CUPS Access Security with AD
Kurt Pfeifle
kurt.pfeifle at infotec.com
Mon Jun 30 01:53:00 PDT 2008
> We have already 'joined' our server to the domain (net ads join) and
> use kerberos to pass-thru AD authentication requests.
>
> What other configuration will I require in my cups.conf or do I need
> to configure PAM/LDAP as well ??
You didn't mention which version of Samba/Winbind you're using... You may need to configure PAM for using Samba's winbindd to handle authentication requests for Windows domain users and groups (should your cupsd.conf reference user or groupnames anywhere in its settings).
Depending on the version, and on your smb.conf settings, a
wbinfo -u
command will return the domain user list with either the "DOMAINNAME\" prefixed (like "infotec\kpfeifle") or just the username. So in your cupsd.conf and printer operation policy settings, you need to use the same naming conventions. Make sure you either double the "\" as "\\" in the usernames used or wrap them into quotes:
infotec\\kpfeifle
"infotec\kpfeifle"
If you do not want the domain prefix, you can change the smb.conf setting to
printjob username = %U
(instead of
printjob username = %D\%U
which uses that prefix.)
More information about the cups
mailing list