[Samba] Prompt domain user for credentials when in ADS

Thom Savage savagetw at cis.uab.edu
Tue Oct 30 14:21:29 GMT 2007

We are using Samba for home directories, roaming profiles, and to expose CUPS printers. I have joined my Samba server (SS) to our Windows domain and have set the Samba security to ADS. We are also running the winbind service, and `wbinfo -u` displays all of our domain users correctly. Samba is configured with a printers and print$ share for Windows clients to connect and print to our CUPS printers on SS. By default, all of these printers are set to allow SS\Administrators and Everyone to print.

For one of the printers, I want only two of my domain users to be allowed to print. To do this, I connected to the "Printers and Faxes" of SS as an allowed printer administrator and added the domain user accounts to the appropriate ACL. The behavior I observe is that when one of the assigned domain users tries to connect to that printer, they are either prompted for credentials or allowed to connect but disallowed printing or viewing of the ACL with "Access denied" errors. 

I noticed that my domain users have no problem accessing their "homes" and "profiles" services. The ACLs on these shares show the user account as SS\user1, as compared to what the ACL showed when I added the domain account to the printer: "user1 <user1 at mydomain.com>".

I would be very thankful if someone would point me in the right direction for this one, as the problem is not readily apparent to me. (Hence the list posting! :-)

Thom Savage
