Gerald (Jerry)Carter Samba Team
jerry@samba.org
(3 May 2001)
Printing Support in Samba 2.2.x Introduction Beginning with the 2.2.0 release, Samba supports the native Windows NT printing mechanisms implemented via MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of Samba only supported LanMan printing calls. The additional functionality provided by the new SPOOLSS support includes: Support for downloading printer driver files to Windows 95/98/NT/2000 clients upon demand. Uploading of printer drivers via the Windows NT Add Printer Wizard (APW) or the Imprints tool set (refer to http://imprints.sourceforge.net). Support for the native MS-RPC printing calls such as StartDocPrinter, EnumJobs(), etc... (See the MSDN documentation at http://msdn.microsoft.com/ for more information on the Win32 printing API) Support for NT Access Control Lists (ACL) on printer objects Improved support for printer queue manipulation through the use of an internal databases for spooled job information There has been some initial confusion about what all this means and whether or not it is a requirement for printer drivers to be installed on a Samba host in order to support printing from Windows clients. A bug existed in Samba 2.2.0 which made Windows NT/2000 clients require that the Samba server possess a valid driver for the printer. This is fixed in Samba 2.2.1 and once again, Windows NT/2000 clients can use the local APW for installing drivers to be used with a Samba served printer. This is the same behavior exhibited by Windows 9x clients. As a side note, Samba does not use these drivers in any way to process spooled files. They are utilized entirely by the clients. The following MS KB article, may be of some help if you are dealing with Windows 2000 clients: How to Add Printers with No User Interaction in Windows 2000 http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP Configuration [print$] vs. [printer$] Previous versions of Samba recommended using a share named [printer$]. This name was taken from the printer$ service created by Windows 9x clients when a printer was shared. Windows 9x printer servers always have a printer$ service which provides read-only access via no password in order to support printer driver downloads. However, the initial implementation allowed for a parameter named printer driver location to be used on a per share basis to specify the location of the driver files associated with that printer. Another parameter named printer driver provided a means of defining the printer driver name to be sent to the client. These parameters, including printer driver file parameter, are being deprecated and should not be used in new installations. For more information on this change, you should refer to the Migration section of this document. Creating [print$] In order to support the uploading of printer driver files, you must first configure a file share named [print$]. The name of this share is hard coded in Samba's internals so the name is very important (print$ is the service used by Windows NT print servers to provide support for printer driver download). You should modify the server's smb.conf file to add the global parameters and to create the following file share (of course, some of the parameter values, such as 'path' are arbitrary and should be replaced with appropriate values for your site): [global] ; members of the ntadmin group should be able ; to add drivers and set printer properties ; root is implicitly a 'printer admin' printer admin = @ntadmin [print$] path = /usr/local/samba/printers guest ok = yes browseable = yes read only = yes ; since this share is configured as read only, then we need ; a 'write list'. Check the file system permissions to make ; sure this account can copy files to the share. If this ; is setup to a non-root account, then it should also exist ; as a 'printer admin' write list = @ntadmin,root The write list is used to allow administrative level user accounts to have write access in order to update files on the share. See the smb.conf(5) man page for more information on configuring file shares. The requirement for guest ok = yes depends upon how your site is configured. If users will be guaranteed to have an account on the Samba host, then this is a non-issue. Author's Note The non-issue is that if all your Windows NT users are guaranteed to be authenticated by the Samba server (such as a domain member server and the NT user has already been validated by the Domain Controller in order to logon to the Windows NT console), then guest access is not necessary. Of course, in a workgroup environment where you just want to be able to print without worrying about silly accounts and security, then configure the share for guest access. You'll probably want to add map to guest = Bad User in the [global] section as well. Make sure you understand what this parameter does before using it though. --jerry In order for a Windows NT print server to support the downloading of driver files by multiple client architectures, it must create subdirectories within the [print$] service which correspond to each of the supported client architectures. Samba follows this model as well. Next create the directory tree below the [print$] share for each architecture you wish to support. [print$]----- |-W32X86 ; "Windows NT x86" |-WIN40 ; "Windows 95/98" |-W32ALPHA ; "Windows NT Alpha_AXP" |-W32MIPS ; "Windows NT R4000" |-W32PPC ; "Windows NT PowerPC" ATTENTION! REQUIRED PERMISSIONS In order to currently add a new driver to you Samba host, one of two conditions must hold true: The account used to connect to the Samba host must have a uid of 0 (i.e. a root account) The account used to connect to the Samba host must be a member of the printer admin list. Of course, the connected account must still possess access to add files to the subdirectories beneath [print$]. Remember that all file shares are set to 'read only' by default. Once you have created the required [print$] service and associated subdirectories, simply log onto the Samba server using a root (or printer admin) account from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or "My Network Places" and browse for the Samba host. Once you have located the server, navigate to the "Printers..." folder. You should see an initial listing of printers that matches the printer shares defined on your Samba host. Setting Drivers for Existing Printers The initial listing of printers in the Samba host's Printers folder will have no real printer driver assigned to them. By default, in Samba 2.2.0 this driver name was set to NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER. Later versions changed this to a NULL string to allow the use tof the local Add Printer Wizard on NT/2000 clients. Attempting to view the printer properties for a printer which has this default driver assigned will result in the error message: Device settings cannot be displayed. The driver for the specified printer is not installed, only spooler properties will be displayed. Do you want to install the driver now? Click "No" in the error dialog and you will be presented with the printer properties window. The way to assign a driver to a printer is to either Use the "New Driver..." button to install a new printer driver, or Select a driver from the popup list of installed drivers. Initially this list will be empty. If you wish to install printer drivers for client operating systems other than "Windows NT x86", you will need to use the "Sharing" tab of the printer properties dialog. Assuming you have connected with a root account, you will also be able modify other printer properties such as ACLs and device settings using this dialog box. A few closing comments for this section, it is possible on a Windows NT print server to have printers listed in the Printers folder which are not shared. Samba does not make this distinction. By definition, the only printers of which Samba is aware are those which are specified as shares in smb.conf. Another interesting side note is that Windows NT clients do not use the SMB printer share, but rather can print directly to any printer on another Windows NT host using MS-RPC. This of course assumes that the printing client has the necessary privileges on the remote host serving the printer. The default permissions assigned by Windows NT to a printer gives the "Print" permissions to the "Everyone" well-known group. Support a large number of printers One issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for 100's of printers. Using the Windows NT APW is somewhat awkward to say the list. If more than one printer are using the same driver, the rpcclient's setdriver command can be used to set the driver associated with an installed driver. The following is example of how this could be accomplished: $ rpcclient pogo -U root%secret -c "enumdrivers" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] [Windows NT x86] Printer Driver Info 1: Driver Name: [HP LaserJet 4000 Series PS] Printer Driver Info 1: Driver Name: [HP LaserJet 2100 Series PS] Printer Driver Info 1: Driver Name: [HP LaserJet 4Si/4SiMX PS] $ rpcclient pogo -U root%secret -c "enumprinters" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] flags:[0x800000] name:[\\POGO\hp-print] description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,] comment:[] $ rpcclient pogo -U root%secret \ > -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] Successfully set hp-print to driver HP LaserJet 4000 Series PS. Adding New Printers via the Windows NT APW By default, Samba offers all printer shares defined in smb.conf in the "Printers..." folder. Also existing in this folder is the Windows NT Add Printer Wizard icon. The APW will be show only if The connected user is able to successfully execute an OpenPrinterEx(\\server) with administrative privileges (i.e. root or printer admin). show add printer wizard = yes (the default). In order to be able to use the APW to successfully add a printer to a Samba server, the add printer command must have a defined value. The program hook must successfully add the printer to the system (i.e. /etc/printcap or appropriate files) and smb.conf if necessary. When using the APW from a client, if the named printer share does not exist, smbd will execute the add printer command and reparse to the smb.conf to attempt to locate the new printer share. If the share is still not defined, an error of "Access Denied" is returned to the client. Note that the add printer program is executed under the context of the connected user, not necessarily a root account. There is a complementary delete printer command for removing entries from the "Printers..." folder. The following is an example add printer command script. It adds the appropriate entries to /etc/printcap.local (change that to what you need) and returns a line of 'Done' which is needed for the whole process to work. #!/bin/sh # Script to insert a new printer entry into printcap.local # # $1, printer name, used as the descriptive name # $2, share name, used as the printer name for Linux # $3, port name # $4, driver name # $5, location, used for the device file of the printer # $6, win9x location # # Make sure we use the location that RedHat uses for local printer defs PRINTCAP=/etc/printcap.local DATE=`date +%Y%m%d-%H%M%S` LP=lp RESTART="service lpd restart" # Keep a copy cp $PRINTCAP $PRINTCAP.$DATE # Add the printer to $PRINTCAP echo "" >> $PRINTCAP echo "$2|$1:\\" >> $PRINTCAP echo " :sd=/var/spool/lpd/$2:\\" >> $PRINTCAP echo " :mx=0:ml=0:sh:\\" >> $PRINTCAP echo " :lp=/usr/local/samba/var/print/$5.prn:" >> $PRINTCAP touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 mkdir /var/spool/lpd/$2 chmod 700 /var/spool/lpd/$2 chown $LP /var/spool/lpd/$2 #echo $1 >> "/usr/local/samba/var/print/$5.prn" #echo $2 >> "/usr/local/samba/var/print/$5.prn" #echo $3 >> "/usr/local/samba/var/print/$5.prn" #echo $4 >> "/usr/local/samba/var/print/$5.prn" #echo $5 >> "/usr/local/samba/var/print/$5.prn" #echo $6 >> "/usr/local/samba/var/print/$5.prn" $RESTART >> "/usr/local/samba/var/print/$5.prn" # Not sure if this is needed touch /usr/local/samba/lib/smb.conf # # You need to return a value, but I am not sure what it means. # echo "Done" exit 0 Samba and Printer Ports Windows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the concept of ports associated with a printer. By default, only one printer port, named "Samba Printer Port", exists on a system. Samba does not really a port in order to print, rather it is a requirement of Windows clients. Note that Samba does not support the concept of "Printer Pooling" internally either. This is when a logical printer is assigned to multiple ports as a form of load balancing or fail over. If you require that multiple ports be defined for some reason, smb.conf possesses a enumports command which can be used to define an external program that generates a listing of ports on a system. The Imprints Toolset The Imprints tool set provides a UNIX equivalent of the Windows NT Add Printer Wizard. For complete information, please refer to the Imprints web site at http://imprints.sourceforge.net/ as well as the documentation included with the imprints source distribution. This section will only provide a brief introduction to the features of Imprints. What is Imprints? Imprints is a collection of tools for supporting the goals of Providing a central repository information regarding Windows NT and 95/98 printer driver packages Providing the tools necessary for creating the Imprints printer driver packages. Providing an installation client which will obtain and install printer drivers on remote Samba and Windows NT 4 print servers. Creating Printer Driver Packages The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt also included with the Samba distribution for more information). In short, an Imprints driver package is a gzipped tarball containing the driver files, related INF files, and a control file needed by the installation client. The Imprints server The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer entry in the database has an associated URL for the actual downloading of the package. Each package is digitally signed via GnuPG which can be used to verify that package downloaded is actually the one referred in the Imprints database. It is not recommended that this security check be disabled. The Installation Client More information regarding the Imprints installation client is available in the Imprints-Client-HOWTO.ps file included with the imprints source package. The Imprints installation client comes in two forms. a set of command line Perl scripts a GTK+ based graphical interface to the command line perl scripts The installation client (in both forms) provides a means of querying the Imprints database server for a matching list of known printer model names as well as a means to download and install the drivers on remote Samba and Windows NT print servers. The basic installation process is in four steps and perl code is wrapped around smbclient and rpcclient. foreach (supported architecture for a given driver) { 1. rpcclient: Get the appropriate upload directory on the remote server 2. smbclient: Upload the driver files 3. rpcclient: Issues an AddPrinterDriver() MS-RPC } 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually create the printer One of the problems encountered when implementing the Imprints tool set was the name space issues between various supported client architectures. For example, Windows NT includes a driver named "Apple LaserWriter II NTX v51.8" and Windows 95 calls its version of this driver "Apple LaserWriter II NTX" The problem is how to know what client drivers have been uploaded for a printer. As astute reader will remember that the Windows NT Printer Properties dialog only includes space for one printer driver name. A quick look in the Windows NT 4.0 system registry at HKLM\System\CurrentControlSet\Control\Print\Environment will reveal that Windows NT always uses the NT driver name. This is ok as Windows NT always requires that at least the Windows NT version of the printer driver is present. However, Samba does not have the requirement internally. Therefore, how can you use the NT driver name if is has not already been installed? The way of sidestepping this limitation is to require that all Imprints printer driver packages include both the Intel Windows NT and 95/98 printer drivers and that NT driver is installed first. <anchor id="MIGRATION">Migration to from Samba 2.0.x to 2.2.x Given that printer driver management has changed (we hope improved) in 2.2 over prior releases, migration from an existing setup to 2.2 can follow several paths. Here are the possible scenarios for migration: If you do not desire the new Windows NT print driver support, nothing needs to be done. All existing parameters work the same. If you want to take advantage of NT printer driver support but do not want to migrate the 9x drivers to the new setup, the leave the existing printers.def file. When smbd attempts to locate a 9x driver for the printer in the TDB and fails it will drop down to using the printers.def (and all associated parameters). The make_printerdef tool will also remain for backwards compatibility but will be removed in the next major release. If you install a Windows 9x driver for a printer on your Samba host (in the printing TDB), this information will take precedence and the three old printing parameters will be ignored (including print driver location). If you want to migrate an existing printers.def file into the new setup, the current only solution is to use the Windows NT APW to install the NT drivers and the 9x drivers. This can be scripted using smbclient and rpcclient. See the Imprints installation client at http://imprints.sourceforge.net/ for an example. Achtung! The following smb.conf parameters are considered to be deprecated and will be removed soon. Do not use them in new installations printer driver file (G) printer driver (S) printer driver location (S) The have been two new parameters add in Samba 2.2.2 to for better support of Samba 2.0.x backwards capability (disable spoolss) and for using local printers drivers on Windows NT/2000 clients (use client driver). Both of these options are described in the smb.coinf(5) man page and are disabled by default.