samba - Nov 2001 - Problem printing from NT to printer attached to LInux box

I installed Samba 2.2.2 on my Linux box. The smb.conf file is as shown 
below. The permission on /var/spool/lpd/lp is set to 755; ie, it is 
writable only by the owner, which is lp. With the setup as is, when I
try to print from the NT machine, the smb log on the Linux box
indicates the following error: " print_job_start: insufficient
permissions to open spool file /var/spool/lpd/lp".
If I set the permission on /var/spool/lpd/lp to 777, I can
print; however, for obvious security concerns, this solution is
undesirable.

Could someone inform me as to what is the correct way to set things up
to allow printing from my NT machine without making /var/spool/lpd/lp
writable by all. My smb.conf file is shown below.

[global]
   netbios name = bert
   workgroup = WORKGROUP
   hosts allow = 10.10.10. 127.
   load printers = yes
   max log size = 50
   security = server
   password server = 10.10.10.8
   socket options = TCP_NODELAY 

[printers]
   comment = All Printers
   path = /var/spool/lpd/lp
   browseable = yes
   guest ok = yes
   writable = no
   printable = yes
   public = yes
   write list = @administrators,root   


Thanks in advance.

-Carlton

Hmmmm...
A juicy permissions problem.
Try running checkpc -f and see if that fixes up permissions for you.
Below are the permissions on lpr, I assume your print command.
It needs to be suid.
rwsr-xr-x   1 root     root       235672 Feb 17  2000 /usr/bin/lpr 
Joel
On Tue, Nov 20, 2001 at 05:50:41PM -0500, Carlton Davis
wrote:
> I installed Samba 2.2.2 on my Linux box. The smb.conf file is as shown 
> below. The permission on /var/spool/lpd/lp is set to 755; ie, it is 
> writable only by the owner, which is lp. With the setup as is, when I
> try to print from the NT machine, the smb log on the Linux box
> indicates the following error: " print_job_start: insufficient
> permissions to open spool file /var/spool/lpd/lp".
> If I set the permission on /var/spool/lpd/lp to 777, I can
> print; however, for obvious security concerns, this solution is
> undesirable.
> 
> Could someone inform me as to what is the correct way to set things up
> to allow printing from my NT machine without making /var/spool/lpd/lp
> writable by all. My smb.conf file is shown below.
> 
> [global]
>    netbios name = bert
>    workgroup = WORKGROUP
>    hosts allow = 10.10.10. 127.
>    load printers = yes
>    max log size = 50
>    security = server
>    password server = 10.10.10.8
>    socket options = TCP_NODELAY 
> 
> [printers]
>    comment = All Printers
>    path = /var/spool/lpd/lp
>    browseable = yes
>    guest ok = yes
>    writable = no
>    printable = yes
>    public = yes
>    write list = @administrators,root   
> 
> 
> Thanks in advance.
> 
> -Carlton
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

Thanks for your response Joel. The problem I am encountering though
is not related to the permision of lpr because it is already suid
as indicated below.
-r-sr-sr-x   1 root     lp          16224 Mar 11  2000 /usr/bin/lpr

Any other suggestions?

-Carlton    

On Tue, 20 Nov 2001, Joel Hammer wrote:
> Hmmmm...
> A juicy permissions problem.
> Try running checkpc -f and see if that fixes up permissions for you.
> Below are the permissions on lpr, I assume your print command.
> It needs to be suid.
> rwsr-xr-x   1 root     root       235672 Feb 17  2000 /usr/bin/lpr 
> Joel
> On Tue, Nov 20, 2001 at 05:50:41PM -0500, Carlton Davis wrote:
> > I installed Samba 2.2.2 on my Linux box. The smb.conf file is as shown
> > below. The permission on /var/spool/lpd/lp is set to 755; ie, it is 
> > writable only by the owner, which is lp. With the setup as is, when I
> > try to print from the NT machine, the smb log on the Linux box
> > indicates the following error: " print_job_start: insufficient
> > permissions to open spool file /var/spool/lpd/lp".
> > If I set the permission on /var/spool/lpd/lp to 777, I can
> > print; however, for obvious security concerns, this solution is
> > undesirable.
> > 
> > Could someone inform me as to what is the correct way to set things up
> > to allow printing from my NT machine without making /var/spool/lpd/lp
> > writable by all. My smb.conf file is shown below.
> > 
> > [global]
> >    netbios name = bert
> >    workgroup = WORKGROUP
> >    hosts allow = 10.10.10. 127.
> >    load printers = yes
> >    max log size = 50
> >    security = server
> >    password server = 10.10.10.8
> >    socket options = TCP_NODELAY 
> > 
> > [printers]
> >    comment = All Printers
> >    path = /var/spool/lpd/lp
> >    browseable = yes
> >    guest ok = yes
> >    writable = no
> >    printable = yes
> >    public = yes
> >    write list = @administrators,root   
> > 
> > 
> > Thanks in advance.
> > 
> > -Carlton
> > 
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>

Have you run checkpc -f as root?
Here is what my /var/spool/lpd/ps looks like with ls -al:

[root@cc846558-a jlh]# ls -al /var/spool/lpd/ps
total 110
drwx--S---   2 daemon   lp           2048 Nov 16 20:19 . <---/ps
drwx--S---  13 daemon   lp           1024 Nov 12 19:42 .. <--/lpd
-rw-------   1 daemon   lp             69 Feb 20  2001 control.ps
-rwx------   1 daemon   lp            416 Feb 27  2001 filter
-rw-------   1 daemon   lp          68658 Aug  6 09:07 log
-rw-------   1 daemon   lp              5 Feb 18  2001 lp0
-rw-------   1 daemon   lp              5 Feb 18  2001 lp1
-rw-------   1 daemon   lp              2 Aug 18 16:46 ps
-rw-------   1 daemon   lp              0 Dec 19  1999 status
-rw-------   1 daemon   lp           3892 Aug  6 09:08 status.ps
-rw-------   1 daemon   lp              6 Aug  6 09:07 unspooler.ps 
 
I must say, I do not understand what the "S" is saying about
permissions.
That adds group id on execution of a file (chmod 4700) but I do not know
what that means for a directory. May have to do with who can descend the
directory.
Joel

On Tue, Nov 20, 2001 at 11:37:54PM -0500, Carlton Davis
wrote:
> Thanks for your response Joel. The problem I am encountering though
> is not related to the permision of lpr because it is already suid
> as indicated below.
> -r-sr-sr-x   1 root     lp          16224 Mar 11  2000 /usr/bin/lpr
> 
> Any other suggestions?
> 
> -Carlton    
> 
> On Tue, 20 Nov 2001, Joel Hammer wrote:
> 
> > Hmmmm...
> > A juicy permissions problem.
> > Try running checkpc -f and see if that fixes up permissions for you.
> > Below are the permissions on lpr, I assume your print command.
> > It needs to be suid.
> > rwsr-xr-x   1 root     root       235672 Feb 17  2000 /usr/bin/lpr 
> > Joel
> 
> 
> > On Tue, Nov 20, 2001 at 05:50:41PM -0500, Carlton Davis wrote:
> > > I installed Samba 2.2.2 on my Linux box. The smb.conf file is as
shown
> > > below. The permission on /var/spool/lpd/lp is set to 755; ie, it
is
> > > writable only by the owner, which is lp. With the setup as is,
when I
> > > try to print from the NT machine, the smb log on the Linux box
> > > indicates the following error: " print_job_start:
insufficient
> > > permissions to open spool file /var/spool/lpd/lp".
> > > If I set the permission on /var/spool/lpd/lp to 777, I can
> > > print; however, for obvious security concerns, this solution is
> > > undesirable.
> > > 
> > > Could someone inform me as to what is the correct way to set
things up
> > > to allow printing from my NT machine without making
/var/spool/lpd/lp
> > > writable by all. My smb.conf file is shown below.
> > > 
> > > [global]
> > >    netbios name = bert
> > >    workgroup = WORKGROUP
> > >    hosts allow = 10.10.10. 127.
> > >    load printers = yes
> > >    max log size = 50
> > >    security = server
> > >    password server = 10.10.10.8
> > >    socket options = TCP_NODELAY 
> > > 
> > > [printers]
> > >    comment = All Printers
> > >    path = /var/spool/lpd/lp
> > >    browseable = yes
> > >    guest ok = yes
> > >    writable = no
> > >    printable = yes
> > >    public = yes
> > >    write list = @administrators,root   
> > > 
> > > 
> > > Thanks in advance.
> > > 
> > > -Carlton
> > > 
> > > 
> > > 
> > > -- 
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >

You need 2 spool directories: one for samba, on for your lpd: Samba 
recives the print-file, stores it in it's own printer spool directory 
and then issues the unix print command to print the file. In most 
cases the file is copied to the lpd spool directory by lpd and if the 
unix print command is successfull, the file is removed form the samba 
spool directory by samba. Once lpd has printed the file, it clears 
it's spool dirctory.

Note:
This is the principle. Depending on its options, lpd may symlink the 
file to its spool directory, lpd may delete the file in the samba 
spool directory, ... lock at the options of your lpr command.

Remark:
"file" above is NOT my_word_documet.doc, but a file containing the 
data to be printed, which is postscript if you use a postscript 
printer.

see below


> I installed Samba 2.2.2 on my Linux box. The smb.conf file is as shown 
> below. The permission on /var/spool/lpd/lp is set to 755; ie, it is 
> writable only by the owner, which is lp. With the setup as is, when I
> try to print from the NT machine, the smb log on the Linux box
> indicates the following error: " print_job_start: insufficient
> permissions to open spool file /var/spool/lpd/lp".
> If I set the permission on /var/spool/lpd/lp to 777, I can
> print; however, for obvious security concerns, this solution is
> undesirable.
> 
> Could someone inform me as to what is the correct way to set things up
> to allow printing from my NT machine without making /var/spool/lpd/lp
> writable by all. My smb.conf file is shown below.
> 
> [global]
>    netbios name = bert
>    workgroup = WORKGROUP
>    hosts allow = 10.10.10. 127.
>    load printers = yes
>    max log size = 50
>    security = server
>    password server = 10.10.10.8
>    socket options = TCP_NODELAY 
> 
> [printers]
>    comment = All Printers
>    path = /var/spool/lpd/lp
According to the things said above this is worng. set:
     path = /var/spool/samba
and set up /var/spool/samba with the permissions "drwxrwxrwt", change 
the perimisions of /var/spool/lpd/lp back to it's original, restart 
samba, try again


Christian

>    browseable = yes
>    guest ok = yes
>    writable = no
>    printable = yes
>    public = yes
>    write list = @administrators,root   
> 
> 
> Thanks in advance.
> 
> -Carlton
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 

               _(_)_                          wWWWw   _
   @@@@       (_)@(_)   vVVVv     _     @@@@  (___) _(_)_
  @@()@@ wWWWw  (_)\    (___)   _(_)_  @@()@@   Y  (_)@(_)
   @@@@  (___)     `|/    Y    (_)@(_)  @@@@   \|/   (_)\
    /      Y       \|    \|/    /(_)    \|      |/      |
 \ |     \ |/       | / \ | /  \|/       |/    \|      \|/
jgs|//   \\|///  \\\|//\\\|/// \|///  \\\|//  \\|//  \\\|// 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^