[Samba] Problem with job removal

Arthur Guez joyman555 at gmail.com
Mon May 29 22:27:36 GMT 2006


Hi,

We've been stuck with this problem for a while now and we believe I tried
enough potential solutions to justify my posting here.
We're using samba 3.0.14a in Sarge in order to allow printing from Windows
workstations (The authentication works with AD+Kerberos+Winbind) to a set of
shared printers. Printing works perfectly but we would like to allow users
to have control over the jobs (most importantly remove jobs) they submit and
them only. Unfortunately this does not seem to work with any of the
configurations we've tried. When a job is cancelled, it is replaced in the
windows queue by a job called "remote downlevel document"
Here are the relevant sections of our smb.conf file: (without any of the
hacks we attempted)

[printers]
    comment = All Printers
    path = /var/spool/lpd
    printable = yes
    printing = lprng
    load printers = yes
    printcap name = /etc/printcap
    guest ok = no
    print command =       /usr/bin/lpr -P%p -r %s
    lpq command   =      /usr/bin/lpq -P%p
    lprm command  =       /usr/bin/lprm -P%p %j
    lppause command =     /usr/sbin/lpc hold %p %j
    lpresume command =    /usr/sbin/lpc release %p %j
    queuepause command =  /usr/sbin/lpc stop %p
    queueresume command = /usr/sbin/lpc start %p

One of the things we've tried to do was to replace the lrprng commands
called by samba with setuid programs which call the same commands but
specify the user using the -U option.
This works for lpr as desired but for some unknown reason it seems that the
program that should be called instead of lprm is only called at times when a
user tries to remove a "remote downlevel document". (When called on a
"normal" job, it gets turned into a remote downlevel, but the program is NOT
called)
Here is the same file as above, configured for the above method:
(we're using the default lpd.perms)

   [printers]
    comment = All Printers
    path = /var/spool/lpd
    printable = yes
    printing = lprng
    load printers = yes
    printcap name = /etc/printcap
    guest ok = no
    print command =      /usr/bin/setlpr "%U@%M" "%p" "%s"
    lpq command   =      /usr/bin/lpq -P%p
    lprm command  =      /usr/bin/setlprm "%U@%M" "%p" "%j"
    ...

and the programs look like this:  (they are setuid)
         setuid(0)
         system("lprm -U%s -P%s %s", arg1, arg2, arg3);

Also, we tried to modify the source, but we were surprised by the fact that
samba is doing so much permission checking,  isn't that the role of lprng ?

Any kind of help would be greatly appreciated, thanks in advance.

Arthur

NOTE: Our users are of the form "CAMPUS\username". I don't know if the
backslash can cause a problem, but without using the -U option, the owner
appears as "CAMPUS\username" in lpq but just "username" in the windows
queue, and then "CAMPUS\username" in the windows queue when it is a remote
downlevel document. When using our programs with the -U option it's just
"username" everywhere.


More information about the samba mailing list