* merges from SAMBA_2_2
[Samba.git] / docs / docbook / projdoc / printer_driver2.sgml
blob84a24bcdefcd8779b17e8f65170f0e230656712d
1 <chapter id="printing">
4 <chapterinfo>
5 <author>
6 <firstname>Gerald (Jerry)</firstname><surname>Carter</surname>
7 <affiliation>
8 <orgname>Samba Team</orgname>
9 <address>
10 <email>jerry@samba.org</email>
11 </address>
12 </affiliation>
13 </author>
16 <pubdate> (3 May 2001) </pubdate>
17 </chapterinfo>
19 <title>Printing Support in Samba 2.2.x</title>
21 <sect1>
22 <title>Introduction</title>
24 <para>Beginning with the 2.2.0 release, Samba supports
25 the native Windows NT printing mechanisms implemented via
26 MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of
27 Samba only supported LanMan printing calls.</para>
29 <para>The additional functionality provided by the new
30 SPOOLSS support includes:</para>
32 <itemizedlist>
33 <listitem><para>Support for downloading printer driver
34 files to Windows 95/98/NT/2000 clients upon demand.
35 </para></listitem>
37 <listitem><para>Uploading of printer drivers via the
38 Windows NT Add Printer Wizard (APW) or the
39 Imprints tool set (refer to <ulink
40 url="http://imprints.sourceforge.net">http://imprints.sourceforge.net</ulink>).
41 </para></listitem>
43 <listitem><para>Support for the native MS-RPC printing
44 calls such as StartDocPrinter, EnumJobs(), etc... (See
45 the MSDN documentation at <ulink
46 url="http://msdn.microsoft.com/">http://msdn.microsoft.com/</ulink>
47 for more information on the Win32 printing API)
48 </para></listitem>
50 <listitem><para>Support for NT Access Control Lists (ACL)
51 on printer objects</para></listitem>
53 <listitem><para>Improved support for printer queue manipulation
54 through the use of internal databases for spooled job
55 information</para></listitem>
56 </itemizedlist>
58 <para>
59 There has been some initial confusion about what all this means
60 and whether or not it is a requirement for printer drivers to be
61 installed on a Samba host in order to support printing from Windows
62 clients. A bug existed in Samba 2.2.0 which made Windows NT/2000 clients
63 require that the Samba server possess a valid driver for the printer.
64 This is fixed in Samba 2.2.1 and once again, Windows NT/2000 clients
65 can use the local APW for installing drivers to be used with a Samba
66 served printer. This is the same behavior exhibited by Windows 9x clients.
67 As a side note, Samba does not use these drivers in any way to process
68 spooled files. They are utilized entirely by the clients.
69 </para>
71 <para>
72 The following MS KB article may be of some help if you are dealing with
73 Windows 2000 clients: <emphasis>How to Add Printers with No User
74 Interaction in Windows 2000</emphasis>
75 </para>
77 <para>
78 <ulink url="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP">http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP</ulink>
79 </para>
81 </sect1>
84 <sect1>
85 <title>Configuration</title>
87 <warning>
88 <title>[print$] vs. [printer$]</title>
90 <para>
91 Previous versions of Samba recommended using a share named [printer$].
92 This name was taken from the printer$ service created by Windows 9x
93 clients when a printer was shared. Windows 9x printer servers always have
94 a printer$ service which provides read-only access via no
95 password in order to support printer driver downloads.
96 </para>
98 <para>
99 However, the initial implementation allowed for a
100 parameter named <parameter>printer driver location</parameter>
101 to be used on a per share basis to specify the location of
102 the driver files associated with that printer. Another
103 parameter named <parameter>printer driver</parameter> provided
104 a means of defining the printer driver name to be sent to
105 the client.
106 </para>
108 <para>
109 These parameters, including the <parameter>printer driver
110 file</parameter> parameter, are being deprecated and should not
111 be used in new installations. For more information on this change,
112 you should refer to the <link linkend="MIGRATION">Migration section</link>
113 of this document.
114 </para>
115 </warning>
117 <sect2>
118 <title>Creating [print$]</title>
120 <para>
121 In order to support the uploading of printer driver
122 files, you must first configure a file share named [print$].
123 The name of this share is hard coded in Samba's internals so
124 the name is very important (print$ is the service used by
125 Windows NT print servers to provide support for printer driver
126 download).
127 </para>
129 <para>You should modify the server's smb.conf file to add the global
130 parameters and to create the
131 following file share (of course, some of the parameter values,
132 such as 'path' are arbitrary and should be replaced with
133 appropriate values for your site):</para>
135 <para><programlisting>
136 [global]
137 ; members of the ntadmin group should be able
138 ; to add drivers and set printer properties
139 ; root is implicitly a 'printer admin'
140 printer admin = @ntadmin
142 [print$]
143 path = /usr/local/samba/printers
144 guest ok = yes
145 browseable = yes
146 read only = yes
147 ; since this share is configured as read only, then we need
148 ; a 'write list'. Check the file system permissions to make
149 ; sure this account can copy files to the share. If this
150 ; is setup to a non-root account, then it should also exist
151 ; as a 'printer admin'
152 write list = @ntadmin,root
153 </programlisting></para>
155 <para>The <ulink url="smb.conf.5.html#WRITELIST"><parameter>
156 write list</parameter></ulink> is used to allow administrative
157 level user accounts to have write access in order to update files
158 on the share. See the <ulink url="smb.conf.5.html">smb.conf(5)
159 man page</ulink> for more information on configuring file shares.</para>
161 <para>The requirement for <ulink url="smb.conf.5.html#GUESTOK"><command>guest
162 ok = yes</command></ulink> depends upon how your
163 site is configured. If users will be guaranteed to have
164 an account on the Samba host, then this is a non-issue.</para>
166 <note>
167 <title>Author's Note</title>
169 <para>
170 The non-issue is that if all your Windows NT users are guaranteed to be
171 authenticated by the Samba server (such as a domain member server and the NT
172 user has already been validated by the Domain Controller in
173 order to logon to the Windows NT console), then guest access
174 is not necessary. Of course, in a workgroup environment where
175 you just want to be able to print without worrying about
176 silly accounts and security, then configure the share for
177 guest access. You'll probably want to add <ulink
178 url="smb.conf.5.html#MAPTOGUEST"><command>map to guest = Bad User
179 </command></ulink> in the [global] section as well. Make sure
180 you understand what this parameter does before using it
181 though. --jerry
182 </para>
183 </note>
185 <para>In order for a Windows NT print server to support
186 the downloading of driver files by multiple client architectures,
187 it must create subdirectories within the [print$] service
188 which correspond to each of the supported client architectures.
189 Samba follows this model as well.</para>
191 <para>Next create the directory tree below the [print$] share
192 for each architecture you wish to support.</para>
194 <para><programlisting>
195 [print$]-----
196 |-W32X86 ; "Windows NT x86"
197 |-WIN40 ; "Windows 95/98"
198 |-W32ALPHA ; "Windows NT Alpha_AXP"
199 |-W32MIPS ; "Windows NT R4000"
200 |-W32PPC ; "Windows NT PowerPC"
201 </programlisting></para>
203 <warning>
204 <title>ATTENTION! REQUIRED PERMISSIONS</title>
206 <para>
207 In order to currently add a new driver to your Samba host,
208 one of two conditions must hold true:
209 </para>
211 <itemizedlist>
212 <listitem><para>The account used to connect to the Samba host
213 must have a uid of 0 (i.e. a root account)</para></listitem>
215 <listitem><para>The account used to connect to the Samba host
216 must be a member of the <ulink
217 url="smb.conf.5.html#PRINTERADMIN"><parameter>printer
218 admin</parameter></ulink> list.</para></listitem>
219 </itemizedlist>
221 <para>
222 Of course, the connected account must still possess access
223 to add files to the subdirectories beneath [print$]. Remember
224 that all file shares are set to 'read only' by default.
225 </para>
226 </warning>
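<para>The directory tree and the permission requirements above can be scripted and checked. The following is an added example, not part of the original Samba documentation: it creates the architecture subdirectories listed above and audits the tree, since clients download and run whatever driver files sit under [print$]. The function names and the optional group argument are assumptions.</para>

```shell
#!/bin/sh
# Added example (not from the Samba docs). Function names are hypothetical.
# Architecture subdirectories listed in this chapter.
PRINT_ARCHS="W32X86 WIN40 W32ALPHA W32MIPS W32PPC"

# make_print_tree ROOT [GROUP]
# Create ROOT and one subdirectory per architecture. Everything is readable
# by all (clients, possibly guests, download drivers). With GROUP given,
# e.g. the group named in 'printer admin' / 'write list', the architecture
# directories become group-writable and setgid so uploads keep that group.
make_print_tree() {
    mkdir -p "$1" && chmod 755 "$1" || return 1
    for arch in $PRINT_ARCHS; do
        mkdir -p "$1/$arch" || return 1
        if [ -n "${2-}" ]; then
            chgrp "$2" "$1/$arch" && chmod 2775 "$1/$arch" || return 1
        else
            chmod 755 "$1/$arch" || return 1
        fi
    done
}

# audit_print_tree ROOT
# Report missing architecture directories, anything writable by 'other'
# (any local account could replace a driver that clients will run), and
# anything 'other' cannot read (guest downloads would fail).
# Returns non-zero if a problem was found.
audit_print_tree() {
    audit_status=0
    for arch in $PRINT_ARCHS; do
        [ -d "$1/$arch" ] || { echo "missing: $1/$arch"; audit_status=1; }
    done
    audit_hits=$(find "$1" ! -type l -perm -0002 -print)
    if [ -n "$audit_hits" ]; then
        echo "world-writable:"; echo "$audit_hits"; audit_status=1
    fi
    audit_hits=$(find "$1" ! -type l ! -perm -0004 -print)
    if [ -n "$audit_hits" ]; then
        echo "not world-readable:"; echo "$audit_hits"; audit_status=1
    fi
    return "$audit_status"
}

# Stand-alone use: sh print_tree.sh /usr/local/samba/printers [ntadmin]
if [ "$#" -ge 1 ]; then
    make_print_tree "$@" && audit_print_tree "$1"
fi
```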
229 <para>
230 Once you have created the required [print$] service and
231 associated subdirectories, simply log onto the Samba server using
232 a root (or <parameter>printer admin</parameter>) account
233 from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or
234 "My Network Places" and browse for the Samba host. Once you have located
235 the server, navigate to the "Printers..." folder.
236 You should see an initial listing of printers
237 that matches the printer shares defined on your Samba host.
238 </para>
239 </sect2>
241 <sect2>
242 <title>Setting Drivers for Existing Printers</title>
244 <para>The initial listing of printers in the Samba host's
245 Printers folder will have no real printer driver assigned
246 to them. By default, in Samba 2.2.0 this driver name was set to
247 <emphasis>NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER</emphasis>.
248 Later versions changed this to a NULL string to allow the use
249 of the local Add Printer Wizard on NT/2000 clients.
250 Attempting to view the printer properties for a printer
251 which has this default driver assigned will result in
252 the error message:</para>
254 <para>
255 <emphasis>Device settings cannot be displayed. The driver
256 for the specified printer is not installed, only spooler
257 properties will be displayed. Do you want to install the
258 driver now?</emphasis>
259 </para>
261 <para>
262 Click "No" in the error dialog and you will be presented with
263 the printer properties window. The way to assign a driver to a
264 printer is to either
265 </para>
267 <itemizedlist>
268 <listitem><para>Use the "New Driver..." button to install
269 a new printer driver, or</para></listitem>
271 <listitem><para>Select a driver from the popup list of
272 installed drivers. Initially this list will be empty.</para>
273 </listitem>
274 </itemizedlist>
276 <para>If you wish to install printer drivers for client
277 operating systems other than "Windows NT x86", you will need
278 to use the "Sharing" tab of the printer properties dialog.</para>
280 <para>Assuming you have connected with a root account, you
281 will also be able to modify other printer properties such as
282 ACLs and device settings using this dialog box.</para>
284 <para>A few closing comments for this section: it is possible
285 on a Windows NT print server to have printers
286 listed in the Printers folder which are not shared. Samba does
287 not make this distinction. By definition, the only printers of
288 which Samba is aware are those which are specified as shares in
289 <filename>smb.conf</filename>.</para>
291 <para>Another interesting side note is that Windows NT clients do
292 not use the SMB printer share, but rather can print directly
293 to any printer on another Windows NT host using MS-RPC. This
294 of course assumes that the printing client has the necessary
295 privileges on the remote host serving the printer. The default
296 permissions assigned by Windows NT to a printer give the "Print"
297 permission to the "Everyone" well-known group.
298 </para>
300 </sect2>
303 <sect2>
304 <title>Support a large number of printers</title>
306 <para>One issue that has arisen during the development
307 phase of Samba 2.2 is the need to support driver downloads for
308 100's of printers. Using the Windows NT APW is somewhat
309 awkward to say the least. If more than one printer is using the
310 same driver, the <ulink url="rpcclient.1.html"><command>rpcclient's
311 setdriver command</command></ulink> can be used to set the driver
312 associated with an installed printer. The following is an example
313 of how this could be accomplished:</para>
315 <para><programlisting>
316 <prompt>$ </prompt>rpcclient pogo -U root%secret -c "enumdrivers"
317 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
319 [Windows NT x86]
320 Printer Driver Info 1:
321 Driver Name: [HP LaserJet 4000 Series PS]
323 Printer Driver Info 1:
324 Driver Name: [HP LaserJet 2100 Series PS]
326 Printer Driver Info 1:
327 Driver Name: [HP LaserJet 4Si/4SiMX PS]
329 <prompt>$ </prompt>rpcclient pogo -U root%secret -c "enumprinters"
330 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
331 flags:[0x800000]
332 name:[\\POGO\hp-print]
333 description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
334 comment:[]
336 <prompt>$ </prompt>rpcclient pogo -U root%secret \
337 <prompt>&gt; </prompt> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
338 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
339 Successfully set hp-print to driver HP LaserJet 4000 Series PS.
340 </programlisting></para>
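<para>The same approach extends to every printer on the server. The following is an added example, not part of the original Samba documentation or the rpcclient source: it parses the <command>enumprinters</command> output format shown above and prints one <command>setdriver</command> invocation per printer for review. The function names, the sample input and the authentication file path <filename>/root/.rpcauth</filename> are assumptions; -A is the authentication file option documented in rpcclient(1).</para>

```shell
#!/bin/sh
# Added example (not from the Samba docs). Function names are hypothetical.

# Constructed sample: the enumprinters output shown above plus one invented
# entry whose name must be rejected.
sample_enumprinters() {
    cat <<'EOF'
Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
flags:[0x800000]
name:[\\POGO\hp-print]
description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
comment:[]
flags:[0x800000]
name:[\\POGO\lab;print]
description:[POGO\\POGO\lab;print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
comment:[]
EOF
}

# printer_names: read enumprinters output on stdin and print the share part
# of every name:[\\SERVER\share] line.
printer_names() {
    sed -n 's/^[[:space:]]*name:\[\\\\[^\\]*\\\(.*\)]$/\1/p'
}

# setdriver_commands SERVER AUTHFILE DRIVER
# Read enumprinters output on stdin and print one rpcclient command per
# printer for review. Credentials come from AUTHFILE (rpcclient -A) instead
# of -U user%password, which can be exposed in the process list and in
# shell history. AUTHFILE is an assumed path chosen by the operator.
setdriver_commands() {
    # The driver name is embedded in a quoted command string, so allow only
    # letters, digits, space and / . _ -
    case $3 in
        ''|*[!A-Za-z0-9\ /._-]*) echo "unsafe driver name: $3" >&2; return 1 ;;
    esac
    printer_names | while IFS= read -r printer; do
        case $printer in
            ''|*[!A-Za-z0-9_-]*) echo "skipped: $printer" >&2; continue ;;
        esac
        printf "rpcclient %s -A %s -c 'setdriver %s \"%s\"'\n" \
            "$1" "$2" "$printer" "$3"
    done
}

# Stand-alone demo: sh setdriver.sh demo
if [ "${1-}" = demo ]; then
    sample_enumprinters | setdriver_commands pogo /root/.rpcauth \
        "HP LaserJet 4000 Series PS"
fi
```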
341 </sect2>
345 <sect2>
346 <title>Adding New Printers via the Windows NT APW</title>
348 <para>
349 By default, Samba offers all printer shares defined in <filename>smb.conf</filename>
350 in the "Printers..." folder. Also existing in this folder is the Windows NT
351 Add Printer Wizard icon. The APW will be shown only if
352 </para>
354 <itemizedlist>
355 <listitem><para>The connected user is able to successfully
356 execute an OpenPrinterEx(\\server) with administrative
357 privileges (i.e. root or <parameter>printer admin</parameter>).
358 </para></listitem>
360 <listitem><para><ulink url="smb.conf.5.html#SHOWADDPRINTERWIZARD"><parameter>show
361 add printer wizard = yes</parameter></ulink> (the default).
362 </para></listitem>
363 </itemizedlist>
365 <para>
366 In order to be able to use the APW to successfully add a printer to a Samba
367 server, the <ulink url="smb.conf.5.html#ADDPRINTERCOMMAND"><parameter>add
368 printer command</parameter></ulink> must have a defined value. The program
369 hook must successfully add the printer to the system (i.e.
370 <filename>/etc/printcap</filename> or appropriate files) and
371 <filename>smb.conf</filename> if necessary.
372 </para>
374 <para>
375 When using the APW from a client, if the named printer share does
376 not exist, <command>smbd</command> will execute the <parameter>add printer
377 command</parameter> and reparse <filename>smb.conf</filename>
378 to attempt to locate the new printer share. If the share is still not defined,
379 an error of "Access Denied" is returned to the client. Note that the
380 <parameter>add printer command</parameter> is executed under the context
381 of the connected user, not necessarily a root account.
382 </para>
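<para>A minimal hook for the smb.conf half of this requirement, as an added example that is not part of the original Samba documentation: it validates the client-supplied names before writing a share stanza and can safely be called twice for the same share. The argument order is the one listed for add printer command in smb.conf(5); the include file path, the spool directory and the function names are assumptions, and the print system step (/etc/printcap) is site-specific and left as a comment.</para>

```shell
#!/bin/sh
# Added example (not from the Samba docs): a hook for 'add printer command'.
# Per smb.conf(5), smbd passes, in order: printer name, share name, port name,
# driver name, location, Windows 9x driver location. Every value comes from
# the client, and the hook runs as the connected user.

# Assumed layout: a file pulled into smb.conf via 'include =' that the
# 'printer admin' accounts may append to.
PRINTER_SHARES=${PRINTER_SHARES:-/usr/local/samba/lib/printers.inc}
SPOOL_DIR=${SPOOL_DIR:-/var/spool/samba}    # assumed spool path

# Names become a [section] header: letters, digits, '_' and '-' only.
valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Free text becomes a parameter value: no control characters (a newline
# would start a new smb.conf line) and no trailing backslash (smb.conf
# treats it as a line continuation, swallowing the next parameter).
safe_value() {
    case $1 in
        *\\) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')" = "$1" ]
}

# True if a [share] section header is already present (case-insensitive).
share_exists() {
    [ -f "$PRINTER_SHARES" ] && grep -q -i -x -F -- "[$1]" "$PRINTER_SHARES"
}

# add_printer_share PRINTER SHARE PORT DRIVER LOCATION WIN9X_LOCATION
add_printer_share() {
    valid_name "$1" || { echo "rejected printer name" >&2; return 1; }
    valid_name "$2" || { echo "rejected share name" >&2; return 1; }
    safe_value "${5-}" || { echo "rejected location" >&2; return 1; }
    # Site-specific step not shown: register "$1" with the print system
    # (/etc/printcap or equivalent).
    if share_exists "$2"; then
        return 0
    fi
    {
        printf '\n[%s]\n' "$2"
        printf '    comment = %s\n' "${5-}"
        printf '    printer name = %s\n' "$1"
        printf '    path = %s\n' "$SPOOL_DIR"
        printf '    printable = yes\n'
    } >> "$PRINTER_SHARES"
}

# smbd reparses smb.conf after the hook returns; a non-zero exit leaves the
# share undefined and the client sees "Access Denied".
if [ "$#" -ge 2 ]; then
    add_printer_share "$@"
fi
```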
384 <para>
385 There is a complementing <ulink url="smb.conf.5.html#DELETEPRINTERCOMMAND"><parameter>delete
386 printer command</parameter></ulink> for removing entries from the "Printers..."
387 folder.
388 </para>
390 </sect2>
393 <sect2>
394 <title>Samba and Printer Ports</title>
396 <para>
397 Windows NT/2000 print servers associate a port with each printer. These normally
398 take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the
399 concept of ports associated with a printer. By default, only one printer port,
400 named "Samba Printer Port", exists on a system. Samba does not really need a port in
401 order to print, rather it is a requirement of Windows clients.
402 </para>
404 <para>
405 Note that Samba does not support the concept of "Printer Pooling" internally
406 either. This is when a logical printer is assigned to multiple ports as
407 a form of load balancing or fail over.
408 </para>
410 <para>
411 If you require that multiple ports be defined for some reason,
412 <filename>smb.conf</filename> possesses a <ulink
413 url="smb.conf.5.html#ENUMPORTSCOMMAND"><parameter>enumports
414 command</parameter></ulink> which can be used to define an external program
415 that generates a listing of ports on a system.
416 </para>
418 </sect2>
420 </sect1>
423 <sect1>
424 <title>The Imprints Toolset</title>
426 <para>The Imprints tool set provides a UNIX equivalent of the
427 Windows NT Add Printer Wizard. For complete information, please
428 refer to the Imprints web site at <ulink url="http://imprints.sourceforge.net/">
429 http://imprints.sourceforge.net/</ulink> as well as the documentation
430 included with the imprints source distribution. This section will
431 only provide a brief introduction to the features of Imprints.</para>
434 <sect2>
435 <title>What is Imprints?</title>
437 <para>Imprints is a collection of tools for supporting the goals
438 of</para>
440 <itemizedlist>
441 <listitem><para>Providing a central repository of information
442 regarding Windows NT and 95/98 printer driver packages</para>
443 </listitem>
445 <listitem><para>Providing the tools necessary for creating
446 the Imprints printer driver packages.</para></listitem>
448 <listitem><para>Providing an installation client which
449 will obtain and install printer drivers on remote Samba
450 and Windows NT 4 print servers.</para></listitem>
451 </itemizedlist>
453 </sect2>
456 <sect2>
457 <title>Creating Printer Driver Packages</title>
459 <para>The process of creating printer driver packages is beyond
460 the scope of this document (refer to Imprints.txt also included
461 with the Samba distribution for more information). In short,
462 an Imprints driver package is a gzipped tarball containing the
463 driver files, related INF files, and a control file needed by the
464 installation client.</para>
465 </sect2>
468 <sect2>
469 <title>The Imprints server</title>
471 <para>The Imprints server is really a database server that
472 may be queried via standard HTTP mechanisms. Each printer
473 entry in the database has an associated URL for the actual
474 downloading of the package. Each package is digitally signed
475 via GnuPG which can be used to verify that the package downloaded
476 is actually the one referred to in the Imprints database. It is
477 <emphasis>not</emphasis> recommended that this security check
478 be disabled.</para>
479 </sect2>
481 <sect2>
482 <title>The Installation Client</title>
484 <para>More information regarding the Imprints installation client
485 is available in the <filename>Imprints-Client-HOWTO.ps</filename>
486 file included with the imprints source package.</para>
488 <para>The Imprints installation client comes in two forms.</para>
490 <itemizedlist>
491 <listitem><para>a set of command line Perl scripts</para>
492 </listitem>
494 <listitem><para>a GTK+ based graphical interface to
495 the command line perl scripts</para></listitem>
496 </itemizedlist>
498 <para>The installation client (in both forms) provides a means
499 of querying the Imprints database server for a matching
500 list of known printer model names as well as a means to
501 download and install the drivers on remote Samba and Windows
502 NT print servers.</para>
504 <para>The basic installation process is in four steps and
505 perl code is wrapped around <command>smbclient</command>
506 and <command>rpcclient</command>.</para>
508 <para><programlisting>
509 foreach (supported architecture for a given driver)
511 1. rpcclient: Get the appropriate upload directory
512 on the remote server
513 2. smbclient: Upload the driver files
514 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
514 3. rpcclient: Issue an AddPrinterDriver() MS-RPC
518 create the printer
519 </programlisting></para>
521 <para>One of the problems encountered when implementing
522 the Imprints tool set was the name space issues between
523 various supported client architectures. For example, Windows
524 NT includes a driver named "Apple LaserWriter II NTX v51.8"
525 and Windows 95 calls its version of this driver "Apple
526 LaserWriter II NTX".</para>
528 <para>The problem is how to know what client drivers have
529 been uploaded for a printer. An astute reader will remember
530 that the Windows NT Printer Properties dialog only includes
531 space for one printer driver name. A quick look in the
532 Windows NT 4.0 system registry at</para>
534 <para><filename>HKLM\System\CurrentControlSet\Control\Print\Environment
535 </filename></para>
537 <para>will reveal that Windows NT always uses the NT driver
538 name. This is ok as Windows NT always requires that at least
539 the Windows NT version of the printer driver is present.
540 However, Samba does not have the requirement internally.
541 Therefore, how can you use the NT driver name if it has not
542 already been installed?</para>
544 <para>The way of sidestepping this limitation is to require
545 that all Imprints printer driver packages include both the Intel
546 Windows NT and 95/98 printer drivers and that the NT driver is
547 installed first.</para>
548 </sect2>
550 </sect1>
553 <sect1>
554 <title><anchor id="MIGRATION">Migration from Samba 2.0.x to 2.2.x</title>
556 <para>
557 Given that printer driver management has changed (we hope improved) in
558 2.2 over prior releases, migration from an existing setup to 2.2 can
559 follow several paths. Here are the possible scenarios for
560 migration:
561 </para>
563 <itemizedlist>
564 <listitem><para>If you do not desire the new Windows NT
565 print driver support, nothing needs to be done.
566 All existing parameters work the same.</para></listitem>
568 <listitem><para>If you want to take advantage of NT printer
569 driver support but do not want to migrate the
570 9x drivers to the new setup, then leave the existing
571 <filename>printers.def</filename> file. When smbd attempts
572 to locate a
573 9x driver for the printer in the TDB and fails it
574 will drop down to using the printers.def (and all
575 associated parameters). The <command>make_printerdef</command>
576 tool will also remain for backwards compatibility but will
577 be removed in the next major release.</para></listitem>
579 <listitem><para>If you install a Windows 9x driver for a printer
580 on your Samba host (in the printing TDB), this information will
581 take precedence and the three old printing parameters
582 will be ignored (including printer driver location).</para></listitem>
584 <listitem><para>If you want to migrate an existing <filename>printers.def</filename>
585 file into the new setup, the only current solution is to use the Windows
586 NT APW to install the NT drivers and the 9x drivers. This can be scripted
587 using <command>smbclient</command> and <command>rpcclient</command>. See the
588 Imprints installation client at <ulink
589 url="http://imprints.sourceforge.net/">http://imprints.sourceforge.net/</ulink>
590 for an example.
591 </para></listitem>
592 </itemizedlist>
595 <warning>
596 <title>Achtung!</title>
598 <para>
599 The following <filename>smb.conf</filename> parameters are considered to
600 be deprecated and will be removed soon. Do not use them in new
601 installations.
602 </para>
604 <itemizedlist>
605 <listitem><para><parameter>printer driver file (G)</parameter>
606 </para></listitem>
608 <listitem><para><parameter>printer driver (S)</parameter>
609 </para></listitem>
611 <listitem><para><parameter>printer driver location (S)</parameter>
612 </para></listitem>
613 </itemizedlist>
614 </warning>
617 <para>
618 There have been two new parameters added in Samba 2.2.2 for
619 better support of Samba 2.0.x backwards compatibility (<parameter>disable
620 spoolss</parameter>) and for using local printer drivers on Windows
621 NT/2000 clients (<parameter>use client driver</parameter>). Both of
622 these options are described in the smb.conf(5) man page and are
623 disabled by default.
624 </para>
627 </sect1>
630 <!--
632 This comment from rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex()
633 needs to be added into a section probably. This is to remind me it needs
634 to be done. -jerry
637 * If the openprinterex rpc call contains a devmode,
638 * it's a per-user one. This per-user devmode is derived
639 * from the global devmode. Openprinterex() contains a per-user
640 * devmode for when you do EMF printing and spooling.
641 * In the EMF case, the NT workstation is only doing half the job
642 * of rendering the page. The other half is done by running the printer
643 * driver on the server.
644 * The EMF file doesn't contain the page description (paper size, orientation, ...).
645 * The EMF file only contains what is to be printed on the page.
646 * So in order for the server to know how to print, the NT client sends
647 * a devicemode attached to the openprinterex call.
648 * But this devicemode is short lived, it's only valid for the current print job.
650 * If Samba would have supported EMF spooling, this devicemode would
651 * have been attached to the handle, to send it to the driver to correctly
652 * rasterize the EMF file.
654 * As Samba only supports RAW spooling, we only receive a ready-to-print file,
655 * we just act as a pass-thru between windows and the printer.
657 * In order to know that Samba supports only RAW spooling, NT has to call
658 * getprinter() at level 2 (attribute field) or NT has to call startdoc()
659 * and until NT sends a RAW job, we refuse it.
661 * But to call getprinter() or startdoc(), you first need a valid handle,
662 * and to get a handle you have to call openprintex(). Hence why you have
663 * a devicemode in the openprinterex() call.
666 * Differences between NT4 and NT 2000.
667 * NT4:
669 * On NT4, you only have a global devicemode. This global devicemode can be changed
670 * by the administrator (or by a user with enough privs). Every time a user
671 * wants to print, the devicemode is reset to the default. In Word, every time
672 * you print, the printer's characteristics are always reset to the global devicemode.
674 * NT 2000:
676 * In W2K, there is the notion of per-user devicemode. The first time you use
677 * a printer, a per-user devicemode is built from the global devicemode.
678 * If you change your per-user devicemode, it is saved in the registry, under the
679 * H_KEY_CURRENT_KEY sub_tree. So that every time you print, you have your default
680 * printer preferences available.
682 * To change the per-user devicemode: it's the "Printing Preferences ..." button
683 * on the General Tab of the printer properties window.
685 * To change the global devicemode: it's the "Printing Defaults..." button
686 * on the Advanced Tab of the printer properties window.
688 -->
689 </chapter>