CentOS 6.4 x86_64, Samba 3.6.9 on member servers, joined to a Samba 4.0.3
AD domain.
I am attempting to use the Samba3 member server ("TS-1") as a print
server. While CUPS works well, I cannot upload any drivers ("access
denied"), and I cannot see any drivers in the [print$] share, even though
I have populated these from a functioning Samba3 domain. I can map the
\\ts-1\print$ share and write to it, and I have sePrintOperatorPrivilege
(but in any event I am logged in as a Domain Admin). "net rpc rights"
etc
all work properly, and show the privileges that I expect.
>From a level 10 log, I see the print server system doing a lot of:
smbldap_search_ext: base => [DC=europa,DC=icse,DC=cornell,DC=edu],
filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))],
scope => [2]
which is obviously not going to work, since sambaGroupMapping and sambaSID
are appropriate for a Samba3 domain. The end result is:
[2013/04/18 15:00:56.781729, 3]
rpc_server/spoolss/srv_spoolss_nt.c:1840(_spoolss_OpenPrinterEx)
access DENIED as user is not root, has no printoperator privilege, not a
member of the printoperator builtin group and is not in printer admin list
which is not expected.
Since I have security=ads, how do I coerce Samba3 in this situation to do
proper lookups? Or is this not the problem?
If I manually load drivers on clients, printing works just fine, but I
want clients to load drivers from the print server. I tried the samba4
RPM's for CentOS, but there's no ldapsam support in there.
Steve
