[TriLUG] HOWTO: Create PDFs using Samba but not CUPS

Steve Hoffman srhoffman at gmail.com
Tue Feb 28 10:15:25 EST 2006 

Well, I did some playing and can't seem to break it..and I've tried.  This
machine was a domain controller back in the day, but I've since upgraded (or
downgraded depending on your POV) to a 2003 AD because we added our own
exchange server.  Some accounts still exist on the samba server, but many
new ones don't and they're still able to print just fine to the PDF
printer.

what does your smbusers file look like?  Here's mine:
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

how about your smbpasswd file?  I have a strange entry for the "nobody"
acct:
nobody:99:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU
]:LCT-00000000:

If I'm reading that right, there's NO password for nobody and perhaps
everyone fails auth as nobody and therefore are forced to send their
username/password from win?(total guess, sort of reached up a deep dark
cavity and pulled that one out)


Anything there shedding light?

Steve

On 2/28/06, David McDowell <turnpike420 at gmail.com> wrote:
>
> Based on Steve's example config, how do we explain why he gets a value
> in %U with security = share and I don't when I set mine up
> identically?  The only difference I see is in our samba versions.  my
> 3.0.10x vs his 3.0.12x
>
> %u is what I used when I got the nobody value, not %U.
>
> If I set security = user, nothing works, the printer nor the share for
> pickup b/c there are no users in my smbpasswd list.  I would suspect
> even if I created a list of my users with blank passwords it would
> still fail b/c the logged in windows user's password wouldn't match
> the smbpasswd list, thus failure to connect.  Thoughts?
>
> thanks folks for all your ideas so far!
> David
>
>
> On 2/28/06, Matt McGrievy <mcgrievy at email.unc.edu> wrote:
> > Hi David,
> >
> > Following up on Rick's post, seeing "security=share" in your smb.conf
> > reminded me of this little passage in the samba docs about username
> > confusion with share-level security:
> >
> >
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2527269
> > In share-level security, the client authenticates itself separately for
> > each share. It sends a password along with each tree connection request
> > (share mount), but it does not explicitly send a username with this
> > operation. The client expects a password to be associated with each
> > share, independent of the user. This means that Samba has to work out
> > what username the client probably wants to use, the SMB server is not
> > explicitly sent the username. Some commercial SMB servers such as NT
> > actually associate passwords directly with shares in share-level
> > security, but Samba always uses the UNIX authentication scheme where it
> > is a username/password pair that is authenticated, not a share/password
> > pair.
> >
> > So I guess that means that Samba CAN figure out the username, but maybe
> > that's biting you in some way.  I don't know how it works if you're
> > going through an AD (maybe Windows passes the right username or maybe it
> > authenticates as a guest?).  That could explain why you're getting the
> > "nobody" username on the print jobs.  It's possible that you'll have to
> > use user or domain security.  The rest of the page above may be able to
> > shed some light.
> >
> > -Matt
> >
> > Rick DeNatale wrote:
> > > On 2/27/06, David McDowell <turnpike420 at gmail.com> wrote:
> > >> woah, I changed %U to %u and now I get:  nobody-Feb27-164318.pdf for
> > >> my filename.  I don't know if that is considered progress or not!  :p
> > >
> > > %u is the username of the current service according to man smb.conf in
> > > your case the print service is running as user nobody.
> > >
> > >  %U  is the session username (the username that the client wanted, not
> > >  necessarily the same as the one they got).
> > >
> > > %U is silently ignored for guest users, i.e. those who don't
> > > authenticate on connect.
> > >
> > > I think that you have to set up proper mapping of windows accounts to
> > > nix accounts to let the print server differentiate between users.  How
> > > you do that, AD, LDAP, whatever is a variable.  I've never set that up
> > > myself. Hopefully someone with more samba chops, or the samba
> > > documentation will reveal the secrets.
> > >
> > > --
> > > Rick DeNatale
> > >
> > > Visit the Project Mercury Wiki Site
> > > http://www.mercuryspacecraft.com/
> > --
> > TriLUG mailing list        :
> http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ  : http://trilug.org/faq/
> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>

More information about the TriLUG mailing list