[plug] Samba, Active Directory and PDF printing

Benjamin J Keith bjkeith at it.net.au
Sun Apr 17 15:42:34 WST 2005


On Sat, 16 Apr 2005, Carl Gherardi wrote:

>> To make it easier to manage users and access to the PDF printing service I
>> want to move to authentication against the Active Directory server.
>> After trying security = share and security = domain without any success (I
>> think this is because Active Directory running in native mode, not mixed?
>> mode, it doesn't seem to allow NTLM), I finally went to security = ads and
>> managed to get simple file sharing working.
>
> I believe domain is correct here, though it can be problematic to set up.
>
> I'll guess that the problem you have was being unable to join the AD domain.

Thanks for the help Carl :)

I had managed to join the domain with security = ads.

I retried domain anyway, and got things working, must've done something 
stupid the first time.  Like with security = ads, I can login at a linux 
shell prompt with DOMAIN+<domain username> so the domain authentication is 
working.

The problem occurs when a Windows client prompts for a password 
when it's trying to access a resource on the linux box.  I was under the 
impression that the linux box would pass through the authentication to 
the domain controller - is this correct?

> This be the issue. Your users can read and write 'cos they can as
> guest, they never actually authenticate, the PDFprinter share allows
> browsing, but windows immediately tries to write a file (thumbs.db?)
> to the directory - hence the password prompt.
>
> So you have guest access running but no authentication to ad.

> Once you have that, use "username map = /etc/samba/user.map" in your
> global area, and create a file with
> linuxusername = "windows user"
>
> In your case something like
> pdfprint = "user one"
> pdfprint = "user two"
>
> You may be able to do
> pdfprint = "user one", "user two"
> like the group file but I've never tried.

Gave it a whirl:

/etc/samba/user.map:
smbprint = "DOMAIN\ben.keith"
smbprint = "DOMAIN+ben.keith"
smbprint = "ben.keith"

Samba logs now show:

[2005/04/17 15:35:45, 1] smbd/service.c:make_connection_snum(648)
   ircd0043 (192.168.160.33) connect to service pdf initially as user smbprint (uid=106, gid=65534) (pid 1940)

when I browse to \\IS0004 as ben.keith

Still having the same behaviour wrt connecting to the PDFprinter.

I have also tried connecting directly to the PDFprinter through the 
Windows Add Printer Wizard.  Choosing Add a network printer and entering 
the URI:

http://is0004.domain.com/printer/PDFprinter

I can add the printer to a Windows client.  I can submit a job to the 
printer, then the printer "stops" (Windows says Paused, CUPS says 
stopped).  The print manager for the printer under Windows displays Access 
Denied.  The job sits there until removed.  I have tried entering 
authentication details by choosing Configure Port in the Ports tab of the 
printer Properties - nothing seems to work.

Obviously I'm still missing something.

To me it seems like a PAM issue - something I need to add to do auth pass 
through for cups maybe???

Ideas more than welcome.

cheers,

Ben
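
The username map format discussed in this thread, as an added example that is not part of the original post: a small Python parser that resolves a client name the way smb.conf(5) describes for "username map" (lines are processed in order, a leading '!' stops processing once that line maps, '*' is a wildcard). The sample file is constructed; splitting on commas, case-insensitive matching and comparing later lines against the already-mapped name are assumptions about smbd's behaviour.

```python
import shlex

# Constructed sample (not the poster's file): unix_name = client_name ...
SAMPLE_MAP = r'''
# comment lines start with # or ;
smbprint = "DOMAIN\ben.keith"
pdfprint = "user one", "user two"
!root = DOMAIN\administrator
guest = *
'''

def parse_map(text):
    """Return [(unix_name, [client_names], stop_on_match)] for each map line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")      # '!' ends processing once this line maps
        unix, sep, rhs = line.lstrip("!").partition("=")
        if not sep or not unix.strip():
            continue                      # malformed line, ignored here
        lex = shlex.shlex(rhs, posix=True)
        lex.whitespace_split = True
        lex.whitespace += ",;"           # assumption: smbd also splits on , and ;
        lex.quotes = '"'                 # only double quotes group a name
        lex.escape = ""                  # keep the backslash in DOMAIN\user
        lex.commenters = ""
        rules.append((unix.strip(), list(lex), stop))
    return rules

def resolve(client_name, rules):
    """Walk every line in order; a later match overrides an earlier one."""
    mapped = client_name
    for unix, names, stop in rules:
        # assumptions: case-insensitive compare against the current (already
        # mapped) name; a bare '*' matches any client name
        if any(n == "*" or n.lower() == mapped.lower() for n in names):
            mapped = unix
            if stop:
                break
    return mapped

if __name__ == "__main__":
    rules = parse_map(SAMPLE_MAP)
    for name in (r"DOMAIN\ben.keith", "user two", r"DOMAIN\Administrator"):
        print(f"{name!r:28} -> {resolve(name, rules)}")
```

With the trailing catch-all line in the sample, every name not protected by '!' ends up as guest, which is why the order of lines and the '!' prefix matter when several domain users are funnelled into one Unix account.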


