OS X Lion: How to enable Kerberos authentication for shared printers

Summary

Learn how to enable Kerberos authentication for shared printers for both Active Directory and Open Directory-based systems.

Products Affected

Mac OS Printing/Fax (any version), OS X Lion

Log in as an administrator to follow these steps. The first user account created in OS X Lion is an administrator account.

To configure for Active Directory

  1. Add the Active Directory server to the list of DNS server:
    1. Open System Preferences, choose Apple menu > System Preferences…
    2. Choose View > Network.
    3. If the padlock in the lower left is locked, click it and enter an administrator name and password to unlock.
    4. Enter "DNS" in the search field and press return.
    5. Click "+" under the "DNS servers:" pane, enter IP address of the Active Directory server.
    6. Click "+" under the "Search Domains:" pane, enter Active Directory domain name.  
  2. Bind to Active Directory server through Users & Groups pane:
    1. Open System Preferences, choose Apple menu > System Preferences…
    2. Choose View > Users & Groups.
    3. If the icon in the lower left is locked, click it and enter an administrator name and password to unlock.
    4. Click "Login Options".
    5. Click "Join…" button next to "Network Account Server:".
    6. Enter the hostname of the Active Directory server, then click OK.
    7. Enter credentials for the Active Directory server.  
  3. Execute the following Terminal command to enable the CUPS web interface:
    • cupsctl WebInterface=yes
  4. Open the URL "http://localhost:631/printers" in Safari.
  5. For each printer you wish to share using Kerberos:
    1. Click the printer name in the list.
    2. Choose "Set Default Options" from the "Administration" pop-up menu.
    3. Click "Policies".
    4. Choose "kerberos" from the "Operation Policy:" pop-up menu.
    5. Click "Set Default Options".
  6. Once you have completed this process, run this command in Terminal:
    • cupsctl WebInterface=no

To configure for Open Directory

  1. Bind to Open Directory server through Users & Groups pane.
    1. Open System Preferences, choose Apple menu > System Preferences…
    2. Choose View > Users & Groups.
    3. If the padlock in the lower left is locked, click it and enter an administrator name and password to unlock.
    4. Click "Login Options".
    5. Click the "Join…" button next to "Network Account Server:".
    6. Enter the hostname of the Open Directory server, then click OK.  
  2. Execute the following Terminal command to enable the CUPS web interface:
    • cupsctl WebInterface=yes
  3. Open "http://localhost:631/printers" in Safari.
  4. For each printer you wish to share using Kerberos:
    1. Click the printer name in the list.
    2. Choose "Set Default Options" from the "Administration" pop-up menu.
    3. Click "Policies".
    4. Choose "Kerberos" from the "Operation Policy:" pop-up menu.
    5. Click "Set Default Options".
  5. Once you have completed this process, run this command in Terminal:
    • cupsctl WebInterface=no
Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.
Not helpful Somewhat helpful Helpful Very helpful Solved my problem
Ask other users about this article
in Apple Support Communities
See all questions on this article See all questions I have asked