[Samba] Wide open (security = share) w/ printers including driver download success story
malk at sidehack.sat.gweep.net
Thu Mar 1 04:21:12 GMT 2007
Hi-
I wanted to share my experience w/ the list in getting a completely wide open
file and printer (w/ automagic driver download) with security = share setup
working.
My requirement was to set up a server for a small office of XP boxes w/ file and
printer sharing and had always done samba as domain controller w/ full logons
etc. No need for any security in this setup and I wanted to have the nice
driver download stuff. Here is how I did it.
Fedora Core 6 install w/ Samba 3.0.24-1.fc6 packages (samba, samba-common, and
samba-client). cups-1.2.4-9 for printing support.
Set up cups for raw printing first
/etc/cups/mime.types already had "application/octet-stream" enabled
(uncommented) in this setup.
/etc/cups/mime.convs -- had to uncomment the "application/octet-stream" in
this file. restarted cups.
I had 3 printers, two on the network w/ static IP addrs, and one USB. I like
to just add the queues w/ lpadmin since it's cut and dry and quick (I'm a
command line kind of guy). Printers are a Brother DCP8045D, Brother MFC8840D,
and HP color laserjet 3500 (the USB guy). Added raw queues this way:
lpadmin -p brother-1 -v lpd://brother-1/raw -E -m raw
lpadmin -p brother-2 -v lpd://brother-2/raw -E -m raw
lpadmin -p hp-lj3500 -v usb:/dev/usb/lp0 -E -m raw
In my setup, brother-1 and brother-2 have entries in DNS pointing to printer
IP addrs. Hence the names in lpd:// instead of IP addrs.
Directory permissions for the one data share and printer driver area:
mkdir -p /shares/data
chown nobody.nobody /shares/data
chmod 775 /shares/data
mkdir -p /etc/samba/drivers/W32X86
mkdir -p /etc/samba/drivers/WIN40
chown -R nobody.nobody /etc/samba/drivers
chmod 775 /etc/samba/drivers
smb.conf file is attached last for completeness.
I ran into trouble trying to upload drivers w/ the add printer wizard because
unix user "nobody" was not a printer admin. I tried the "printer admin ="
parameter, but it's deprecated and didn't allow the "Driver" button to be
un-greyed in the add printer wizard. The key to getting this working was the
following:
Set up a password for the samba root user. I'm using the passdb backend in this
case as it's modern compared to smbpasswd file, easier than ldap, and automagic
for a simple setup like this:
pdbedit -L
(make sure no root user in there -- if there is, use "smbpasswd root" to set
root's password if you don't know it (perhaps your distro set up some default)).
you'll need a working root samba user account for the next steps.
If you don't have a samba root user (which was my case on FC6), add one and set
root's password:
pdbedit -a -u root
password: <samba root user password>
Now tell the samba setup that the "Everyone" windows group (imagine this samba
server being a windows box w/ its personal (local in windoze terms) "Everyone"
group you want to modify) has the SePrintOperatorPrivilege set -- you can first
list the "rights" and see initially "Everyone" has nothing:
net rpc rights list accounts
Password: (use root samba user password)
Now grant "Everyone" SePrintOperatorPrivilege:
net rpc rights grant Everyone SePrintOperatorPrivilege
Password: (use root samba user password)
Use the above command to list the rights again and verify that "Everyone" has
printer operator privileges. Now you'll be able to download drivers on a
windows box that is not a domain member or anything else special. Browse the
server:
start -> run, and type \\srgolf-srv
Go into the "printers and faxes" folder
Right-click and properties on one of the printers and answer "NO" when asked
to install a driver for the printer since your windows box knows the samba
server doesn't yet have a driver.
Then go into the tab where it shows an empty driver list and you can click
the "Driver" button to bring up the add printer wizard.
When you select the proper inf file for your printer, it will download the
driver into the samba server's print$ share instead of the local computer
(you'll be able to see this as it's copying files to know you've got it right
-- if it copies files to c:\windows\system or system32 or whatever, you have
something wrong). Then you can do the automagic right-click and "connect" on
each windows computer to automatically download the samba server provided
printer drivers.
I trained the folks at the golf course to access the server using
start -> run, and type \\srgolf-srv
Then they just map a network drive for the data share, and "connect" to the 3
printers and queue to them, delete jobs, pause printing, etc. etc.
The only negative thing about this setup is that each job is always "nobody"
and all the files are owned by "nobody", but this is the whole point of a
security = share setup.
I hope this helps save someone time who might be trying to accomplish the same
setup w/ a recent samba 3.0.XX setup. The golf course people are very happy
with their very inexpensive server (about $400.00 w/ 250 gigs of RAID-1
software raid, VPN w/ PPTPd, https and http w/ apache, squirrelmail / dovecot /
postfix for e-mail, rsync for remote backup of data weekly, IPtables firewall,
caching BIND DNS server, ISC DHCP w/ dynamic DNS updates for internal DHCP).
The cost for a windoze server 2003 setup w/ exchange etc. etc. would have been
a lot more than $400.00.
One last note, I've found "default devmode = Yes" to be required under the
[printers] auto share for most setups as I've seen many times when windows
explorer (the desktop / taskbar shell) would crash and restart when samba
didn't provide ** something ** when there wasn't a driver installed yet for
a printer. Ever since enabling it to make one setup work, I've used it w/
several different printers on several different servers.
here's the smb.conf I used:
# Samba config file
# For an open setup
# Global parameters
[global]
workgroup = srgolf
security = share
netbios name = srgolf-srv
os level = 65
preferred master = Yes
domain master = Yes
local master = Yes
printing = cups
wins support = Yes
time server = Yes
username map = /etc/samba/smbusers
passdb backend = tdbsam
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0600
guest ok = Yes
read only = Yes
printable = Yes
browseable = No
default devmode = Yes
[print$]
comment = Printer Drivers Share
path = /etc/samba/drivers
read only = no
guest ok = yes
force user = nobody
force group = nobody
force create mode = 775
force directory mode = 775
[data]
comment = SR Golf File Store
path = /shares/data
read only = No
guest ok = Yes
force group = nobody
force user = nobody
force create mode = 755
force directory mode = 755
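
An added example, not part of the original post: a small Python check that parses an smb.conf and reports where unauthenticated (guest) clients are allowed to write, run over a trimmed copy of the config above. The function names are this example's own, and it treats a share as writable if either "read only = no" or one of its inverted synonyms is set.

```python
# Trimmed from the smb.conf in the post above (share-relevant lines only).
SAMPLE = """[global]
security = share
[printers]
guest ok = Yes
read only = Yes
[print$]
read only = no
guest ok = yes
[data]
read only = No
guest ok = Yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def flag(params, names, default=False):
    """Boolean value of the first synonym in `names` that is set, else default."""
    for n in names:
        if n in params:
            return params[n].lower() in ("yes", "true", "on", "1")
    return default

def audit(text):
    """List (section, finding) where guests may write; "read only" defaults to yes."""
    conf, out = parse_smb_conf(text), []
    if conf.get("global", {}).get("security", "").lower() == "share":
        out.append(("global", "security = share: no per-user authentication"))
    for name, p in conf.items():
        guest = flag(p, ("guest ok", "public"))
        writable = not flag(p, ("read only",), True) or flag(p, ("writeable", "writable", "write ok"))
        if name != "global" and guest and writable:
            what = "drivers served to clients" if name == "print$" else "share contents"
            out.append((name, "guest can modify " + what))
    return out

print(*audit(SAMPLE), sep="\n")
```

On the config from the post this reports [global], [print$] and [data]; [printers] is not reported because it is read only.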