Discussion:
[Samba] Howto modify samba printer ACLs without Windows?
Christoph Peus
2007-11-19 21:28:27 UTC
Hi all,

I would like to limit access to our samba shared printers to certain
user groups by commandline without using Windows. Is this possible?
Thanks!

Christoph
Jim McDonough
2007-11-19 22:09:45 UTC
Post by Christoph Peus
I would like to limit access to our samba shared printers to certain
user groups by commandline without using Windows. Is this possible?
see smbcacls

http://us1.samba.org/samba/docs/man/manpages-3/smbcacls.1.html
--
Jim McDonough
Samba Team
jmcd at samba dot org
Christoph Peus
2007-11-19 22:38:40 UTC
Post by Jim McDonough
Post by Christoph Peus
I would like to limit access to our samba shared printers to certain
user groups by commandline without using Windows. Is this possible?
see smbcacls
http://us1.samba.org/samba/docs/man/manpages-3/smbcacls.1.html
Thanks, but the manpage says:

"The smbcacls program manipulates NT Access Control Lists (ACLs) on SMB
file shares."

Is there a trick to make this work for printer shares?

Christoph
Guido Lorenzutti
2007-11-20 04:42:48 UTC
Post by Christoph Peus
Post by Jim McDonough
Post by Christoph Peus
I would like to limit access to our samba shared printers to certain
user groups by commandline without using Windows. Is this possible?
see smbcacls
http://us1.samba.org/samba/docs/man/manpages-3/smbcacls.1.html
"The smbcacls program manipulates NT Access Control Lists (ACLs) on
SMB file shares."
Is there a trick to make this work for printer shares?
Christoph
Yes, you have to create a share per printer... sadly... I have the same
problem.
I have 400 printers and I need to do the same thing you are trying to do
with no luck.

Tell me if you find a solution to this.
Necos Secon
2007-11-22 14:32:12 UTC
Have either of you tried setting the permissions on \\server\Printer? Since this is the way that I see WinXP try to do when I access a printer.
Guido Lorenzutti
2007-11-22 14:51:58 UTC
Post by Necos Secon
Have either of you tried setting the permissions on \\server\Printer?
Since this is the way that I see WinXP try to do when I access a printer.
Yes! I found this! It's great.
Now I'm working on a script to parse the printers.conf from CUPS and
make the shares in Samba. You need a share per printer to assign
privileges like you suggest.

Tnxs.
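The share-per-printer approach described in the message above, as an added example that is not code from any poster in this thread: it reads a CUPS printers.conf and emits one smb.conf printer section per queue, limited with `valid users` to a Unix group named after the printer (the naming convention from the setacl example elsewhere in the thread). The function names, the spool path and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
SPOOL_DIR="${SPOOL_DIR:-/var/spool/samba}"  # assumed spool directory

# Constructed sample of a CUPS printers.conf (not taken from the thread).
sample_printers_conf() {
    cat <<'EOF'
<Printer laser1>
Info Second floor laser
DeviceURI socket://192.0.2.10:9100
</Printer>
<DefaultPrinter plotter-a0>
DeviceURI ipp://192.0.2.11/ipp/print
</DefaultPrinter>
<Printer homes>
DeviceURI socket://192.0.2.12:9100
</Printer>
EOF
}

# Read printers.conf on stdin, write one smb.conf section per queue on stdout.
gen_printer_shares() {
    awk -v spool="$SPOOL_DIR" '
        # Queue definitions open with <Printer NAME> or <DefaultPrinter NAME>.
        /^<(Default)?Printer [^>]+>/ {
            name = $2
            sub(/>$/, "", name)
            # Refuse names that could inject smb.conf syntax or that
            # collide with Samba special sections.
            if (name !~ /^[A-Za-z0-9_.-]+$/ ||
                tolower(name) ~ /^(global|homes|printers)$/) {
                print "skipped queue: " name > "/dev/stderr"
                next
            }
            printf "[%s]\n", name
            printf "   printable = yes\n"
            printf "   printer name = %s\n", name
            printf "   path = %s\n", spool
            printf "   valid users = @%s\n\n", name
        }'
}

# Demo run on the constructed sample; real use would be
#   gen_printer_shares < /etc/cups/printers.conf
sample_printers_conf | gen_printer_shares
```

Review the generated sections before appending them to smb.conf, and run `testparm` afterwards to confirm the file still parses.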
Necos Secon
2007-11-22 14:55:27 UTC
You don't have to write a script, as the wonderful CUPS team already did. It's called cupsaddsmb. Refer to its manpage for instructions.
Guido Lorenzutti
2007-11-22 15:00:27 UTC
This would be great, but the cupsaddsmb doesn't make the share in
samba... I will read again the manpage, but as far as I know..
Post by Necos Secon
You don't have to write a script, as the wonderful CUPS team already
did. It's called cupsaddsmb. Refer to its manpage for instructions.
Necos Secon
2007-11-22 15:04:37 UTC
"This would be great, but the cupsaddsmb doesn't make the share in samba... I will read again the manpage, but as far as I know.."

Well, it does create a share, sort of... It adds an entry in the printing database for the printer, allowing it to be accessible from the [printers] share. So, in essence, you could use a script to loop over the output of this command:

smbclient -L //server | grep -i 'printer'

and then use smbcacls to do the actual work. It's 1am where I live, so I'm not really good with the code right now.
Guido Lorenzutti
2007-11-22 15:19:46 UTC
Post by Necos Secon
"This would be great, but the cupsaddsmb doesn't make the share in
samba... I will read again the manpage, but as far as I know.."
Well, it does create a share, sort of... It adds an entry in the
printing database for the printer, allowing it to be accessible from
the [printers] share. So, in essence, you could use a script to loop
over the output of this command:
smbclient -L //server | grep -i 'printer'
and then use smbcacls to do the actual work. It's 1am where I live, so
I'm not really good with the code right now.
I will try this and post the results...

Tnxs.

Christoph Peus
2007-11-22 14:55:35 UTC
Post by Necos Secon
Have either of you tried setting the permissions on \\server\Printer? Since this is the way that I see WinXP try to do when I access a printer.
???
This is what I'm trying all the time. ;-)
But how to do this without Windows based tools?
(Defining a share for every single printer in smb.conf is not an option...)
Thanks.

Christoph

PS: How to do this with Windows:

setacl -on \\printserver\$printer -ot prn -actn ace -ace
"n:$printer;p:print" -ace "n:printserver\administrators;p:full" -actn
clear -clr dacl

This sets the print permission for the group that is named like the
printer and full permissions for the print spoolers local administrators
(after existing ACEs have been cleared) using "setacl" (setacl.sf.net).
Necos Secon
2007-11-22 14:59:59 UTC
Someone mentioned the use of the smbcacls program, which is what I was referring to. So, if you use smbcacls on \\server\share or //server/share (I forget which format it uses), it should work.
Guido Lorenzutti
2007-11-22 15:04:33 UTC
I just read the "not much helpful" manpage of cupsaddsmb, and nothing
about creating the shares on samba.
If I try to set permissions without the share, samba complains about the
fact that there is no share.... You must have the share and I can't find
the way to create the share via cupsaddsmb.

PS: Not to say that I never found a working "add printer command" in
smb.conf. Having this would be a miracle. I would create the share in
that script!
Post by Necos Secon
Someone mentioned the use of the smbcacls program, which is what I was referring to. So, if you use smbcacls on \\server\share or //server/share (I forget which format it uses), it should work.