This short howto is an update from my old howto and describes a Samba-(3.0.30-2) and CUPSYS-(1.3.7-5) configuration for a print server as member of a Samba-Domain with (Open)LDAP backend. This example is based on a debian lenny system (current in testing).
First setting up the ldap-connections to get all users and groups. I use an OpenLDAP server (2.3.30-5+etch1) as backend for the samba PDC/BDC (3.0.24-6etch10). Install the necessary packages apt-get install libnss-ldap cupsys with there dependencies and edit the configs:
Your /etc/nsswitch.conf should contain the following lines (winbind comes later):
passwd: compat ldap winbind group: compat ldap winbind shadow: compat ldap hosts: files winbind mdns4_minimal [NOTFOUND=return] dns mdns4
You also have to set up the /etc/ldap/ldap.conf like this:
BASE dc=your,dc=ldap,dc=suffix URI ldap://<your first ldap server ip>:389 ldap://<your second ldap server ip>:389 pam_password exop LDAP_VERSION 3 nss_base_passwd ou=people,dc=your,dc=ldap,dc=suffix?one nss_base_shadow ou=people,dc=your,dc=ldap,dc=suffix?one nss_base_group ou=groups,dc=your,dc=ldap,dc=suffix?one
With this configurations and the right settings in your /etc/libnss-ldap.conf:
base dc=your,dc=ldap,dc=suffix uri ldap://<your first ldap server ip>/ ldap://<your second ldap server ip>/ ldap_version 3 # The ldap-admin account. The appropriate password is in /etc/libnss-ldap.secret. Keep the permissions right. rootbinddn cn=admin,dc=your,dc=ldap,dc=suffix nss_base_passwd ou=people,dc=your,dc=ldap,dc=suffix?one nss_base_shadow ou=people,dc=your,dc=ldap,dc=suffix?one nss_base_group ou=groups,dc=your,dc=ldap,dc=suffix?one
you should get all your local and ldap users with getent passwd and all groups with getent group. During your tests you should stop the nscd-daemon if it runs. With a getent passwd (and a running configured winbind) you get tree types of user entries:
... sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin ... user:x:10001:513:full name:/homedir:/bin/false ... domain\user:*:15001:15001:full name:/homedir:/bin/false ...
The first entry is from your /etc/passwd, the second is over LDAP and the last is over winbind.
Now install and setting up the samba server (apt-get install samba). This moment, version 3.0.30-2 is in lenny. Here is my configuration:
# global parameters [global] ## NETBIOS / Domain Server settings workgroup = <your domain> netbios name = <the netbios name> security = domain server string = <a string> ## USER / LDAP settings ldap suffix = dc=your,dc=ldap,dc=suffix ldap machine suffix = ou=machines ldap group suffix = ou=groups ldap user suffix = ou=people ldap idmap suffix = ou=idmap ldap admin dn=cn=admin,dc=your,dc=ldap,dc=suffix idmap backend = ldap:"ldap://<your first ldap server ip> ldap://<your second ldap server ip>" winbind enum users = yes winbind enum groups = yes ## WINS / DNS settings wins server = <your WINS server ip('s)> dns proxy = no name resolve order = wins hosts bcast ## LOGGING syslog = 0 log level = 3 passdb:1 auth:1 winbind:1 panic action = /usr/share/samba/panic-action %d max log size = 1000 log file = /var/log/samba/log.%m ## MISC Files/Directories map acl inherit = yes case sensitive = no directory mask = 0770 hide unreadable = yes printcap name = cups printing = cups cups options = "raw" ### userful in an multidomain environment printjob username = %D\%U ### prevent driver name changing force printername = yes ### printer admin is marked as deprecated ### use: net rpc rights grant "<Domain\username>" SePrintOperatorPrivilege -U <admin> ### 'enable privileges = yes' must be set (it's the default) [printers] comment = all printers path = /var/spool/samba public = yes guest ok = yes writable = no printable = yes [print$] comment = printer drivers path = /var/lib/samba/printers browseable = yes guest ok = no read only = yes write list = "<Domain\name>"
Join the domain with net rpc join -U <admin> -S <domain>.
And don’t forget a smbpasswd -w to set the LDAP-Password. For this you should use a dash-shell to prevent passwords in your shell history.
Now check the nessesary directories for spooling the jobs /var/spool/samba and the printer drivers/var/lib/samba/printers and the right permissons. The printer admins need write access to the driver directory. Add a printer admin or better a group with the command net rpc rights grant “<Domain\name>” SePrintOperatorPrivilege -U <admin> and the associated password. Groups from trusted domains are also available here. You need to set this rights only on your print server. There is no replication mechanism (yet) over your domain. You don’t see this rights inside the MS-Printer options dialog, but you can set printer options (it’s not greyed-out). The driver installation should be done with one account, because driver values could be changed and you get a ‘permission denied’ (/var/lib/samba/ntprinters.tdb) or better set force printername = yes.
Now comment out the line beginning with application/octet-stream inside the files/etc/cups/mime.types and /etc/cups/mime.convs.
You can set the default print options for the client drivers on a MS Windows admin PC. Please use the right dialog. 🙂 You can get more useful details on this and this chapter. You can’t set “Enable advanced printing features”, because this use EMF and it’s not supported by samba/cups. Do You have a problem with drivers an missing paper sizes? This article could be helpful.
Todo: samba and cups fine tuning (refresh rate inside the printer view, …)