[plug] Samba, Active Directory and PDF printing
Benjamin J Keith
bjkeith at it.net.au
Sat Apr 16 15:17:38 WST 2005
Hi,
I'm hoping some of the list Samba gurus can help with an Active Directory
integration problem I'm having. I've been tasked with setting up a print
to PDF solution for the company I work for. The staff here work on
Windows 2000/XP Pro workstations with a Windows 2000 Server running Active
Directory in native mode.
I demonstrated a simple samba + cups-pdf solution running on a debian box
that received favorable approval. The demo setup had no integration to
Active Directory, authentication was to a user account on the linux box.
To make it easier to manage users and access to the PDF printing service I
want to move to authentication against the Active Directory server.
After trying security = share and security = domain without any success (I
think this is because Active Directory is running in native mode, not mixed?
mode, it doesn't seem to allow NTLM), I finally went to security = ads and
managed to get simple file sharing working.
My problem now is with authentication for the PDF printer I'm trying to
share. The following are the configuration files I have modified to get
this working:

/etc/samba/smb.conf:

[global]
    netbios name = IS0004
    workgroup = DOMAIN
    realm = DOMAIN.COM
    password server = is0001.domain.com
    security = ads
    encrypt passwords = yes
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    printing = cups
    printcap name = cups
    load printers = yes
    guest account = nobody
    log file = /var/log/samba/%m.log
    log level = 1

[pdf]
    path = /var/tmp/pdf
    browseable = yes
    writeable = yes
    guest ok = yes
    guest only = yes

[print$]
    comment = Printer Driver Download Area
    path = /var/lib/samba/printers/
    browseable = yes
    guest ok = yes
    read only = yes
    write list = @ntadmin, root

[printers]
    comment = All printers
    directory = /tmp
    browseable = yes
    public = yes
    guest ok = yes
    guest only = yes
    guest account = nobody
    writeable = yes
    printable = yes
    create mode = 0777

/etc/pam.d/login

    auth     requisite   pam_securetty.so
    auth     sufficient  pam_winbind.so
    auth     sufficient  pam_unix.so use_first_pass
    auth     requisite   pam_nologin.so
    account  sufficient  pam_winbind.so

/etc/nsswitch.conf

    passwd:     compat
    group:      compat
    shadow:     compat
    hosts:      files dns
    networks:   files
    passwd:     files winbind
    group:      files winbind
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis

/etc/cups/cupsd.conf

    <Location />
        Order Deny,Allow
        Deny From All
        Allow From 127.0.0.1
    </Location>
    <Location /printers>
        AuthType None
        Order Deny,Allow
        Deny From None
        Allow From 192.168.160.0/24
    </Location>

As you can see I've left access quite open to help rule out
With the above setup, Windows users logged into the domain can browse to
\\is0004 and they see the pdf and PDFprinter shares without having to
provide additional authentication. They have read/write permission to the
pdf share. When they try to connect to the PDFprinter share, however,
they are prompted for a username and password. All of the following fail:
<domain username>
DOMAIN\<domain username>
<domain username>@DOMAIN
<linux username> (where a linux account has been created to test with)
Trying DOMAIN+<domain username> gets disallowed by Windows (i.e. can't OK
and get prompted with a syntax tooltip listing the forms used above).
Annoyingly, a tail of the samba logs during one of these authentication
sessions shows nothing being added to the log.
If anyone can see where I have gone wrong or knows for sure that samba
printing doesn't work with security = ads, I'd *love* to know.
regards,
Ben
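
The post says access was left quite open while troubleshooting. As an added example (not part of the original post), this Python sketch reports which shares in an abridged copy of the posted smb.conf allow guest access before the box goes into production. The `audit` function and its finding labels are hypothetical names, and the 0744 default create mask is an assumption taken from smb.conf(5).

```python
import configparser

# Constructed sample: abridged copy of the share sections posted above.
SMB_CONF = """
[global]
security = ads
[pdf]
writeable = yes
guest ok = yes
guest only = yes
[print$]
guest ok = yes
read only = yes
[printers]
public = yes
guest only = yes
writeable = yes
printable = yes
create mode = 0777
"""

# smb.conf(5) synonyms folded onto one canonical parameter name.
SYNONYMS = {"public": "guest ok", "only guest": "guest only",
            "writeable": "writable", "write ok": "writable",
            "create mode": "create mask"}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def audit(text):
    """Return {share: [finding, ...]}; finding labels are hypothetical."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    # Strip indentation so indented keys are not read as continuation lines.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    report = {}
    for share in cp.sections():
        if share.lower() == "global":
            continue
        o = {SYNONYMS.get(k, k): v.strip().lower() for k, v in cp.items(share)}
        guest = o.get("guest ok") in TRUE
        writable = o.get("writable") in TRUE or o.get("read only") in FALSE
        found = ["guest-access"] if guest else []
        if guest and o.get("guest only") in TRUE:
            found.append("guest-only")
        if guest and writable:
            found.append("guest-writable")
        # Assumed default create mask of 0744 when the share sets none.
        if int(o.get("create mask", "0744"), 8) & 0o002:
            found.append("world-writable-files")
        report[share] = found
    return report

if __name__ == "__main__":
    print(audit(SMB_CONF))
```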