[Samba] samba printing and disk quotas in Active Directory domain

[Wilkins, Vern]

I've recently made a great deal of progress getting ready to roll out
linux workstations in our Windows Active Directory environment.  There
are a couple of very significant problems I'm stuck with though, one of
which is definitely Samba related, and the other which is borderline
Samba related.

 

Problem 1 - Printing from Linux to Windows print servers

 

I have read all the documentation I could find on this subject and it
appears that CUPS and Samba work fairly well together for this purpose.
The problem is that our AD domain is well over 40000 users.  The only
way I see to print to a windows print server is by embedding the
username/password combo in a CUPS URI, something like
smb://user:password@servername/printersharename. That doesn't work well
on a workstation where users are going to be logging in with their
Active Directory accounts, via Winbind.  It appears to me that even
though I am using Kerberos, there's no way to seamlessly pass the
credentials used to login, to the print server.   Is this a limitation
of CUPS or is it a Samba limitation?  I thought of writing a script and
having a shortcut to it on the desktop to setup printing.  The script
would prompt users again for credentials to setup a printer, and then
setup the printer using lpadmin with the URI format above.  Since CUPS
and/or Samba handles the username:password combo in the URI in clear
text, that's not really a good option though.  It states in the Samba
documentation that although the URI is sanitized in certain instances,
such as logging, the username and password are in clear text in some
places, such as the process list.  I feel like I must be missing
something.  It seems odd that if Samba already has Kerberos and AD
integration, not being able to seamlessly pass those credentials to
Windows machines in the domain for printing, would be a very significant
limitation.  Has anyone come up with a better way to deal with printing
in such an environment?  Also, I don't have any other options for
printing because our university utilizes a printing quota system that
must receive the Active Directory credentials (i.e. I can't bypass
authentication or use a guest account).

 

Problem 2 - Using quotas for Active Directory accounts

 

I'm using Winbind so that users can login to our Linux workstations with
their Active Directory accounts.  This works fine but it seems there is
no good way to use quotas, partly because of the huge number of users in
our environment.  This seems to be primarily a quota utilities problem
since the utilities don't to my knowledge provide the functionality that
I would find most useful.  Being able to set a quota for example on all
users with a UID greater than X for example, or having a group quota
apply to individuals in that group rather than the group as a whole.
For example, being able to set a soft limit of 1000000K for the group
Users and having that be the quota for each individual in the group,
rather than the quota for all individuals in that group combined.  I
realize this is certainly a limitation of the quota utilities rather
than Samba, but in my opinion it severely limits the use of Winbind in a
large enterprise environment.  Any suggestions for getting around this
issue?  Basically I just need a way to set a quota for all 40,000+ users
whose accounts exist in Active Directory, not on the Linux workstations.

 

Thanks,
Vern