samba - Nov 2006 - Only admin user can print?

Hi all,

after upgrading a FC3 box to FC4 which comes with Samba 3.0.23a rpm's, I
have the really strange effect that /only/ "admin users" can print to
printers shared by the Samba server.  Even a double click on the printer
in Win gives an "access denied".

The access to "normal" shares (homes etc.) still works fine.  Any idea
what went wrong?  How could I debug this condition???  The contents of
the config as reported by testparm is below.

Thanks in advance,
Albrecht


--output from testparm--------------------------------------------------
[global]
        workgroup = xxxx
        realm = xxxx.xxxx.xxx
        security = ADS
        password server = xxx.xxx.xxx.xxx:389, *
        log level = 1
        log file = /var/log/samba/%m.log
        max log size = 0
        load printers = No
        printcap name = cups
        os level = 0
        preferred master = No
        local master = No
        domain master = No
        wins server = xxx.xxx.xxx.xxx, xxx.xxx.xxx.yyy
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator = _
        winbind enum users = Yes
        winbind enum groups = Yes
        printer admin = @DOM_grp
        hosts allow = xxx.xxx.xxx., xxx.xxx.yyy

[printers]
        comment = Drucker auf xxx-xxxxx
        path = /opt/samba/printers
        valid users = @DOM_grp
        printable = Yes
        browseable = No

[print$]
        comment = Druckertreiber
        path = /opt/samba/printer-drivers
        valid users = @DOM_grp
        guest ok = Yes
        browseable = No

[ps2pdf]
        comment = Umwandlung in PDF
        path = /opt/samba/ps2pdf
        valid users = @DOM_grp
        guest ok = Yes
        printable = Yes
--end testparm output---------------------------------------------------

All users are reported as member of the DOM_grp group by 'getent group
DOM_grp'.  The spool folders /opt/samba/printers and /opt/samba/ps2pdf
are owned by nobody.nobody and have permissions rwxrwxrwt.

-- 
LIOS Technology GmbH
Dr. Albrecht Dre?
Project Engineering / Software Design
Schanzenstrasse 6 - 20
D-51063 K?ln
Germany

Phone +49 221 676 2742
Fax   +49 221 676 2069

The "valid users" directive was broken in 23a and 23b.  You will need
to
upgrade to 23c or find another method of controlling access to your shares.
Also, the 23-series requires FQDN - "@DOM_grp" becomes
"@DOMAIN\DOM_grp".
See http://us1.samba.org/samba/history/samba-3.0.23c.html for all the 
things that recently changed.

Good luck,
Dale

Albrecht Dre? wrote:
> Hi all,
>
> after upgrading a FC3 box to FC4 which comes with Samba 3.0.23a rpm's,
I
> have the really strange effect that /only/ "admin users" can
print to
> printers shared by the Samba server.  Even a double click on the printer
> in Win gives an "access denied".
>
> The access to "normal" shares (homes etc.) still works fine.  Any
idea
> what went wrong?  How could I debug this condition???  The contents of
> the config as reported by testparm is below.
>
> Thanks in advance,
> Albrecht
>
>
> --output from testparm--------------------------------------------------
> [global]
>         workgroup = xxxx
>         realm = xxxx.xxxx.xxx
>         security = ADS
>         password server = xxx.xxx.xxx.xxx:389, *
>         log level = 1
>         log file = /var/log/samba/%m.log
>         max log size = 0
>         load printers = No
>         printcap name = cups
>         os level = 0
>         preferred master = No
>         local master = No
>         domain master = No
>         wins server = xxx.xxx.xxx.xxx, xxx.xxx.xxx.yyy
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         template shell = /bin/bash
>         winbind separator = _
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         printer admin = @DOM_grp
>         hosts allow = xxx.xxx.xxx., xxx.xxx.yyy
>
> [printers]
>         comment = Drucker auf xxx-xxxxx
>         path = /opt/samba/printers
>         valid users = @DOM_grp
>         printable = Yes
>         browseable = No
>
> [print$]
>         comment = Druckertreiber
>         path = /opt/samba/printer-drivers
>         valid users = @DOM_grp
>         guest ok = Yes
>         browseable = No
>
> [ps2pdf]
>         comment = Umwandlung in PDF
>         path = /opt/samba/ps2pdf
>         valid users = @DOM_grp
>         guest ok = Yes
>         printable = Yes
> --end testparm output---------------------------------------------------
>
> All users are reported as member of the DOM_grp group by 'getent group
> DOM_grp'.  The spool folders /opt/samba/printers and /opt/samba/ps2pdf
> are owned by nobody.nobody and have permissions rwxrwxrwt.
>
>

Hi Dale:

I grabbed version 23c, built and installed it, but had no success so far...

Dale Schroeder <dale@BriannasSaladDressing.com> wrote:
> The "valid users" directive was broken in 23a and 23b.  You will
need to
> upgrade to 23c or find another method of controlling access to your shares.
> Also, the 23-series requires FQDN - "@DOM_grp" becomes
"@DOMAIN\DOM_grp".
Maybe you can clarify this a little bit - When I log in into Winbloze, I use the
domain MYDOM.  In reality, this domain is called MYDOM.MYORG.COM.  The domain
has a group called mygroup.  From this, winbindd (using "_" as
separator)
created the group "MYDOM_mygroup" which I used in the config file. 
With the new
scheme, do I have to use "@MYDOM.MYORG.COM\mygroup", or is
"@MYDOM\mygroup"
sufficient?

Apart from that, what is the /default/ access mode to the printers?  Maybe it
would be interesting to see where the printer access fails.  Any help is welcome
- this is really a show-stopper, and I don't want to make everybody an
admin!

Cheers,
Albrecht

-- 
LIOS Technology GmbH
Dr. Albrecht Dre?
Project Engineering / Software Design
Schanzenstrasse 6 - 20
D-51063 K?ln
Germany

Phone +49 221 676 2742
Fax   +49 221 676 2069
mailto:albrecht.dress@lios-tech.com