[plug] Samba, Active Directory and PDF printing

Carl Gherardi carl.gherardi at gmail.com
Sat Apr 16 16:25:13 WST 2005


Hey Ben,

Lots of snippage.

On 4/16/05, Benjamin J Keith <bjkeith at it.net.au> wrote:
 
> To make it easier to manage users and access to the PDF printing service I
> want to move to authentication against the Active Directory server.
> After trying security = share and security = domain without any success (I
> think this is because Active Directory running in native mode, not mixed?
> mode, it doesn't seem to allow NTLM), I finally went to security = ads and
> managed to get simple file sharing working.

I believe domain is correct here, though it can be problematic to set up.

I'll guess that the problem you have was being unable to join the AD domain.
 
> [pdf]
>          path = /var/tmp/pdf
>          browseable = yes
>          writeable = yes
>          guest ok = yes
>          guest only = yes
> 
> [print$]
>          comment = Printer Driver Download Area
>          path = /var/lib/samba/printers/
>          browseable = yes
>          guest ok = yes
>          read only = yes
>          write list = @ntadmin, root

> With the above setup, Windows users logged into the domain can browse to
> \\is0004 and they see the pdf and PDFprinter shares without having to
> provide additional authentication.  They have read/write permission to the
> pdf share.  When they try to connect to the PDFprinter share, however,
> they are prompted for a username and password.  All of the following fail:


This be the issue. Your users can read and write 'cos they can as
guest, they never actually authenticate, the PDFprinter share allows
browsing, but Windows immediately tries to write a file (thumbs.db?)
to the directory - hence the password prompt.

So you have guest access running but no authentication to AD.
 
> Annoyingly, a tail of the samba logs during one of these authentication
> sessions shows nothing being added to the log.
>

Yeah...
 
> If anyone can see where I have gone wrong or knows for sure that samba
> printing doesn't work with security = ads, I'd *love* to know

Took me a while to find how to get this working with security = domain,
but I imagine this is similar.

To get the Linux box to join the domain you need to first create a
machine in AD using new-computer. Then, still in Active Directory, you
need to right-click the newly created computer and select reset
account. Once that's done: smbpasswd -j DOMAIN (and possibly password
credentials) to join the machine to the domain.

Once you have that, use "username map = /etc/samba/user.map" in your
global area, and create a file with
linuxusername = "windows user"

In your case something like
pdfprint = "user one"
pdfprint = "user two"

You may be able to do
pdfprint = "user one", "user two"
like the group file but I've never tried.

Hope that helps.

Carl G
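
Added example, not part of the original message and not Samba's own code: a small Python audit of the guest-related share parameters discussed in the thread, run over a constructed copy of the two quoted share blocks (trimmed to the access-related lines). The function and field names are assumptions for illustration, and the check reads only smb.conf text, not filesystem permissions.

```python
# Constructed sample: access-related lines of the two shares quoted in the thread.
SAMPLE_SMB_CONF = """
[pdf]
    writeable = yes
    guest ok = yes
    guest only = yes
[print$]
    guest ok = yes
    read only = yes
    write list = @ntadmin, root
"""

SYNONYMS = {"public": "guestok", "onlyguest": "guestonly"}
INVERTED_READONLY = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"
DEFAULTS = {"guestok": "no", "guestonly": "no", "readonly": "yes", "writelist": ""}

def is_yes(value):
    return value.strip().lower() in {"yes", "true", "1"}

def parse_sections(text):
    """Return {section: {param: value}}; names lowercased, spaces in param names dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()
            if key in INVERTED_READONLY:
                key, value = "readonly", "no" if is_yes(value) else "yes"
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit_guest_access(text):
    sections = parse_sections(text)
    base = {**DEFAULTS, **sections.pop("global", {})}  # [global] supplies share defaults
    report = {}
    for name, params in sections.items():
        p = {**base, **params}
        guest = is_yes(p["guestok"])
        report[name] = {
            "guest_access": guest, "guest_writable": guest and not is_yes(p["readonly"]),
            "always_guest": guest and is_yes(p["guestonly"]),
            "write_list": p["writelist"].replace(",", " ").split(),
        }
    return report

print(audit_guest_access(SAMPLE_SMB_CONF))
```

For the quoted configuration this reports [pdf] as writable by unauthenticated guests with every connection forced to guest, and [print$] as guest-readable with writes limited to the write list.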


