New "printjob user" parameter for smb.conf in upcoming Samba release

Kurt Pfeifle kpfeifle at danka.de
Sun Mar 18 13:05:48 PDT 2007


> Kurt Pfeifle wrote:
>
> > This enables CUPS to use PAM with Winbind to authenticate print
> > client requests coming in from Windows workstations which are
> > part of a Windows-style domain. (In a Windows-style domain, the
> > $domain string is an integral part of the user name, and "wbinfo
> > -u" will return the usernames in that very format).
> >
>
> Hello Kurt,
>
> please show me the way to enable PAM with Winbind.
> I have never seen a configuration for this.

There's nothing special with that.

 * CUPS uses PAM by default, if PAM is enabled on the system.
 * PAM can be set up to accept winbind's response for user authentication
   (winbind checks with the Windows Domain Controllers for users and groups)


Here is, roughly (can't check details at the moment, sorry), what I remember:

In /etc/nsswitch these lines do enable Winbind (they mean: "first check local files like /etc/passwd for the request, and if that fails, ask winbind"):

  passwd:  files winbind
  group:   files winbind

In a file named /etc/pam.d/cups (you may need to create it), lines like

  auth     sufficient   pam_winbind.so   try_first_pass
  account  sufficient   pam_winbind.so

are doing what you need (but be careful -- depending on what else is in that file, or in "included" ones, this may alter your expected behavior; PAM modules are "stacked", and their returns are evaluated in the order the lines appear in the config files).

In smb.conf the heavier part of the config has to take place: integration into the AD domain, using Kerberos, mapping local Unix users and groups to Windows domain groups etc. (this includes setting up krb5.conf to use the correct Kerberos domain controller). Relevant info is in the Samba HOWTO Collection.


> Is it possible to use Windows users (not local system users) in a special
> Windows group to administer the CUPS printers?

Yes, of course.

When PAM is set up to use Winbind for user authentication (and if all the relevant configuration is OK), every user that is returned by the Domain controller as a valid one automatically counts as a valid local Unix user. Same for groups. (The only thorny issues with this may be the spaces and the umlauts in Windows user and group names like "Domänen Benutzer").

> .... and authenticated against AD (kerberos)...

Yes. (However, *that* type of Kerberos authentication has nothing to do with the recently added Kerberos support to CUPS. In the case of Winbind, it is Samba that handles the authentication of Domain users via winbindd.)

> This would be great.

:-)


Note:  - the /etc/nsswitch file is sufficient for CUPS access to Windows
         domain users via Samba
       - the /etc/pam.d/cups file (and other files) are meant to give
         direct access to Windows domain users for the named services
         (you'd need that if you want a group of Windows users to be able
         to access the CUPS web interface to delete jobs of other users);
         they are also required if you want to automatically create a home
         directory share (using something like "pam_mkhomedir.so")
         when a user accesses Samba the first time (such a home dir may
         be needed if you offer a virtual "PDF creating printer" to
         your Windows users).


Cheers,
Kurt

P.S.: I seem to remember having seen a good, concise howto about that
      stuff on "www.debian-administration.org" some time ago. Otherwise,
      the "Samba HOWTO Collection" and "Samba by Example" should be good
      enough too.
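
Added example (not part of the message above, and not code from CUPS, Samba or Linux-PAM): a simplified Python model of how a PAM stack is evaluated, showing why the position of the pam_winbind.so line relative to other modules changes who can authenticate. The pam_unix.so line and the per-module outcomes are constructed assumptions; only the required/requisite/sufficient/optional control flags are modelled.

```python
# Simplified model of how Linux-PAM walks one facility's stack.
# Assumptions: "include" and [value=action] controls are not modelled.
# Module outcomes are supplied by the caller; nothing here calls PAM
# or winbindd.

WINBIND_LINE = "auth     sufficient   pam_winbind.so   try_first_pass\n"  # from the mail
UNIX_LINE = "auth     required     pam_unix.so\n"  # constructed for illustration

WINBIND_FIRST = WINBIND_LINE + UNIX_LINE
UNIX_FIRST = UNIX_LINE + WINBIND_LINE

def parse_stack(text, facility):
    """Return [(control, module), ...] for one facility, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (success) or False (failure)."""
    required_failed = False
    positive = False
    for control, module in stack:
        ok = outcomes.get(module, False)  # unlisted module counts as failure
        if ok:
            if control == "sufficient" and not required_failed:
                return True               # stack stops here with success
            if not required_failed:
                positive = True
        elif control == "requisite":
            return False                  # stack stops here with failure
        elif control == "required":
            required_failed = True        # keep going, but the result is failure
        # a failing sufficient/optional module is ignored
    return positive and not required_failed

def authenticate(pam_text, outcomes, facility="auth"):
    return evaluate(parse_stack(pam_text, facility), outcomes)

if __name__ == "__main__":
    domain_user = {"pam_winbind.so": True, "pam_unix.so": False}
    local_user = {"pam_winbind.so": False, "pam_unix.so": True}
    for name, text in (("winbind first", WINBIND_FIRST), ("unix first", UNIX_FIRST)):
        print(name, "| domain user:", authenticate(text, domain_user),
              "| local user:", authenticate(text, local_user))
```

With the winbind line first, both domain and local users pass; with a required pam_unix.so ahead of it, the domain user is rejected even though winbind accepted the credentials.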




