daily system administration

Linux, Debian and the rest
any questions or comments: Tom@d7031.de

CUPS and Samba as Printserver in a Samba/LDAP-Domain with Debian Lenny

This short howto is an update from my old howto and describes a Samba-(3.0.30-2) and CUPSYS-(1.3.7-5) configuration for a print server as member of a Samba-Domain with (Open)LDAP backend. This example is based on a debian lenny system (current in testing).

First setting up the ldap-connections to get all users and groups. I use an OpenLDAP server (2.3.30-5+etch1) as backend for the samba PDC/BDC (3.0.24-6etch10). Install the necessary packages apt-get install libnss-ldap cupsys with there dependencies and edit the configs:

Your /etc/nsswitch.conf should contain the following lines (winbind comes later):

passwd:         compat ldap winbind
    group:          compat ldap winbind
    shadow:         compat ldap

    hosts:          files winbind mdns4_minimal [NOTFOUND=return] dns mdns4

You also have to set up the /etc/ldap/ldap.conf like this:

BASE    dc=your,dc=ldap,dc=suffix
    URI     ldap://<your first ldap server ip>:389 ldap://<your second ldap server ip>:389

    
    pam_password exop
    LDAP_VERSION    3
    
    nss_base_passwd ou=people,dc=your,dc=ldap,dc=suffix?one
    nss_base_shadow ou=people,dc=your,dc=ldap,dc=suffix?one
    nss_base_group  ou=groups,dc=your,dc=ldap,dc=suffix?one

With this configurations and the right settings in your /etc/libnss-ldap.conf:

base   dc=your,dc=ldap,dc=suffix
    uri ldap://<your first ldap server ip>/ ldap://<your second ldap server ip>/
    ldap_version 3

    # The ldap-admin account. The appropriate password is in /etc/libnss-ldap.secret. Keep the permissions right.
    rootbinddn cn=admin,dc=your,dc=ldap,dc=suffix

        nss_base_passwd ou=people,dc=your,dc=ldap,dc=suffix?one
        nss_base_shadow ou=people,dc=your,dc=ldap,dc=suffix?one
        nss_base_group  ou=groups,dc=your,dc=ldap,dc=suffix?one

you should get all your local and ldap users with getent passwd and all groups with getent group. During your tests you should stop the nscd-daemon if it runs. With a getent passwd (and a running configured winbind) you get tree types of user entries:

...
    sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
    ...
    user:x:10001:513:full name:/homedir:/bin/false
    ...
    domain\user:*:15001:15001:full name:/homedir:/bin/false
    ...

The first entry is from your /etc/passwd, the second is over LDAP and the last is over winbind.

Now install and setting up the samba server (apt-get install samba). This moment, version 3.0.30-2 is in lenny. Here is my configuration:

# global parameters
    [global]
    
    ## NETBIOS / Domain Server settings
    
            workgroup = <your domain>
            netbios name = <the netbios name>
            security = domain
            server string = <a string>
    
    ## USER / LDAP settings
            
            ldap suffix = dc=your,dc=ldap,dc=suffix
            ldap machine suffix = ou=machines
            ldap group suffix = ou=groups
            ldap user suffix = ou=people
            ldap idmap suffix = ou=idmap
            ldap admin dn=cn=admin,dc=your,dc=ldap,dc=suffix
    
            idmap backend = ldap:"ldap://<your first ldap server ip> ldap://<your second ldap server ip>"
    
            winbind enum users = yes
            winbind enum groups = yes
    
    ## WINS / DNS settings
            wins server = <your WINS server ip('s)>

            dns proxy = no
            name resolve order = wins hosts bcast
    
    ## LOGGING
                    
            syslog = 0
            log level = 3 passdb:1 auth:1 winbind:1
            panic action = /usr/share/samba/panic-action %d
            max log size = 1000
            log file = /var/log/samba/log.%m
    
    
    ## MISC Files/Directories                     
                                                                                    
            map acl inherit = yes
            case sensitive = no
            directory mask = 0770
            hide unreadable = yes

            printcap name = cups
            printing = cups
        cups options = "raw"
    ### userful in an multidomain environment
        printjob username = %D\%U
    ### prevent driver name changing
        force printername = yes

    ###     printer admin is marked as deprecated 
    ###     use: net rpc rights grant "<Domain\username>" SePrintOperatorPrivilege -U <admin> 
    ### 'enable privileges = yes' must be set (it's the default)
    
    [printers]
            comment = all printers
            path = /var/spool/samba
            public = yes
            guest ok = yes
            writable = no
            printable = yes
    
    [print$]
            comment = printer drivers
            path = /var/lib/samba/printers
            browseable = yes
            guest ok = no
            read only = yes
        write list = "<Domain\name>"

Join the domain with net rpc join -U -S .

And don’t forget a smbpasswd -w to set the LDAP-Password. For this you should use a dash-shell to prevent passwords in your shell history.

Now check the nessesary directories for spooling the jobs /var/spool/samba and the printer drivers/var/lib/samba/printers and the right permissons. The printer admins need write access to the driver directory. Add a printer admin or better a group with the command net rpc rights grant “” SePrintOperatorPrivilege -U and the associated password. Groups from trusted domains are also available here. You need to set this rights only on your print server. There is no replication mechanism (yet) over your domain. You don’t see this rights inside the MS-Printer options dialog, but you can set printer options (it’s not greyed-out). The driver installation should be done with one account, because driver values could be changed and you get a ‘permission denied’ (/var/lib/samba/ntprinters.tdb) or better set force printername = yes.

Now comment out the line beginning with application/octet-stream inside the files/etc/cups/mime.types and /etc/cups/mime.convs.

Use the admistration webfronted coming with cupsys to add some RAW-printers. Now you are ready to use the Add Printer Wizard or the cupsaddsmb to upload the necessary printer driver.

You can set the default print options for the client drivers on a MS Windows admin PC. Please use the right dialog. 🙂 You can get more useful details on this and this chapter. You can’t set “Enable advanced printing features”, because this use EMF and it’s not supported by samba/cups. Do You have a problem with drivers an missing paper sizes? This article could be helpful.

Todo: samba and cups fine tuning (refresh rate inside the printer view, …)