Run and publish the print server

The print-server service is a Samba member server that joins the domain and runs CUPS with cups-pdf queues. It stands in for a Windows print server for anything that speaks the real wire protocols: SMB print spooling, the EnumPrinters/OpenPrinter RPCs, Point-and-Print driver download, and IPP.

Bring it up

The print server starts alongside the DC:

make up
make print-logs        # watch the domain join and CUPS queue setup
make print-status      # membership ("Join is OK") + the CUPS queue count
make list-printers     # the SMB shares a client sees

Submit a job

make test-print

This writes a text file and submits it through \\print1\PDF over SMB, exercising the full Windows-facing path (smbd to spoolss to CUPS to cups-pdf). The resulting PDF lands in ./print-output/ on the host, which is your proof the round trip works.

For the full 77-queue roster (defined in print-server/queues.txt):

make print-queues                       # list every queue (expect 77 + PDF)
make test-print-queue Q=GH12-pLab      # submit to one queue, prove it routed
make test-multiqueue                    # submit to three, prove distinct PDFs

Publish in the directory

Sharing a printer over SMB and publishing it in AD are separate layers. The queue is reachable at \\print1\PDF the moment the server is up, but it will not appear in Find Printers in the directory until a printQueue object exists for it under the print server’s computer object.

The print server self-publishes on startup: after its CUPS queues are live, it writes one printQueue object per queue at CN=<queue>,CN=PRINT1,CN=Computers,<base>, using its own machine account over LDAP/GSSAPI. So a plain make up lands with the queues already discoverable.

To re-converge on demand (after adding or renaming a queue) without restarting:

make publish-printers      # publish CUPS queues into AD as printQueue objects
make show-printers-ad      # what a directory search would return

Why not net ads printer publish?

The nominal tool RPC-connects to the print server by name to read spooler data, which hangs on this stack’s macvlan self-hairpin (a child cannot address its own macvlan IP). Writing the printQueue straight to the DC over LDAP sidesteps that with one authenticated TCP write. See the macvlan detour.

Per-queue access control

A queue tagged | Studio in queues.txt is restricted with a CUPS AllowUser @Studio policy against the winbind-resolved AD group. Enforcement is real: a non-member’s job is dropped by CUPS even though the SMB upload succeeds. Use the bare group name in queues.txt — CUPS drops the backslash in AD\Group, leaving an unresolvable ADGroup.

From a real Windows client

Add-Printer -ConnectionName \\print1.ad.supported.systems\PDF

Point-and-Print with a driver needs Windows driver binaries staged in [print$] first (Linux cannot synthesize .dlls); drop the CUPS PostScript Windows driver set into print-server/drivers/. The raw PDF queue is usable for submission immediately.

Next

• Make printers fail on demand: Inject printer faults.
• The device side (SNMP status, IPP): see the print-emulation explanation linked from there.