Hi,

We've been stuck with this problem for a while now and we believe I tried enough potential solutions to justify my posting here. We're using samba 3.0.14a in Sarge in order to allow printing from Windows workstations (the authentication works with AD+Kerberos+Winbind) to a set of shared printers. Printing works perfectly but we would like to allow users to have control over the jobs (most importantly remove jobs) they submit and them only. Unfortunately this does not seem to work with any of the configurations we've tried. When a job is cancelled, it is replaced in the Windows queue by a job called "remote downlevel document".

Here are the relevant sections of our smb.conf file (without any of the hacks we attempted):

[printers]
   comment = All Printers
   path = /var/spool/lpd
   printable = yes
   printing = lprng
   load printers = yes
   printcap name = /etc/printcap
   guest ok = no
   print command = /usr/bin/lpr -P%p -r %s
   lpq command = /usr/bin/lpq -P%p
   lprm command = /usr/bin/lprm -P%p %j
   lppause command = /usr/sbin/lpc hold %p %j
   lpresume command = /usr/sbin/lpc release %p %j
   queuepause command = /usr/sbin/lpc stop %p
   queueresume command = /usr/sbin/lpc start %p

One of the things we've tried to do was to replace the lprng commands called by samba with setuid programs which call the same commands but specify the user using the -U option. This works for lpr as desired but for some unknown reason it seems that the program that should be called instead of lprm is only called at times when a user tries to remove a "remote downlevel document". (When called on a "normal" job, it gets turned into a remote downlevel, but the program is NOT called.)

Here is the same file as above, configured for the above method (we're using the default lpd.perms):

[printers]
   comment = All Printers
   path = /var/spool/lpd
   printable = yes
   printing = lprng
   load printers = yes
   printcap name = /etc/printcap
   guest ok = no
   print command = /usr/bin/setlpr "%U@%M" "%p" "%s"
   lpq command = /usr/bin/lpq -P%p
   lprm command = /usr/bin/setlprm "%U@%M" "%p" "%j"
   ...

and the programs look like this (they are setuid):

   setuid(0)
   system("lprm -U%s -P%s %s", arg1, arg2, arg3);

Also, we tried to modify the source, but we were surprised by the fact that samba is doing so much permission checking; isn't that the role of lprng?

Any kind of help would be greatly appreciated, thanks in advance.

Arthur

NOTE: Our users are of the form "CAMPUS\username". I don't know if the backslash can cause a problem, but without using the -U option, the owner appears as "CAMPUS\username" in lpq but just "username" in the Windows queue, and then "CAMPUS\username" in the Windows queue when it is a remote downlevel document. When using our programs with the -U option it's just "username" everywhere.
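
A setuid-root wrapper that assembles a shell command line from Samba's %U, %M, %p and %j substitutions hands strings derived from the client session to /bin/sh as root. The following is an added example (not code from the original posts or from Samba/LPRng) of the setlprm wrapper using execve with an argument vector and validated inputs; the character sets, length limits, numeric job id and the names is_safe and build_lprm_cmd are assumptions.

```c
/* Added example: hardened form of the setlprm wrapper sketched above.
 * Character sets, length limits and function names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* user_opt holds "-U<user>", printer_opt holds "-P<printer>". */
struct lprm_cmd { char user_opt[160], printer_opt[80]; const char *argv[5]; };

/* Allow [A-Za-z0-9._-] plus `extra`; reject empty, over-long or "-..." values. */
static int is_safe(const char *s, const char *extra, size_t max)
{
    size_t n = strlen(s);
    if (n == 0 || n > max || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && !strchr("._-", c) && !strchr(extra, c))
            return 0;
    }
    return 1;
}

/* Fill c->argv for lprm; return -1 if any value fails validation. */
int build_lprm_cmd(struct lprm_cmd *c, const char *user,
                   const char *printer, const char *job)
{
    /* '@' and '\' are needed for "CAMPUS\user@host"; job must be numeric. */
    if (!is_safe(user, "@\\", 128) || !is_safe(printer, "", 64) ||
        !*job || strlen(job) > 9 || strspn(job, "0123456789") != strlen(job))
        return -1;
    snprintf(c->user_opt, sizeof c->user_opt, "-U%s", user);
    snprintf(c->printer_opt, sizeof c->printer_opt, "-P%s", printer);
    c->argv[0] = "lprm"; c->argv[1] = c->user_opt;
    c->argv[2] = c->printer_opt; c->argv[3] = job; c->argv[4] = NULL;
    return 0;
}

int main(int argc, char **argv)
{
    struct lprm_cmd c;
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed environment */
    if (argc != 4 || build_lprm_cmd(&c, argv[1], argv[2], argv[3]) != 0) {
        fprintf(stderr, "setlprm: rejected arguments\n"); return 2;
    }
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execve("/usr/bin/lprm", (char *const *)c.argv, envp);  /* no shell involved */
    perror("execve");
    return 1;
}
```
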
I use:

   printing = lprng
   print command = /opt/LPRng/bin/lpr -P%p -U%U -J'%J' -r %s
   lpq command = /opt/LPRng/bin/lpq -P%p
   lprm command = /opt/LPRng/bin/lprm -P%p -U%U %j
   lppause command = /opt/LPRng/sbin/lpc -U%U hold %p %j
   lpresume command = /opt/LPRng/sbin/lpc -U%U release %p %j
   queuepause command = /opt/LPRng/sbin/lpc -U%U -P%p stop
   queueresume command = /opt/LPRng/sbin/lpc -U%U -P%p start

Arthur Guez wrote:
> Hi,
>
> We've been stuck with this problem for a while now and we believe I
> tried enough potential solutions to justify my posting here. We're
> using samba 3.0.14a in Sarge in order to allow printing from
> Windows workstations (the authentication works with
> AD+Kerberos+Winbind) to a set of shared printers. Printing works
> perfectly but we would like to allow users to have control over the
> jobs (most importantly remove jobs) they submit and them only.
> Unfortunately this does not seem to work with any of the
> configurations we've tried. When a job is cancelled, it is replaced
> in the Windows queue by a job called "remote downlevel document".
>
> Here are the relevant sections of our smb.conf file (without any
> of the hacks we attempted):
>
> [printers]
>    comment = All Printers
>    path = /var/spool/lpd
>    printable = yes
>    printing = lprng
>    load printers = yes
>    printcap name = /etc/printcap
>    guest ok = no
>    print command = /usr/bin/lpr -P%p -r %s
>    lpq command = /usr/bin/lpq -P%p
>    lprm command = /usr/bin/lprm -P%p %j
>    lppause command = /usr/sbin/lpc hold %p %j
>    lpresume command = /usr/sbin/lpc release %p %j
>    queuepause command = /usr/sbin/lpc stop %p
>    queueresume command = /usr/sbin/lpc start %p
>
> One of the things we've tried to do was to replace the lprng
> commands called by samba with setuid programs which call the same
> commands but specify the user using the -U option. This works for
> lpr as desired but for some unknown reason it seems that the
> program that should be called instead of lprm is only called at
> times when a user tries to remove a "remote downlevel document".
> (When called on a "normal" job, it gets turned into a remote
> downlevel, but the program is NOT called.)
>
> Here is the same file as above, configured for the above method
> (we're using the default lpd.perms):
>
> [printers]
>    comment = All Printers
>    path = /var/spool/lpd
>    printable = yes
>    printing = lprng
>    load printers = yes
>    printcap name = /etc/printcap
>    guest ok = no
>    print command = /usr/bin/setlpr "%U@%M" "%p" "%s"
>    lpq command = /usr/bin/lpq -P%p
>    lprm command = /usr/bin/setlprm "%U@%M" "%p" "%j"
>    ...
>
> and the programs look like this (they are setuid):
>
>    setuid(0)
>    system("lprm -U%s -P%s %s", arg1, arg2, arg3);
>
> Also, we tried to modify the source, but we were surprised by the
> fact that samba is doing so much permission checking; isn't that
> the role of lprng?
>
> Any kind of help would be greatly appreciated, thanks in advance.
>
> Arthur
>
> NOTE: Our users are of the form "CAMPUS\username". I don't know if
> the backslash can cause a problem, but without using the -U option,
> the owner appears as "CAMPUS\username" in lpq but just "username"
> in the Windows queue, and then "CAMPUS\username" in the Windows
> queue when it is a remote downlevel document. When using our
> programs with the -U option it's just "username" everywhere.

-- 
Ryan Novosielski - User Support Spec. III
novosirj@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630