This short howto is an update of my old howto and describes a Samba (3.0.30-2) and CUPSYS (1.3.7-5) configuration for a print server as a member of a Samba domain with an (Open)LDAP backend. This example is based on a Debian lenny system (currently in testing).
First, set up the LDAP connections to get all users and groups. I use an OpenLDAP server (2.3.30-5+etch1) as backend for the Samba PDC/BDC (3.0.24-6etch10). Install the necessary packages with apt-get install libnss-ldap cupsys, together with their dependencies, and edit the configs:
Your /etc/nsswitch.conf should contain the following lines (winbind comes later):
    passwd: compat ldap winbind
    group:  compat ldap winbind
    shadow: compat ldap
    hosts:  files winbind mdns4_minimal [NOTFOUND=return] dns mdns4
You also have to set up the /etc/ldap/ldap.conf like this:
    BASE dc=your,dc=ldap,dc=suffix
    URI ldap://<your first ldap server ip>:389 ldap://<your second ldap server ip>:389
    pam_password exop
    LDAP_VERSION 3
    nss_base_passwd ou=people,dc=your,dc=ldap,dc=suffix?one
    nss_base_shadow ou=people,dc=your,dc=ldap,dc=suffix?one
    nss_base_group ou=groups,dc=your,dc=ldap,dc=suffix?one

With this configuration and the right settings in your /etc/libnss-ldap.conf:

    base dc=your,dc=ldap,dc=suffix
    uri ldap://<your first ldap server ip>/ ldap://<your second ldap server ip>/
    ldap_version 3
    # The ldap-admin account. The appropriate password is in /etc/libnss-ldap.secret.
    # Keep the permissions right.
    rootbinddn cn=admin,dc=your,dc=ldap,dc=suffix
    nss_base_passwd ou=people,dc=your,dc=ldap,dc=suffix?one
    nss_base_shadow ou=people,dc=your,dc=ldap,dc=suffix?one
    nss_base_group ou=groups,dc=your,dc=ldap,dc=suffix?one

you should get all your local and LDAP users with getent passwd and all groups with getent group. During your tests you should stop the nscd daemon if it is running. With a getent passwd (and a running, configured winbind) you get three types of user entries:

    ...
    sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
    ...
    user:x:10001:513:full name:/homedir:/bin/false
    ...
    domain\user:*:15001:15001:full name:/homedir:/bin/false
    ...

The first entry is from your /etc/passwd, the second comes from LDAP and the last comes from winbind.
Now install and set up the Samba server (apt-get install samba). At the moment, version 3.0.30-2 is in lenny. Here is my configuration:

    # global parameters
    [global]
       ## NETBIOS / Domain Server settings
       workgroup = <your domain>
       netbios name = <the netbios name>
       security = domain
       server string = <a string>

       ## USER / LDAP settings
       ldap suffix = dc=your,dc=ldap,dc=suffix
       ldap machine suffix = ou=machines
       ldap group suffix = ou=groups
       ldap user suffix = ou=people
       ldap idmap suffix = ou=idmap
       ldap admin dn = cn=admin,dc=your,dc=ldap,dc=suffix
       idmap backend = ldap:"ldap://<your first ldap server ip> ldap://<your second ldap server ip>"
       winbind enum users = yes
       winbind enum groups = yes

       ## WINS / DNS settings
       wins server = <your WINS server ip('s)>
       dns proxy = no
       name resolve order = wins hosts bcast

       ## LOGGING
       syslog = 0
       log level = 3 passdb:1 auth:1 winbind:1
       panic action = /usr/share/samba/panic-action %d
       max log size = 1000
       log file = /var/log/samba/log.%m

       ## MISC Files/Directories
       map acl inherit = yes
       case sensitive = no
       directory mask = 0770
       hide unreadable = yes
       printcap name = cups
       printing = cups
       cups options = "raw"
       ### useful in a multidomain environment
       printjob username = %D\%U
       ### prevent driver name changing
       force printername = yes
       ### printer admin is marked as deprecated
       ### use: net rpc rights grant "<Domain\username>" SePrintOperatorPrivilege -U <admin>
       ### 'enable privileges = yes' must be set (it's the default)

    [printers]
       comment = all printers
       path = /var/spool/samba
       public = yes
       guest ok = yes
       writable = no
       printable = yes

    [print$]
       comment = printer drivers
       path = /var/lib/samba/printers
       browseable = yes
       guest ok = no
       read only = yes
       write list = "<Domain\name>"

Join the domain with net rpc join -U
And don’t forget a smbpasswd -w to set the LDAP-Password. For this you should use a dash-shell to prevent passwords in your shell history.
Now check the necessary directories for spooling the jobs (/var/spool/samba) and for the printer drivers (/var/lib/samba/printers), and make sure the permissions are right. The printer admins need write access to the driver directory. Add a printer admin or better a group with the command net rpc rights grant “
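
The permission checks asked for above (the /etc/libnss-ldap.secret file, the spool directory and the driver directory), written out as an added example that is not part of the original howto. The function names and the expected modes (no group/other access to the secret, sticky bit on a world-writable spool, no world-writable driver directory) are assumptions based on common practice, because the howto does not state exact modes.

```shell
#!/bin/sh
# Added example: permission audit for the paths named in this howto.
# Expected modes are assumptions (common practice), not the author's values.

# mode_of PATH: permission bits as four octal digits, e.g. 0600 (GNU stat).
mode_of() { printf '%04d' "$(stat -c '%a' "$1")"; }

# The rootbinddn password must be inaccessible to group and others.
check_secret() {
    [ -f "$1" ] || { echo "MISSING $1"; return 2; }
    m=$(mode_of "$1")
    case "$m" in
        ??00) echo "OK   $1 ($m)" ;;
        *)    echo "WEAK $1 ($m): LDAP admin password exposed to group/others"; return 1 ;;
    esac
}

# A world-writable spool needs the sticky bit, or users can remove each other's jobs.
check_spool() {
    [ -d "$1" ] || { echo "MISSING $1"; return 2; }
    m=$(mode_of "$1")
    case "$m" in
        [1357]??[2367]) echo "OK   $1 ($m): world-writable, sticky bit set" ;;
        ???[2367])      echo "WEAK $1 ($m): world-writable without sticky bit"; return 1 ;;
        *)              echo "OK   $1 ($m)" ;;
    esac
}

# print$ is served to every client: only the printer-admin group may write to it.
check_drivers() {
    [ -d "$1" ] || { echo "MISSING $1"; return 2; }
    m=$(mode_of "$1")
    case "$m" in
        ???[2367]) echo "WEAK $1 ($m): driver files writable by everyone"; return 1 ;;
        *)         echo "OK   $1 ($m)" ;;
    esac
}

# audit_print_server [ROOT]: returns the number of failed checks.
# ROOT is an optional prefix so the audit can run against a test tree.
audit_print_server() {
    root=${1:-}; bad=0
    check_secret  "$root/etc/libnss-ldap.secret" || bad=$((bad + 1))
    check_spool   "$root/var/spool/samba"        || bad=$((bad + 1))
    check_drivers "$root/var/lib/samba/printers" || bad=$((bad + 1))
    return "$bad"
}

if [ "${1:-}" = "--run" ]; then audit_print_server "${2:-}"; fi
```

Saved to a file and run as root with --run, it prints one line per path and exits with the number of failed checks.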
Now comment out the line beginning with application/octet-stream inside the files /etc/cups/mime.types and /etc/cups/mime.convs.
You can set the default print options for the client drivers on a MS Windows admin PC. Please use the right dialog. 🙂 You can get more useful details on this and this chapter. You can’t set “Enable advanced printing features”, because this uses EMF, which is not supported by Samba/CUPS. Do you have a problem with drivers and missing paper sizes? This article could be helpful.
Todo: samba and cups fine tuning (refresh rate inside the printer view, …)