samba - Dec 2022 - Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1 borks printing

Printing is still borked in 2:4.17.3+dfsg-3~bpo11+1. Unfortunately I can no
longer roll back to 2:4.13.13+dfsg-1~deb11u4 which was working.

Documents spool to the printer and the Windows print queue has a status of
"Printing". The documents are huge. A simple test page is 5.99 MB
instead of the more typical "several KB".

Strangely, if I connect to a printer and the print queue window is up, it will
stay up for ~30-60 seconds, then the window simply disappears.

Nothing shows up in the CUPS page, error, or access logs when printing.

Sending a test page directly from the CUPS interface prints just fine.

I disabled apparmor everywhere and restarted winbind, samba, and CUPS to make
sure that wasn't interfering.

According to CUPS debug logging, nothing is being submitted. Not even a blip
when I submit a test page from Windows.

When I submit from the CUPS interface, it prints just fine.

There's definitely something wrong between Samba and CUPS.

The only evidence I can find is in log.rpcd_spoolss:
[2022/12/27 11:47:15, 0]
../../source3/printing/printer_list.c:58(get_printer_list_db)
get_printer_list_db: Failed to open printer_list.tdb

The printer_list.tdb file doesn't exist.

I'm not sure what re-creates that file, but I've double-checked that
apparmor is disabled and I even tried chmodding /var/cache/samba/printing to
777.

I do notice that /var/cache/samba/printing contains 'printers.tdb'. Is
it possible the file name changed in recent versions from printer_list.tdb to
printers.tdb?

-A

On Sat Dec 24, 2022, 11:14 PM GMT, Aaron de Bruyn <mailto:aaron at
heyaaron.com> wrote:
> I've been fighting with this for a few months now.
>
> I removed the Louis' repos because there are starting to have more and
more dependency issues, and updated to 2:4.17.3+dfsg-3~bpo11+1 from the Debian
repos.
> Printing was still gorked, but for a different reason.
>
> Windows would still pull up the printer and submit jobs, but new clients
couldn't connect to the printers or install drivers.
>
> After a bit of digging, I found the changes discussed earlier in the thread
about vfs_full_audit (open vs openat, etc...) were hitting me.
> I temporarily disabled auditing and printing started working.
>
> I re-enabled auditing and corrected the success/failure names and
everything appears to be working now.
>
> We'll see on Tuesday when everyone returns to the offices. ?
>
> I hope Louis is doing well. I haven't seen any signs of him being
online for a few months.
>
> -A
>
> On Wed Oct 19, 2022, 01:53 PM GMT, Aaron de Bruyn <mailto:aaron at
heyaaron.com> wrote:
>> Apologies for the very very late reply Louis.
>>
>> I didn't get a chance to enable debugging before the network got
busy this morning, but here's is a lightly redacted smbd.conf showing my
global section along with the two printer sections:
>>
>> [global]
>> workgroup = REDACTED
>> server string = uslogsdnas01
>> netbios name = USLOGSDNAS01
>> disable netbios = yes
>> interfaces = lo vmbr0
>> map archive = False
>> map readonly = False
>> map system = False
>> map to guest = Never
>> realm = REDACTED.LOCAL
>> usershare path >> local master = False
>> socket options = TCP_NODELAY
>> security = ADS
>> idmap config * : backend = tdb
>> idmap config * : range = 10000-50000
>> winbind enum groups = yes
>> winbind enum users = yes
>> winbind nss info = template
>> winbind cache time = 300
>> template shell = /usr/bin/bash
>> template homedir = /tank/users/%U
>> obey pam restrictions = no
>> client ldap sasl wrapping = seal
>> server schannel = True
>> client schannel = True
>> winbind use default domain = yes
>> winbind expand groups = 1
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = True
>> min protocol = SMB2
>> max protocol = SMB3
>> server signing = mandatory
>> client signing = mandatory
>> smb encrypt = desired
>> store dos attributes = False
>> winbind offline logon = yes
>> rpc_server:spoolss = external
>> rpc_daemon:spoolssd = fork
>> load printers = False
>> printing = CUPS
>> printcap = cups
>> spoolss: architecture = Windows x64
>>
>> [printers]
>> comment = Printer Drivers Share
>> path = /var/spool/samba/
>> write list = redacted-printer-admin-user
>> printable = True
>>
>> available = yes
>> hide dot files = yes
>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>> browseable = yes
>> force create mode = 0666
>> force directory mode = 0777
>> recycle:repository = .recycle/%U
>> recycle:keeptree = yes
>> recycle:versions = yes
>> recycle:touch = yes
>> recycle:directory_mode = 0777
>> recycle:subdir_mode = 0700
>> shadow:snapdir = .zfs/snapshot
>> shadow:sort = desc
>> shadow:format = _%Y-%m-%d_%H:%M:%S
>> shadow:snapprefix = ^autosnap
>> shadow:delimiter = _
>> shadow:localtime = no
>> full_audit:prefix = %I|%u|%m|%S
>> full_audit:facility = LOCAL6
>> full_audit:priority = ALERT
>> full_audit:success = connect disconnect renameat read write pwrite
sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock
kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat
get_dfs_referrals
>> full_audit:failure = connect disconnect renameat read write pwrite
sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock
kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat
get_dfs_referrals
>> vfs objects = shadow_copy2 full_audit
>>
>> [print$]
>> comment = Printer Driver Share
>> path = /tank/print
>> guest ok = False
>> write list = redacted-printer-admin-user
>>
>> available = yes
>> hide dot files = yes
>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>> browseable = yes
>> force create mode = 0666
>> force directory mode = 0777
>> recycle:repository = .recycle/%U
>> recycle:keeptree = yes
>> recycle:versions = yes
>> recycle:touch = yes
>> recycle:directory_mode = 0777
>> recycle:subdir_mode = 0700
>> shadow:snapdir = .zfs/snapshot
>> shadow:sort = desc
>> shadow:format = _%Y-%m-%d_%H:%M:%S
>> shadow:snapprefix = ^autosnap
>> shadow:delimiter = _
>> shadow:localtime = no
>> full_audit:prefix = %I|%u|%m|%S
>> full_audit:facility = LOCAL6
>> full_audit:priority = ALERT
>> full_audit:success = connect disconnect renameat read write pwrite
sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock
kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat
get_dfs_referrals
>> full_audit:failure = connect disconnect renameat read write pwrite
sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock
kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat
get_dfs_referrals
>> vfs objects = shadow_copy2 full_audit
>>
>> I just tested this morning with the newer releases of Samba
(2:4.16.2+dfsg-1nmu1~deb11.1) and the printing issue still exists.
>> I did try after disabling apparmor for Samba and cups with no success.
>>
>> I rolled back to 2:4.13.13+dfsg-1~deb11u5.
>>
>> -A
>>
>> On Thu Sep 1, 2022, 07:20 AM GMT, L. van Belle via samba
<mailto:samba at lists.samba.org> wrote:
>>> Hm,,
>>>
>>> i've been reading the thread, On this.
>>>>> Absolutely nothing prints except a test page submitted
directly through
>>> the CUPS web GUI
>>>
>>> So, then yes, this has to be the link between samba and cups.
>>> so, I suggest to enable debugging and to not get overloaded in it.
>>>
>>> Read these first.
>>> https://wiki.samba.org/index.php/Client_specific_logging
>>> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>>> And enable debugging for 1 client, makes debugging bit more easy.
>>>
>>> Can you also share a smb.conf and/or compare it to mine,
>>> as im also running with this version : 2:4.16.2+dfsg-1nmu1~deb11.1
and no
>>> problems here.
>>>
>>> I use backend AD with point and print setup.
>>> All printer shares are pushed through AD with \\FQ.DN.TLD\printer
>>> And my printer had A and PTR dns records.
>>>
>>> [global]
>>>
>>> # Workaround *na laatste CVE update.
>>> min domain uid = 0
>>>
>>> #log level = 1 auth_audit:3
>>> #log level = 0 full_audit:2@/var/log/samba_audit.log
>>> log level = 0
>>>
>>> workgroup = ADDOM
>>> security = ADS
>>> realm = ADDOM.DOMAIN.TLD
>>> netbios name = PRINT1
>>>
>>> preferred master = no
>>> domain master = no
>>> host msdfs = no
>>>
>>> interfaces = 192.168.1.11 127.0.0.1
>>> bind interfaces only = yes
>>>
>>> dns proxy = yes
>>>
>>> # Add and Update TLS Key
>>> tls enabled = yes
>>> tls keyfile = /etc/ssl/local/private/XXXXXXX.key
>>> tls certfile = /etc/ssl/local/certs/XXXXXXX.crt
>>> tls cafile = /etc/ssl/local/XXXXXXX_CA_Intermediate.crt
>>>
>>>
>>> ## map id's outside to domain to tdb files.
>>> idmap config * :backend = tdb
>>> idmap config * :range = 2000-9999
>>>
>>> ## map ids from the domain the range may not overlap !
>>> idmap config ADDOM : backend = ad
>>> idmap config ADDOM : schema_mode = rfc2307
>>> idmap config ADDOM : range = 10000-3999999
>>> idmap config ADDOM : unix_primary_group = yes
>>> idmap config ADDOM : unix_nss_info = yes
>>>
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> # Renew the kerberos ticket
>>> winbind refresh tickets = yes
>>>
>>> # show domain prefix
>>> # set to no, dont use the default domain, output shows: DOMAIN\user
>>> # set to yes, use the default domain, output shows: user
>>> winbind use default domain = yes
>>>
>>> # show users with getent passwd
>>> winbind enum users = no
>>> winbind enum groups = no
>>>
>>> # enable offline logins
>>> winbind offline logon = yes
>>>
>>> # check depth of nested groups, ! slows down you samba, if to much
>>> groups depth
>>> winbind expand groups = 1
>>>
>>> # user Administrator workaround, without it you are unable to set
>>> privileges
>>> username map = /etc/samba/samba_usermapping
>>>
>>> # disable usershares creating, when set empty no error log
messages.
>>> usershare path >>>
>>> # For Windows ACL support on member file server, enabled globaly,
>>> OBLIGATED
>>> # For a mixed setup of rights, put this per share!
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>>
>>> # Share Setting Globally
>>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>> hide unreadable = yes
>>>
>>> ##### PRINT SERVER PART #######
>>> #enable asu support = yes
>>>
>>> ## Enabling spoolssd
>>> rpc_server:spoolss = external
>>> rpc_daemon:spoolssd = fork
>>> spoolss:architecture = Windows x64
>>> spoolssd:prefork_min_children = 5 # Minimum number of child
>>> processes
>>> spoolssd:prefork_max_children = 25 # Maximum number of child
>>> processes
>>> spoolssd:prefork_spawn_rate = 5 # Start (fork) x new childs
>>> if one connection comes in (up to prefork_max_children)
>>> spoolssd:prefork_max_allowed_clients = 100 # Number of clients, a
child
>>> process should be responsible for
>>> spoolssd:prefork_child_min_life = 60 # Minimum lifetime of a
>>> child process (60 seconds
>>>
>>> # is the minimum, even a lower value has been configured)
>>> load printers = yes
>>>
>>>
>>> # Windows clients look for this share name as a source of
downloadable
>>> # printer drivers
>>> [print$]
>>> comment = Printer Drivers
>>> path = /var/lib/samba/printers
>>> acl_xattr:ignore system acl = yes
>>> browseable = yes
>>> writable = yes
>>> guest ok = no
>>> # Uncomment to allow remote administration of Windows print
drivers.
>>> # You may need to replace 'lpadmin' with the name of the
group your
>>> # admin users are members of.
>>> # Please note that you also need to set appropriate Unix
permissions
>>> # to the drivers directory for these users to have write rights in
it
>>> write list = root, administrator, @"Domain Admins",
@lpadmin, @"Print
>>> Operators"
>>>
>>> [printers]
>>> comment = All Printers
>>> path = /var/lib/samba/printing/spool
>>> acl_xattr:ignore system acl = yes
>>> browseable = yes
>>> printable = yes
>>> printing = CUPS
>>>
>>>
>>>
>>> So far,
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba <samba-bounces at lists.samba.org> Namens
Aaron de Bruyn via
>>>> samba
>>>> Verzonden: woensdag 31 augustus 2022 21:33
>>>> Aan: Rowland penny <rpenny at samba.org>; samba at
lists.samba.org
>>>> Onderwerp: Re: [Samba] Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1
borks
>>>> printing
>>>>
>>>> These machines are all domain members, not DCs.
>>>>
>>>> I'll do some more troubleshooting tonight and enable
debugging when the
>>>> network is quiet and see if I can find anything.
>>>>
>>>> -A
>>>>
>>>> On Wed Aug 31, 2022, 06:06 PM GMT, Rowland Penny via samba
>>>> <mailto:samba at lists.samba.org> wrote:
>>>> > On Wed, 2022-08-31 at 17:52 +0000, Aaron de Bruyn wrote:
>>>> >> Hey Rowland,
>>>> >>
>>>> >> I did see that thread.
>>>> >> I don't have a /var/cache/samba/printer_list.tdb.
>>>> >
>>>> > Funny that, I don't print, but I have, but only on
Unix domain member.
>>>> >>
>>>> >> # find /var/cache/samba -iname '*print*'
>>>> >> /var/cache/samba/printing
>>>> >> /var/cache/samba/printing/printers.tdb
>>>> >> #
>>>> >>
>>>> >> I did try stopping Samba and CUPS at one site and I
removed the
>>>> >> printers.tdb file, then started Samba and CUPS. That
didn't resolve
>>>> >> the issue.
>>>> >
>>>> > The fix was posted by Andreas and he should know, he
writes some of
>>>> > the code. I wouldn't have a clue about printing.
>>>> >
>>>> > Rowland
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > To unsubscribe from this list go to the following URL and
read the
>>>> > instructions:
https://lists.samba.org/mailman/options/samba
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba

Finally got it working.
Nothing useful in the error logs.

/var/spool/samba does not exist.
Creating it and chmoding it to 777 along with using tdbtool to create
/var/cache/samba/printer_list.tdb seems to do the trick.

27 locations are printing again.

You'd think something would complain about /var/spool/samba not existing or
try to create it. Maybe I just missed it in the mass of logs. ?

-A

On Tue Dec 27, 2022, 07:49 PM GMT, Aaron de Bruyn <mailto:aaron at
heyaaron.com> wrote:
> Printing is still borked in 2:4.17.3+dfsg-3~bpo11+1. Unfortunately I can no
longer roll back to 2:4.13.13+dfsg-1~deb11u4 which was working.
>
> Documents spool to the printer and the Windows print queue has a status of
"Printing". The documents are huge. A simple test page is 5.99 MB
instead of the more typical "several KB".
>
> Strangely, if I connect to a printer and the print queue window is up, it
will stay up for ~30-60 seconds, then the window simply disappears.
>
> Nothing shows up in the CUPS page, error, or access logs when printing.
>
> Sending a test page directly from the CUPS interface prints just fine.
>
> I disabled apparmor everywhere and restarted winbind, samba, and CUPS to
make sure that wasn't interfering.
>
> According to CUPS debug logging, nothing is being submitted. Not even a
blip when I submit a test page from Windows.
>
> When I submit from the CUPS interface, it prints just fine.
>
> There's definitely something wrong between Samba and CUPS.
>
> The only evidence I can find is in log.rpcd_spoolss:
> [2022/12/27 11:47:15, 0]
../../source3/printing/printer_list.c:58(get_printer_list_db)
> get_printer_list_db: Failed to open printer_list.tdb
>
> The printer_list.tdb file doesn't exist.
>
> I'm not sure what re-creates that file, but I've double-checked
that apparmor is disabled and I even tried chmodding /var/cache/samba/printing
to 777.
>
> I do notice that /var/cache/samba/printing contains 'printers.tdb'.
Is it possible the file name changed in recent versions from printer_list.tdb to
printers.tdb?
>
> -A
>
> On Sat Dec 24, 2022, 11:14 PM GMT, Aaron de Bruyn <mailto:aaron at
heyaaron.com> wrote:
>> I've been fighting with this for a few months now.
>>
>> I removed the Louis' repos because there are starting to have more
and more dependency issues, and updated to 2:4.17.3+dfsg-3~bpo11+1 from the
Debian repos.
>> Printing was still gorked, but for a different reason.
>>
>> Windows would still pull up the printer and submit jobs, but new
clients couldn't connect to the printers or install drivers.
>>
>> After a bit of digging, I found the changes discussed earlier in the
thread about vfs_full_audit (open vs openat, etc...) were hitting me.
>> I temporarily disabled auditing and printing started working.
>>
>> I re-enabled auditing and corrected the success/failure names and
everything appears to be working now.
>>
>> We'll see on Tuesday when everyone returns to the offices. ?
>>
>> I hope Louis is doing well. I haven't seen any signs of him being
online for a few months.
>>
>> -A
>>
>> On Wed Oct 19, 2022, 01:53 PM GMT, Aaron de Bruyn <mailto:aaron at
heyaaron.com> wrote:
>>> Apologies for the very very late reply Louis.
>>>
>>> I didn't get a chance to enable debugging before the network
got busy this morning, but here's is a lightly redacted smbd.conf showing my
global section along with the two printer sections:
>>>
>>> [global]
>>> workgroup = REDACTED
>>> server string = uslogsdnas01
>>> netbios name = USLOGSDNAS01
>>> disable netbios = yes
>>> interfaces = lo vmbr0
>>> map archive = False
>>> map readonly = False
>>> map system = False
>>> map to guest = Never
>>> realm = REDACTED.LOCAL
>>> usershare path >>> local master = False
>>> socket options = TCP_NODELAY
>>> security = ADS
>>> idmap config * : backend = tdb
>>> idmap config * : range = 10000-50000
>>> winbind enum groups = yes
>>> winbind enum users = yes
>>> winbind nss info = template
>>> winbind cache time = 300
>>> template shell = /usr/bin/bash
>>> template homedir = /tank/users/%U
>>> obey pam restrictions = no
>>> client ldap sasl wrapping = seal
>>> server schannel = True
>>> client schannel = True
>>> winbind use default domain = yes
>>> winbind expand groups = 1
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> winbind refresh tickets = True
>>> min protocol = SMB2
>>> max protocol = SMB3
>>> server signing = mandatory
>>> client signing = mandatory
>>> smb encrypt = desired
>>> store dos attributes = False
>>> winbind offline logon = yes
>>> rpc_server:spoolss = external
>>> rpc_daemon:spoolssd = fork
>>> load printers = False
>>> printing = CUPS
>>> printcap = cups
>>> spoolss: architecture = Windows x64
>>>
>>> [printers]
>>> comment = Printer Drivers Share
>>> path = /var/spool/samba/
>>> write list = redacted-printer-admin-user
>>> printable = True
>>>
>>> available = yes
>>> hide dot files = yes
>>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>>> browseable = yes
>>> force create mode = 0666
>>> force directory mode = 0777
>>> recycle:repository = .recycle/%U
>>> recycle:keeptree = yes
>>> recycle:versions = yes
>>> recycle:touch = yes
>>> recycle:directory_mode = 0777
>>> recycle:subdir_mode = 0700
>>> shadow:snapdir = .zfs/snapshot
>>> shadow:sort = desc
>>> shadow:format = _%Y-%m-%d_%H:%M:%S
>>> shadow:snapprefix = ^autosnap
>>> shadow:delimiter = _
>>> shadow:localtime = no
>>> full_audit:prefix = %I|%u|%m|%S
>>> full_audit:facility = LOCAL6
>>> full_audit:priority = ALERT
>>> full_audit:success = connect disconnect renameat read write pwrite
sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock
kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat
get_dfs_referrals
>>> full_audit:failure = connect disconnect renameat read write pwrite
sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock
kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat
get_dfs_referrals
>>> vfs objects = shadow_copy2 full_audit
>>>
>>> [print$]
>>> comment = Printer Driver Share
>>> path = /tank/print
>>> guest ok = False
>>> write list = redacted-printer-admin-user
>>>
>>> available = yes
>>> hide dot files = yes
>>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>>> browseable = yes
>>> force create mode = 0666
>>> force directory mode = 0777
>>> recycle:repository = .recycle/%U
>>> recycle:keeptree = yes
>>> recycle:versions = yes
>>> recycle:touch = yes
>>> recycle:directory_mode = 0777
>>> recycle:subdir_mode = 0700
>>> shadow:snapdir = .zfs/snapshot
>>> shadow:sort = desc
>>> shadow:format = _%Y-%m-%d_%H:%M:%S
>>> shadow:snapprefix = ^autosnap
>>> shadow:delimiter = _
>>> shadow:localtime = no
>>> full_audit:prefix = %I|%u|%m|%S
>>> full_audit:facility = LOCAL6
>>> full_audit:priority = ALERT
>>> full_audit:success = connect disconnect renameat read write pwrite
sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock
kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat
get_dfs_referrals
>>> full_audit:failure = connect disconnect renameat read write pwrite
sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock
kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat
get_dfs_referrals
>>> vfs objects = shadow_copy2 full_audit
>>>
>>> I just tested this morning with the newer releases of Samba
(2:4.16.2+dfsg-1nmu1~deb11.1) and the printing issue still exists.
>>> I did try after disabling apparmor for Samba and cups with no
success.
>>>
>>> I rolled back to 2:4.13.13+dfsg-1~deb11u5.
>>>
>>> -A
>>>
>>> On Thu Sep 1, 2022, 07:20 AM GMT, L. van Belle via samba
<mailto:samba at lists.samba.org> wrote:
>>>> Hm,,
>>>>
>>>> i've been reading the thread, On this.
>>>>>> Absolutely nothing prints except a test page submitted
directly through
>>>> the CUPS web GUI
>>>>
>>>> So, then yes, this has to be the link between samba and cups.
>>>> so, I suggest to enable debugging and to not get overloaded in
it.
>>>>
>>>> Read these first.
>>>> https://wiki.samba.org/index.php/Client_specific_logging
>>>> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>>>> And enable debugging for 1 client, makes debugging bit more
easy.
>>>>
>>>> Can you also share a smb.conf and/or compare it to mine,
>>>> as im also running with this version :
2:4.16.2+dfsg-1nmu1~deb11.1 and no
>>>> problems here.
>>>>
>>>> I use backend AD with point and print setup.
>>>> All printer shares are pushed through AD with
\\FQ.DN.TLD\printer
>>>> And my printer had A and PTR dns records.
>>>>
>>>> [global]
>>>>
>>>> # Workaround *na laatste CVE update.
>>>> min domain uid = 0
>>>>
>>>> #log level = 1 auth_audit:3
>>>> #log level = 0 full_audit:2@/var/log/samba_audit.log
>>>> log level = 0
>>>>
>>>> workgroup = ADDOM
>>>> security = ADS
>>>> realm = ADDOM.DOMAIN.TLD
>>>> netbios name = PRINT1
>>>>
>>>> preferred master = no
>>>> domain master = no
>>>> host msdfs = no
>>>>
>>>> interfaces = 192.168.1.11 127.0.0.1
>>>> bind interfaces only = yes
>>>>
>>>> dns proxy = yes
>>>>
>>>> # Add and Update TLS Key
>>>> tls enabled = yes
>>>> tls keyfile = /etc/ssl/local/private/XXXXXXX.key
>>>> tls certfile = /etc/ssl/local/certs/XXXXXXX.crt
>>>> tls cafile = /etc/ssl/local/XXXXXXX_CA_Intermediate.crt
>>>>
>>>>
>>>> ## map id's outside to domain to tdb files.
>>>> idmap config * :backend = tdb
>>>> idmap config * :range = 2000-9999
>>>>
>>>> ## map ids from the domain the range may not overlap !
>>>> idmap config ADDOM : backend = ad
>>>> idmap config ADDOM : schema_mode = rfc2307
>>>> idmap config ADDOM : range = 10000-3999999
>>>> idmap config ADDOM : unix_primary_group = yes
>>>> idmap config ADDOM : unix_nss_info = yes
>>>>
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>>
>>>> # Renew the kerberos ticket
>>>> winbind refresh tickets = yes
>>>>
>>>> # show domain prefix
>>>> # set to no, dont use the default domain, output shows:
DOMAIN\user
>>>> # set to yes, use the default domain, output shows: user
>>>> winbind use default domain = yes
>>>>
>>>> # show users with getent passwd
>>>> winbind enum users = no
>>>> winbind enum groups = no
>>>>
>>>> # enable offline logins
>>>> winbind offline logon = yes
>>>>
>>>> # check depth of nested groups, ! slows down you samba, if to
much
>>>> groups depth
>>>> winbind expand groups = 1
>>>>
>>>> # user Administrator workaround, without it you are unable to
set
>>>> privileges
>>>> username map = /etc/samba/samba_usermapping
>>>>
>>>> # disable usershares creating, when set empty no error log
messages.
>>>> usershare path >>>>
>>>> # For Windows ACL support on member file server, enabled
globaly,
>>>> OBLIGATED
>>>> # For a mixed setup of rights, put this per share!
>>>> vfs objects = acl_xattr
>>>> map acl inherit = yes
>>>> store dos attributes = yes
>>>>
>>>> # Share Setting Globally
>>>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>>> hide unreadable = yes
>>>>
>>>> ##### PRINT SERVER PART #######
>>>> #enable asu support = yes
>>>>
>>>> ## Enabling spoolssd
>>>> rpc_server:spoolss = external
>>>> rpc_daemon:spoolssd = fork
>>>> spoolss:architecture = Windows x64
>>>> spoolssd:prefork_min_children = 5 # Minimum number of child
>>>> processes
>>>> spoolssd:prefork_max_children = 25 # Maximum number of child
>>>> processes
>>>> spoolssd:prefork_spawn_rate = 5 # Start (fork) x new childs
>>>> if one connection comes in (up to prefork_max_children)
>>>> spoolssd:prefork_max_allowed_clients = 100 # Number of clients,
a child
>>>> process should be responsible for
>>>> spoolssd:prefork_child_min_life = 60 # Minimum lifetime of a
>>>> child process (60 seconds
>>>>
>>>> # is the minimum, even a lower value has been configured)
>>>> load printers = yes
>>>>
>>>>
>>>> # Windows clients look for this share name as a source of
downloadable
>>>> # printer drivers
>>>> [print$]
>>>> comment = Printer Drivers
>>>> path = /var/lib/samba/printers
>>>> acl_xattr:ignore system acl = yes
>>>> browseable = yes
>>>> writable = yes
>>>> guest ok = no
>>>> # Uncomment to allow remote administration of Windows print
drivers.
>>>> # You may need to replace 'lpadmin' with the name of
the group your
>>>> # admin users are members of.
>>>> # Please note that you also need to set appropriate Unix
permissions
>>>> # to the drivers directory for these users to have write rights
in it
>>>> write list = root, administrator, @"Domain Admins",
@lpadmin, @"Print
>>>> Operators"
>>>>
>>>> [printers]
>>>> comment = All Printers
>>>> path = /var/lib/samba/printing/spool
>>>> acl_xattr:ignore system acl = yes
>>>> browseable = yes
>>>> printable = yes
>>>> printing = CUPS
>>>>
>>>>
>>>>
>>>> So far,
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>> -----Oorspronkelijk bericht-----
>>>>> Van: samba <samba-bounces at lists.samba.org> Namens
Aaron de Bruyn via
>>>>> samba
>>>>> Verzonden: woensdag 31 augustus 2022 21:33
>>>>> Aan: Rowland penny <rpenny at samba.org>; samba at
lists.samba.org
>>>>> Onderwerp: Re: [Samba] Upgrade to
2:4.16.2+dfsg-1nmu1~deb11.1 borks
>>>>> printing
>>>>>
>>>>> These machines are all domain members, not DCs.
>>>>>
>>>>> I'll do some more troubleshooting tonight and enable
debugging when the
>>>>> network is quiet and see if I can find anything.
>>>>>
>>>>> -A
>>>>>
>>>>> On Wed Aug 31, 2022, 06:06 PM GMT, Rowland Penny via samba
>>>>> <mailto:samba at lists.samba.org> wrote:
>>>>> > On Wed, 2022-08-31 at 17:52 +0000, Aaron de Bruyn
wrote:
>>>>> >> Hey Rowland,
>>>>> >>
>>>>> >> I did see that thread.
>>>>> >> I don't have a
/var/cache/samba/printer_list.tdb.
>>>>> >
>>>>> > Funny that, I don't print, but I have, but only on
Unix domain member.
>>>>> >>
>>>>> >> # find /var/cache/samba -iname '*print*'
>>>>> >> /var/cache/samba/printing
>>>>> >> /var/cache/samba/printing/printers.tdb
>>>>> >> #
>>>>> >>
>>>>> >> I did try stopping Samba and CUPS at one site and
I removed the
>>>>> >> printers.tdb file, then started Samba and CUPS.
That didn't resolve
>>>>> >> the issue.
>>>>> >
>>>>> > The fix was posted by Andreas and he should know, he
writes some of
>>>>> > the code. I wouldn't have a clue about printing.
>>>>> >
>>>>> > Rowland
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > To unsubscribe from this list go to the following URL
and read the
>>>>> > instructions:
https://lists.samba.org/mailman/options/samba
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and
read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions: https://lists.samba.org/mailman/options/samba