[Samba] [printer]

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Jun 9 13:40:13 MDT 2011


By default, XP does cache domain logins and passwords.  So I can see 
that if you have disabled that, then it would be effectively impossible 
for a domain user to use the machine offline, which should really only 
be an issue for laptop users.


I don't use roaming profiles; they caused more problems than they 
solved in our environment.


I didn't go for the "map user = bad password" option since it means that 
a valid user who messes up the password might not realize it right away 
and think he or she was connected to a share with full permissions.  I 
would rather make sure he or she gets the fully authorized connection.




On 06/09/2011 02:23 PM, upen wrote:
> Well, what more should I say Gaiseric, you are a genius. You fixed my issue!
>
> Thanks for the hint about 'map to guest= bad user'. Upon adding 'map
> to guest' to global section and 'guest account = nobody' to [printer],
> I restarted samba and there you go printing now works for local users
> on XP
>
> One thing to note I used 'bad password' as suggested here at
> http://wiki.samba.org/index.php/Frequently_Asked_Questions (Guest
> access section). Things may work with bad user as well.
>
> How easy it is to configure to have only 1 or 2 domain users to store
> data locally? Sometimes steady state software plays big role as we
> don't allow caching of passwords/hash as well as don't allow locked
> and roaming profiles not found on computer from logging in, Do not
> cache copies of locked /roaming profile users previously logged on to
> this computer, and also do not store username/passwords used for
> domain.
>
> We also wanted users not to be able to write to c:\ except Document and
> settings and locked local user profiles which is currently nicely
> taken care by steady state..
>
> All in all we were able to achieve balance between steady state
> configuration and things that users able to do..
>
> Thanks,
> ~A
>
> On Thu, Jun 9, 2011 at 10:33 AM, Gaiseric Vandal
> <gaiseric.vandal at gmail.com>  wrote:
>> I think
>>
>>     guest account = nobody
>>
>> is enabled by default.  But I found when I went from 3.0.x to 3.4.x that
>> samba would complain if the unix nobody user didn't already exist.  I
>> created a separate "smb_nobody" account so that I could set permissions for
>> the "Windows" guest account if needed without accidentally granting rights
>> for anonymous or general unix or nfs users.
>>
>> FYI
>>
>> You could still use domain accounts and have people store data locally (i.e.
>> don't use roaming profiles.)   I found-  in my experience-  that once you
>> have more than 5 XP machines that not having  centralized accounts got to be
>> a PITA-  at least if they were sharing data.    I guess it is  also in my
>> nature to like to keep network control as structured as possible.
>>
>>
>>
>>
>>
>> On 06/09/2011 10:55 AM, upen wrote:
>>> Hi,
>>> Thanks for helping me out.
>>>> Why are users using non-domain accounts?
>>> Answer: We provided 2 options to end users. One, they can have domain
>>> accounts if they want to store data for long term and want to
>>> access it remotely. Second, they can use local account where the data
>>> gets deleted after each logoff(locked account using steady state).
>>> Some users wish to use that local account and don't have domain
>>> account. They see printer ready but it doesn't print for them.
>>>
>>> Just want to provide extra information about guest account,
>>>
>>> testparm -s -v | grep "guest account"
>>> Load smb config files from /etc/samba/smb.conf
>>> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
>>> Processing section "[homes]"
>>> Processing section "[netlogon]"
>>> Global parameter logon script found in service section!
>>> Processing section "[Profiles]"
>>> Processing section "[printers]"
>>> Global parameter guest account found in service section!
>>> Global parameter null passwords found in service section!
>>> Processing section "[print$]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_PDC
>>>         guest account = nobody
>>>
>>> Does this mean it is already mapped to nobody, if it is then do I
>>> still need to create a new account and replace nobody with that?
>>>
>>> If you can help me a little more I think I will have it working :)
>>>
>>> Thanks,
>>> ~A
>>>
>>>
>>> On Thu, Jun 9, 2011 at 9:45 AM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com>    wrote:
>>>> I am not sure about printers but I ran into a similar issue with a guest
>>>> share.  I had security=user, and set up a guest share.  But users in
>>>> a different domain could not connect, and the samba logs showed that the
>>>> user was unknown.  (in this case domain trusts were not being used.)
>>>>
>>>>
>>>> Finally last week found the solution which was to set
>>>>
>>>>        map to guest=      bad user
>>>>
>>>> i.e. if the user is valid but the password is bad, the user can't connect.
>>>> But if the user is just unknown then treat them as a guest.  You may also
>>>> need to explicitly create a unix "guest" user account that is specified in
>>>> smb.conf (at least with samba 3.4. and higher.)
>>>>
>>>> e.g.
>>>>         guest account = smb_nobody
>>>>
>>>>
>>>> Why are users using non-domain accounts?
>>>>
>>>>
>>>>
>>>> On 06/09/2011 10:31 AM, upen wrote:
>>>>> Alright, let's not assume.
>>>>>
>>>>> Load smb config files from /etc/samba/smb.conf
>>>>> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
>>>>> Processing section "[homes]"
>>>>> Processing section "[netlogon]"
>>>>> Global parameter logon script found in service section!
>>>>> Processing section "[Profiles]"
>>>>> Processing section "[printers]"
>>>>> Global parameter guest account found in service section!
>>>>> Global parameter null passwords found in service section!
>>>>> Processing section "[print$]"
>>>>> Loaded services file OK.
>>>>> Server role: ROLE_DOMAIN_PDC
>>>>> Press enter to see a dump of your service definitions
>>>>>
>>>>>         security = USER
>>>>>         paranoid server security = Yes
>>>>>         security mask = 0777
>>>>>         force security mode = 00
>>>>>         directory security mask = 0777
>>>>>         force directory security mode = 00
>>>>>
>>>>> I did those printer settings already but due to security=user it won't
>>>>> let the local user on XP machine print. Is there any way to let
>>>>> everyone print with security=user enabled?
>>>>>
>>>>> On Thu, Jun 9, 2011 at 9:22 AM, Gaiseric Vandal
>>>>> <gaiseric.vandal at gmail.com>      wrote:
>>>>>> You know what they say about ASS-U-ME ....
>>>>>>
>>>>>>
>>>>>> "testparm -v" will show you the current settings (whether explicitly set
>>>>>> or default)
>>>>>>
>>>>>>
>>>>>> man smb.conf (3.5.)  shows a possible samba printer share as :
>>>>>>
>>>>>>
>>>>>>                 [aprinter]
>>>>>>                 path = /usr/spool/public
>>>>>>                 read only = yes
>>>>>>                 printable = yes
>>>>>>                 guest ok = yes
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 06/09/2011 10:05 AM, upen wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have configured samba as a PDC for Windows XP machines. It is
>>>>>>> running as domain. I haven't configured security = parameter but I
>>>>>>> assume it defaults to value 'user' . In this case if I have to share
>>>>>>> ALL printers on this system for anonymous printing, can I use security
>>>>>>> = share inside [printer] section and guest = ok then will it allow
>>>>>>> printing from local accounts on windows XP machines which are in
>>>>>>> domain? I don't want to set security=share in Global section.
>>>>>>>
>>>>>>> I believe there must be a way to get this to work. Any advice is
>>>>>>> appreciated.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> ~A
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>
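
The guest-access settings discussed in this thread can be checked mechanically. The following Python audit is an added example, not code from the thread or from Samba; the sample configuration and the `[scratch]` share are constructed, and it assumes writability is expressed only through `read only` (the synonyms `writable` and `writeable` are not handled).

```python
import re

# Constructed sample, modelled on the settings discussed in the thread.
SAMPLE = """
[global]
   map to guest = Bad Password
[printers]
   printable = yes
   guest ok = yes
   guest account = nobody
[scratch]
   guest ok = yes
   read only = no
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lowercased with whitespace
    removed, since smb.conf ignores case and spacing in parameter names."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return conf

def is_yes(value):
    return value in ("yes", "true", "1")

def audit_guest_access(text):
    conf = parse_smb_conf(text)
    mode = conf.get("global", {}).get("maptoguest", "never")
    shares = {n: p for n, p in conf.items() if n != "global"}
    guest_shares = [n for n, p in shares.items() if is_yes(p.get("guestok", "no"))]
    findings = []
    if mode == "bad password":
        findings.append("global: mistyped passwords silently become guest sessions")
    if mode == "never" and guest_shares:
        findings.append("global: unknown users are rejected before reaching guest shares")
    for name, p in shares.items():
        if "guestaccount" in p:
            findings.append(f"{name}: guest account is a global parameter (testparm warns)")
        if name in guest_shares and p.get("readonly") == "no" and not is_yes(p.get("printable", "no")):
            findings.append(f"{name}: guests can write to this share")
    return findings
```

Calling `audit_guest_access(SAMPLE)` returns three findings; switching to `Bad User`, moving `guest account` out of the share section and making `[scratch]` read-only clears them.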


