We have found the most excellent program that that will allow our OSX machines to print through our Windows Print servers. (ksmbprint from http://deploystudio.com/)
The program allows for smb printing with to the servers through kerberos authentication - taking away the need to constantly put in the AD username and password for each print job and for us not to have to set up specific printers on the 300 or so machines that will be printing using lpadmin.
The issue is that the kerberos ticket lasts for 10 hours. 10 hour 1 second and the print job goes to the ether - looks like it goes through, but goes to nowhere.
In testing I can go to Keychain Access -> Ticket Viewer then renew the ticket, after entering my AD password. This is fine for the tester, but not for the user.
I've found a script that checks and when a user has less than 30 minutes left on their ticket it will ask them to re-authenticate. Set this up as a launch agent and it works - until asking the user to re-authenticate. This part doesn't happen when running as an agent.
Looking for a way to re-authorize the ticket with as little user intervention as possible. If I can get the launch agent to work as it does when just run, I'm okay with that for first run, but would really like a way to quietly re-authenticate the kerberos ticket.
Spoke with the Domain Admins and they don't suggest upping the ticket time and after discussion we realized that no matter what time we set it to expire there is going to be someone whose ticket is going to expire, so we better find a better solution.
Edit: I've gotten the launch agent to work, but am still looking for a way to do this sans user intervention. The thought of asking users to just trust us when this random box appears and type in their domain password is on the list of things we shouldn't be asking users to do.
