samba - Dec 2004 - problems with print$

Hi All,


I finally signed up for the list after years of using Samba successfully - 
a testament to the quality of Samba.  Yet now I have a problem with the 
point-and-print functionality.  I am able to authenticate against my server 
(Solaris 8, Samba 3.0.7, OpenLDAP 2.1.25) as user 'chuck' in my LDAP 
directory and browse the shares, but when I right-click on the printer and 
select Properties (on WinXP), I get a dialog:

Printer properties cannot be displayed. Access is denied.

And no properties dialog is shown.  I googled the above message and found 
exactly one reference, the advice of which I followed (chmod 1777 
/var/spool/samba), to no avail.  A bit of background information:

mansfield{79}# pwd
/usr/local/samba
mansfield{80}# bin/testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[printers]"
Processing section "[print$]"
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[htdocs]"
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
         workgroup = LCNI-MAN
         server string = Mansfield Server
         passdb backend = ldapsam:ldap://mansfield.uoregon.edu
         password level = 8
         username level = 8
         log level = 2 winbind:10
         log file = /var/adm/samba/smblog.%m
         max log size = 500
         add user script = /usr/local/samba/sbin/smbldap-useradd -m
"%u"
         delete user script = /usr/local/samba/sbin/smbldap-userdel
"%u"
         add group script = /usr/local/samba/sbin/smbldap-groupadd -p
"%g"
         delete group script = /usr/local/samba/sbin/smbldap-groupdel
"%g"
         add user to group script = /usr/local/samba/sbin/smbldap-groupmod 
-m "%u" "%g"
         delete user from group script = 
/usr/local/samba/sbin/smbldap-groupmod -x "%u" "%g"
         set primary group script = /usr/local/samba/sbin/smbldap-usermod 
-g "%g" "%u"
         add machine script = /usr/local/samba/sbin/smbldap-useradd -w
"%u"
         domain logons = Yes
         os level = 33
         preferred master = Yes
         domain master = Yes
         dns proxy = No
         ldap admin dn = cn=smbadmin,ou=people,dc=lcni,dc=uoregon,dc=edu
         ldap delete dn = Yes
         ldap group suffix = ou=group
         ldap machine suffix = ou=people
         ldap passwd sync = Yes
         ldap suffix = dc=lcni,dc=uoregon,dc=edu
         ldap ssl = start tls
         ldap user suffix = ou=people
         printer admin = @sysadmin, chuck, root, LCNI-MAN\chuck
         printing = bsd
         print command = /usr/ucb/lpr -r -P'%p' %s
         lpq command = /usr/ucb/lpq -P'%p'
         lprm command = /usr/ucb/lprm -P'%p' %j

[printers]
         path = /var/spool/samba
         printable = Yes
         browseable = No

[print$]
         comment = Print Driver Area
         path = /usr/local/samba/lib/printers
         write list = @sysadmin, chuck, root, LCNI-MAN\chuck
         browseable = No

[homes]
         comment = Home Directories
         read only = No
         browseable = No

[netlogon]
         comment = Domain Logon
         path = /usr/local/samba/lib/netlogon
         browseable = No

[profiles]
         comment = Roaming Profiles
         path = /var/lib/samba/profiles
         read only = No
         create mask = 0600
         directory mask = 0700

[htdocs]
         comment = Web Server Files
         path = /var/www/htdocs
         read only = No

[data]
         comment = Basic Data Storage
         path = /data
         read only = No
mansfield{81}# ls -l /var/spool
total 14
drwxr-xr-x   4 root     sys          512 Oct  8  2003 cron
drwxr-xr-x   2 uucp     uucp         512 Nov 29 17:51 locks
drwxrwxr-x   7 lp       lp           512 Dec  6 16:20 lp
drwxr-x---   2 root     bin          512 Dec  7 15:55 mqueue
drwxrwxrwt   4 root     bin          512 Oct  9  2003 pkg
drwxr-xr-x   2 root     lp           512 Oct  8  2003 print
drwxrwxrwt   2 root     other        512 Dec  7 10:38 samba
mansfield{83}# ls -ld /usr/local/samba/lib/printers
drwxrwxr-x   4 root     sysadmin     512 Dec  7 14:42 
/usr/local/samba/lib/printers
mansfield{84}#

The sysadmin group is a native posix group on my server (not just an LDAP 
group), and chuck is listed as a user in /etc/group.  I am trying to work 
from chapter 17 of the Samba-3 HOW-TO, but so far little joy except that of 
knowing I am not dealing with M$AD.

I will try the above with a native Unix user and see how that goes.  Any 
advice on doing this with an LPAP user would be appreciated.

Thanks,

Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345

Chuck Theobald schrieb:
> Hi All,
>
>
> I finally signed up for the list after years of using Samba 
> successfully - a testament to the quality of Samba.  Yet now I have a 
> problem with the point-and-print functionality.  I am able to 
> authenticate against my server (Solaris 8, Samba 3.0.7, OpenLDAP 
> 2.1.25) as user 'chuck' in my LDAP directory and browse the shares,
> but when I right-click on the printer and select Properties (on 
> WinXP), I get a dialog:
>
> Printer properties cannot be displayed. Access is denied.
>
> And no properties dialog is shown.  I googled the above message and 
> found exactly one reference, the advice of which I followed (chmod 
> 1777 /var/spool/samba), to no avail.  A bit of background information:
>
> mansfield{79}# pwd
> /usr/local/samba
> mansfield{80}# bin/testparm
> Load smb config files from /usr/local/samba/lib/smb.conf
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[homes]"
> Processing section "[netlogon]"
> Processing section "[profiles]"
> Processing section "[htdocs]"
> Processing section "[data]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         workgroup = LCNI-MAN
>         server string = Mansfield Server
>         passdb backend = ldapsam:ldap://mansfield.uoregon.edu
>         password level = 8
>         username level = 8
>         log level = 2 winbind:10
>         log file = /var/adm/samba/smblog.%m
>         max log size = 500
>         add user script = /usr/local/samba/sbin/smbldap-useradd -m
"%u"
>         delete user script = /usr/local/samba/sbin/smbldap-userdel
"%u"
>         add group script = /usr/local/samba/sbin/smbldap-groupadd -p
"%g"
>         delete group script = /usr/local/samba/sbin/smbldap-groupdel
"%g"
>         add user to group script = 
> /usr/local/samba/sbin/smbldap-groupmod -m "%u" "%g"
>         delete user from group script = 
> /usr/local/samba/sbin/smbldap-groupmod -x "%u" "%g"
>         set primary group script = 
> /usr/local/samba/sbin/smbldap-usermod -g "%g" "%u"
>         add machine script = /usr/local/samba/sbin/smbldap-useradd -w 
> "%u"
>         domain logons = Yes
>         os level = 33
>         preferred master = Yes
>         domain master = Yes
>         dns proxy = No
>         ldap admin dn = cn=smbadmin,ou=people,dc=lcni,dc=uoregon,dc=edu
>         ldap delete dn = Yes
>         ldap group suffix = ou=group
>         ldap machine suffix = ou=people
>         ldap passwd sync = Yes
>         ldap suffix = dc=lcni,dc=uoregon,dc=edu
>         ldap ssl = start tls
>         ldap user suffix = ou=people
>         printer admin = @sysadmin, chuck, root, LCNI-MAN\chuck
>         printing = bsd
>         print command = /usr/ucb/lpr -r -P'%p' %s
>         lpq command = /usr/ucb/lpq -P'%p'
>         lprm command = /usr/ucb/lprm -P'%p' %j
>
> [printers]
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
>
> [print$]
>         comment = Print Driver Area
>         path = /usr/local/samba/lib/printers
>         write list = @sysadmin, chuck, root, LCNI-MAN\chuck
>         browseable = No
>
> [homes]
>         comment = Home Directories
>         read only = No
>         browseable = No
>
> [netlogon]
>         comment = Domain Logon
>         path = /usr/local/samba/lib/netlogon
>         browseable = No
>
> [profiles]
>         comment = Roaming Profiles
>         path = /var/lib/samba/profiles
>         read only = No
>         create mask = 0600
>         directory mask = 0700
>
> [htdocs]
>         comment = Web Server Files
>         path = /var/www/htdocs
>         read only = No
>
> [data]
>         comment = Basic Data Storage
>         path = /data
>         read only = No
> mansfield{81}# ls -l /var/spool
> total 14
> drwxr-xr-x   4 root     sys          512 Oct  8  2003 cron
> drwxr-xr-x   2 uucp     uucp         512 Nov 29 17:51 locks
> drwxrwxr-x   7 lp       lp           512 Dec  6 16:20 lp
> drwxr-x---   2 root     bin          512 Dec  7 15:55 mqueue
> drwxrwxrwt   4 root     bin          512 Oct  9  2003 pkg
> drwxr-xr-x   2 root     lp           512 Oct  8  2003 print
> drwxrwxrwt   2 root     other        512 Dec  7 10:38 samba
> mansfield{83}# ls -ld /usr/local/samba/lib/printers
> drwxrwxr-x   4 root     sysadmin     512 Dec  7 14:42 
> /usr/local/samba/lib/printers
> mansfield{84}#
>
> The sysadmin group is a native posix group on my server (not just an 
> LDAP group), and chuck is listed as a user in /etc/group.  I am trying 
> to work from chapter 17 of the Samba-3 HOW-TO, but so far little joy 
> except that of knowing I am not dealing with M$AD.
>
> I will try the above with a native Unix user and see how that goes.  
> Any advice on doing this with an LPAP user would be appreciated.
>
> Thanks,
>
> Chuck Theobald
> System Administrator
> The Robert and Beverly Lewis Center for Neuroimaging
> University of Oregon
> P: 541-346-0343
> F: 541-346-0345
>
hi, to use the print dir you must have write permission to the spool dir 
on the native linux file system
use ls ,chmod to change it if needed
Regards

I have a copy of the printed HOWTO collection and it has the correct procedure
for this. Must have permissions to the print share, must have created the
correct dir on that share for the client
architecture, must be a printer admin who is logged into the workstation
uploading the print drivers, a few other minor things... like make sure you did
not set root as an invalid user in smb.conf.

Here is my print specific smb.conf stuff...

[global]
########## Printing ##########
    load printers = yes
    printcap name = CUPS
    printcap cache time = 180
    printing = CUPS
    use client driver = no
    printer admin = @domadmin

####### Print Shares ########
[printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    browseable = no
    public = yes
    guest ok = yes
    read only = yes
    printable = yes
    create mode = 0600

[print$]
    comment = Printer Driver Download Area
    path = /shares/print
    browsable = yes
    guest ok = yes
    read only = yes
    write list = @domadmin

#!/bin/bash
#
# initPrint.sh
#

mkdir /var/spool/samba
chmod 0777 /var/spool/samba
chmod o+t /var/spool/samba

-- 
Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.

Michael Lueck schrieb:
> I have a copy of the printed HOWTO collection and it has the correct 
> procedure for this. Must have permissions to the print share, must 
> have created the correct dir on that share for the client 
> architecture, must be a printer admin who is logged into the 
> workstation uploading the print drivers, a few other minor things... 
> like make sure you did not set root as an invalid user in smb.conf.
>
> Here is my print specific smb.conf stuff...
>
> [global]
> ########## Printing ##########
>    load printers = yes
>    printcap name = CUPS
>    printcap cache time = 180
>    printing = CUPS
>    use client driver = no
>    printer admin = @domadmin
>
> ####### Print Shares ########
> [printers]
>    comment = SMB Print Spool
>    path = /var/spool/samba
>    browseable = no
>    public = yes
>    guest ok = yes
>    read only = yes
>    printable = yes
>    create mode = 0600
>
> [print$]
>    comment = Printer Driver Download Area
>    path = /shares/print
>    browsable = yes
>    guest ok = yes
>    read only = yes
>    write list = @domadmin
>
> #!/bin/bash
> #
> # initPrint.sh
> #
>
> mkdir /var/spool/samba
> chmod 0777 /var/spool/samba
> chmod o+t /var/spool/samba
>
hi, ok
what is with the permissions of path = /shares/print
what are the logs saying?
Regards

Further information on this issue includes output from my smblog file:

[2004/12/08 11:48:13, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
   init_sam_from_ldap: Entry found for user: chuck
[2004/12/08 11:48:13, 2] passdb/pdb_ldap.c:init_ldap_from_sam(864)
   init_ldap_from_sam: Setting entry for user: chuck
[2004/12/08 11:48:13, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [chuck] -> [chuck] FAILED 
with error NT_STATUS_WRONG_PASSWORD
[2004/12/08 11:48:22, 2] smbd/server.c:exit_server(571)
   Closing connections

This is repeated ten times for each attempt to display the printer 
properties dialog.  I am able to see all other shares from the server, thus 
my NT and LM passwords are correct, so why the refusal?

See below for permissions I have set for the print spool and print driver 
directories.

Thanks,
Chuck


At 04:11 PM 12/7/2004, Chuck Theobald wrote:
>Hi All,
>
>
>I finally signed up for the list after years of using Samba successfully - 
>a testament to the quality of Samba.  Yet now I have a problem with the 
>point-and-print functionality.  I am able to authenticate against my 
>server (Solaris 8, Samba 3.0.7, OpenLDAP 2.1.25) as user 'chuck' in
my
>LDAP directory and browse the shares, but when I right-click on the 
>printer and select Properties (on WinXP), I get a dialog:
>
>Printer properties cannot be displayed. Access is denied.
>
>And no properties dialog is shown.  I googled the above message and found 
>exactly one reference, the advice of which I followed (chmod 1777 
>/var/spool/samba), to no avail.  A bit of background information:
>
>mansfield{79}# pwd
>/usr/local/samba
>mansfield{80}# bin/testparm
>Load smb config files from /usr/local/samba/lib/smb.conf
>Processing section "[printers]"
>Processing section "[print$]"
>Processing section "[homes]"
>Processing section "[netlogon]"
>Processing section "[profiles]"
>Processing section "[htdocs]"
>Processing section "[data]"
>Loaded services file OK.
>Server role: ROLE_DOMAIN_PDC
>Press enter to see a dump of your service definitions
>
># Global parameters
>[global]
>         workgroup = LCNI-MAN
>         server string = Mansfield Server
>         passdb backend = ldapsam:ldap://mansfield.uoregon.edu
>         password level = 8
>         username level = 8
>         log level = 2 winbind:10
>         log file = /var/adm/samba/smblog.%m
>         max log size = 500
>         add user script = /usr/local/samba/sbin/smbldap-useradd -m
"%u"
>         delete user script = /usr/local/samba/sbin/smbldap-userdel
"%u"
>         add group script = /usr/local/samba/sbin/smbldap-groupadd -p
"%g"
>         delete group script = /usr/local/samba/sbin/smbldap-groupdel
"%g"
>         add user to group script = /usr/local/samba/sbin/smbldap-groupmod 
> -m "%u" "%g"
>         delete user from group script = 
> /usr/local/samba/sbin/smbldap-groupmod -x "%u" "%g"
>         set primary group script = /usr/local/samba/sbin/smbldap-usermod 
> -g "%g" "%u"
>         add machine script = /usr/local/samba/sbin/smbldap-useradd -w
"%u"
>         domain logons = Yes
>         os level = 33
>         preferred master = Yes
>         domain master = Yes
>         dns proxy = No
>         ldap admin dn = cn=smbadmin,ou=people,dc=lcni,dc=uoregon,dc=edu
>         ldap delete dn = Yes
>         ldap group suffix = ou=group
>         ldap machine suffix = ou=people
>         ldap passwd sync = Yes
>         ldap suffix = dc=lcni,dc=uoregon,dc=edu
>         ldap ssl = start tls
>         ldap user suffix = ou=people
>         printer admin = @sysadmin, chuck, root, LCNI-MAN\chuck
>         printing = bsd
>         print command = /usr/ucb/lpr -r -P'%p' %s
>         lpq command = /usr/ucb/lpq -P'%p'
>         lprm command = /usr/ucb/lprm -P'%p' %j
>
>[printers]
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
>
>[print$]
>         comment = Print Driver Area
>         path = /usr/local/samba/lib/printers
>         write list = @sysadmin, chuck, root, LCNI-MAN\chuck
>         browseable = No
>
>[homes]
>         comment = Home Directories
>         read only = No
>         browseable = No
>
>[netlogon]
>         comment = Domain Logon
>         path = /usr/local/samba/lib/netlogon
>         browseable = No
>
>[profiles]
>         comment = Roaming Profiles
>         path = /var/lib/samba/profiles
>         read only = No
>         create mask = 0600
>         directory mask = 0700
>
>[htdocs]
>         comment = Web Server Files
>         path = /var/www/htdocs
>         read only = No
>
>[data]
>         comment = Basic Data Storage
>         path = /data
>         read only = No
>mansfield{81}# ls -l /var/spool
>total 14
>drwxr-xr-x   4 root     sys          512 Oct  8  2003 cron
>drwxr-xr-x   2 uucp     uucp         512 Nov 29 17:51 locks
>drwxrwxr-x   7 lp       lp           512 Dec  6 16:20 lp
>drwxr-x---   2 root     bin          512 Dec  7 15:55 mqueue
>drwxrwxrwt   4 root     bin          512 Oct  9  2003 pkg
>drwxr-xr-x   2 root     lp           512 Oct  8  2003 print
>drwxrwxrwt   2 root     other        512 Dec  7 10:38 samba
>mansfield{83}# ls -ld /usr/local/samba/lib/printers
>drwxrwxr-x   4 root     sysadmin     512 Dec  7 14:42 
>/usr/local/samba/lib/printers
>mansfield{84}#
>
>The sysadmin group is a native posix group on my server (not just an LDAP 
>group), and chuck is listed as a user in /etc/group.  I am trying to work 
>from chapter 17 of the Samba-3 HOW-TO, but so far little joy except that 
>of knowing I am not dealing with M$AD.
>
>I will try the above with a native Unix user and see how that goes.  Any 
>advice on doing this with an LPAP user would be appreciated.
>
>Thanks,
>
>Chuck Theobald
>System Administrator
>The Robert and Beverly Lewis Center for Neuroimaging
>University of Oregon
>P: 541-346-0343
>F: 541-346-0345
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  http://lists.samba.org/mailman/listinfo/samba
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345

Joy is me!  Upgrading to 3.0.9 (from 3.0.7) quashed the print properties 
dialog problem I was seeing.

FYI,

Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345