Mike Norman's Blog

Ok, so i don’t know how indebth I’m going to go here, but I’m going to try to give you instructions on how to install cups and get it handling print spooling on your windows domain. Getting cups installed and running is the easy part. if your on Ubuntu “apt-get cups install” on fedora “yum install cups”. You’ll also need samba to share out the printer drivers (thats the more complex part, but ill get to that later) and were going to assume that this linux box is already joined to the domain and pulling ldap info for file sharing or something.

OK, so we’ve got samba and cups running on our local print spooler, heres what we need to do. go into your samba conf file (smb.conf) on my setup its in /etc/samba/smb.conf you’ll need to make sure winbind is setup properly to get info form active directory. thats a long story though, ill assume you’ve done that. so here are the modifications i made to the smb.conf

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = yes
writable = no
printable = yes

[PRINT$]
comment = Printer Drivers
path = /usr/share/cups/drivers
browseable = yes
guest ok = yes
read only = yes
write list = root @<DOMAIN-NAME>\”DOMAIN GROUP”
admin users = root @<DOMAIN-NAME>\”DOMAIN GROUP”
create mask = 0644
directory mask = 0755

This config is relatively self explanatory with a couple exceptions. the first being the path under [PRINT$]. that path needs to be created manually. its where the print drivers will be shared out of, you will also need to create a subfolder of the drivers folder called “W32X86″ and just to be safe a “WIN40″ aswell. these are needed because thats where windows looks for drivers. id create them all with a 775 an nobody nobody ownership. the second chunk that needs a little explaining is the “root @<DOMAIN-NAME>\”DOMAIN GROUP”" the <DOMAIN-NAME>\”DOMAIN GROUP” part is the fully qualified name of the group, and the @ sign perpending it lets samba know its a group. so if you just wanted to add one user you wouldn’t need the @ but it is still suggested you keep the fully qualified part.

Ok the next part is adding printers to your printers.conf (in /etc/cups/) you can be a nancy-boy and add printers though the web interface. but if your a real man you’ll do it this way (and get a full chest of hair to prove it). so vi printers.conf and add something that looks alittle like this.

<Printer Printer_Name>
Info RICOH Aficio 3228C PCL 6
Location Front Desk
DeviceURI lpd://IP_ADDRESS/RAW
State Idle
StateTime 1207173632
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
AllowUser @User_Group
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>

This is pretty much obvious asto what each of the variables does, if not use the web interface… in shame. so we’ve got our printer configured. feel free to add all the printers you want in here. those are the main config changes. ill go ahead and post my cupsd.conf config in the continued section if you need it. so restart cups and reload samba and lets get to the wonky windows part. now all of this previous shit is configs, and self explanatory. this is not at all. what we need to do to get the drivers added to the server is… go to the fully qualified domain name of the server in question. “\\printserver.mikesdomain.com” will be mine, and im going there on the account or group that was specified in my [PRINT$] admin users = section. when i navigate to that path there will be my printer listed. but thats a trap, don’t try to configure it there or windows will wigg out (if your configing for a domain) double click on “Printers and Faxes”. thats where you can change you print configs and add drivers. so in the printers section right click on your printer and left click on connect, it’ll ask you something to the effect of, there are no drivers here want to add some. this is a trap aswell. click no. this will brong up the basic printer properties screen. click the advanced tab to add drivers, click “new driver” and locate your driver. you’ll hafto have the driver, you cant just pull it out of the windows cab files. it should take about 3 min for the driver to be installed on th print server. after that id recommend sharing the printer and adding it to the directory (both on the sharing tab). after that. BAM you’ve got a printer being spooled on your linux machine thats available to all windows users in the printers directory on your DCs hope this helps someone, and if you need any more help feel free to shoot me an email or somthing. and if you need that config look at the full post

#
# “$Id: cupsd.conf.in 5454 2006-04-23 21:46:38Z mike $”
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See “man cupsd.conf” for a complete description of this
# file.
#
MaxLogSize 2000000000

# Log general information in error_log – change “info” to “debug” for
# troubleshooting…
LogLevel debug

# Administrator user group…
SystemGroup sys root

# Only listen for connections from the local machine.
Listen *:631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
# (Change ‘@LOCAL’ to ‘ALL’ if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL

# Default authentication type, when authentication is required…
DefaultAuthType Basic

# Restrict access to the server…
<Location />
Order allow,deny
Allow ALL
</Location>

# Restrict access to the admin pages…
<Location /admin>
Encryption Required
Order allow,deny
Allow ALL
</Location>

# Restrict access to configuration files…
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow ALL
</Location>

# Set the default printer/job policies…
<Policy default>
# Job-related operations must be done by the owner or an adminstrator…
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>

# All administration operations require an adminstrator to authenticate…
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>

# Only the owner or an administrator can cancel or authenticate a job…
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>

<Limit All>
Order deny,allow
</Limit>
</Policy>