7.8. Printers and Security
The idea of controlling access to printers is a recent addition to the Unix world. In order to provide a consistent and Windows-compatible view of security, Samba internally performs access checks to validate actions such as printing a document, removing a job, or changing a printer attribute. There are two levels of authorization controls related to printer operations, both of which mirror security checks done on file shares. However, a user possessing the SePrintOperatorPrivilege is granted access regardless of the access control settings.
The first access check done when connecting to a printer, assuming that the client has authorization to access the Samba server at all, is against the Windows NT security descriptor assigned to that printer. This is the same security model used by Windows print servers. Figure 7-8 shows the default security descriptor assigned to a printer on a standalone Samba server. The default access control entries created on a domain member server or domain controller will be slightly different in order to grant members of the Domain Admins group full control over printer attributes.
Figure 7-8. The Security tab in the printer properties dialog box of a Samba print share
The second layer of authorization controls is the standard set of smb.conf parameters, such as valid users and hosts allow. Note, however, that certain options such as force group are not currently enforced when printing from a Windows NT client variant, due to the way printer operations are carried out. For many sites, restricting access to printers via smb.conf settings is much easier. However, other sites require pure Windows semantics and choose to rely on the printer ACLs stored in ntprinters.tdb.
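The following smb.conf fragment is an added illustration of this second layer, not a configuration from the original text. The share names, the spool path, the user alice, the group finance, and the 192.168.10. network are all hypothetical.

```ini
# Constructed example: every name and address below is hypothetical.

# No second-layer restriction. smb.conf adds nothing beyond the
# printer's security descriptor, so any user who can reach the
# server and passes the descriptor check may print.
[lobby-laser]
    path = /var/spool/samba
    printable = yes

# Restricted by account and by client address. A request must pass
# these checks as well as the printer's security descriptor.
[finance-laser]
    path = /var/spool/samba
    printable = yes
    # Only members of the Unix group "finance" and the user "alice".
    valid users = @finance, alice
    # Only clients on this subnet, plus the server itself.
    hosts allow = 192.168.10. 127.0.0.1
    # force group is deliberately not used here: as noted above, it is
    # not enforced when printing from Windows NT client variants, so
    # it should not be relied on as an access control for printers.
```

Running testparm after editing smb.conf reports syntax errors and unknown parameters before the change takes effect.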
One final comment about Samba and print authorization: Samba currently provides no built-in means of performing page accounting for printers. This has traditionally been considered a job for the underlying printing system.