WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: How to get Samba to Store Windows Credentials  (Read 10544 times)

Offline wirelessben

  • Newbie
  • *
  • Posts: 15
How to get Samba to Store Windows Credentials
« on: February 16, 2012, 11:43:11 AM »
How can I get Samba to store credentials for printing to Windows printer shares?

I can connect to the Windows printer share with
Code: [Select]
smbclient //server/printer -U username -W mydomainBut I can't use CUPS to print. I've used these formats:
smb://username:password@domain/server/share
smb://domain/server/share
smb://server/share

CUPS adds the printer with the PPD, no problem, but seems to strip out the username and password.

/usr/local/etc/samba/private/secrets.tdb seems to be where these credentials should be stored.

The error I get is "Session setup failed: NT_STATUS_LOGON_FAILURE"

Here's my sanitized smb.conf:
Code: [Select]
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
   workgroup = mydomain

# server string is the equivalent of the NT Description field
   server string = Samba Server

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
   security = user

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1. 192.168.2. 127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# you may wish to override the location of the printcap file
;   printcap name = /etc/printcap

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
;   printing = cups

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /usr/local/samba/var/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
;   password server = <NT-Server-Name>

# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
;   realm = MY_REALM

# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
   passdb backend = tdbsam

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
#       this line.  The included file is read at that point.
;   include = /usr/local/samba/lib/smb.conf.%m

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
   dns proxy = no

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
;  add user script = /usr/sbin/useradd %u
;  add group script = /usr/sbin/groupadd %g
;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;  delete user script = /usr/sbin/userdel %u
;  delete user from group script = /usr/sbin/deluser %u %g
;  delete group script = /usr/sbin/groupdel %g


#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /usr/local/samba/lib/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
;    path = /usr/local/samba/profiles
;    browseable = no
;    guest ok = yes


# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11727
Re: How to get Samba to Store Windows Credentials
« Reply #1 on: February 16, 2012, 11:56:13 AM »
Hi wirelessben
Try clicking on the Search button that is to the right of the Help button. Set  By User  to  juanito  and enter
samba print  in the search field. I remember juanito recently wrote about setting up print sharing.

Offline wirelessben

  • Newbie
  • *
  • Posts: 15
Re: How to get Samba to Store Windows Credentials
« Reply #2 on: February 16, 2012, 05:38:38 PM »
Hi Rich,

I read that thread. It focuses on using Samba as a print server for a bunch of Windows clients.

I have the opposite situation: a bunch of tinycore kiosks needing to print to Windows print servers. Jpeters said as much:

Code: [Select]
If the printer is connected to the windows machine (windows server), I just needed to start cups for it to work, so none of this was necessary (I don't even have a samba spooler, or need to start samba (smbd, nmbd).  Surprisingly, I didn't need to edit smb.conf even for installing the cups printer....just copied smb.conf.default so something was there.   
I tried Jpeters cups-only approach, but did not get the Samba option for Windows printers in the cups gui, so I had to install Samba.

My Ubuntu box prints perfectly to the same printer. Here's the testparm output of smb.conf:

Code: [Select]
me@Ubuntubox:~$ testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

What am I missing?
 

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11727
Re: How to get Samba to Store Windows Credentials
« Reply #3 on: February 16, 2012, 09:26:06 PM »
Hi wirelessben
Maybe you need  cups-smb.tcz?
« Last Edit: February 16, 2012, 09:27:56 PM by Rich »

Offline wirelessben

  • Newbie
  • *
  • Posts: 15
Re: How to get Samba to Store Windows Credentials
« Reply #4 on: February 17, 2012, 11:01:51 AM »
Rich,

cups-smb.tcz depends on cups1311.tcz, which no longer exists. Installing cups-smb.tcz over cups.tcz doesn't work -- the Samba option is not present in the cups gui and the error log shows:

Code: [Select]
E [17/Feb/2012:11:20:26 +0000] [CGI] smbclient not found!
E [17/Feb/2012:11:20:26 +0000] [CGI] rpcclient not found!

Either cups1311.tcz should be restored or cups.tcz should be fixed to easily see smb printer shares.

netnomad's comment from http://forum.tinycorelinux.net/index.php/topic,11613.0.html seems to have been prescient:

Code: [Select]
please don't miss cups1311.tcz
cups.tcz is an alternative, please don't see it as an upgrade of cups1311.tcz.
it's a good infrastructure to connect printers especially in heterogenic networks.


I understand the reason for removing cups1311.tcz. The dev was gone, and cups1311 was causing confusion, me included. I would rather fix cups.tcz to properly store Windows credentials, or fix cups-smb to do so.

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14860
Re: How to get Samba to Store Windows Credentials
« Reply #5 on: February 17, 2012, 11:23:33 AM »
the broken backends/smb symlink was fixed in the cups extension a week or so ago - do you have the lastest version of the cups extension?

Note: I see "Windows Printer via SAMBA" in the cups browser interface (with samba3 installed)
« Last Edit: February 17, 2012, 11:32:22 AM by Juanito »

Offline wirelessben

  • Newbie
  • *
  • Posts: 15
Re: How to get Samba to Store Windows Credentials
« Reply #6 on: February 21, 2012, 05:39:54 PM »
I do have the latest version of cups -->  No samba option in cups.
Code: [Select]
Note: I see "Windows Printer via SAMBA" in the cups browser interface (with samba3 installed)With Samba I have the samba option but get "Session setup failed: NT_STATUS_LOGON_FAILURE" when I try to print a test page.

If I have to have a whole samba server installed and running just to print to a Windows printer share, fine. What are the magic words?

For comparison, Ubuntu is able to store credentials and print to Windows print shares without having smbd and nmbd running. It seems to do this through winbindd, which is not ideal according to capscrew's comments in this insightful external thread: http://ubuntuforums.org/showthread.php?t=1496488. Basically you need NetBios or winbind to resolve Windows hosts and shares, but winbind makes web browsing slow, so that leaves NetBios.

The basic problem here is that both cups and samba really, really want to be servers, but I really really just want a kiosk that can print in a heavy Windows server environment. TC could really shine for me if it could just print.

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14860
Re: How to get Samba to Store Windows Credentials
« Reply #7 on: February 22, 2012, 08:53:32 AM »
The basic problem here is that both cups and samba really, really want to be servers, but I really really just want a kiosk that can print in a heavy Windows server environment. TC could really shine for me if it could just print.

I too would really like to be able to do without cups/samba...

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: How to get Samba to Store Windows Credentials
« Reply #8 on: February 22, 2012, 11:10:39 AM »
Why not use a network printer?

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11727
Re: How to get Samba to Store Windows Credentials
« Reply #9 on: February 22, 2012, 12:42:49 PM »
Hi wirelessben
I notice that cups includes something called   /usr/local/bin/lppasswd , maybe related?
While the following article rants a lot about the CUPS user interface, there may be a couple of
relevant items about 3/4s of the way down:
http://www.catb.org/~esr/writings/cups-horror.html

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11727
Re: How to get Samba to Store Windows Credentials
« Reply #10 on: February 22, 2012, 02:26:45 PM »
Hi wirelessben
For what it's worth, I came across this variation:
smb://workgroup/username:password@server/share