Wilkins, Vern
2004-Sep-30 21:16 UTC
[Samba] samba printing and disk quotas in Active Directory domain
I've recently made a great deal of progress getting ready to roll out Linux workstations in our Windows Active Directory environment. There are a couple of very significant problems I'm stuck with though, one of which is definitely Samba related, and the other which is borderline Samba related.

Problem 1 - Printing from Linux to Windows print servers

I have read all the documentation I could find on this subject and it appears that CUPS and Samba work fairly well together for this purpose. The problem is that our AD domain is well over 40000 users. The only way I see to print to a Windows print server is by embedding the username/password combo in a CUPS URI, something like smb://user:password@servername/printersharename. That doesn't work well on a workstation where users are going to be logging in with their Active Directory accounts, via Winbind. It appears to me that even though I am using Kerberos, there's no way to seamlessly pass the credentials used to log in to the print server. Is this a limitation of CUPS or is it a Samba limitation?

I thought of writing a script and having a shortcut to it on the desktop to set up printing. The script would prompt users again for credentials to set up a printer, and then set up the printer using lpadmin with the URI format above. Since CUPS and/or Samba handles the username:password combo in the URI in clear text, that's not really a good option though. It states in the Samba documentation that although the URI is sanitized in certain instances, such as logging, the username and password are in clear text in some places, such as the process list.

I feel like I must be missing something. It seems odd that if Samba already has Kerberos and AD integration, not being able to seamlessly pass those credentials to Windows machines in the domain for printing would be a very significant limitation. Has anyone come up with a better way to deal with printing in such an environment?

Also, I don't have any other options for printing because our university utilizes a printing quota system that must receive the Active Directory credentials (i.e. I can't bypass authentication or use a guest account).

Problem 2 - Using quotas for Active Directory accounts

I'm using Winbind so that users can log in to our Linux workstations with their Active Directory accounts. This works fine but it seems there is no good way to use quotas, partly because of the huge number of users in our environment. This seems to be primarily a quota utilities problem since the utilities don't to my knowledge provide the functionality that I would find most useful. Being able to set a quota for example on all users with a UID greater than X for example, or having a group quota apply to individuals in that group rather than the group as a whole. For example, being able to set a soft limit of 1000000K for the group Users and having that be the quota for each individual in the group, rather than the quota for all individuals in that group combined.

I realize this is certainly a limitation of the quota utilities rather than Samba, but in my opinion it severely limits the use of Winbind in a large enterprise environment. Any suggestions for getting around this issue? Basically I just need a way to set a quota for all 40,000+ users whose accounts exist in Active Directory, not on the Linux workstations.

Thanks,
Vern
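
Added example, not part of the original post: a small audit that finds CUPS queues whose DeviceURI carries an embedded password in the smb://user:password@servername/printersharename form described above, and reports them with the password redacted. The sample text is constructed; it assumes the standard printers.conf layout (normally /etc/cups/printers.conf), and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample in the layout of CUPS's printers.conf (not from the post).
SAMPLE_PRINTERS_CONF = """\
<Printer lab-laser>
DeviceURI smb://jdoe:Example-Pass1@printsrv01/lab-laser
State Idle
</Printer>
<Printer hall-color>
DeviceURI smb://printsrv01/hall-color
</Printer>
<DefaultPrinter office>
DeviceURI smb://CAMPUS%5Casmith:s3cret@printsrv02/office
</DefaultPrinter>
"""

def redact(uri):
    """Return (has_password, uri with the password replaced by ***)."""
    parts = urlsplit(uri)
    if parts.password is None:
        return False, uri
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return True, parts._replace(netloc=f"{user}:***@{hostport}").geturl()

def find_embedded_credentials(conf_text):
    """List (queue name, redacted URI) for every queue storing a password."""
    findings = []
    printer = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            printer = None  # end of a <Printer>/<DefaultPrinter> section
        elif line.startswith("<") and line.endswith(">"):
            # "<Printer name>" or "<DefaultPrinter name>"
            printer = line[1:-1].split(None, 1)[-1]
        elif line.startswith("DeviceURI "):
            has_pw, safe = redact(line.split(None, 1)[1])
            if has_pw:
                findings.append((printer, safe))
    return findings

if __name__ == "__main__":
    for name, uri in find_embedded_credentials(SAMPLE_PRINTERS_CONF):
        print(f"{name}: {uri}")
```
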