Centrify DirectControl 5.2.1 / 5.2.2 for Mac OS X 10.10 (Yosemite)Problem:
Print jobs are failing to print when "Windows Printer via Centrify DirectControl" is chosen for the printer interface type on Yosemite:
- System Preferences > Printers & Scanners > Add a printer > Printer interface > Windows Printer via CentrifyDirectControl
The printer simply pauses and can't be used.
This issue doesn't exist when other options are chosen (e.g. Windows printer via spoolss
This didn't happen with older versions of OS X.Cause:
10.10 uses CUPS 2.0.0.
There was a change in network socket privileges in this version of CUPS which limits sockets to be only written under certain directories.
The issue didn't happen with earlier versions of OS X because the earlier versions of CUPS allowed sockets to be written into any directory.Workaround: Option 1:
- Print using other protocols.
- If using cdcsmb (Windows Printer via Centrify DirectControl) is the only option, then the following steps could be used to force-change the socket file using group policy:
- Download the attached cdcsmb and adprintd executables (Which will be used to replace the existing ones)
- Enable the "Copy files" group policy to deploy the executables:
- Computer Configuration > Centrify Settings > Common UNIX Settings > "Copy files"
- Place the downloaded executables in the SYSVOL directory (or a network share that can be accessed by the target computers).
- Follow the screenshots below to configure the group policy for both files:
For "cdcsmb" the destination is: /usr/libexec/cups/backend
For "adprintd" the destination is: /usr/share/centrifydc/sbin
- Enable the "Specify commands to run" group policy, this will be used to create a legal directory for the socket file:
- Computer Configuration > Centrify Settings > Common UNIX Settings > Specify commands to run.
- Follow the screenshot below to add the below commands into the group policy:
sudo chmod 1777 /private/var/tmp/adprint
sudo chown root:_lp /private/var/tmp/adprint
- Wait for 90-120mins for the group policy to be applied onto the Mac.
- (If the workaround needs to be applied immediately, either use the KB-2977: How to use the new Mac Diagnostic Tool (2013) "GP Update" button, or run adgpupdate in Terminal on each Mac system.
- Check whether the group policies have been applied properly on all machines. The commands below can be used for this purpose:
- grep -i adprint_dir /usr/libexec/cups/backend/cdcsmb
- grep -i adprint_dir /usr/share/centrifydc/sbin/adprintd
(The value for the variable ADPRINT_DIR, it should be set to: /private/var/tmp/adprint)
- ls -la /private/var/tmp | grep -i adprint
(The location /private/var/tmp/adprint should exist with the required permissions)
If either of the ADPRINT_DIR variables still return as "/var/centrifydc/adprint", or the /private/var/tmp/adprint location does not return any output, then the changes were not successful. Double-check the two group policies above and try again.
- Once the change is confirmed on all machines, disable the "Copy Files" and "Specify Commands to run" policies by setting them back to "Not Configured"
- Clean up the print queue then re-login with Normal AD User to test.
This is fixed in Centrify Suite 2015.1 (Agent version 5.2.3)