[Samba] Guest Printing Broke after upgrade from 2.28 to 3.010

[Dan Willis]

I'm running a CUPS print server with SuSe 9.0 Pro with printers shared through Samba. I've recently upgraded from 2.28 to 3.010.  My server is a member of an NT 4 domain.  I run winbind to authenticate users to the domain; however, I also allow guest printing because many laptop users' machines are not domain members.  

There has been a change in guest printing behavior after the upgrade.  Domain authentication is working fine. Guest printing (desired) is working OK if the guest's username is not a valid domain username. However, guest printing for laptop users who have domain accounts but are not logged in to the domain does not work and actually locks the user's domain account.  In Samba 2.28, these users would map to "nobody" and could print as desired. 

I have tried changing the winbind use default domain parameter, the allow trusted domains parameter, etc. with no change.  I'd like to be able to authenticate users if possible, but still provide guest printing to laptop users.  I've pasted a sanitized version of my smb.conf file below.  What am I overlooking? 

Thanks,
Dan Willis

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
 # Date: 2004/12/19 23:29:05 
# Global parameters [global]
workgroup = DOMAINNAME 
server string = Print server
security = DOMAIN
 auth methods = guest, sam, winbind 
allow trusted domains = No
 min password length = 6
 map to guest = Bad Password
 pam password change = Yes
 unix password sync = Yes 
client NTLMv2 auth = Yes
 client lanman auth = No
 client plaintext auth = No
 log level = 2 
log file = /var/log/samba/log.%m 
acl compatibility = win2k
 name resolve order = wins lmhosts host bcast
 time server = Yes
 paranoid server security = No 
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
 printcap name = CUPS
 domain master = No 
dns proxy = No 
wins server = IP ADDRESS
 ldap ssl = no 
idmap uid = 10000-20000 
idmap gid = 10000-20000
 winbind trusted domains only = Yes
 invalid users = 
printer admin = 
 hosts deny = 
 veto files = /*.eml/*.nws/riched20.dll/*.{*}/ 
level2 oplocks = No 
[homes]
 comment = Home Directories
 valid users = %D/%U/%S 
read only = No 
create mask = 0640
 directory mask = 0750
 browseable = No 
[printers]
comment = All Printers
 path = /var/tmp 
create mask = 0600 
guest ok = Yes
 printable = Yes 
use client driver = Yes
 browseable = No 
[print$]
 comment = Printer Drivers 
path = /var/lib/samba/drivers
 write list = @ntadmin, root 
force group = ntadmin 
create mask = 0664 
directory mask = 0775
 [Lexmark]
 comment = Lexmark example printer
 path = /var/tmp
 printer admin = Mydomain\myusername
read only = No
 create mask = 0600 
guest ok = Yes 
printable = Yes 
printer name = Lexmark example printer
use client driver = Yes 
oplocks = No

idmap backend = 
idmap uid = 10000-20000
 idmap gid = 10000-20000
 template primary group = nobody
 template homedir = /home/%D/%U 
template shell = /bin/false
 winbind separator = \ 
winbind cache time = 300
 winbind enable local accounts = No 
winbind enum users = Yes 
winbind enum groups = Yes
 winbind use default domain = No 
winbind trusted domains only = Yes
 winbind nested groups = No