrator and USER is the user name you want controlling the printer.

You will be asked for the password of ADMINUSER and then USER is added to the "_lpadmin" group, solving the problem permanently.

A word of advice to the wise: I do not know if adding a user to the group "_lpadmin" has any side effects. The users of the machines I administer are considered trustworthy. The only reason they do not have administrative privileges is to protect the machines from unintended damage. So giving limited administrative privileges is not a problem. This may be different in your environment.

Consider the implications carefully before making changes!

Background Information
It appears that the problems observed are not uniform: some machines always show the problem, some not at all, and some only for some users.

It looks like Apple changed the defaults some time during the life-cycle of Mac OS X 10.5 (I have been unable to ascertain when exactly). Users created before the change were all members of "_lpadmin", users created later are not members.

The best solution would be to tell CUPS (the printing system used in Mac OS X) to allow members of the group "Staff" to control the printer. To do so, the following section of the file /etc/cups/cupsd.conf

    AuthType Default
    Require user @AUTHKEY(system.print.operator) @admin @lpadmin
    Order deny,allow

needs to be changed to something like

    AuthType Default
    Require user @AUTHKEY(system.print.operator) @admin @lpadmin @staff
    Order deny,allow

I did not try this myself. If you do, you may find cupsd.conf documentation useful. I would appreciate a comment telling about your experiences. Good luck!
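One way to see which operations the edited `Require user` line would open up to `@staff` before changing a live machine, as an added example that is not part of the original post. The function names `sample_conf` and `ops_for` are hypothetical, and the sample configuration, including the operations listed in its `<Limit>` tags, is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list the IPP operations a
# principal may perform according to the <Limit> blocks of a cupsd.conf.

# Constructed sample, not a real default file. $1 is an optional extra
# principal appended to the operator line, mirroring the edit shown above.
# The operations named in each <Limit> tag are assumptions for illustration.
sample_conf() {
    cat <<EOF
<Policy default>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes>
    AuthType Default
    Require user @AUTHKEY(system.print.operator) @admin @lpadmin $1
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# ops_for PRINCIPAL: read a cupsd.conf on stdin and print, one per line,
# every operation whose <Limit> block names PRINCIPAL in "Require user".
ops_for() {
    awk -v who="$1" '
        $1 == "<Limit" {                 # opening tag: collect operation names
            n = 0
            for (i = 2; i <= NF; i++) {
                op = $i; sub(/>$/, "", op)
                if (op != "") ops[++n] = op
            }
            inblock = 1; next
        }
        $1 == "</Limit>" { inblock = 0; next }
        inblock && $1 == "Require" && $2 == "user" {
            for (i = 3; i <= NF; i++)
                if ($i == who)
                    for (j = 1; j <= n; j++) print ops[j]
        }
    ' | sort -u
}

# Operations @staff would gain from the edited line in the sample:
sample_conf @staff | ops_for @staff
```

On a real machine, feed it the actual file with `ops_for @staff < /etc/cups/cupsd.conf` and compare the output before and after the edit.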
