Brian Wiese
2003-May-20 16:35 UTC
2cent note-- RE: [Samba] Access denied, unable to connect to printer
We had a similar problem here, different but perhaps not entirely unique if someone else happens to make the same mistake. We give kudos to the samba logging. =)

We have a linux samba print server with cups as a member server of an nt4 domain. The win98 users could print fine, win 2k could not - but that wasn't the problem, though only these systems had an "access denied" error message for the network printers.

In the samba global config, we had "admin users = root,@NT4dom+adminusers" so these users were being translated to "root" while we also had "valid users = @NT4dom+domainusers" in the global samba config as well (to prevent share/printer enumeration by nondomain users)... so, this prevented our NT4dom+adminusers group from printing... as "root" was not in the "valid users" field.

So we added 'root' to the "valid users = " line and it works again.

hth someone else out there.

peace
Brian and Brandon

|-----Original Message-----
|From: Ryan Novosielski [mailto:novosirj@umdnj.edu]
|Sent: Tuesday, May 20, 2003 9:40 AM
|To: Samba Mailing List
|Subject: Re: [Samba] Access denied, unable to connect to printer
|
|
|I have the exact same problem. Printing does work, however -- just not
|actually opening the print queue.
|
|----
|Ryan Novosielski - Jr. UNIX Systems Admin
|novosirj@umdnj.edu - 973/972.0922 (2-0922)
|Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
|
|On Tue, 6 May 2003, Norman Walsh wrote:
|
|> -----BEGIN PGP SIGNED MESSAGE-----
|> Hash: SHA1
|>
|> / "Kurt Pfeifle" <kpfeifle@danka.de> was heard to say:
|> | Norman Walsh ndw at nwalsh.com wrote on Samba Digest
|> |
|> |> Mon Apr 28 10:21:43 GMT 2003
|> |> / "Kurt Pfeifle" <kpfeifle at danka.de> was heard to say
|> |> | Unforch, 2.2.3a is very old, with many known weaknesses in the printing
|> |> | code.
|> |> I should go off and build something more recent, eh? Fair 'nough.
|> |> I see Debian binaries for 2.2.8, would that be significantly better?
|> |
|> | I would assume so.
|>
|> Ok, I'm now running 2.2.8.
|>
|> |> |> The server is using Cups
|> |> |
|> |> | Which version of CUPS?
|> |> 1.1.15
|> |> | What is the exact message you are getting on XP? What is the exact
|> |> | procedure you are using to connect to the printer?
|> |> I get "Access denied, unable to connect"
|> |> First I double-click on a share drive to make sure I get prompted for
|> |> username/password. After I've made sure I can connect to the server, I
|> |> double click on the printer and it says "epson - Access denied, unable
|> |> to connect" in the status bar.
|> |
|> | That's strange.
|>
|> It gets stranger. Looking in the /var/log/samba/log.athena file:
|>
|> [2003/05/06 13:20:53, 3] smbd/process.c:process_smb(846)
|>   Transaction 13 of length 856
|> [2003/05/06 13:20:53, 3] smbd/process.c:switch_message(685)
|>   switch message SMBtrans (pid 642)
|> [2003/05/06 13:20:53, 3] smbd/ipc.c:reply_trans(520)
|>   trans <\PIPE\> data=776 params=0 setup=2
|> [2003/05/06 13:20:53, 3] smbd/ipc.c:named_pipe(334)
|>   named pipe command on <> name
|> [2003/05/06 13:20:53, 3] smbd/ipc.c:api_fd_reply(296)
|>   Got API command 0x26 on pipe "spoolss" (pnum 7425)free_pipe_context: destroying talloc pool of size 0
|> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_pipe_request(1165)
|>   Doing \PIPE\spoolss
|> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_rpcTNP(1197)
|>   api_rpcTNP: pipe 29733 rpc command: SPOOLSS_OPENPRINTEREX
|>   checking name: \\zeus\Epson
|> [2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(394)
|>   Setting printer type=\\zeus\Epson
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(269)
|>   se_access_check: user sid is S-1-5-21-258535541-2170564375-100393917-3004
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-3005
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1013
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1015
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1041
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1043
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1045
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1049
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1051
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1059
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1081
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1089
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1101
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1121
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1201
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-21-258535541-2170564375-100393917-1025
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-1-0
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-2
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|>   se_access_check: also S-1-5-11
|> [2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1181)
|>   access DENIED for printer open
|> [2003/05/06 13:20:53, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(197)
|>   Closed policy
|> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(444)
|>   free_pipe_context: destroying talloc pool of size 662
|>
|> Ok, at least I can see the explicit fail message. But...
|>
|> echo hi > \\zeus\epson
|>
|> prints "hi"!
|>
|> So the data actually flows to the device!
|>
|> |> | Is it XP Prof or XP Home? Service Packs?
|> |> Uhm, XP Home I would guess.
|> |
|> | Hmmmm... that is a completely different animal from XP Prof and I have no
|> | experience with it.
|> |
|> | What does the "ver" command give you in a DOS box?
|>
|> Microsoft Windows XP [Version 5.1.2600]
|>
|> |> |> Here's my smb.conf:
|> |> |> [global]
|> |> |> debuglevel = 5
|> |> |> server string = Zeus
|> |> |> encrypt passwords = true
|> |> |> obey pam restrictions = Yes
|> |
|> | Are you trying to authenticate via PAM?
|>
|> Uhm, perhaps not. I deleted that line.
|>
|> | What is the setting for "security" on your Samba box?
|> | If you haven't set it in smb.conf, "testparm" will show you the
|> | compiled-in default taken in lieu of a specified "security = .."
|> | line...
|>
|> "USER".
|>
|> Here's what testparm says about my configuration (I've tinkered a bit
|> since I last posted it).
|>
|> # Global parameters
|> [global]
|>     coding system
|>     client code page = 850
|>     code page directory = /usr/share/samba/codepages
|>     workgroup = WORKGROUP
|>     netbios name
|>     netbios aliases
|>     netbios scope
|>     server string = Zeus
|>     interfaces
|>     bind interfaces only = No
|>     security = USER
|>     encrypt passwords = Yes
|>     update encrypted = No
|>     allow trusted domains = Yes
|>     hosts equiv
|>     min passwd length = 5
|>     map to guest = Never
|>     null passwords = No
|>     obey pam restrictions = No
|>     password server
|>     smb passwd file = /etc/samba/smbpasswd
|>     root directory
|>     pam password change = No
|>     passwd program = /usr/bin/passwd
|>     passwd chat = *new*password* %n\n *new*password* %n\n *changed*
|>     passwd chat debug = No
|>     username map
|>     password level = 0
|>     username level = 0
|>     unix password sync = No
|>     restrict anonymous = No
|>     lanman auth = Yes
|>     use rhosts = No
|>     admin log = No
|>     log level = 3
|>     syslog = 0
|>     syslog only = No
|>     log file = /var/log/samba/log.%m
|>     max log size = 1000
|>     timestamp logs = Yes
|>     debug hires timestamp = No
|>     debug pid = No
|>     debug uid = No
|>     protocol = NT1
|>     large readwrite = Yes
|>     max protocol = NT1
|>     min protocol = CORE
|>     read bmpx = No
|>     read raw = Yes
|>     write raw = Yes
|>     acl compatibility
|>     nt smb support = Yes
|>     nt pipe support = Yes
|>     nt status support = Yes
|>     announce version = 4.9
|>     announce as = NT
|>     max mux = 50
|>     max xmit = 16644
|>     name resolve order = lmhosts host wins bcast
|>     max ttl = 259200
|>     max wins ttl = 518400
|>     min wins ttl = 21600
|>     time server = No
|>     unix extensions = No
|>     change notify timeout = 60
|>     deadtime = 0
|>     getwd cache = Yes
|>     keepalive = 300
|>     lpq cache time = 10
|>     max smbd processes = 0
|>     max disk size = 0
|>     max open files = 10000
|>     name cache timeout = 660
|>     read size = 16384
|>     socket options = TCP_NODELAY
|>     stat cache size = 50
|>     use mmap = Yes
|>     total print jobs = 0
|>     load printers = Yes
|>     printcap name = cups
|>     disable spoolss = No
|>     enumports command
|>     addprinter command
|>     deleteprinter command
|>     show add printer wizard = Yes
|>     os2 driver map
|>     strip dot = No
|>     mangling method = hash
|>     character set
|>     mangled stack = 50
|>     stat cache = Yes
|>     domain admin group
|>     domain guest group
|>     machine password timeout = 604800
|>     add user script
|>     delete user script
|>     logon script
|>     logon path = \\%N\%U\profile
|>     logon drive
|>     logon home = \\%N\%U
|>     domain logons = No
|>     os level = 20
|>     lm announce = Auto
|>     lm interval = 60
|>     preferred master = Auto
|>     local master = Yes
|>     domain master = Yes
|>     browse list = Yes
|>     enhanced browsing = Yes
|>     dns proxy = No
|>     wins proxy = No
|>     wins server
|>     wins support = Yes
|>     wins hook
|>     kernel oplocks = Yes
|>     lock spin count = 3
|>     lock spin time = 10
|>     oplock break wait time = 0
|>     add share command
|>     change share command
|>     delete share command
|>     config file
|>     preload
|>     lock dir
|>     pid directory = /var/run/samba
|>     utmp directory
|>     wtmp directory
|>     utmp = No
|>     default service
|>     message command
|>     dfree command
|>     valid chars
|>     remote announce
|>     remote browse sync
|>     socket address = 0.0.0.0
|>     homedir map
|>     time offset = 0
|>     NIS homedir = No
|>     source environment
|>     panic action
|>     hide local users = No
|>     host msdfs = No
|>     winbind uid
|>     winbind gid
|>     template homedir = /home/%D/%U
|>     template shell = /bin/false
|>     winbind separator = \
|>     winbind cache time = 15
|>     winbind enum users = Yes
|>     winbind enum groups = Yes
|>     winbind use default domain = No
|>     comment
|>     path
|>     alternate permissions = No
|>     username
|>     guest account = nobody
|>     invalid users
|>     valid users
|>     admin users
|>     read list
|>     write list
|>     printer admin
|>     force user
|>     force group
|>     read only = Yes
|>     create mask = 0744
|>     force create mode = 00
|>     security mask = 0777
|>     force security mode = 00
|>     directory mask = 0755
|>     force directory mode = 00
|>     directory security mask = 0777
|>     force directory security mode = 00
|>     force unknown acl user = 00
|>     inherit permissions = No
|>     inherit acls = No
|>     guest only = No
|>     guest ok = No
|>     only user = No
|>     hosts allow
|>     hosts deny
|>     status = Yes
|>     nt acl support = Yes
|>     profile acls = No
|>     block size = 1024
|>     max connections = 0
|>     min print space = 0
|>     strict allocate = No
|>     strict sync = No
|>     sync always = No
|>     write cache size = 0
|>     max print jobs = 1000
|>     printable = No
|>     postscript = No
|>     printing = cups
|>     print command = lpr -r -P'%p' %s
|>     lpq command = lpq -P'%p'
|>     lprm command = lprm -P'%p' %j
|>     lppause command
|>     lpresume command
|>     queuepause command
|>     queueresume command
|>     printer name
|>     use client driver = No
|>     default devmode = No
|>     printer driver
|>     printer driver file = /etc/samba/printers.def
|>     printer driver location
|>     default case = lower
|>     case sensitive = No
|>     preserve case = Yes
|>     short preserve case = Yes
|>     mangle case = No
|>     mangling char = ~
|>     hide dot files = Yes
|>     hide unreadable = No
|>     delete veto files = No
|>     veto files
|>     hide files
|>     veto oplock files
|>     map system = No
|>     map hidden = No
|>     map archive = Yes
|>     mangled names = Yes
|>     mangled map
|>     browseable = Yes
|>     blocking locks = Yes
|>     csc policy = manual
|>     fake oplocks = No
|>     locking = Yes
|>     oplocks = Yes
|>     level2 oplocks = Yes
|>     oplock contention limit = 2
|>     posix locking = Yes
|>     strict locking = No
|>     share modes = Yes
|>     copy
|>     include
|>     exec
|>     preexec close = No
|>     postexec
|>     root preexec
|>     root preexec close = No
|>     root postexec
|>     available = Yes
|>     volume
|>     fstype = NTFS
|>     set directory = No
|>     wide links = Yes
|>     follow symlinks = Yes
|>     dont descend
|>     magic script
|>     magic output
|>     delete readonly = No
|>     dos filemode = No
|>     dos filetimes = No
|>     dos filetime resolution = No
|>     fake directory create times = No
|>     vfs object
|>     vfs options
|>     msdfs root = No
|>
|> [homes]
|>     comment = Home Directories
|>     read only = No
|>     create mask = 0644
|>     directory mask = 0775
|>
|> [printers]
|>     comment = All Printers
|>     path = /tmp
|>     read only = No
|>     create mask = 0777
|>     guest ok = Yes
|>     printable = Yes
|>     browseable = No
|>
|> [cdrom]
|>     comment = Samba server's CD-ROM
|>     path = /cdrom
|>     guest ok = Yes
|>     locking = No
|>     exec = /bin/mount /cdrom
|>     postexec = /bin/umount /cdrom
|>
|> [epson]
|>     comment = Norm's CX3200
|>     path = /var/spool/samba
|>     read only = No
|>     create mask = 0777
|>     guest ok = Yes
|>     printable = Yes
|>     printer name = Epson
|>
|> [Music]
|>     path = /share/Music
|>
|> | invalid users = root # (possibly overridden by "guest ok = yes")
|>
|> I removed it.
|>
|> |> | To troubleshoot the "Access denied", you might want to
|> |> | look into the "smbstatus" command, which shows *as which
|> |> | user* Samba is connecting clients to each share.
|> |
|> | Did you check this out?
|>
|> Yep. smbstatus tells me that 'dbw' is connecting. That makes sense:
|>
|> Samba version 2.2.8a-0.1 for Debian
|> Service uid gid pid machine
|> - ----------------------------------------------
|> IPC$ dbw dbw 642 athena (192.168.1.109) Tue May 6 13:19:35 2003
|>
|> No locked files
|>
|>
|> |> | One final attempt to describe a more complete procedure:
|> |> |
|> |> | Can you connect with smbclient? Try (from a Linux client):
|> |> |
|> |> | smbclient //[SambaIPaddress]/[printersharename] -U root%[password]
|> |> |
|> |> | You should see s.th. like this:
|> |> |
|> |> | added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
|> |> | Domain=[CUPS-PRINT] OS=[Unix] Server=[Samba 2.2.7a]
|> |> Oddly, "ndw" (me) fails: NT_STATUS_LOGON_FAILURE. But dbw (my wife),
|> |> guest, and nobody all succeed.
|> |
|> | Have you added "ndw" to the list of valid Samba users? Try
|> |
|> | smbpasswd -a ndw
|> |
|> | as root. Or use any other authentication scheme you might have configured.
|>
|> Yes, I can connect that way.
|>
|> | [But it is still very strange, since the "guest ok = yes" should let you
|> | access the share... Could it possibly be that WinXP Home isn't fit for
|> | networking inside an NT-domain-like environment?
|>
|> *Sigh* I hope not. And I don't think so. This did work once before, before my
|> server got trashed.
|>
|> | You *should* be able to get some more meaningful messages by staring at
|> |
|> | tail -f /var/log/samba/log.[name_of_XPclient]
|> |
|> | while you try to connect...]
|>
|> Above. More meaningful perhaps, but not actually very meaningful to me :-/
|>
|> |> | If this works, install the driver to use your parallel port on Windows XP.
|> |> | Then try this from the "DOS window" in XP:
|> |> |
|> |> | net use lpt1: \\[SambaIPaddress]\[printersharename] -U root%[password]
|> |
|> | This should of course be
|> |
|> | net use lpt1: \\[SambaIPaddress]\[printersharename] -U Administrator%[password]
|>
|> I can net use it, and then I can type "echo hi > lpt1:" and it prints. But
|> adding a printer on lpt1: and printing to that doesn't work. The job appears in
|> the Windows queue for a few minutes then goes away.
|>
|> | OK -- we'll see... ;-)
|>
|> I hope you can see more clearly than I :-)
|>
|> Be seeing you,
|> norm
|>
|> - --
|> Norman Walsh <ndw@nwalsh.com> | Nearly every complex solution to a
|> http://nwalsh.com/ | programming problem that I have looked
|> | at carefully has turned out to be
|> | wrong.--Brent Welch
|> -----BEGIN PGP SIGNATURE-----
|> Version: GnuPG v1.0.6 (GNU/Linux)
|> Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>
|>
|> iD8DBQE+t/bUOyltUcwYWjsRAq+TAKCM7QjRHdosNRdbBh/bwSOsOg888wCeMHab
|> g9TbFoYEiiZHnH8V5hLnDiA
|> =vNtt
|> -----END PGP SIGNATURE-----
|> --
|> To unsubscribe from this list go to the following URL and read the
|> instructions: http://lists.samba.org/mailman/listinfo/samba
|>
|--
|To unsubscribe from this list go to the following URL and read the
|instructions: http://lists.samba.org/mailman/listinfo/samba
|
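
The misconfiguration described at the top of this message, as an added example that is not part of the original mail or of Samba itself: a small Python check that flags an smb.conf where "admin users" is set but "valid users" has no "root" entry. It assumes the behaviour reported in the message (admin users are translated to root before the "valid users" test); the function names and the [printers] sample are constructed, and only the two [global] lines come from the message.

```python
import re

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.
    Parameter names are lowercased with whitespace removed for matching."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current["".join(name.lower().split())] = value.strip()
    return sections

def user_list(value):
    """Split a Samba user list on commas and whitespace."""
    return [u for u in re.split(r"[,\s]+", value or "") if u]

def admin_users_locked_out(text):
    """Return (share, admin entries) for every share where 'admin users' is set,
    'valid users' is set, and 'valid users' has no literal 'root' entry."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue
        effective = {**defaults, **params}   # [global] values act as share defaults
        admins = user_list(effective.get("adminusers"))
        valid = user_list(effective.get("validusers"))
        if admins and valid and "root" not in valid:
            findings.append((share, admins))
    return findings

# Constructed samples built around the two [global] lines quoted in the message.
BEFORE = """
[global]
   admin users = root,@NT4dom+adminusers
   valid users = @NT4dom+domainusers
[printers]
   printable = yes
"""
AFTER = BEFORE.replace("valid users = @", "valid users = root,@")

if __name__ == "__main__":
    for share, admins in admin_users_locked_out(BEFORE):
        print(f"[{share}] {', '.join(admins)} act as root, but root is not in 'valid users'")
    print("after fix:", admin_users_locked_out(AFTER))
```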