Francis Galiegue
2008-Feb-27 14:46 UTC
[Samba] Still unresolved: adding printers as a non admin domain user doesn't work
Hello list,

I use samba-3.0.10 from RHEL4, with an smbldap-tools backend (version 0.9.2a). Everything works fine: domain logons work OK, I can join machines to the domain, "unjoin" them, add users (from the samba server only though, but that's not important), submit drivers for printers as a printer admin, etc.

The only thing that does NOT work is adding printers as a non admin user with Windows XP (Professional). It worked under Win2k!

When I use XP, the only option I have is to first add the printer as either the local administrator of the machine, or the domain administrator, and only then I can add this printer as a normal, unprivileged domain user. Uh.

And I have NOTHING in the Samba logs. As my smb.conf is relatively long, I'll put only what I think is relevant below.

Any hints appreciated, I've been stuck with this problem for six months, and not a hint of a solution yet :(

---
    printcap name = cups
    load printers = yes
    printcap cache time = 300
    printing = cups
[...]
    ldap passwd sync = yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    #
    # FIXME: why commented in the HOWTO?
    #
    #ldap filter = (&(objectClass=sambaSAMAccount)(uid=%u))
    ldap admin dn = cn=samba,ou=DSA,dc=one2team,dc=lan
    ldap suffix = dc=one2team,dc=lan
[blah, blah]
[...]
[homes]
    comment = User home directories (NOT the profiles)
    valid users = %U
    create mask = 0640
    directory mask = 0750
    browseable = no
    veto files = /*.mp3/*.m4a/*.mpg/*.mpeg/*.avi/*.wmv/*.wma
    read only = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
    guest ok = yes
    profile acls = yes
    veto files = /*.mp3/*.m4a/*.mpg/*.mpeg/*.avi/*.wmv/*.wma
    csc policy = disable
    force user = %U
    valid users = %U @"Domain Admins"

[netlogon]
    path = /var/lib/samba/netlogon
    browseable = no
    read only = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = yes
    guest ok = no
    writable = no
    printable = yes
    create mode = 0600
    printer admin = root, @o2tadm

[print$]
    path = /var/lib/samba/printers
    browseable = yes
    write list = root
    guest ok = yes
    read only = yes
[...]
---

--
Francis Galiegue, One2team - fg@one2team.com
[ATTENTION: CHANGE OF CONTACT DETAILS!]
+33178945552, +33683877875, http://www.one2team.com
40 avenue Raymond Poincaré - 75116 PARIS
Chris Smith
2008-Feb-27 15:01 UTC
[Samba] Still unresolved: adding printers as a non admin domain user doesn't work
On Wednesday 27 February 2008, Francis Galiegue wrote:
> When I use XP, the only option I have is to first add the printer as
> either the local administrator of the machine, or the domain
> administrator, and only then I can add this printer as a normal,
> unprivileged domain user. Uh.

This is not a Samba issue, it's normal Windows operation. You need sufficient privileges to install the driver. Once installed, a normal user can connect to the printer. It has always worked the same way for me with both Win2k and XP.

--
Chris
kteague@speakeasy.net
2008-Feb-29 03:05 UTC
[Samba] Still unresolved: adding printers as a non admin domain user doesn't work
On Thu Feb 28 12:58, Francis Galiegue sent:
> OK, I can't say I relate to what you say (obviously), but here goes anyway.
>
> It _was_ indeed a Windows centric problem. The solution I found was to run
> gpedit.msc (located in system32/ from the root Windows directory) and change
> the relevant parameter. For each machine.

It was pretty obvious that it was a local policy problem after reading the first reply on that web page you linked us.

> Which reminds me that I read many times of a central "policy" available
> as "soon" as Samba 3.x, therefore NT-style domains, which can enforce such
> settings at a whole domain level (a file edited with poledit). I've never
> tried that (never needed it actually - until now, it seems).
>
> Does it cover such stuff as the "point and print restrictions" that I edited
> with gpedit.msc?

If I'm understanding your question correctly (it = central policy?), this is not a Samba feature. Samba can push out group policies, but configuring them is done using Windows utilities.