CUPS and Samba as Printserver in a Samba/LDAP-Domain with Debian Lenny

By | 2008-12-31

This short howto is an update from my old howto and describes a Samba-(3.0.30-2) and CUPSYS-(1.3.7-5) configuration for a print server as member of a Samba-Domain with (Open)LDAP backend. This example is based on a debian lenny system (current in testing).

First setting up the ldap-connections to get all users and groups. I use an OpenLDAP server (2.3.30-5+etch1) as backend for the samba PDC/BDC (3.0.24-6etch10). Install the necessary packages apt-get install libnss-ldap cupsys with there dependencies and edit the configs:

Your /etc/nsswitch.conf should contain the following lines (winbind comes later):

	passwd:         compat ldap winbind
	group:          compat ldap winbind
	shadow:         compat ldap

	hosts:          files winbind mdns4_minimal [NOTFOUND=return] dns mdns4

You also have to set up the /etc/ldap/ldap.conf like this:

	BASE    dc=your,dc=ldap,dc=suffix
	URI     ldap://<your first ldap server ip>:389 ldap://<your second ldap server ip>:389

	pam_password exop
	nss_base_passwd ou=people,dc=your,dc=ldap,dc=suffix?one
	nss_base_shadow ou=people,dc=your,dc=ldap,dc=suffix?one
	nss_base_group  ou=groups,dc=your,dc=ldap,dc=suffix?one

With this configurations and the right settings in your /etc/libnss-ldap.conf:

	base 	dc=your,dc=ldap,dc=suffix
	uri	ldap://<your first ldap server ip>/ ldap://<your second ldap server ip>/
	ldap_version 3

	# The ldap-admin account. The appropriate password is in /etc/libnss-ldap.secret. Keep the permissions right.
	rootbinddn cn=admin,dc=your,dc=ldap,dc=suffix

        nss_base_passwd ou=people,dc=your,dc=ldap,dc=suffix?one
        nss_base_shadow ou=people,dc=your,dc=ldap,dc=suffix?one
        nss_base_group  ou=groups,dc=your,dc=ldap,dc=suffix?one

you should get all your local and ldap users with getent passwd and all groups with getent group. During your tests you should stop the nscd-daemon if it runs. With a getent passwd (and a running configured winbind) you get tree types of user entries:

	user:x:10001:513:full name:/homedir:/bin/false
	domain\user:*:15001:15001:full name:/homedir:/bin/false

The first entry is from your /etc/passwd, the second is over LDAP and the last is over winbind.

Now install and setting up the samba server (apt-get install samba). This moment, version 3.0.30-2 is in lenny. Here is my configuration:

	# global parameters
	## NETBIOS / Domain Server settings
	        workgroup = <your domain>
	        netbios name = <the netbios name>
	        security = domain
	        server string = <a string>
	## USER / LDAP settings
	        ldap suffix = dc=your,dc=ldap,dc=suffix
	        ldap machine suffix = ou=machines
	        ldap group suffix = ou=groups
	        ldap user suffix = ou=people
	        ldap idmap suffix = ou=idmap
	        ldap admin dn=cn=admin,dc=your,dc=ldap,dc=suffix
	        idmap backend = ldap:"ldap://<your first ldap server ip> ldap://<your second ldap server ip>"
	        winbind enum users = yes
	        winbind enum groups = yes
	## WINS / DNS settings
	        wins server = <your WINS server ip('s)>

	        dns proxy = no
	        name resolve order = wins hosts bcast
	        syslog = 0
	        log level = 3 passdb:1 auth:1 winbind:1
	        panic action = /usr/share/samba/panic-action %d
	        max log size = 1000
	        log file = /var/log/samba/log.%m
	## MISC Files/Directories                     
	        map acl inherit = yes
	        case sensitive = no
	        directory mask = 0770
	        hide unreadable = yes

	        printcap name = cups
	        printing = cups
		cups options = "raw"
	###	userful in an multidomain environment
		printjob username = %D\%U
	###	prevent driver name changing
		force printername = yes

	###     printer admin is marked as deprecated 
	###     use: net rpc rights grant "<Domain\username>" SePrintOperatorPrivilege -U <admin> 
	###	'enable privileges = yes' must be set (it's the default)
	        comment = all printers
	        path = /var/spool/samba
	        public = yes
	        guest ok = yes
	        writable = no
	        printable = yes
	        comment = printer drivers
	        path = /var/lib/samba/printers
	        browseable = yes
	        guest ok = no
	        read only = yes
		write list = "<Domain\name>"

Join the domain with net rpc join -U <admin> -S <domain>.

And don’t forget a smbpasswd -w to set the LDAP-Password. For this you should use a dash-shell to prevent passwords in your shell history.

Now check the nessesary directories for spooling the jobs /var/spool/samba and the printer drivers/var/lib/samba/printers and the right permissons. The printer admins need write access to the driver directory. Add a printer admin or better a group with the command net rpc rights grant “<Domain\name>” SePrintOperatorPrivilege -U <admin> and the associated password. Groups from trusted domains are also available here. You need to set this rights only on your print server. There is no replication mechanism (yet) over your domain. You don’t see this rights inside the MS-Printer options dialog, but you can set printer options (it’s not greyed-out). The driver installation should be done with one account, because driver values could be changed and you get a ‘permission denied’ (/var/lib/samba/ntprinters.tdb) or better set force printername = yes.

Now comment out the line beginning with application/octet-stream inside the files/etc/cups/mime.types and /etc/cups/mime.convs.

Use the admistration webfronted coming with cupsys to add some RAW-printers. Now you are ready to use the Add Printer Wizard or the cupsaddsmb to upload the necessary printer driver.

You can set the default print options for the client drivers on a MS Windows admin PC. Please use the right dialog. 🙂 You can get more useful details on this and this chapter. You can’t set “Enable advanced printing features”, because this use EMF and it’s not supported by samba/cups. Do You have a problem with drivers an missing paper sizes? This article could be helpful.

Todo: samba and cups fine tuning (refresh rate inside the printer view, …)


Leave a Reply

Your email address will not be published. Required fields are marked *

2 + 1 =