Howdy all,
I'm setting up a print server machine to serve hosts in an Active
Directory domain. Debian GNU/Linux ("sarge", current testing branch),
Samba 3.0.0beta2-1.
Success so far:
- All steps in the current DIAGNOSIS document
<http://au1.samba.org/samba/devel/docs/html/diagnosis.html>
- Sharing printer drivers from the [print$] share (yay!)
- Connecting to the Samba server from a Win2000 host
- Connecting to individual printer shares from a Win2000 host
Failure:
- Printing anything to said printer shares.
The Win2000 client, when attempting to print a test page to the
printer, immediately responds with "Access denied" and an offer to
lead me through the printer troubleshooting help.
Selected portions of 'testparm -vs':
====Processing section "[printers]"
Processing section "[print$]"
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
# Global parameters
[global]
workgroup = TGGLOCAL
realm netbios name = TGGSPS001
interfaces bind interfaces only = No
security = DOMAIN
auth methods encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Never
null passwords = No
obey pam restrictions = Yes
password server = tggad001, tggad002, *
private dir = /var/lib/samba
passdb backend = tdbsam, guest
guest account = nobody
restrict anonymous = 0
lanman auth = Yes
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
protocol = NT1
acl compatibility paranoid server security = Yes
load printers = Yes
printcap name = cups
disable spoolss = No
idmap only = No
idmap backend idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind cache time = 600
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
printer admin = @lpadmin, TGGLOCAL+Domain Admins
[printers]
comment = All printers
path = /var/local/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
print command = lp -c -d %p -o raw; rm %s
lpq command = lpstat -o %p
lprm command = cancel %p-%j
browseable = No
[print$]
comment = Printer drivers
path = /var/lib/samba/printers
write list = root, @lpadmin, TGGLOCAL+Domain Admins
guest ok = Yes
====
The frustrating part is that this was working briefly a week ago, but
is not currently and I can't determine why. This is small comfort of
course; but it does show that it's at least possible to get this
working :-)
--
Ben Finney <benfinney@thegoodguys.com.au>
IT Technical Support Officer
Support Centre, The Muir Electrical Company
ph: +61 3 9338 4300 web: <http://www.thegoodguys.com.au/>
Ben Finney
2003-Aug-14 02:59 UTC
[Samba] Re: Access denied when printing to Samba printers
Ben Finney wrote:> The Win2000 client, when attempting to print a test page to the printer, > immediately responds with "Access denied" and an offer to lead me > through the printer troubleshooting help.Some other points that may be relevant: At one point I was using "security = ads" in an attempt to get things working; however, the (brief) success was had with "security = domain". I'm still seeing krb5 messages though; is it possible to authenticate against a Win2000 Active Directory domain, in "mixed" mode, without using kerberos? I'm using winbindd via PAM, and set up /etc/pam.d/login and /etc/pam.d/samba such that authentication appears to be working. I'm happy to be told that this may be affecting it, if only someone can help me diagnose it. -- Ben Finney <benfinney@thegoodguys.com.au> IT Technical Support Officer Support Centre, The Muir Electrical Company ph: +61 3 9338 4300 web: <http://www.thegoodguys.com.au/>
Ben Finney
2003-Aug-14 04:48 UTC
[Samba] Re: Access denied when printing to Samba printers
Ben Finney wrote:> Failure: > - Printing anything to said printer shares. > [...] > [printers] > comment = All printers > path = /var/local/spool/samba > create mask = 0700 > guest ok = Yes > printable = YesCorey Hart asked me (off-list) to check the permissions on the spool directory. They are: $ ls -ld /var/local/samba/spool/ drwxrwxrwt 2 root nogroup 4096 Aug 7 13:24 /var/local/samba/spool/ (This is based on advice to make a separate spool directory, with the same permissions as /tmp has.) -- Ben Finney <benfinney@thegoodguys.com.au> IT Technical Support Officer Support Centre, The Muir Electrical Company ph: +61 3 9338 4300 web: <http://www.thegoodguys.com.au/>
Ben Finney
2003-Aug-14 05:05 UTC
[Samba] Re: Access denied when printing to Samba printers
benfinney@thegoodguys.com.au wrote:>> Failure: >> - Printing anything to said printer shares. >> [...] >> [printers] >> comment = All printers >> path = /var/local/spool/samba > [...] > $ ls -ld /var/local/samba/spool/ > drwxrwxrwt 2 root nogroup 4096 Aug 7 13:24 > /var/local/samba/spool/OMFG. The spool directory Samba was looking for was not the same as the directory I created. Correct that error, and it's all fine now. Thank you to the samba list, and Corey Hart in particular, for assisting me in seeing what was right in front of my face :-) -- Ben Finney <benfinney@thegoodguys.com.au> IT Technical Support Officer Support Centre, The Muir Electrical Company ph: +61 3 9338 4300 web: <http://www.thegoodguys.com.au/>
Ben Finney benfinney at thegoodguys.com.au> Thu Aug 14 10:46:41 GMT 2003 > > > Howdy all, > > I'm setting up a print server machine to serve hosts in an Active > Directory domain. Debian GNU/Linux ("sarge", current testing branch), > Samba 3.0.0beta2-1. > > Success so far: > - All steps in the current DIAGNOSIS document > <http://au1.samba.org/samba/devel/docs/html/diagnosis.html> > - Sharing printer drivers from the [print$] share (yay!) > - Connecting to the Samba server from a Win2000 host > - Connecting to individual printer shares from a Win2000 host >What exactly do you mean by "Connectiong to individual printer share", but failure "printing anything"??> Failure: > - Printing anything to said printer shares. > > The Win2000 client, when attempting to print a test page to the > printer, immediately responds with "Access denied" and an offer to > lead me through the printer troubleshooting help. >Have you increased "debuglevel" to 3 or 5 and watched out for the exact messages *Samba* is logging around that "Access denied" event? You may find it usefull to also set "debug timestamp = no" for easier readability of log.smbd....> Selected portions of 'testparm -vs': >And what's the output of a simple 'testparm'?> ====> Processing section "[printers]" > Processing section "[print$]" > Load smb config files from /etc/samba/smb.conf > Loaded services file OK. > 'winbind separator = +' might cause problems with group membership. > # Global parameters > [global] > workgroup = TGGLOCAL > realm > netbios name = TGGSPS001 > interfaces > bind interfaces only = No > security = DOMAIN > auth methods > encrypt passwords = Yes > update encrypted = No > client schannel = Auto > server schannel = Auto > allow trusted domains = Yes > map to guest = Never > null passwords = No > obey pam restrictions = Yes > password server = tggad001, tggad002, * > private dir = /var/lib/samba > passdb backend = tdbsam, guest > guest account = nobody > restrict anonymous = 0 > lanman auth = Yes > ntlm auth = Yes > client NTLMv2 auth = No > client lanman auth = Yes > client plaintext auth = Yes > protocol = NT1 > acl compatibility > paranoid server security = Yes > load printers = Yes > printcap name = cupsHave you really CUPS as your Unix print subsystem? In this case there should be an additional setting of printing = cups in your smb.conf..... But your "selected portions of 'testparm -vs'" doesn't show up *any* setting for the printing. (So samba might be defaulting to "bsd"....)> disable spoolss = No > idmap only = No > idmap backend > idmap uid = 10000-20000 > idmap gid = 10000-20000 > winbind separator = + > winbind cache time = 600 > winbind enum users = Yes > winbind enum groups = Yes > winbind use default domain = No > printer admin = @lpadmin, TGGLOCAL+Domain Admins > > > [printers] > comment = All printers > path = /var/local/spool/samba > create mask = 0700 > guest ok = Yes > printable = Yes > print command = lp -c -d %p -o raw; rm %s > lpq command = lpstat -o %p > lprm command = cancel %p-%jThese commands will not be used if you have both, "printing = cups" and "printcap = cups"....> browseable = No > > [print$] > comment = Printer drivers > path = /var/lib/samba/printers > write list = root, @lpadmin, TGGLOCAL+Domain Admins > guest ok = Yes > > ====> > The frustrating part is that this was working briefly a week ago, but > is not currently and I can't determine why. This is small comfort of > course; but it does show that it's at least possible to get this > working :-) >So *what* did you change during that time, to the best of your memory? Settings, updates, hardware, clients, ....? Cheers, Kurt
Kurt Pfeifle
2003-Aug-14 06:10 UTC
[Samba] Re: Access denied when printing to Samba printers
Ben Finney benfinney at thegoodguys.com.au> Thu Aug 14 14:48:23 GMT 2003 > > > Ben Finney wrote: >> Failure: >> - Printing anything to said printer shares. >> [...] >> [printers] >> comment = All printers >> path = /var/local/spool/samba >> create mask = 0700 >> guest ok = Yes >> printable = Yes > > Corey Hart asked me (off-list) to check the permissions on the spool > directory. They are: > > $ ls -ld /var/local/samba/spool/ > drwxrwxrwt 2 root nogroup 4096 Aug 7 13:24 /var/local/samba/spool/ >Well -- but your "path" in smb.conf points to "/var/local/spool/samba" and *not* "/var/local/samba/spool/"....> (This is based on advice to make a separate spool directory, with the > same permissions as /tmp has.) >Cheers, Kurt