CUPS/Samba/Kerb to AD - Console OK, Printer Fails
Damon Brinson
djb at damonbrinson.com
Thu Feb 21 14:03:01 PST 2008
Printing from Linux via Samba/CUPS to ActiveDirectory printer works from the command line, but CUPS won't print to the printer after it's added. Error messages and configuration files follow...
I've spent forever on this, and I feel like I'm 99% there... Just some simple thing missing or misconfigured...
Sincere thanks,
-Damon
============================================================
Configuration:
- kubuntu 7.10
- cupsys 1.3.2
- cupsys-bsd 1.3.2
- cupsys-client 1.3.2
- cupsys-common 1.3.2
- smbclient 3.0.26a
- samba-common 3.0.26a
- krb5-user 1.6dfsg.1-7build1
- krb5-config 1.17
============================================================
Here's the flow of events:
1) Authenticate via Kerberos (success):
$ kinit abdc@XYZ.EDU
2) Verify Kerberos ticket (success):
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: abdc@XYZ.EDU
Valid starting     Expires            Service principal
02/20/08 08:04:03  02/20/08 08:44:03  krbtgt/XYZ.EDU@XYZ.EDU
02/20/08 08:05:11  02/20/08 08:44:03  krbtgt/AD.XYZ.EDU@XYZ.EDU
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
3) Query the shares on the print server (via Kerberos) (success):
$ smbclient -L //servername.ad.xyz.edu -N -k
OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
Sharename       Type      Comment
---------       ----      -------
J$              Disk      Default share
...
Print-144       Printer   Student Printer Pool, HP 9050
...
session request to SERVERNAME.AD. failed (Called name not present)
session request to SERVERNAME failed (Called name not present)
OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
4) Print the word "Hello" to the printer (via Kerberos) (success):
$ echo -en "\rHello\r\f" | smbclient "//servername.ad.xyz.edu/Print-144" -c "print -" -N -k
OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
putting file - as stdin-5403 (0.3 kb/s) (average 0.3 kb/s)
Note: "success" means that one page, with the word Hello, is printed from the appropriate printer pool.
Also note: the "-N" no password option works...the URI for printing to the queue does NOT require the "username:password@//server/share" syntax...
NOW... ADDING THE PRINTER
============================================================
FIRST VARIATION -- add printer through CUPS interface (http://localhost:631/)
5) Click Administration tab.
6) Click Add Printer.
7) Name field: Print-144
8) Location field: Library
9) Descr field: HP LaserJet 9050
10) Click Continue.
11) Device: Windows Printer via SAMBA
12) Click Continue.
13) Device URI: smb://servername.ad.xyz.edu/Print-144
14) Click Continue.
15) Make: HP
16) Click Continue.
17) Model: HP LaserJet 9050 Postscript (recommended) (en)
18) Click Add Printer.
19) Enter Linux username/password at prompt.
20) Click Printers tab.
21) Click Print Test Page for Print-144 printer.
22) Brief message indicating that test print sent.
23) CUPS interface goes to the status page for the Print-144 printer.
24) Message: "Unable to connect to CIFS host, will retry in 60 seconds..."
25) The system stays in this state, never processing the print job, forever.
Error_log:
<snip>
E [21/Feb/2008:11:48:43 -0600] [Job 66] Session setup failed: SUCCESS - 0
D [21/Feb/2008:11:48:43 -0600] Discarding unused printer-state-changed event...
E [21/Feb/2008:11:48:43 -0600] [Job 66] Session setup failed: NT_STATUS_LOGON_FAILURE
D [21/Feb/2008:11:48:43 -0600] Discarding unused printer-state-changed event...
E [21/Feb/2008:11:48:43 -0600] [Job 66] Tree connect failed (NT_STATUS_BAD_NETWORK_NAME)
E [21/Feb/2008:11:48:43 -0600] [Job 66] Unable to connect to CIFS host, will retry in 60 seconds...
<snip>
Alternative URIs tested in step 13:
a) Adding -k to specify kerberos as authentication:
Device URI: smb://servername.ad.xyz.edu/Print-144 -k
Result: same.
b) Adding -N to specify "no password" for kerberos:
Device URI: smb://servername.ad.xyz.edu/Print-144 -k -N
Result: same.
c) Putting two kerberos options together:
Device URI: smb://servername.ad.xyz.edu/Print-144 -kN
Result: same.
d) Putting whole URI in quotes in step 13:
Device URI: "smb://servername.ad.xyz.edu/Print-144 -k -N"
Result: crashes web interface; no response to http://localhost:631
Resolution: must hand-edit /etc/cups/printers.conf to remove offending URI; restart cupsd.
============================================================
SECOND VARIATION -- edit /etc/cups/printers.conf file manually to create printer...
5) Add the following to /etc/cups/printers.conf file to create printer:
<Printer Print-144>
Info Print-144
Location School
DeviceURI smb://servername.ad.xyz.edu/Print-144 -k
State Idle
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job
</Printer>
6) Error message in CUPS and error_log equivalent to when adding printer through CUPS web interface.
Alternative URIs tested in step 5 (same as above in first variation through CUPS interface)...results always the same.
CONFIGURATION FILES
============================================================
/etc/cups/cupsd.conf
============================================================
LogLevel debug
SystemGroup lpadmin
# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
DefaultAuthType Negotiate
<Location />
# Restrict access to the server...
Order allow,deny
Allow localhost
</Location>
<Location /admin>
# Restrict access to the admin pages...
Order allow,deny
Allow localhost
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
# Restrict access to the configuration files...
Order allow,deny
Allow localhost
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
============================================================
/etc/samba/smb.conf
============================================================
[global]
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *passwd:*password\supdated\ssuccessfully* .
printing = cups
printcap name = cups
socket options = TCP_NODELAY
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
public = no
writable = no
create mode = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
============================================================
/etc/krb5.conf
============================================================
[libdefaults]
default_realm = XYZ.EDU
dns_fallback = yes
ticket_lifetime = 2400
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
XYZ.EDU = {
admin_server = krb-w.tc.xyz.edu.
kdc = krb-w.tc.xyz.edu.:88
}
[domain_realm]
[login]
krb4_convert = true
krb4_get_tickets = false
============================================================
SMB.CONF TESTPARM OUTPUT
============================================================
$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
ERROR: lock directory /var/run/samba does not exist
ERROR: pid directory /var/run/samba does not exist
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *passwd:*password\supdated\ssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
printcap name = cups
dns proxy = No
panic action = /usr/share/samba/panic-action %d
invalid users = root
printing = cups
print command =
lpq command = %p
lprm command =
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
============================================================
NOTE:
samba and samba-client are NOT installed (only smbclient). I assume this is why the testparm contains the two errors. But it doesn't prevent printing from the command line (see above). Is it a problem for printing through CUPS "normally"?
Thanks again!
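
A small triage script for the error_log excerpt above, as an added example that is not part of the original post: it groups the smb backend's errors by job and reports the first stage at which the server returned an NT_STATUS error, which separates an authentication failure from a share-name failure. The function names and stage labels are assumptions chosen for illustration.

```python
import re

# The [Job 66] excerpt from the post's error_log, embedded so this runs offline.
SAMPLE_LOG = """\
E [21/Feb/2008:11:48:43 -0600] [Job 66] Session setup failed: SUCCESS - 0
D [21/Feb/2008:11:48:43 -0600] Discarding unused printer-state-changed event...
E [21/Feb/2008:11:48:43 -0600] [Job 66] Session setup failed: NT_STATUS_LOGON_FAILURE
D [21/Feb/2008:11:48:43 -0600] Discarding unused printer-state-changed event...
E [21/Feb/2008:11:48:43 -0600] [Job 66] Tree connect failed (NT_STATUS_BAD_NETWORK_NAME)
E [21/Feb/2008:11:48:43 -0600] [Job 66] Unable to connect to CIFS host, will retry in 60 seconds...
"""

# CUPS error_log line: level, [timestamp], optional [Job N], message.
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]) \[(?P<ts>[^\]]+)\] (?:\[Job (?P<job>\d+)\] )?(?P<msg>.*)$")

# Message pattern -> stage label (labels are illustrative, not CUPS terminology).
STAGES = [
    (re.compile(r"Session setup failed: (?P<status>.+)"), "session-setup"),
    (re.compile(r"Tree connect failed \((?P<status>[^)]+)\)"), "tree-connect"),
    (re.compile(r"Unable to connect to CIFS host"), "retry"),
]

def triage(log_text):
    """Return {job_id: [(stage, status), ...]} for SMB errors, in log order."""
    jobs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "E" or m.group("job") is None:
            continue  # skip debug lines and errors not tied to a job
        for pattern, stage in STAGES:
            hit = pattern.search(m.group("msg"))
            if hit:
                status = hit.groupdict().get("status")  # None for "retry"
                jobs.setdefault(int(m.group("job")), []).append((stage, status))
                break
    return jobs

def diagnose(events):
    """Report the first stage where the server returned a real NT_STATUS code."""
    for stage, status in events:
        if status and status.startswith("NT_STATUS_"):
            layer = "authentication" if stage == "session-setup" else "share lookup"
            retrying = any(s == "retry" for s, _ in events)
            return {"first_failure": stage, "status": status,
                    "layer": layer, "retrying": retrying}
    return None

if __name__ == "__main__":
    for job, events in triage(SAMPLE_LOG).items():
        print(job, diagnose(events))
```

For Job 66 the first real error is at session setup, so the credentials presented by the backend were rejected before the share name was ever evaluated in an authenticated session.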