I have been trying to set up a new print server on Fedora 12 based around
samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks
good except for the ability for printer administrators to manage
printers. Whether I specify users in a system group using the
deprecated printer admin option, or specifically using net rpc rights
and the SePrinterOperatorPrivilege, it does not matter. This is against
an NT4 domain on samba-3.4.2.
Interestingly, I have one user who can manage printers, whether or not
he is in the group or has the privilege. Also, the printer admin pieces
work correctly on an existing samba-3.0.28a print server against that
same domain controller.
I have been looking at level 10 logs to compare two users, the mystery
adminuser, and the feckless denieduser, when running the following
command (again, both are members of the printer admin group):
rpcclient -c 'setdriver ZZZ "HP LaserJet 4000 Series PS"' -U <user> localhost
Following are log snippets, both beginning with SPOOLSS_OPENPRINTEREX
and ending when printer access is either granted as
PRINTER_ACCESS_ADMINISTER or denied outright. Whether or not in the
proper printer admin group or given the privilege, the outcome does not
change for either user.
First the user for whom administrative access is granted:
--------------------------------------------
[2010/03/31 13:43:35, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command:
SPOOLSS_OPENPRINTEREX
[2010/03/31 13:43:35, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
api_rpc_cmds[69].fn == 0x7f0e2d66c890
[2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
in: struct spoolss_OpenPrinterEx
printername : *
printername : '\\LOCALHOST\ZZZ'
datatype : NULL
devmode_ctr: struct spoolss_DevmodeContainer
_ndr_size : 0x00000000 (0)
devmode : NULL
access_mask : 0x000f000c (983052)
0: SERVER_ACCESS_ADMINISTER
0: SERVER_ACCESS_ENUMERATE
1: PRINTER_ACCESS_ADMINISTER
1: PRINTER_ACCESS_USE
0: JOB_ACCESS_ADMINISTER
0: JOB_ACCESS_READ
level : 0x00000001 (1)
userlevel : union spoolss_UserLevel(case 1)
level1 : *
level1: struct spoolss_UserLevel1
size : 0x0000001c (28)
client : *
client : '\\TKNEW'
user : *
user : 'adminuser'
build : 0x00000565 (1381)
major : UNKNOWN_ENUM_VALUE (2)
minor :
SPOOLSS_MINOR_VERSION_0 (0)
processor :
PROCESSOR_ARCHITECTURE_INTEL (0)
checking name: \\LOCALHOST\ZZZ
[2010/03/31 13:43:35, 10] rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
open_printer_hnd: name [\\LOCALHOST\ZZZ]
[2010/03/31 13:43:35, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B C7 89 ........ .....K..
[0010] F9 54 00 00 .T..
[2010/03/31 13:43:35, 3]
rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
Setting printer type=\\LOCALHOST\ZZZ
Printer is a printer
[2010/03/31 13:43:35, 4]
rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
Setting printer name=\\LOCALHOST\ZZZ (len=15)
[2010/03/31 13:43:35, 8] lib/util.c:1879(is_myname)
is_myname("LOCALHOST") returns 0
searching for [ZZZ]
[2010/03/31 13:43:35, 10]
printing/nt_printing.c:4630(get_a_printer_internal)
get_a_printer: [printers] level 2
[2010/03/31 13:43:35, 10]
printing/nt_printing.c:3917(get_a_printer_2_default)
get_a_printer_2_default: driver name set to []
printername: printers
[2010/03/31 13:43:35, 10]
printing/nt_printing.c:3917(get_a_printer_2_default)
get_a_printer_2_default: driver name set to []
printername: CRBSTD-P
set_printer_hnd_name: Printer found: ZZZ -> ZZZ
[2010/03/31 13:43:35, 5] rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
1 printer handles active
[2010/03/31 13:43:35, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B C7 89 ........ .....K..
[0010] F9 54 00 00 .T..
[2010/03/31 13:43:35, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B C7 89 ........ .....K..
[0010] F9 54 00 00 .T..
[2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
short name:ZZZ
[2010/03/31 13:43:35, 3] lib/access.c:362(only_ipaddrs_in_list)
only_ipaddrs_in_list: list has non-ip address (127.)
[2010/03/31 13:43:35, 3] lib/access.c:396(check_access)
check_access: hostnames in host allow/deny list.
[2010/03/31 13:43:35, 2] lib/access.c:406(check_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2010/03/31 13:43:35, 10] smbd/share_access.c:234(user_ok_token)
user_ok_token: share ZZZ is ok for unix user adminuser
[2010/03/31 13:43:35, 4]
rpc_server/srv_spoolss_nt.c:1726(_spoolss_OpenPrinterEx)
Setting printer access = PRINTER_ACCESS_ADMINISTER
[2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
out: struct spoolss_OpenPrinterEx
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000002-0000-0000-b34b-c789f9540000
result : WERR_OK
--------------------------------------------
And now for a user who is denied access:
--------------------------------------------
[2010/03/31 13:44:33, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command:
SPOOLSS_OPENPRINTEREX
[2010/03/31 13:44:33, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
api_rpc_cmds[69].fn == 0x7f0e2d66c890
[2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
in: struct spoolss_OpenPrinterEx
printername : *
printername : '\\LOCALHOST\ZZZ'
datatype : NULL
devmode_ctr: struct spoolss_DevmodeContainer
_ndr_size : 0x00000000 (0)
devmode : NULL
access_mask : 0x000f000c (983052)
0: SERVER_ACCESS_ADMINISTER
0: SERVER_ACCESS_ENUMERATE
1: PRINTER_ACCESS_ADMINISTER
1: PRINTER_ACCESS_USE
0: JOB_ACCESS_ADMINISTER
0: JOB_ACCESS_READ
level : 0x00000001 (1)
userlevel : union spoolss_UserLevel(case 1)
level1 : *
level1: struct spoolss_UserLevel1
size : 0x0000001c (28)
client : *
client : '\\TKNEW'
user : *
user : 'denieduser'
build : 0x00000565 (1381)
major : UNKNOWN_ENUM_VALUE (2)
minor :
SPOOLSS_MINOR_VERSION_0 (0)
processor :
PROCESSOR_ARCHITECTURE_INTEL (0)
checking name: \\LOCALHOST\ZZZ
[2010/03/31 13:44:33, 10] rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
open_printer_hnd: name [\\LOCALHOST\ZZZ]
[2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 3]
rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
Setting printer type=\\LOCALHOST\ZZZ
Printer is a printer
[2010/03/31 13:44:33, 4]
rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
Setting printer name=\\LOCALHOST\ZZZ (len=15)
[2010/03/31 13:44:33, 8] lib/util.c:1879(is_myname)
is_myname("LOCALHOST") returns 0
searching for [ZZZ]
[2010/03/31 13:44:33, 10]
printing/nt_printing.c:4630(get_a_printer_internal)
get_a_printer: [printers] level 2
[2010/03/31 13:44:33, 10]
printing/nt_printing.c:3917(get_a_printer_2_default)
get_a_printer_2_default: driver name set to []
printername: printers
[2010/03/31 13:44:33, 10]
printing/nt_printing.c:3917(get_a_printer_2_default)
get_a_printer_2_default: driver name set to []
printername: CRBSTD-P
set_printer_hnd_name: Printer found: ZZZ -> ZZZ
[2010/03/31 13:44:33, 5] rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
1 printer handles active
[2010/03/31 13:44:33, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 4] rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
short name:ZZZ
[2010/03/31 13:44:33, 3] lib/access.c:362(only_ipaddrs_in_list)
only_ipaddrs_in_list: list has non-ip address (127.)
[2010/03/31 13:44:33, 3] lib/access.c:396(check_access)
check_access: hostnames in host allow/deny list.
[2010/03/31 13:44:33, 2] lib/access.c:406(check_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2010/03/31 13:44:33, 10] smbd/share_access.c:234(user_ok_token)
user_ok_token: share ZZZ is ok for unix user denieduser
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x20020008 to 0x00020008
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
access check was FAILURE
[2010/03/31 13:44:33, 3]
rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)
access DENIED for printer open
[2010/03/31 13:44:33, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 3] rpc_server/srv_lsa_hnd.c:218(close_policy_hnd)
Closed policy
[2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
out: struct spoolss_OpenPrinterEx
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000000-0000-0000-0000-000000000000
result : WERR_ACCESS_DENIED
--------------------------------------------
The only discernible difference to my eye is that for the denieduser,
se_map_generic() is called before ultimately denying the user.
Finally, here is testparm output:
--------------------------------------------
[global]
workgroup = POTSDAM
server string = Printing Server
security = DOMAIN
password server = MEGA
restrict anonymous = 2
log level = 1
log file = /var/log/samba/%m.log
max log size = 10000
time server = Yes
unix extensions = No
deadtime = 5
printcap name = cups
wins server = 192.168.0.1
printer admin = @printeradmins
hosts allow = 127., 192.168.
cups options = raw
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
browsable = No
[print$]
comment = Printer Drivers for Windows
path = /usr/share/samba/print
write list = @printeradmins
[drivers]
comment = Vendor Printer Driver Paks
path = /usr/share/samba/drivers
write list = @printeradmins
create mask = 0775
directory mask = 0775
--------------------------------------------
If anyone could shed light on this issue, it would be much appreciated.
Thank you.
-Jeff
--
Jeffrey M Hardy
Systems Analyst
hardyjm at potsdam.edu
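
The by-eye comparison of the two excerpts in the message above can be scripted. The following is an added example, not part of the original thread: it uses abridged copies of the two excerpts as constructed sample input, and the helper names (call_trace, summarize, extra_calls, cleared_bits) are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: abridged copies of the two excerpts in the post.
GRANTED_LOG = r"""
[2010/03/31 13:43:35, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
  api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
          user : 'adminuser'
[2010/03/31 13:43:35, 10] smbd/share_access.c:234(user_ok_token)
  user_ok_token: share ZZZ is ok for unix user adminuser
[2010/03/31 13:43:35, 4]
rpc_server/srv_spoolss_nt.c:1726(_spoolss_OpenPrinterEx)
  Setting printer access = PRINTER_ACCESS_ADMINISTER
      result : WERR_OK
"""
DENIED_LOG = r"""
[2010/03/31 13:44:33, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
  api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
          user : 'denieduser'
[2010/03/31 13:44:33, 10] smbd/share_access.c:234(user_ok_token)
  user_ok_token: share ZZZ is ok for unix user denieduser
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x20020008 to 0x00020008
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
  access check was FAILURE
[2010/03/31 13:44:33, 3]
rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)
  access DENIED for printer open
      result : WERR_ACCESS_DENIED
"""

# Debug header: "[date time, level] file.c:line(function)". Mail wrapping can
# push "file.c:line(function)" onto the next line, so \s+ also spans a newline.
HEADER = re.compile(r"\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s+\d+\]\s+\S+?:\d+\((\w+)\)")
USER = re.compile(r"user\s*:\s*'([^']+)'")
RESULT = re.compile(r"result\s*:\s*(WERR_\w+)")
MAPPED = re.compile(r"mapped mask (0x[0-9a-fA-F]+) to (0x[0-9a-fA-F]+)")

# Windows generic access bits (top nibble of a 32-bit access mask).
GENERIC_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}


def call_trace(log_text):
    """Ordered list of the functions that emitted a debug header."""
    return [m.group(1) for m in HEADER.finditer(log_text)]


def summarize(log_text):
    """User named in the request, final WERR result, and the call trace."""
    user, result = USER.search(log_text), RESULT.search(log_text)
    return {"user": user.group(1) if user else None,
            "result": result.group(1) if result else None,
            "trace": call_trace(log_text)}


def extra_calls(base_trace, other_trace):
    """Functions logged more often in other_trace than in base_trace,
    in first-seen order, with the surplus count."""
    surplus = Counter(other_trace) - Counter(base_trace)
    ordered = []
    for fn in other_trace:
        if surplus[fn] and fn not in [name for name, _ in ordered]:
            ordered.append((fn, surplus[fn]))
    return ordered


def cleared_bits(log_text):
    """For each se_map_generic line, name the generic bits the mapping removed."""
    out = []
    for before, after in MAPPED.findall(log_text):
        removed = int(before, 16) & ~int(after, 16)
        out.append((before, after,
                    [name for bit, name in GENERIC_BITS.items() if removed & bit]))
    return out


if __name__ == "__main__":
    granted, denied = summarize(GRANTED_LOG), summarize(DENIED_LOG)
    for s in (granted, denied):
        print(s["user"], "->", s["result"])
    print("only in denied path:", extra_calls(granted["trace"], denied["trace"]))
    for before, after, names in cleared_bits(DENIED_LOG):
        print(f"{before} -> {after} cleared {names}")
```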
Might be simpler to assign users to the builtin administrators group. See if you have better luck:

#net sam list builtin
#net sam createbuiltingroup administrators
#net sam addmem administrators
#net sam listmem administrators
# net rpc rights list administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Jeff Hardy wrote:
> I have been trying to set up a new print server on Fedora 12 based
> around samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All
> looks good except for the ability for printer administrators to manage
> printers. Whether I specify users in a system group using the
> deprecated printer admin option, or specifically using net rpc rights
> and the SePrinterOperatorPrivilege, it does not matter. This is
> against an NT4 domain on samba-3.4.2.
>
> Interestingly, I have one user who can manage printers, whether or not
> he is in the group or has the privilege. Also, the printer admin
> pieces work correctly on an existing samba-3.0.28a print server
> against that same domain controller.
>
> I have been looking at level 10 logs to compare two users, the mystery
> adminuser, and the feckless denieduser, when running the following
> command (again, both are members of the printer admin group):
>
> rpcclient -c 'setdriver ZZZ "HP LaserJet 4000 Series PS"' -U <user> localhost
>
> Following are log snippets, both beginning with SPOOLSS_OPENPRINTEREX
> and ending when printer access is either granted as
> PRINTER_ACCESS_ADMINISTER or denied outright. Whether or not in the
> proper printer admin group or given the privilege, the outcome does
> not change for either user.
On 04/01/2010 05:39 PM, Jeff Hardy wrote:
> I have been trying to set up a new print server on Fedora 12 based around
> samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
> except for the ability for printer administrators to manage printers.
> Whether I specify users in a system group using the deprecated printer
> admin option, or specifically using net rpc rights and the
> SePrinterOperatorPrivilege, it does not matter. This is against an NT4
> domain on samba-3.4.2.

After a tdb wipe, I ended up with no users who can manage printers. This at least made the behavior consistently broken. I ended up trying samba 3.3 and 3.2 seeking some way to manage printers. Only by going back to samba-3.2.15 built from a Fedora 10 source RPM was I able to restore functionality by way of the printer admin option. The SePrinterOperatorPrivilege did not seem to work in any version no matter what I did. Surely other folks are managing printers with sambas later than 3.2.x I would think. Anyone have any experience like this?

-Jeff

--
Jeffrey M Hardy
Systems Analyst
hardyjm at potsdam.edu
Hi Jeff,

Jeff Hardy wrote:
> On 04/01/2010 05:39 PM, Jeff Hardy wrote:
>> I have been trying to set up a new print server on Fedora 12 based around
>> samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
>> except for the ability for printer administrators to manage printers.
>> Whether I specify users in a system group using the deprecated printer
>> admin option, or specifically using net rpc rights and the
>> SePrinterOperatorPrivilege, it does not matter. This is against an NT4
>> domain on samba-3.4.2.
>
> After a tdb wipe, I ended up with no users who can manage printers.
> This at least made the behavior consistently broken. I ended up
> trying samba 3.3 and 3.2 seeking some way to manage printers. Only by
> going back to samba-3.2.15 built from a Fedora 10 source RPM was I
> able to restore functionality by way of the printer admin option. The
> SePrinterOperatorPrivilege did not seem to work in any version no
> matter what I did. Surely other folks are managing printers with
> sambas later than 3.2.x I would think. Anyone have any experience
> like this?

How about adding users as members to the BUILTIN\administrators group on the newer version of samba to see if that works?
Hi Jeff,
I fiddled around for a while with this too ;)
Looks broken to me, anyway I did put it like this and it worked for me
then:
in smb.conf:
username map = /opt/samba/smbusers.map
admin users = root
[print$]
path = /opt/samba/samba_drivers
write list = root
uid at host:~$ cat /opt/samba/smbusers.map
!root = <my win uid>
!root = <WIN DOMAIN\uid>
This worked for me only with the root account while in earlier versions I
used the same mechanism with the uid lp and it worked fine ...
good luck
christoph
On Thu, 6 May 2010, Ryan Suarez wrote:
> Hi Jeff,
>
> Jeff Hardy wrote:
>> On 04/01/2010 05:39 PM, Jeff Hardy wrote:
>> > I have been trying to set up a new print server on Fedora 12 based around
>> > samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
>> > except for the ability for printer administrators to manage printers.
>> > Whether I specify users in a system group using the deprecated printer
>> > admin option, or specifically using net rpc rights and the
>> > SePrinterOperatorPrivilege, it does not matter. This is against an NT4
>> > domain on samba-3.4.2.
>>
>> After a tdb wipe, I ended up with no users who can manage printers. This
>> at least made the behavior consistently broken. I ended up trying samba
>> 3.3 and 3.2 seeking some way to manage printers. Only by going back to
>> samba-3.2.15 built from a Fedora 10 source RPM was I able to restore
>> functionality by way of the printer admin option. The
>> SePrinterOperatorPrivilege did not seem to work in any version no matter
>> what I did. Surely other folks are managing printers with sambas later
>> than 3.2.x I would think. Anyone have any experience like this?
>
> How about adding users as members to the BUILTIN\administrators group on the
> newer version of samba to see if that works?
best regards
~christoph
--
/* Christoph Beyer | Office: Building 2b / 23 *\
* DESY | Phone: 040-8998-2317 *
* - IT - | Fax: 040-8998-4060 *
\* 22603 Hamburg | http://www.desy.de */