Scrawls from Preston...


Thu 21 May 2009

10.5.7 fails to update PPC machines properly

One of the things Leopard changed from Tiger was who could add printers. In Leopard only admins could manage printers - a change made apparently because schools were complaining that non-admins were adding printers they weren't supposed to. But then it turned out that there were just as many cases where this caused a problem. Apple tried to fix this in 10.5.7 - but forgot to apply the fix completely for PPC machines.

First - more background on the change made from Tiger to Leopard:

From [John DeTroye’s Tips and Tricks document](http://homepage.mac.com/johnd)

--Begin Quote from page 37

> Printing
>
> Note that the selection to allow users to modify the printer list applies to
> only 10.4 and below. This is due to a change in the Leopard printer system
> preferences to require local admin access to add/remove printers. Funny
> thing is, this came about because of all the schools screaming at us because
> the students and teachers kept adding printers all the time. Now those of
> you who didn’t care about that then are now screaming. So… if you would like
> your users to be able to add their own printers, you can make a change to a
> file on the client system. To fix this for now, until we get it fixed in a
> future update, you need to locate the “/etc/cups/cupsd.conf” file on your
> admin system and open it with TextWrangler (or use terminal and your
> favorite editor). Locate the line:
>
> All administration operations require an administrator to authenticate...
>
> Change the following lines to:
>
>     CUPS-Delete-Class CUPS-Set-Default>
>     # AuthType Default
>     # Require user @SYSTEM
>     Require valid-user
>     Order deny,allow

So the fix was to modify /private/etc/cups/cupsd.conf to allow anyone to add printers.

This is also documented [here](http://blog.macadmincorner.com/allow-non-admin-users-to-manage-printers/) and [here](http://lists.apple.com/archives/client-management/2007/Dec/msg00065.html), among other places.

The 10.5.7 update adds a parental control for non-admin users that controls whether or not they can add printers.

![Parental Controls](http://ptone.com/dablog/wp-content/uploads/2009/05/parental-controls.jpg)

Apple also provides [instructions](http://support.apple.com/kb/HT3511) to allow network users to manage printers

However, these changes are enabled through modifications to /etc/authorization that are made not when the update is applied, but at the first boot.

The 10.5.7 installer installs:

_/System/Library/LaunchDaemons/com.apple.su.startup.plist_

which calls the installed:

_/private/etc/com.apple.su.startup/su.startup_ shell script

which checks for securityd and then runs the tool

_/private/etc/com.apple.su.startup/auth_sys_print_admin_

which, I'm assuming, is what makes the edits on first boot to _/etc/authorization_

However, that tool seems to be Intel only...

_bash-3.2# /usr/bin/lipo -info /Volumes/OS-Build-09-05-15/etc/com.apple.su.startup/auth_sys_print_admin

Non-fat file: /Volumes/OS-Build-09-05-15/etc/com.apple.su.startup/auth_sys_print_admin is architecture: i386_

I checked and it is Intel only regardless of the architecture of the machine the updater runs on, and changes to /etc/authorization are not made on PPC machines.

Not sure how this one got through QA?

The symptom on machines with managed printers is that users are presented with a “Type an administrator’s name and password to allow ManagedClient to make changes.” screen over the loginwindow. While you can move this window around, you can’t click to type into it and you can’t click OK or Cancel. The login is stalled. Restarting does not fix it.

Removing managed printers from the user or group will allow users to log in, but the only true fix is to copy a version of /etc/authorization from an updated Intel machine to the affected PPC machines.

Or make these changes:

From /etc/authorization in 10.5:

    system.print.admin
        class: rule
        k-of-n: 1
        rule: is-lpadmin, is-admin, default

To /etc/authorization in 10.5.7:

    system.print.admin
        allow-root
        class: user
        group: lpadmin
        shared
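One way to check which form of the right a machine ended up with, as an added example that is not from the original post or from Apple: it parses an authorization plist and classifies `system.print.admin`. The sample plists are constructed from the keys listed above; the top-level `rights` dictionary and the true values for `allow-root` and `shared` are assumptions.

```python
import plistlib
import sys

RIGHT = "system.print.admin"

def sample_db(right_body):
    """Constructed sample: a minimal authorization plist holding one right."""
    return ('<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            "<key>rights</key><dict><key>%s</key><dict>%s</dict></dict>"
            "</dict></plist>" % (RIGHT, right_body)).encode()

# Built from the keys and values listed in the post. The <true/> values for
# allow-root and shared are assumed: the post shows those keys without values.
LEOPARD = sample_db("<key>class</key><string>rule</string>"
                    "<key>k-of-n</key><integer>1</integer>"
                    "<key>rule</key><array><string>is-lpadmin</string>"
                    "<string>is-admin</string><string>default</string></array>")
UPDATED = sample_db("<key>allow-root</key><true/>"
                    "<key>class</key><string>user</string>"
                    "<key>group</key><string>lpadmin</string>"
                    "<key>shared</key><true/>")

def print_admin_state(data):
    """Classify the system.print.admin right in an authorization plist."""
    try:
        db = plistlib.loads(data)
    except Exception:
        return "unreadable"
    rights = db.get("rights") if isinstance(db, dict) else None
    right = rights.get(RIGHT) if isinstance(rights, dict) else None
    if not isinstance(right, dict):
        return "missing"
    if right.get("class") == "user" and right.get("group") == "lpadmin":
        return "updated"      # 10.5.7 form: membership in lpadmin
    rule = right.get("rule")
    if right.get("class") == "rule" and isinstance(rule, list) and "is-admin" in rule:
        return "pre-10.5.7"   # Leopard form, as left on the affected PPC machines
    return "unexpected"

if __name__ == "__main__":
    if len(sys.argv) > 1:     # e.g. a copy of /etc/authorization from a client
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], print_admin_state(fh.read()))
    else:
        print("10.5 sample:", print_admin_state(LEOPARD))
        print("10.5.7 sample:", print_admin_state(UPDATED))
```

Run against a copy of each client's /etc/authorization, a result of `pre-10.5.7` on a machine that reports 10.5.7 marks it as one where the first-boot edit was not made.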

