[TriLUG] HOWTO: Create PDFs using Samba but not CUPS

Matt McGrievy mcgrievy at email.unc.edu
Tue Feb 28 09:20:40 EST 2006 

Hi David,

Following up on Rick's post, seeing "security=share" in your smb.conf 
reminded me of this little passage in the samba docs about username 
confusion with share-level security:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2527269
In share-level security, the client authenticates itself separately for 
each share. It sends a password along with each tree connection request 
(share mount), but it does not explicitly send a username with this 
operation. The client expects a password to be associated with each 
share, independent of the user. This means that Samba has to work out 
what username the client probably wants to use, the SMB server is not 
explicitly sent the username. Some commercial SMB servers such as NT 
actually associate passwords directly with shares in share-level 
security, but Samba always uses the UNIX authentication scheme where it 
is a username/password pair that is authenticated, not a share/password 
pair.

So I guess that means that Samba CAN figure out the username, but maybe 
that's biting you in some way.  I don't know how it works if you're 
going through an AD (maybe Windows passes the right username or maybe it 
authenticates as a guest?).  That could explain why you're getting the 
"nobody" username on the print jobs.  It's possible that you'll have to 
use user or domain security.  The rest of the page above may be able to 
shed some light.

-Matt

Rick DeNatale wrote:
> On 2/27/06, David McDowell <turnpike420 at gmail.com> wrote:
>> woah, I changed %U to %u and now I get:  nobody-Feb27-164318.pdf for
>> my filename.  I don't know if that is considered progress or not!  :p
> 
> %u is the username of the current service according to man smb.conf in
> your case the print service is running as user nobody.
> 
>  %U  is the session username (the username that the client wanted, not
>  necessarily the same as the one they got).
> 
> %U is silently ignored for guest users, i.e. those who don't
> authenticate on connect.
> 
> I think that you have to set up proper mapping of windows accounts to
> nix accounts to let the print server differentiate between users.  How
> you do that, AD, LDAP, whatever is a variable.  I've never set that up
> myself. Hopefully someone with more samba chops, or the samba
> documentation will reveal the secrets.
> 
> --
> Rick DeNatale
> 
> Visit the Project Mercury Wiki Site
> http://www.mercuryspacecraft.com/

More information about the TriLUG mailing list