Bug 3283 - "guest only = yes" seems to be ignored for printers
"guest only = yes" seems to be ignored for printers
Status: RESOLVED LATER
Product: Samba 3.0
Classification: Unclassified
Component: Printing
3.0.14a
x86 Linux
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-11-24 16:56 UTC by Christian Mueller
Modified: 2006-03-16 07:28 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Mueller 2005-11-24 16:56:55 UTC
Hi,

I'm using Samba on Linux (Debian Sarge 3.1) to provide a virtual printer which, when used by Windows clients, will convert incoming Postscript print requests into a PDF document which is then sent via email to the originating user (using ldapsearch on Active Directory to determine the proper email address).

Since I don't administer our corporate domain, my Samba server is not really participating in the corresponding Windows Server 2003 domain. Furthermore, I don't want people who have access to my Linux box to be able to see what other people are printing.

Hence, I'm trying to force all operations concerning this particular printer to use the guest user (nobody) and set up PDF printer in a directory which is only accessible to "nobody".

Everything works fine for unknown users in the domain (map to guest = bad user) because they are already assigned to the guest account during login. However, when I try to use the virtual printer from my own XP box (which connects using a Unix login that is known to Samba), the setting "guest only = yes" seems to be ignored, Samba tries to create the spool file using the user "chris" instead of "nobody" and fails because the directory is only accessible to "nobody".

Relevant smb.conf entries:

[global]
  passdb backend = tdbsam guest
  obey pam restrictions = yes

  security = user
  encrypt passwords = yes
  guest account = nobody
  map to guest = bad user

  printing = bsd
  printcap name = /etc/printcap

  preserve case = yes

[printers]
  comment = All Printers
  browseable = yes
  path = /tmp
  printable = yes
  public = yes
  writable = no
  create mode = 0700

[print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  browseable = yes
  read only = yes
  guest ok = yes
  write list = root

[ps2pdf]
  comment = PS to PDF converter
  print ok = yes
  path = /home/ps2pdf/tmp
  print command = "/home/ps2pdf/bin/ps2pdf_filter %s %p %U"
  lpq command = "echo %p is ready; echo no entries"
  printer admin = root
  browsable = yes
  read only = yes
  guest ok = yes
  guest only = yes


Permissions for /home/ps2pdf:

drwx------   6 nobody nogroup  4096 Nov  2 10:16 ./
drwxrwsr-x  10 root   staff    4096 Nov 22 20:28 ../
drwx------   2 nobody nogroup  4096 Nov 24 22:10 bin/
drwx------   2 nobody nogroup  4096 Jun 11  2003 etc/
drwx------   2 nobody nogroup  4096 Oct  8  2003 log/
drwx------   2 nobody nogroup  4096 Nov 25 00:18 tmp/


Log file for the client using "chris" as user name (log level = 2):

[2005/11/25 00:05:19, 2] smbd/server.c:exit_server(609)
  Closing connections

[2005/11/25 00:05:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/11/25 00:05:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/11/25 00:05:26, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [chris] -> [chris] -> [chris] succeeded
[2005/11/25 00:06:00, 0] printing/printing.c:print_job_start(2297)
  print_job_start: insufficient permissions to open spool file /home/ps2pdf/tmp/smbprn.00000022.ppqJ80.

[2005/11/25 00:07:34, 2] smbd/server.c:exit_server(609)
  Closing connections
Comment 1 Gerald (Jerry) Carter 2005-12-15 08:31:16 UTC
This is due to the fact that thw XP client is using the 
RPC printing protocol (\spoolss pipe).  Requires some rework
to fix.
Comment 2 Gerald (Jerry) Carter 2006-03-16 07:28:26 UTC
I'm marking this as an enhancement and will put it down 
for a fixing when I rework the print server code after 
the move it IDL.