nobody uid printing, take 2

Christopher Dingle cmd at head-cfa.harvard.edu
Tue Dec 14 21:41:26 GMT 1999


Hi,

Samba 2.0.6 on Solaris 7 or Samba 2.0.5 on Solaris 2.6
security = share

Ok, in my previous email on this subject I indicated that switching to 
security = user might be the right idea to fix the problem I am having. 
However, this isn't possible for a variety of reasons.

So basically, the question is now this: with security = share and the following
printer share definition:

[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
#   public = yes
   writable = no
   printable = yes

How to make it so that users don't have to enter a password to access the 
print services and that the jobs come out with the correct owner?

Here is a recap from my last message, more detailed information about how 
things are running here follows.

I used to have the printers share defined to allow guest to print. However,
everyone's jobs were coming out with a header page that listed "nobody" as the 
owner. Since the guest parameter was set to nobody this makes sense if guest 
tries to print. What confounded me was that everyone's jobs came out this way. 
So I tried to set guest ok = no and see what would happen. Now when the PC 
users would attempt to print it prompted them for a passwd. If they typed 
the correct passwd that corresponded with the correct unix username that samba 
was attempting to guess, then the print job would come out and with the correct 
username. I know that the PC clients don't send usernames and that in share mode 
samba  attempts to guess the user. This has worked well enough, but I 
understand that the security of this setup is wanting, for obvious reasons and 
anyway it's icky.

Bill Knox came up with the great suggestion of using LPRng with samba. It allows 
for the specification of the owner of the print job by specified non-root users. However, 
in our current implementation, we use System V style printing and maintain a 
printers.conf NIS map. I don't know that LPRng will work with NIS. Does anyone have any 
experience with this?

Here is a copy of the smb.conf (definitions only) that I am using for testing 
purposes:

#==================== Global Settings =====================================
[global]

   workgroup = HEAD-CFA

   server string = HEAD Samba Server %v

   hosts allow = 131.142.42. 127.

   load printers = yes
   printcap name = /export/samba/lib/printers

   printing = sysv
#  was printing = lprng

#  default guest account = nobody
  
  log file = /export/samba/var/log.%m

   max log size = 50

   security = share
   encrypt passwords = no

   socket options = TCP_NODELAY
   dns proxy = no

#========================= Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   path = /home/%u

[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   public = yes
   writable = no
   printable = yes

[pool1]
comment = Pool for a day
path = /pool1
guest ok = yes
writeable = yes
create mask = 0765

[pool7]
comment = Pool for a week
path = /pool7
guest ok = yes
writeable = yes
create mask = 0765

[pool14]
comment = Pool for two weeks
path = /pool14
guest ok = yes
writeable = yes
create mask = 0765

As you can see, it's very plain right now--nothing fancy.

Any suggestions appreciated.

Chris

--
Christopher M. Dingle
Unix SysAdmin
Smithsonian Astrophysical Observatory
High Energy Astrophysics Division
http://hea-www.harvard.edu



More information about the samba mailing list