6

I'm in the process of testing a Windows Server 2008 R2 print server for a mixed OS X/Windows environment.

Any security permissions (AD groups) I set for the printers on the print server are not honoured by the OS X clients. Only if I remove absolutely all permissions for a given printer will an OS X client not print to that printer. The Windows clients honour the permissions as expected.

The PrintService log doesn't record any activity when an unprivileged Windows client attempts to print, and records a typical print job when an unprivileged OS X client attempts to print.

Has anyone encountered this problem before and have a fix? With 600-700 clients, a number of which are dual-booting, restricting by IP address is not viable.

EDIT: The jobs are definitely going through the print server, they show up in the logs with their AD credentials.

Ilumiari
  • 61
  • 4
  • 5
    The problem isn't with the client, it's with the server. How are you submitting the print jobs, exactly ? – Stephane Jun 23 '10 at 09:07
  • 2
    What Stephane said -- The print server is ultimately responsible for enforcing permissions. Is it possible your jobs are getting to the printer through a side-channel (IPP?) – voretaq7 Jun 23 '10 at 15:24
  • The printing tests I've done have been through Word and TextEdit - since the unpermissioned jobs are being logged by the print server, I'm pretty sure that there is no side-channel involvement. – Ilumiari Jun 30 '10 at 01:13
  • 2
    It sounds to me like the Macs are connecting directly to the printer, instead of going through the server, which would also explain the lack of log entries. – John Gardeniers Jul 14 '10 at 10:10
  • There isn't a lack of log entries - the server is logging the unpermissioned Mac print print jobs just as it would log permissioned print jobs. – Ilumiari Jul 30 '10 at 03:20
  • how are the macs connecting to the windows print queues? – edusysadmin Oct 15 '10 at 20:37
  • Are the unpermissioned print jobs actually printing? If they're not, then I'd say your permissions are working. – staticsan Mar 20 '12 at 01:03

1 Answers1

0

what username / account do the Mac OS jobs show as in the print queue, exactly as their AD credentials, or something different? (perhaps anonymous, local account name or similar)

if the users aren't authenticating to AD on the Mac side, then the permissions you expect won't apply.

We have lots of Mac users doing this happily (and then being charged) so definitely possible.

MartinC
  • 21
  • 3