[Samba] Print Server in AD

Aaron C. de Bruyn aaron at heyaaron.com
Thu Jan 16 21:01:25 UTC 2025


I would skip all the Windows garbage if you can.  Specifically don't have
Windows load printer drivers from shares.

If it's a single office where everyone has the same printer (or the same
multiple printers), the basic process is:

* Preload the drivers into the driver store
* Add an IPP printer connection to CUPS which doesn't rely on the filesharing
/ print driver hacks that were added because things are so insecure as an
admin to make sure everything is loaded properly
* Add the printer to the user session when they sign in.

To accomplish this:
* Set up CUPS on your Samba server
* Set up your printers in CUPS (preferably using the IPP driver) and test
that CUPS prints
* Don't bother with any config for printing in Samba or loading drivers
* Download the printer drivers somewhere, unzip, extract, etc...  They can
live on a Samba or Windows share, or they can be downloaded to every
machine  (our script just downloads/extracts them to
c:\printers\{some-printer-name}\)

Use any number of available tools to execute processes directly on all the
workstations as an administrator.  PDQ Inventory/Deploy is a good combo for
dealing with Windows networks, but there are plenty of other automation
tools out there that can launch a script:
  * pnputil /add-driver \\path\to\extracted\driver\*.inf /subdirs /install
  * Add-PrinterDriver -Name "HP Universal Printing PCL 6"  (or whatever your
printer driver's name is in the INF file)
  * Add-Printer -Name "MyPrinter" -DriverName "HP Universal Printing PCL 6" -PortName "https://mycupsserver.customer.tld:631/printers/MyPrinter"
(MyPrinter is the name of the printer in CUPS)

Now you have an IPP Printer in Windows that prints to the CUPS server that
turns around and prints to the actual printer using IPP (or whatever you
chose).

For the user session, create
c:\programdata\microsoft\windows\start menu\programs\startup\map_printers.cmd
and run:
powershell -command "Add-Printer -Name \"MyPrinter\" -DriverName \"HP Universal Printing PCL 6\" -PortName \"https://mycupsserver.customer.tld:631/printers/MyPrinter\""

Then set the Print Spooler to not allow any outside connections and
uninstall any print server garbage from your Windows servers and
workstations.  Workstations simply need the print spooler running but not
accepting outside connections.  Not allowing it to load drivers from any
share mitigates another security risk.

We went from 5-10 printer calls per day (across ~1,000 desktops) throughout
the whole print nightmare saga (we weren't using Linux, CUPS, or Samba for
printing at the time) to maybe 1 or 2 per month.

If you have multiple offices, you can repeat the process for each office
and just change the CUPS server and/or printer names as appropriate.
Standardizing on one or two models of company printer really helps.

-A

On Tue, Jan 14, 2025 at 11:10 PM electronico via samba <
samba at lists.samba.org> wrote:

> Hi all,
>
> Trying to set up a print server to automatically add printers to Windows
> 10 clients.
> There are actually :
> 2 * physical DC
> 1 * physical File Server
> several Windows VMs on File Server
> 20 * Windows 10 clients
> What would be the smarter location for the Print Server :
> - File Server
> - New VM
> - Other ?
>
> Thanks in advance for your time !
>
> Nicolas Canonne
>
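
A read-only check for the end state the reply above describes (spooler running but not accepting outside connections, no driver loading by ordinary users, nothing shared, printer pointing at CUPS). This is an added example, not part of the original message; the two registry policy values are the standard Windows print policy settings and are an assumption about how that step is enforced, since the message does not name them.

```powershell
# Added example: read-only audit of a workstation's print spooler state.
# Printer name and URL are the sample values from the message. The registry
# policy values are an assumption about how the hardening step is enforced.
param(
    [string]$PrinterName = 'MyPrinter',
    [string]$PortUrl     = 'https://mycupsserver.customer.tld:631/printers/MyPrinter'
)

$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = @(
    [pscustomobject]@{
        Check    = 'Spooler service running (needed for local printing)'
        Actual   = (Get-Service -Name Spooler).Status
        Expected = 'Running'
    }
    [pscustomobject]@{
        Check    = 'Spooler refuses remote client connections'
        Actual   = Get-PolicyValue $printers 'RegisterSpoolerRemoteRpcEndPoint'
        Expected = 2      # 1 = accept client connections, 2 = refuse
    }
    [pscustomobject]@{
        Check    = 'Only administrators may install print drivers'
        Actual   = Get-PolicyValue "$printers\PointAndPrint" 'RestrictDriverInstallationToAdministrators'
        Expected = 1
    }
    [pscustomobject]@{
        Check    = 'No printers shared from this machine'
        Actual   = @(Get-Printer | Where-Object Shared).Count
        Expected = 0
    }
    [pscustomobject]@{
        # Assumes the port keeps the name (the URL) it was created with.
        Check    = "$PrinterName points at the CUPS IPP URL"
        Actual   = (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue).PortName
        Expected = $PortUrl
    }
)

# Compare as strings so enum, integer and missing ($null) values are handled alike.
$results = $checks | Select-Object Check, Expected, Actual,
    @{ Name = 'Pass'; Expression = { "$($_.Actual)" -eq "$($_.Expected)" } }
$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }
```

The non-zero exit code on any failed check lets a deployment tool flag machines that drifted from the intended configuration.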

