[TriLUG] HOWTO: Create PDFs using Samba but not CUPS

David McDowell turnpike420 at gmail.com
Tue Feb 28 10:29:05 EST 2006


ah, I think I confused smbpasswd with smbusers.  I have no users setup
in samba at all.  Could this be the difference?  Do I have to maintain
a duplicate list of users in smbusers, even if they don't have
passwords to match the win/AD passwords?


On 2/28/06, Steve Hoffman <srhoffman at gmail.com> wrote:
> Well, I did some playing and can't seem to break it..and I've tried.  This
> machine was a domain controller back in the day, but I've since upgraded (or
> downgraded depending on your POV) to a 2003 AD because we added our own
> exchange server.  Some accounts still exist on the samba server, but many
> new ones don't and they're still able to print just fine to the PDF
> printer.
>
> what does your smbusers file look like?  Here's mine:
> # Unix_name = SMB_name1 SMB_name2 ...
> root = administrator admin
> nobody = guest pcguest smbguest
>
> how about your smbpasswd file?  I have a strange entry for the "nobody"
> acct:
> nobody:99:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU
> ]:LCT-00000000:
>
> If I'm reading that right, there's NO password for nobody and perhaps
> everyone fails auth as nobody and therefore are forced to send their
> username/password from win?(total guess, sort of reached up a deep dark
> cavity and pulled that one out)
>
>
> Anything there shedding light?
>
> Steve
>
> On 2/28/06, David McDowell <turnpike420 at gmail.com> wrote:
> >
> > Based on Steve's example config, how do we explain why he gets a value
> > in %U with security = share and I don't when I set mine up
> > identically?  The only difference I see is in our samba versions.  my
> > 3.0.10x vs his 3.0.12x
> >
> > %u is what I used when I got the nobody value, not %U.
> >
> > If I set security = user, nothing works, the printer nor the share for
> > pickup b/c there are no users in my smbpasswd list.  I would suspect
> > even if I created a list of my users with blank passwords it would
> > still fail b/c the logged in windows user's password wouldn't match
> > the smbpasswd list, thus failure to connect.  Thoughts?
> >
> > thanks folks for all your ideas so far!
> > David
> >
> >
> > On 2/28/06, Matt McGrievy <mcgrievy at email.unc.edu> wrote:
> > > Hi David,
> > >
> > > Following up on Rick's post, seeing "security=share" in your smb.conf
> > > reminded me of this little passage in the samba docs about username
> > > confusion with share-level security:
> > >
> > >
> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2527269
> > > In share-level security, the client authenticates itself separately for
> > > each share. It sends a password along with each tree connection request
> > > (share mount), but it does not explicitly send a username with this
> > > operation. The client expects a password to be associated with each
> > > share, independent of the user. This means that Samba has to work out
> > > what username the client probably wants to use, the SMB server is not
> > > explicitly sent the username. Some commercial SMB servers such as NT
> > > actually associate passwords directly with shares in share-level
> > > security, but Samba always uses the UNIX authentication scheme where it
> > > is a username/password pair that is authenticated, not a share/password
> > > pair.
> > >
> > > So I guess that means that Samba CAN figure out the username, but maybe
> > > that's biting you in some way.  I don't know how it works if you're
> > > going through an AD (maybe Windows passes the right username or maybe it
> > > authenticates as a guest?).  That could explain why you're getting the
> > > "nobody" username on the print jobs.  It's possible that you'll have to
> > > use user or domain security.  The rest of the page above may be able to
> > > shed some light.
> > >
> > > -Matt
> > >
> > > Rick DeNatale wrote:
> > > > On 2/27/06, David McDowell <turnpike420 at gmail.com> wrote:
> > > >> woah, I changed %U to %u and now I get:  nobody-Feb27-164318.pdf for
> > > >> my filename.  I don't know if that is considered progress or not!  :p
> > > >
> > > > %u is the username of the current service according to man smb.conf in
> > > > your case the print service is running as user nobody.
> > > >
> > > >  %U  is the session username (the username that the client wanted, not
> > > >  necessarily the same as the one they got).
> > > >
> > > > %U is silently ignored for guest users, i.e. those who don't
> > > > authenticate on connect.
> > > >
> > > > I think that you have to set up proper mapping of windows accounts to
> > > > nix accounts to let the print server differentiate between users.  How
> > > > you do that, AD, LDAP, whatever is a variable.  I've never set that up
> > > > myself. Hopefully someone with more samba chops, or the samba
> > > > documentation will reveal the secrets.
> > > >
> > > > --
> > > > Rick DeNatale
> > > >
> > > > Visit the Project Mercury Wiki Site
> > > > http://www.mercuryspacecraft.com/
> > > --
> > > TriLUG mailing list        :
> > http://www.trilug.org/mailman/listinfo/trilug
> > > TriLUG Organizational FAQ  : http://trilug.org/faq/
> > > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> > >
> > --
> > TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ  : http://trilug.org/faq/
> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>



More information about the TriLUG mailing list