[TriLUG] HOWTO: Create PDFs using Samba but not CUPS
Matt McGrievy
mcgrievy at email.unc.edu
Tue Feb 28 09:20:40 EST 2006
Hi David,

Following up on Rick's post, seeing "security=share" in your smb.conf
reminded me of this little passage in the samba docs about username
confusion with share-level security:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2527269

In share-level security, the client authenticates itself separately for
each share. It sends a password along with each tree connection request
(share mount), but it does not explicitly send a username with this
operation. The client expects a password to be associated with each
share, independent of the user. This means that Samba has to work out
what username the client probably wants to use, the SMB server is not
explicitly sent the username. Some commercial SMB servers such as NT
actually associate passwords directly with shares in share-level
security, but Samba always uses the UNIX authentication scheme where it
is a username/password pair that is authenticated, not a share/password
pair.

So I guess that means that Samba CAN figure out the username, but maybe
that's biting you in some way. I don't know how it works if you're
going through an AD (maybe Windows passes the right username or maybe it
authenticates as a guest?). That could explain why you're getting the
"nobody" username on the print jobs. It's possible that you'll have to
use user or domain security. The rest of the page above may be able to
shed some light.

-Matt

Rick DeNatale wrote:
> On 2/27/06, David McDowell <turnpike420 at gmail.com> wrote:
>> woah, I changed %U to %u and now I get: nobody-Feb27-164318.pdf for
>> my filename. I don't know if that is considered progress or not! :p
>
> %u is the username of the current service according to man smb.conf; in
> your case the print service is running as user nobody.
>
> %U is the session username (the username that the client wanted, not
> necessarily the same as the one they got).
>
> %U is silently ignored for guest users, i.e. those who don't
> authenticate on connect.
>
> I think that you have to set up proper mapping of Windows accounts to
> nix accounts to let the print server differentiate between users. How
> you do that, AD, LDAP, whatever is a variable. I've never set that up
> myself. Hopefully someone with more Samba chops, or the Samba
> documentation will reveal the secrets.
>
> --
> Rick DeNatale
>
> Visit the Project Mercury Wiki Site
> http://www.mercuryspacecraft.com/
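
An added example, not part of the original thread and not Samba's own code: a small Python check that flags the smb.conf settings discussed above (share-level security, guest printing, and %u or %U in a print command) that keep print jobs from being attributed to a real user. The sample configuration, the finding codes and the make-pdf script path are constructed for illustration.

```python
import re

# Constructed sample resembling the thread's setup (not the poster's real file);
# /usr/local/bin/make-pdf is a hypothetical helper script.
SAMPLE = """\
[global]
   security = share
   guest account = nobody
[pdf]
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   print command = /usr/local/bin/make-pdf %s %u
"""

TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, spaces removed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # whole-line comments only
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def audit(text):
    """Return (section, code) findings about user attribution of print jobs."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    share_level = glob.get("security", "").lower() == "share"
    findings = [("global", "SHARE_LEVEL_SECURITY")] if share_level else []
    for name, p in conf.items():
        printable = p.get("printable", p.get("printok", "no")).lower() in TRUE
        if name == "global" or not printable:
            continue
        guest = p.get("guestok", p.get("public", "no")).lower() in TRUE
        cmd = p.get("printcommand", glob.get("printcommand", ""))
        if guest:                       # jobs run as the guest account
            findings.append((name, "GUEST_PRINTING"))
        if "%u" in cmd:                 # service user, e.g. "nobody"
            findings.append((name, "SERVICE_USER_IN_COMMAND"))
        if "%U" in cmd and (guest or share_level):  # requested name only
            findings.append((name, "UNVERIFIED_SESSION_USER"))
    return findings
```

Calling audit(SAMPLE) reports the global share-level setting plus the guest and %u findings on the [pdf] share; a configuration with security = user, guest ok = no and %U in the print command returns no findings.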