Windows – Using cups to print to windows domain with password in a separate file

cifscupsprintingsambawindows

Every guide I've seen so far that explains how to print to a Windows print server from CUPS, indicates to put the username and password, in plain text, in the Device URI either in the web interface (localhost:631) or in the /etc/cups/printers.conf

smb://user:password@hostname/printer

The trouble is my password contains spaces and special characters. When I attempt this, I still get NT authentication failures when printing test pages. I can connect via smbclient:

smbclient -L //ourprintserver01 -Uourdomain\\myusername

I've tried to create a /etc/samba/printing.auth file with the correct username, password and domain in it, as I've seen in some tutorials, but this still doesn't allow cups to properly authenticate. Is there a way to tell CUPS to use this file, or keep the password, username and domain in some other file cups can use?

Best Answer

If you create the printer, either through the web ui or via lpadmin with a URL with the special characters % encoded like this:

lpadmin -p fake -v smb://bob:pass%20word@rice/BLAH -P /tmp/foo.ppd

then the password will be stored in the /etc/cups/printers.conf file (which is readable only by root) and will not be displayed in the web UI.

Be careful though as if you accidentally enter a malformed URL then the cups web-ui won't be able to figure out which bit is the password and it will be displayed.

1.

So your first problem seems to be this:

Currently not working:

Cannot add the Windows printer driver to CUPS using the "printmanagement.msc" MMC (I get a "access denied" error). So Samba's Point'n'Print will not work.

Note, that the Windows clients do not retrieve their printer drivers from CUPS, and CUPS itself cannot communicate with the Windows clients directly.

Only Samba can do that, so Windows clients will retrieve their printer drivers from Samba. Samba poses as a Windows print server for the clients, and Samba will also provide a special share (listed [print$] in smb.conf) for clients to auto-install the drivers from. (You should try to use the UNC path of \\myserver\print$ or \\myworkstation\print$ in Windows explorer and see the drivers from any host which shares a printer.)

Windows users need a special privilege in to administer printers and configuring/uploading drivers. This privilege was named SePrintOperatorPrivilege by Microsoft.

Samba implements the SMB set of Windows networking protocols and procedures so Windows clients can use its services.

Hence, only users which have this privilege granted can upload and preconfigure printer drivers to a Samba server, just like it would be the case for a Windows print server.

Typically, you would want to grant the privilege to the Domain Admins group, plus, maybe another Domain Group you may have called Our Printer Admins. I now assume your domain name is MYDOMAIN.

To grant the named user groups that right, execute the following commands:

  net rpc rights grant "MYDOMAIN\Domain Admins" \
     SePrintOperatorPrivilege -U "MYDOMAIN\administrator"

  net rpc rights grant "MYDOMAIN\Our Printer Admins" \
     SePrintOperatorPrivilege -U "MYDOMAIN\administrator"

  net rpc rights grant "MYDOMAIN\User54321" \
     SePrintOperatorPrivilege -U "MYDOMAIN\administrator"

In each case you'll be prompted to supply the domain admin password:

  Enter MYDOMAIN\administrator's password:

If you know this password and everything works, you'll see this confirmation:

  Successfully granted rights.

Of course, you could grant this privilege to one or more individual domain users (example above: MYDOMAIN\User54321) too. But this is not recommended. Better grant the privilege to a group instead of individual accounts. This enables you to add and revoke the privilege by updating the group membership.

To list all users and groups having the SePrintOperatorPrivilege privilege granted, enter:

  net rpc rights list privileges SePrintOperatorPrivilege\
     -U "MYDOMAIN\administrator"

You should see the following output:

  SePrintOperatorPrivilege:
     BUILTIN\Administrators
     MYDOMAIN\Domain Admins
     MYDOMAIN\Our Printer Admins
     MYDOMAIN\User54321

You've now created the pre-condition that users listed above can upload and install printer drivers to your Samba server.

(Update: Just had a closer look at the smb.conf you quoted above... Replace MYDOMAIN\ with MYWORKGRP\ for the commands I gave, or skip it altogether and just use a user name or a group name known to Samba. You could possibly also temporarily try guest ok = yes inside the [print$] stanza. Don't forget to set it back to no once your drivers are in place...)

2.

Your second problem seems to be:

It seems CUPS default options interfere with the workstation's ones: I set duplex printing off by default on CUPS but want it to work if the user tick the checkbox on it's printing settings.

Where should I go to make CUPS use user's settings?

CUPS by default does not "filter" print jobs it gets handed over by Samba. It processes them as "raw" jobs and just passes them to the real print hardware device.

So if the driver is correctly installed on the Windows print clients, whatever job options they click, should be honored by the printer, regardless of default settings which may be configured into CUPS for CUPS-local printing...

You cannot "make" CUPS use user's settings -- CUPS will just pass them through.

Best Answer

Related Solutions

Windows – Store Windows print driver on Samba for a CUPS print server

1.

2.

Related Question