[TriLUG] HOWTO: Create PDFs using Samba but not CUPS

Matt McGrievy mcgrievy at email.unc.edu
Tue Feb 28 10:50:10 EST 2006 

Ah, right -- wasn't following the thread closely enough.  I'll let you 
and Steve continue to hash it out ;)

-Matt

David McDowell wrote:
> Based on Steve's example config, how do we explain why he gets a value
> in %U with security = share and I don't when I set mine up
> identically?  The only difference I see is in our samba versions.  my
> 3.0.10x vs his 3.0.12x
> 
> %u is what I used when I got the nobody value, not %U.
> 
> If I set security = user, nothing works, the printer nor the share for
> pickup b/c there are no users in my smbpasswd list.  I would suspect
> even if I created a list of my users with blank passwords it would
> still fail b/c the logged in windows user's password wouldn't match
> the smbpasswd list, thus failure to connect.  Thoughts?
> 
> thanks folks for all your ideas so far!
> David
> 
> 
> On 2/28/06, Matt McGrievy <mcgrievy at email.unc.edu> wrote:
>> Hi David,
>>
>> Following up on Rick's post, seeing "security=share" in your smb.conf
>> reminded me of this little passage in the samba docs about username
>> confusion with share-level security:
>>
>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2527269
>> In share-level security, the client authenticates itself separately for
>> each share. It sends a password along with each tree connection request
>> (share mount), but it does not explicitly send a username with this
>> operation. The client expects a password to be associated with each
>> share, independent of the user. This means that Samba has to work out
>> what username the client probably wants to use, the SMB server is not
>> explicitly sent the username. Some commercial SMB servers such as NT
>> actually associate passwords directly with shares in share-level
>> security, but Samba always uses the UNIX authentication scheme where it
>> is a username/password pair that is authenticated, not a share/password
>> pair.
>>
>> So I guess that means that Samba CAN figure out the username, but maybe
>> that's biting you in some way.  I don't know how it works if you're
>> going through an AD (maybe Windows passes the right username or maybe it
>> authenticates as a guest?).  That could explain why you're getting the
>> "nobody" username on the print jobs.  It's possible that you'll have to
>> use user or domain security.  The rest of the page above may be able to
>> shed some light.
>>
>> -Matt
>>
>> Rick DeNatale wrote:
>>> On 2/27/06, David McDowell <turnpike420 at gmail.com> wrote:
>>>> woah, I changed %U to %u and now I get:  nobody-Feb27-164318.pdf for
>>>> my filename.  I don't know if that is considered progress or not!  :p
>>> %u is the username of the current service according to man smb.conf in
>>> your case the print service is running as user nobody.
>>>
>>>  %U  is the session username (the username that the client wanted, not
>>>  necessarily the same as the one they got).
>>>
>>> %U is silently ignored for guest users, i.e. those who don't
>>> authenticate on connect.
>>>
>>> I think that you have to set up proper mapping of windows accounts to
>>> nix accounts to let the print server differentiate between users.  How
>>> you do that, AD, LDAP, whatever is a variable.  I've never set that up
>>> myself. Hopefully someone with more samba chops, or the samba
>>> documentation will reveal the secrets.
>>>
>>> --
>>> Rick DeNatale
>>>
>>> Visit the Project Mercury Wiki Site
>>> http://www.mercuryspacecraft.com/
>> --
>> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>> TriLUG Organizational FAQ  : http://trilug.org/faq/
>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>

More information about the TriLUG mailing list