The Juice Journal

I just ran into a baffling problem with one of my Mac minis. It’s unclear when this error began, but probably after a recent upgrade to Mac OS 10.5.7. I found myself unable to update, add, or remove printers, even with my admin user account, because I mysteriously did not belong to the group “lpadmin”.

If you’re experiencing this problem, then read on. I’ll give the solution first, for you time-constrained, impatient people just trying to fix the problem, then I’ll describe the background.

The problem is that your user account is no longer in the lpadmin group, which is the group of users who can administer printers. When trying to add or change a printer, you get the standard OS X administrator password dialog, but can’t authorize, and get a “client-error-not-authorized” error. To add yourself back to the lpadmin group, open up Terminal (Utilities › Terminal), and type this command:

sudo dscl . -append /Groups/lpadmin GroupMembership yourusername

You’ll need to type your administrator password and hit return, then you should be back in the lpadmin group.

I sincerely hope that solves your problem if you’ve been experiencing this one.

Background

In Mac OS 10.5 Leopard, Apple eliminated Netinfo Manager and its Netinfo database, replacing it with the dslocal database. This is huge for administrators, as that used to be the fundamental tool for managing users and groups at a nitty-gritty, manual-editing level. As far as I know, no single GUI tool exists to directly replace Netinfo Manager (I only use regular Mac OS X, so I have no idea if OS X Server has such a tool).

Instead of a GUI tool, we have dscl, dseditgroup, and a handful of other command line tools I don’t understand and am (probably rightly) afraid to touch. These handle the dslocal database, which is a bunch of XML located in /var/db/dslocal/.

Of course the primary point of interaction with the dslocal database is System Preferences, in the Accounts pane. Adding, changing, and removing users is one aspect of dealing with dslocal. By right-clicking on a user in Accounts, you can choose “Advanced Options…”, where you can change nitty-gritty properties like a short username and UUID.

However, as far as I can find there is no GUI to manage the system’s built-in groups and their memberships. This is important if, for example, you have somehow lost your membership in the “lpadmin” group, the users who can manage printers.

Let’s get into the terminal command I pasted earlier. First is sudo, which lets you run the command as an administrator (it stands for “super-user do”, get it?). dscl is the general dslocal management tool, used for reading and editing any (I think) part of the dslocal database. . represents the domain, in this case local which is equal to . for some reason. -append means we’re appending the value to the XML database row in question, not replacing it. /Groups/lpadmin is the database table, the lpadmin group table. GroupMembership is the row we’re editing (appending, in this case), and yourusername (please insert your own username) is the value we’re appending. Thus we have added “yourusername” to the lpadmin group, and you can manage printers again.

Notes

Although I used to work in IT, I no longer am in charge of large quantities of Macs, and so I’m not the most up-to-date, well-informed, or knowledgeable person on this subject. I experienced this problem and had a difficult time finding a solution online.

If you’ve read this far, you must be at least a little interested in Mac OS X internals, so I recommend you read John C. Welch’s write-up, “Analysis: the end of Netinfo”. Also, for a fun and brief read, have a look at the Wikipedia entry for Netinfo Manager. Please don’t make fun of me for calling that reading fun.

{love},
{ryan}