Hi, I'm using Samba on Linux (Debian Sarge 3.1) to provide a virtual printer which, when used by Windows clients, will convert incoming PostScript print requests into a PDF document which is then sent via email to the originating user (using ldapsearch on Active Directory to determine the proper email address).

Since I don't administer our corporate domain, my Samba server is not really participating in the corresponding Windows Server 2003 domain. Furthermore, I don't want people who have access to my Linux box to be able to see what other people are printing. Hence, I'm trying to force all operations concerning this particular printer to use the guest user (nobody) and set up the PDF printer in a directory which is only accessible to "nobody".

Everything works fine for unknown users in the domain (map to guest = bad user) because they are already assigned to the guest account during login. However, when I try to use the virtual printer from my own XP box (which connects using a Unix login that is known to Samba), the setting "guest only = yes" seems to be ignored, Samba tries to create the spool file using the user "chris" instead of "nobody" and fails because the directory is only accessible to "nobody".

Relevant smb.conf entries:

[global]
    passdb backend = tdbsam guest
    obey pam restrictions = yes
    security = user
    encrypt passwords = yes
    guest account = nobody
    map to guest = bad user
    printing = bsd
    printcap name = /etc/printcap
    preserve case = yes

[printers]
    comment = All Printers
    browseable = yes
    path = /tmp
    printable = yes
    public = yes
    writable = no
    create mode = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = yes
    write list = root

[ps2pdf]
    comment = PS to PDF converter
    print ok = yes
    path = /home/ps2pdf/tmp
    print command = "/home/ps2pdf/bin/ps2pdf_filter %s %p %U"
    lpq command = "echo %p is ready; echo no entries"
    printer admin = root
    browsable = yes
    read only = yes
    guest ok = yes
    guest only = yes

Permissions for /home/ps2pdf:

drwx------   6 nobody nogroup 4096 Nov  2 10:16 ./
drwxrwsr-x  10 root   staff   4096 Nov 22 20:28 ../
drwx------   2 nobody nogroup 4096 Nov 24 22:10 bin/
drwx------   2 nobody nogroup 4096 Jun 11  2003 etc/
drwx------   2 nobody nogroup 4096 Oct  8  2003 log/
drwx------   2 nobody nogroup 4096 Nov 25 00:18 tmp/

Log file for the client using "chris" as user name (log level = 2):

[2005/11/25 00:05:19, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/11/25 00:05:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/11/25 00:05:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/11/25 00:05:26, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [chris] -> [chris] -> [chris] succeeded
[2005/11/25 00:06:00, 0] printing/printing.c:print_job_start(2297)
  print_job_start: insufficient permissions to open spool file /home/ps2pdf/tmp/smbprn.00000022.ppqJ80.
[2005/11/25 00:07:34, 2] smbd/server.c:exit_server(609)
  Closing connections

This is due to the fact that the XP client is using the RPC printing protocol (\spoolss pipe). Requires some rework to fix.

I'm marking this as an enhancement and will put it down for fixing when I rework the print server code after the move to IDL.
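
Added example (not part of the original report or of Samba): a small parser for the smbd log format quoted above that flags spool-file permission failures following a successful login as a non-guest Unix user, which is the symptom described in this report. The sample log is constructed from the lines in the report; the function names and the default guest account "nobody" are assumptions of this example.

```python
import re

# Constructed sample, modelled on the level-2 smbd log lines quoted in the report.
SAMPLE_LOG = """\
[2005/11/25 00:05:26, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [chris] -> [chris] -> [chris] succeeded
[2005/11/25 00:06:00, 0] printing/printing.c:print_job_start(2297)
  print_job_start: insufficient permissions to open spool file /home/ps2pdf/tmp/smbprn.00000022.ppqJ80.
[2005/11/25 00:07:34, 2] smbd/server.c:exit_server(609)
  Closing connections
"""

# Header line: "[timestamp, level] source.c:function(line)"; the message follows indented.
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+\S+?:(?P<func>\w+)\(\d+\)\s*$")
# The last bracket is the Unix account the session was mapped to.
AUTH_OK = re.compile(r"authentication for user \[[^\]]*\] -> \[[^\]]*\] -> \[(?P<unix>[^\]]*)\] succeeded")
SPOOL_DENIED = re.compile(r"insufficient permissions to open spool file (?P<path>\S+?)\.?$")

def parse_records(text):
    """Group an smbd log into (timestamp, function, message) records."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = [m["ts"], m["func"], []]
            records.append(current)
        elif current is not None and raw.strip():
            current[2].append(raw.strip())  # continuation of the current record
    return [(ts, func, " ".join(body)) for ts, func, body in records]

def spool_denials(text, guest_account="nobody"):
    """Return spool-file failures that follow a successful non-guest login."""
    findings, unix_user = [], None
    for ts, func, msg in parse_records(text):
        auth = AUTH_OK.search(msg)
        if func == "check_ntlm_password" and auth:
            unix_user = auth["unix"]  # remember who this connection runs as
        denied = SPOOL_DENIED.search(msg)
        if func == "print_job_start" and denied and unix_user not in (None, guest_account):
            findings.append({"time": ts, "user": unix_user, "spool_file": denied["path"]})
    return findings

if __name__ == "__main__":
    for finding in spool_denials(SAMPLE_LOG):
        print(finding)
```
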