DJ
2003-Oct-08 05:20 UTC
[Samba] our windows APW can't add printer driver to samba domain member
Hi,

I'm part of an organization managing Windows clients with a couple of GNU/Linux servers. We're having some trouble configuring our Samba 3 Debian Linux server. It's just a domain member with authentication done with a Windows AD Domain Controller; it's supposed to be our new print server. The printers have already been set up for lprng.

Whenever trying to add a driver to any printer through the Add Printer Driver Wizard on a Windows client, with a username part of the 'print admin' group, we get this error message:

"Unable to install HP Lazerjet 4000 Series PCL 6, Windows 2000, Intel Driver. Access denied"

All our printers are in /etc/printcap already. There are no entries for any of them in smb.conf.

gutenberg:/var/log/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
    workgroup = MYGROUP
    realm = MYGROUP.MYREALM
    server string = %h server (Samba %v)
    security = ADS
    password server = PWDSERV
    syslog = 3
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    printer admin = root, @MYGROUP\Staff

[printers]
    comment = All Printers
    path = /var/spool/smbprint
    create mask = 0700
    printable = Yes
    use client driver = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    write list = root, @MYGROUP\Staff
    create mask = 0700
gutenberg:/var/log/samba#

We've read and re-read the chapters/section apropos in the doc, but can't find what we're doing wrong. Help or advice would be greatly appreciated :)

DJ
daniel.jarboe@custserv.com
2003-Oct-09 13:22 UTC
[Samba] our windows APW can't add printer driver to samba domain member
Hey DJ,

> Driver Wizard on a Windows client, with a username part of
> the 'print admin' group, we get this error message:
> "Unable to install HP Lazerjet 4000 Series PCL 6, Windows 2000, Intel
> Driver. Access denied"

> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
>     write list = root, @MYGROUP\Staff
>     create mask = 0700

Can /var/lib/samba/printers be reached by a member of @MYGROUP\Staff? What do the ownership permissions of the subdirectories look like? i.e. W32X86... W32X86/2... W32X86/3?

Your create mask of 0700 seems like it would be problematic for a few reasons, but mostly because your write list is group based, and other users will not be able to read files from print$.

~ Daniel

-----------------------------------------------------------------------
This message is the property of Time Inc. or its affiliates. It may be legally privileged and/or confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.
daniel.jarboe@custserv.com
2003-Oct-10 13:23 UTC
[Samba] our windows APW can't add printer driver to samba domain member
The problem is probably either permissions on /var/lib/samba/printers or the subdirectory you are writing to being so restrictive that the user who is connecting to add drivers via APW can't write the files to the subdirectory they need to. So fix that first... and clean up your create mask = 0700 line so that it doesn't happen the next time a subdirectory is created, and so that users will actually be able to read/retrieve the uploaded files.

There's two layers of security you need to be concerned with... the first is samba's write list for the print$ share, which you have set up to allow anyone in the group MYGROUP\Staff. Once a user is found to be in that group, they can write files to the share IFF the filesystem allows the user connecting to samba to write to the filesystem.

The reason your create mask is a problem is because if a user passes both of these tests and uploads drivers, your create mask is set to 0700 so the files will be rwx------ (and owned by the user who uploaded the files). That means only the user who actually uploads the files (or root) will be able to ever do anything with them... like use them for point 'n print.

> We've actually tried changing that. Also we've tried different
> permissions on the printers/W* directories, but still the
> same error on APW.

> >>[print$]
> >>    comment = Printer Drivers
> >>    path = /var/lib/samba/printers
> >>    write list = root, @MYGROUP\Staff
> >>    create mask = 0700
> >>
> >>
> >
> >Can /var/lib/samba/printers be reached by a member of @MYGROUP\Staff?
> >What does the ownership permissions of the subdirectories look like?
> >i.e. W32X86... W32X86/2... W32X86/3?
> >
> >Your create mask of 0700 seems like it would be problematic for a few
> >reasons, but mostly because your write list is group based, and other
> >users will not be able to read files from print$.
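
A filesystem-layer check for the two conditions discussed in this thread (upload needs group write on the driver directories, point 'n print needs other users to read the result), as an added example that is not part of the original messages. The function name audit_print_share is hypothetical, the group argument is assumed to be the Unix group or gid that the write-list group maps to on the server, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the filesystem layer under print$.
# audit_print_share ROOT GROUP   (hypothetical helper name)
#   ROOT  = the share's "path", e.g. /var/lib/samba/printers
#   GROUP = Unix group name or gid that the write-list group maps to (assumed)
# Prints one finding per line; returns 1 if anything was found, else 0.
# Only mode bits and group ownership are checked, not POSIX ACLs.
audit_print_share() {
    root=$1
    grp=$2
    findings=$(
        # Upload path: group members need rwx on every directory they write to.
        find "$root" -type d \( ! -group "$grp" -o ! -perm -070 \) \
            -exec printf 'DIR_NOT_GROUP_WRITABLE %s\n' {} \;
        # Download path: other users must be able to enter the directories...
        find "$root" -type d ! -perm -005 \
            -exec printf 'DIR_NOT_WORLD_READABLE %s\n' {} \;
        # ...and read the driver files (what create mask = 0700 prevents).
        find "$root" -type f ! -perm -004 \
            -exec printf 'FILE_NOT_WORLD_READABLE %s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree: one driver directory and file as they would look
# after an upload through a share with create mask = 0700.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/W32X86/3"
chmod 775 "$demo_tree" "$demo_tree/W32X86"
chmod 700 "$demo_tree/W32X86/3"
: > "$demo_tree/W32X86/3/example.dll"
chmod 700 "$demo_tree/W32X86/3/example.dll"
audit_print_share "$demo_tree" "$(id -g)" || echo "fix the paths listed above"
rm -rf "$demo_tree"
```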