10.5.7 fails to update PPC machines properly
One of the things Leopard changed from Tiger was who could add printers. In Leopard only admins could manage printers - a change made apparently because schools were complaining that non-admins were adding printers they weren't supposed to. But then it turned out that there were just as many cases where this caused a problem. Apple tried to fix this in 10.5.7 - but forgot to apply the fix completely for PPC machines.
First - more background on the change made from Tiger to Leopard:
From [John DeTroye’s Tips and Tricks document](http://homepage.mac.com/johnd)
--Begin Quote from page 37
>Note that the selection to allow users to modify the printer list applies to
>only 10.4 and below. This is due to a change in the Leopard printer system
>preferences to require local admin access to add/remove printers. Funny
>thing is, this came about because of all the schools screaming at us because
>the students and teachers kept adding printers all the time. Now those of
>you who didn’t care about that then are now screaming. So… if you would like
>your users to be able to add their own printers, you can make a change to a
>file on the client system. To fix this for now, until we get it fixed in a
>future update, you need to locate the “/etc/cups/cupsd.conf” file on your
>admin system and open it with TextWrangler (or use terminal and your
>favorite editor). Locate the line:
> All administration operations require an administrator to authenticate...
>Change the following lines to:
# AuthType Default
# Require user @SYSTEM
So the fix was to modify /private/etc/cups/cupsd.conf to allow anyone to add printers.
This is also documented [here](http://blog.macadmincorner.com/allow-non-admin-users-to-manage-printers/) and [here](http://lists.apple.com/archives/client-management/2007/Dec/msg00065.html), among other places.
The 10.5.7 update adds a parental control for non-admin users that controls whether or not they can add printers.
Apple also provides [instructions](http://support.apple.com/kb/HT3511) to allow network users to manage printers.
However, these changes are enabled through modifications to /etc/authorization that are made not when the update is applied, but at the first boot.
the 10.5.7 installer installs:
which calls the installed:
_/private/etc/com.apple.su.startup/su.startup shell script_
which checks for securityd and then runs the tool
which, I'm assuming, is what makes the edits on first boot to _/etc/authorization_
However, that tool seems to be Intel only...
_bash-3.2# /usr/bin/lipo -info /Volumes/OS-Build-09-05-15/etc/com.apple.su.startup/auth_sys_print_admin
Non-fat file: /Volumes/OS-Build-09-05-15/etc/com.apple.su.startup/auth_sys_print_admin is architecture: i386_
I checked and it is Intel only regardless of the architecture of the machine the updater runs on, and changes to /etc/authorization are not made on PPC machines.
Not sure how this one got through QA?
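The architecture check that `lipo -info` performs above can be reproduced by reading the Mach-O header directly, which is useful for auditing an installer payload from a machine without the developer tools. This Python sketch is an added example, not code from the original post or from Apple; the function names and the sample headers are constructed for illustration.

```python
import struct

# Mach-O CPU type constants from <mach/machine.h>
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
             18: "ppc", 18 | CPU_ARCH_ABI64: "ppc64"}
FAT_MAGIC = 0xCAFEBABE                   # universal header, always big-endian
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF}   # 32-bit and 64-bit Mach-O


def macho_archs(data):
    """Return the architecture names found in a Mach-O or universal header."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    (magic,) = struct.unpack(">I", data[:4])
    if magic == FAT_MAGIC:
        (count,) = struct.unpack(">I", data[4:8])
        archs = []
        for i in range(count):
            # fat_arch: cputype, cpusubtype, offset, size, align (5 x uint32)
            (cputype,) = struct.unpack_from(">I", data, 8 + 20 * i)
            archs.append(CPU_NAMES.get(cputype, "cputype %d" % cputype))
        return archs
    for endian in (">", "<"):            # thin file: header uses the CPU's byte order
        magic, cputype = struct.unpack(endian + "II", data[:8])
        if magic in THIN_MAGICS:
            return [CPU_NAMES.get(cputype, "cputype %d" % cputype)]
    raise ValueError("not a Mach-O file")


def runs_on(data, host_arch):
    """True if the binary carries a slice for host_arch ('ppc' or 'i386')."""
    return host_arch in macho_archs(data)


# Constructed sample headers (not bytes taken from the real tool).
THIN_I386 = struct.pack("<II", 0xFEEDFACE, 7) + b"\x00" * 20
FAT_PPC_I386 = (struct.pack(">II", FAT_MAGIC, 2)
                + struct.pack(">5I", 18, 0, 4096, 1024, 12)
                + struct.pack(">5I", 7, 3, 8192, 1024, 12))

if __name__ == "__main__":
    for name, blob in (("thin i386", THIN_I386), ("fat ppc+i386", FAT_PPC_I386)):
        print(name, macho_archs(blob), "runs on ppc:", runs_on(blob, "ppc"))
```

To check a real file, pass the first few hundred bytes, for example `macho_archs(open(path, "rb").read(512))`.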
The symptom on machines with managed printers is that users are presented with a “Type an administrator’s name and password to allow ManagedClient to make changes.” screen over the loginwindow. While you can move this window around, you can’t click to type into it and you can’t click OK or Cancel. The login is stalled. Restarting does not fix it.
Removing managed printers from the user or group will allow users to log in, but the only true fix is to copy a version of /etc/authorization from an updated Intel machine to the affected PPC machines.
or make these changes:
From /etc/authorization in 10.5:
To /etc/authorization in 10.5.7: