New "printjob user" parameter for smb.conf in upcoming Samba release
Kurt Pfeifle
kpfeifle at danka.de
Thu Mar 8 16:00:13 PST 2007
This may be of interest for all IT folks who are using CUPS in
combination with Samba:
+----------------------------------------------+
| The next Samba release likely will contain |
| a new parameter "printjob user". |
+----------------------------------------------+
The code is now in the Samba Subversion repository. This can be
used to set the printjob user name for instance like this:
printjob user = %D\%U
Samba then inserts the Windows Domain name for %D, and the Windows
"session user" name for %U. Hence, CUPS will see for example a
CUPS_USER=Domain\kpfeifle when it receives the printjob from Samba.
This enables CUPS to use PAM with Winbind to authenticate print
client requests coming in from a Windows workstations which are
part of a Windows-style domain. (In a Windows-style domain, the
$domain string is an integral part of the user name, and "wbinfo
-u" will return the usernames in that very format).
This fixes a few issues lots of admins had in the past. Because
in the past Samba passed as the requesting-user-name only the bare
username to CUPS, and CUPS (not knowing anything about the Windows
domain) asked PAM/winbind for authentication only to hear a
rejection (PAM/winbind by default can only authenticate usernames
in the form "DOMAINname\username").
The past workaround for that problem was to use another the smb.conf
parameter
winbind use default domain = yes
This would make "wbinfo -u" to return usernames without their
domain prefix, and it would make winbind to silently add the
domain prefix to all bare usernames it sees. However, this had
other serious drawbacks, because it broke applications which
relied on the presence of the domain part of the full username...
So a final fix for this long standing annoyance is now in sight!
(A customer of mine required the change, and they paid Sernet
to provide a quick fix, which thankfully was accepted by the
Samba Team into their sources).
See also
http://www.cups.org/str.php?L460
http://www.cups.org/str.php?L465
http://www.cups.org/str.php?L507
More information about the cups
mailing list