I have been trying to setup a new print server on Fedora 12 based around samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good except for the ability for printer administrators to manage printers. Whether I specify users in a system group using the deprecated printer admin option, or specifically using net rpc rights and the SePrinterOperatorPrivilege, it does not matter. This is against an NT4 domain on samba-3.4.2.

Interestingly, I have one user who can manage printers, whether or not he is in the group or has the privilege. Also, the printer admin pieces work correctly on an existing samba-3.0.28a print server against that same domain controller.

I have been looking at level 10 logs to compare two users, the mystery adminuser, and the feckless denieduser, when running the following command (again, both are members of the printer admin group):

rpcclient -c 'setdriver ZZZ "HP LaserJet 4000 Series PS"' -U <user> localhost

Following are log snippets, both beginning with SPOOLSS_OPENPRINTEREX and ending when printer access is either granted as PRINTER_ACCESS_ADMINISTER or denied outright. Whether or not in the proper printer admin group or given the privilege, the outcome does not change for either user.
First the user for whom administrative access is granted:

--------------------------------------------
[2010/03/31 13:43:35, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
  api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
[2010/03/31 13:43:35, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
  api_rpc_cmds[69].fn == 0x7f0e2d66c890
[2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
    in: struct spoolss_OpenPrinterEx
      printername : *
        printername : '\\LOCALHOST\ZZZ'
      datatype : NULL
      devmode_ctr: struct spoolss_DevmodeContainer
        _ndr_size : 0x00000000 (0)
        devmode : NULL
      access_mask : 0x000f000c (983052)
        0: SERVER_ACCESS_ADMINISTER
        0: SERVER_ACCESS_ENUMERATE
        1: PRINTER_ACCESS_ADMINISTER
        1: PRINTER_ACCESS_USE
        0: JOB_ACCESS_ADMINISTER
        0: JOB_ACCESS_READ
      level : 0x00000001 (1)
      userlevel : union spoolss_UserLevel(case 1)
      level1 : *
        level1: struct spoolss_UserLevel1
          size : 0x0000001c (28)
          client : *
            client : '\\TKNEW'
          user : *
            user : 'adminuser'
          build : 0x00000565 (1381)
          major : UNKNOWN_ENUM_VALUE (2)
          minor : SPOOLSS_MINOR_VERSION_0 (0)
          processor : PROCESSOR_ARCHITECTURE_INTEL (0)
  checking name: \\LOCALHOST\ZZZ
[2010/03/31 13:43:35, 10] rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
  open_printer_hnd: name [\\LOCALHOST\ZZZ]
[2010/03/31 13:43:35, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
  Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B C7 89 ........ .....K..
  [0010] F9 54 00 00 .T..
[2010/03/31 13:43:35, 3] rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
  Setting printer type=\\LOCALHOST\ZZZ
  Printer is a printer
[2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
  Setting printer name=\\LOCALHOST\ZZZ (len=15)
[2010/03/31 13:43:35, 8] lib/util.c:1879(is_myname)
  is_myname("LOCALHOST") returns 0
  searching for [ZZZ]
[2010/03/31 13:43:35, 10] printing/nt_printing.c:4630(get_a_printer_internal)
  get_a_printer: [printers] level 2
[2010/03/31 13:43:35, 10] printing/nt_printing.c:3917(get_a_printer_2_default)
  get_a_printer_2_default: driver name set to []
  printername: printers
[2010/03/31 13:43:35, 10] printing/nt_printing.c:3917(get_a_printer_2_default)
  get_a_printer_2_default: driver name set to []
  printername: CRBSTD-P
  set_printer_hnd_name: Printer found: ZZZ -> ZZZ
[2010/03/31 13:43:35, 5] rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
  1 printer handles active
[2010/03/31 13:43:35, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B C7 89 ........ .....K..
  [0010] F9 54 00 00 .T..
[2010/03/31 13:43:35, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B C7 89 ........ .....K..
  [0010] F9 54 00 00 .T..
[2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
  short name:ZZZ
[2010/03/31 13:43:35, 3] lib/access.c:362(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (127.)
[2010/03/31 13:43:35, 3] lib/access.c:396(check_access)
  check_access: hostnames in host allow/deny list.
[2010/03/31 13:43:35, 2] lib/access.c:406(check_access)
  Allowed connection from 127.0.0.1 (127.0.0.1)
[2010/03/31 13:43:35, 10] smbd/share_access.c:234(user_ok_token)
  user_ok_token: share ZZZ is ok for unix user adminuser
[2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:1726(_spoolss_OpenPrinterEx)
  Setting printer access = PRINTER_ACCESS_ADMINISTER
[2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
    out: struct spoolss_OpenPrinterEx
      handle : *
        handle: struct policy_handle
          handle_type : 0x00000000 (0)
          uuid : 00000002-0000-0000-b34b-c789f9540000
      result : WERR_OK
--------------------------------------------

And now for a user who is denied access:

--------------------------------------------
[2010/03/31 13:44:33, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
  api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
[2010/03/31 13:44:33, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
  api_rpc_cmds[69].fn == 0x7f0e2d66c890
[2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
    in: struct spoolss_OpenPrinterEx
      printername : *
        printername : '\\LOCALHOST\ZZZ'
      datatype : NULL
      devmode_ctr: struct spoolss_DevmodeContainer
        _ndr_size : 0x00000000 (0)
        devmode : NULL
      access_mask : 0x000f000c (983052)
        0: SERVER_ACCESS_ADMINISTER
        0: SERVER_ACCESS_ENUMERATE
        1: PRINTER_ACCESS_ADMINISTER
        1: PRINTER_ACCESS_USE
        0: JOB_ACCESS_ADMINISTER
        0: JOB_ACCESS_READ
      level : 0x00000001 (1)
      userlevel : union spoolss_UserLevel(case 1)
      level1 : *
        level1: struct spoolss_UserLevel1
          size : 0x0000001c (28)
          client : *
            client : '\\TKNEW'
          user : *
            user : 'denieduser'
          build : 0x00000565 (1381)
          major : UNKNOWN_ENUM_VALUE (2)
          minor : SPOOLSS_MINOR_VERSION_0 (0)
          processor : PROCESSOR_ARCHITECTURE_INTEL (0)
  checking name: \\LOCALHOST\ZZZ
[2010/03/31 13:44:33, 10] rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
  open_printer_hnd: name [\\LOCALHOST\ZZZ]
[2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
  Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A ........ .....K..
  [0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 3] rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
  Setting printer type=\\LOCALHOST\ZZZ
  Printer is a printer
[2010/03/31 13:44:33, 4] rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
  Setting printer name=\\LOCALHOST\ZZZ (len=15)
[2010/03/31 13:44:33, 8] lib/util.c:1879(is_myname)
  is_myname("LOCALHOST") returns 0
  searching for [ZZZ]
[2010/03/31 13:44:33, 10] printing/nt_printing.c:4630(get_a_printer_internal)
  get_a_printer: [printers] level 2
[2010/03/31 13:44:33, 10] printing/nt_printing.c:3917(get_a_printer_2_default)
  get_a_printer_2_default: driver name set to []
  printername: printers
[2010/03/31 13:44:33, 10] printing/nt_printing.c:3917(get_a_printer_2_default)
  get_a_printer_2_default: driver name set to []
  printername: CRBSTD-P
  set_printer_hnd_name: Printer found: ZZZ -> ZZZ
[2010/03/31 13:44:33, 5] rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
  1 printer handles active
[2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A ........ .....K..
  [0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A ........ .....K..
  [0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 4] rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
  short name:ZZZ
[2010/03/31 13:44:33, 3] lib/access.c:362(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (127.)
[2010/03/31 13:44:33, 3] lib/access.c:396(check_access)
  check_access: hostnames in host allow/deny list.
[2010/03/31 13:44:33, 2] lib/access.c:406(check_access)
  Allowed connection from 127.0.0.1 (127.0.0.1)
[2010/03/31 13:44:33, 10] smbd/share_access.c:234(user_ok_token)
  user_ok_token: share ZZZ is ok for unix user denieduser
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x20020008 to 0x00020008
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
  access check was FAILURE
[2010/03/31 13:44:33, 3] rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)
  access DENIED for printer open
[2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A ........ .....K..
  [0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A ........ .....K..
  [0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 3] rpc_server/srv_lsa_hnd.c:218(close_policy_hnd)
  Closed policy
[2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
    out: struct spoolss_OpenPrinterEx
      handle : *
        handle: struct policy_handle
          handle_type : 0x00000000 (0)
          uuid : 00000000-0000-0000-0000-000000000000
      result : WERR_ACCESS_DENIED
--------------------------------------------

The only discernible difference to my eye is that for the denieduser, se_map_generic() is called before ultimately denying the user.
Finally, here is testparm output:

--------------------------------------------
[global]
	workgroup = POTSDAM
	server string = Printing Server
	security = DOMAIN
	password server = MEGA
	restrict anonymous = 2
	log level = 1
	log file = /var/log/samba/%m.log
	max log size = 10000
	time server = Yes
	unix extensions = No
	deadtime = 5
	printcap name = cups
	wins server = 192.168.0.1
	printer admin = @printeradmins
	hosts allow = 127., 192.168.
	cups options = raw
	veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No
	browsable = No

[print$]
	comment = Printer Drivers for Windows
	path = /usr/share/samba/print
	write list = @printeradmins

[drivers]
	comment = Vendor Printer Driver Paks
	path = /usr/share/samba/drivers
	write list = @printeradmins
	create mask = 0775
	directory mask = 0775
--------------------------------------------

If anyone could shed light on this issue, it would be much appreciated. Thank you.

-Jeff

--
Jeffrey M Hardy
Systems Analyst
hardyjm at potsdam.edu
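The by-eye comparison of the two traces in the message above can be done mechanically. The following is an added example, not part of the original thread and not Samba code: it parses Samba debug-log headers, diffs the function sequences of two sessions, and decodes which generic access right each se_map_generic line cleared. The sample traces are abbreviated from the logs in the post; the function names (parse, call_path, divergence, outcome, mapped_masks) are introduced here for illustration.

```python
import re
from difflib import SequenceMatcher

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:line(function)"
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]\s+\S+?:\d+\((\w+)\)")
MAPPED = re.compile(r"mapped mask (0x[0-9a-fA-F]+) to (0x[0-9a-fA-F]+)")
RESULT = re.compile(r"result\s*:\s*(WERR_\w+)")
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}

# Sample input: abbreviated from the two traces in the post (most entries omitted).
GRANTED = r"""
[2010/03/31 13:43:35, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
  api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
[2010/03/31 13:43:35, 10] smbd/share_access.c:234(user_ok_token)
  user_ok_token: share ZZZ is ok for unix user adminuser
[2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:1726(_spoolss_OpenPrinterEx)
  Setting printer access = PRINTER_ACCESS_ADMINISTER
[2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  result : WERR_OK
"""
DENIED = r"""
[2010/03/31 13:44:33, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
  api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
[2010/03/31 13:44:33, 10] smbd/share_access.c:234(user_ok_token)
  user_ok_token: share ZZZ is ok for unix user denieduser
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x20020008 to 0x00020008
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
  access check was FAILURE
[2010/03/31 13:44:33, 3] rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)
  access DENIED for printer open
[2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  result : WERR_ACCESS_DENIED
"""

def parse(log_text):
    """One entry per header line; following non-header lines are its message."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            rest = line[m.end():].strip()  # message printed on the header line
            entries.append({"func": m.group(1), "body": [rest] if rest else []})
        elif line and entries:
            entries[-1]["body"].append(line)
    return entries

def call_path(entries):
    """Function sequence with consecutive repeats collapsed (per-ACE loops)."""
    funcs = [e["func"] for e in entries]
    return [f for i, f in enumerate(funcs) if i == 0 or funcs[i - 1] != f]

def divergence(log_a, log_b):
    """Functions logged only in trace A and only in trace B, in call order."""
    a, b = call_path(parse(log_a)), call_path(parse(log_b))
    only_a, only_b = [], []
    for tag, i1, i2, j1, j2 in SequenceMatcher(a=a, b=b, autojunk=False).get_opcodes():
        if tag != "equal":
            only_a += a[i1:i2]
            only_b += b[j1:j2]
    return only_a, only_b

def outcome(entries):
    """Last WERR result code found in the trace, or None if it has none."""
    hits = [m.group(1) for e in entries for t in e["body"] for m in [RESULT.search(t)] if m]
    return hits[-1] if hits else None

def mapped_masks(entries):
    """(before, after, generic rights cleared) per se_map_generic message."""
    out = []
    for e in (e for e in entries if e["func"] == "se_map_generic"):
        for m in filter(None, map(MAPPED.search, e["body"])):
            before, after = int(m.group(1), 16), int(m.group(2), 16)
            cleared = [n for bit, n in GENERIC.items() if before & ~after & bit]
            out.append((before, after, cleared))
    return out

if __name__ == "__main__":
    print("only in denied trace:", divergence(GRANTED, DENIED)[1])
    print(outcome(parse(DENIED)), mapped_masks(parse(DENIED)))
```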
Might be simpler to assign users to the builtin administrators group. See if you have better luck:

#net sam list builtin
#net sam createbuiltingroup administrators
#net sam addmem administrators
#net sam listmem administrators
# net rpc rights list administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Jeff Hardy wrote:
> I have been trying to setup a new print server on Fedora 12 based
> around samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All
> looks good except for the ability for printer administrators to manage
> printers. Whether I specify users in a system group using the
> deprecated printer admin option, or specifically using net rpc rights
> and the SePrinterOperatorPrivilege, it does not matter. This is
> against an NT4 domain on samba-3.4.2.
>
> Interestingly, I have one user who can manage printers, whether or not
> he is in the group or has the privilege. Also, the printer admin
> pieces work correctly on an existing samba-3.0.28a print server
> against that same domain controller.
>
> I have been looking at level 10 logs to compare two users, the mystery
> adminuser, and the feckless denieduser, when running the following
> command (again, both are members of the printer admin group):
>
> rpcclient -c 'setdriver ZZZ "HP LaserJet 4000 Series PS"' -U <user>
> localhost
>
> Following are log snippets, both beginning with SPOOLSS_OPENPRINTEREX
> and ending when printer access is either granted as
> PRINTER_ACCESS_ADMINISTER or denied outright. Whether or not in the
> proper printer admin group or given the privilege, the outcome does
> not change for either user.
On 04/01/2010 05:39 PM, Jeff Hardy wrote:
> I have been trying to setup a new print server on Fedora 12 based around
> samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
> except for the ability for printer administrators to manage printers.
> Whether I specify users in a system group using the deprecated printer
> admin option, or specifically using net rpc rights and the
> SePrinterOperatorPrivilege, it does not matter. This is against an NT4
> domain on samba-3.4.2.

After a tdb wipe, I ended up with no users who can manage printers. This at least made the behavior consistently broken. I ended up trying samba 3.3 and 3.2 seeking some way to manage printers. Only by going back to samba-3.2.15 built from a Fedora 10 source RPM was I able to restore functionality by way of the printer admin option. The SePrinterOperatorPrivilege did not seem to work in any version no matter what I did. Surely other folks are managing printers with sambas later than 3.2.x I would think. Anyone have any experience like this?

-Jeff

--
Jeffrey M Hardy
Systems Analyst
hardyjm at potsdam.edu
Hi Jeff,

Jeff Hardy wrote:
> On 04/01/2010 05:39 PM, Jeff Hardy wrote:
>> I have been trying to setup a new print server on Fedora 12 based around
>> samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
>> except for the ability for printer administrators to manage printers.
>> Whether I specify users in a system group using the deprecated printer
>> admin option, or specifically using net rpc rights and the
>> SePrinterOperatorPrivilege, it does not matter. This is against an NT4
>> domain on samba-3.4.2.
>
> After a tdb wipe, I ended up with no users who can manage printers.
> This at least made the behavior consistently broken. I ended up
> trying samba 3.3 and 3.2 seeking some way to manage printers. Only by
> going back to samba-3.2.15 built from a Fedora 10 source RPM was I
> able to restore functionality by way of the printer admin option. The
> SePrinterOperatorPrivilege did not seem to work in any version no
> matter what I did. Surely other folks are managing printers with
> sambas later than 3.2.x I would think. Anyone have any experience
> like this?

How about adding users as members to the BUILTIN\administrators group on the newer version of samba to see if that works?
Hi Jeff,

I fiddled around for a while with this too ;) Looks broken to me, anyway I did put it like this and it worked for me then:

in smb.conf:

username map = /opt/samba/smbusers.map
admin users = root

[print$]
path = /opt/samba/samba_drivers
write list = root

uid@host:~$ cat /opt/samba/smbusers.map
!root = <my win uid>
!root = <WIN DOMAIN\uid>

This worked for me only with the root account while in earlier versions I used the same mechanism with the uid lp and it worked fine ...

good luck
christoph

On Thu, 6 May 2010, Ryan Suarez wrote:
> Hi Jeff,
>
> Jeff Hardy wrote:
>> On 04/01/2010 05:39 PM, Jeff Hardy wrote:
>> > I have been trying to setup a new print server on Fedora 12 based around
>> > samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
>> > except for the ability for printer administrators to manage printers.
>> > Whether I specify users in a system group using the deprecated printer
>> > admin option, or specifically using net rpc rights and the
>> > SePrinterOperatorPrivilege, it does not matter. This is against an NT4
>> > domain on samba-3.4.2.
>>
>> After a tdb wipe, I ended up with no users who can manage printers. This
>> at least made the behavior consistently broken. I ended up trying samba
>> 3.3 and 3.2 seeking some way to manage printers. Only by going back to
>> samba-3.2.15 built from a Fedora 10 source RPM was I able to restore
>> functionality by way of the printer admin option. The
>> SePrinterOperatorPrivilege did not seem to work in any version no matter
>> what I did. Surely other folks are managing printers with sambas later
>> than 3.2.x I would think. Anyone have any experience like this?
>
> How about adding users as members to the BUILTIN\administrators group on the
> newer version of samba to see if that works?

best regards
~christoph

--
/* Christoph Beyer | Office: Building 2b / 23 *\
 * DESY            | Phone: 040-8998-2317     *
 * - IT -          | Fax: 040-8998-4060       *
\* 22603 Hamburg   | http://www.desy.de       */