samba - Sep 2016 - Print driver deployment broken after KB3170455 on Windows 7

Hi,

Since recently printer deployment is broken on Windows 7 (and above?) 
due to KB3170455. This is probably the same problem 
https://lists.samba.org/archive/samba/2016-August/202078.html on Win 10.

After a lot of reading and investigating it appears that we now (after 
KB3170455) need:

- A Point & Print Restriction GPO enabled with FQDN of all Print Servers 
and "Do not show warning or elevation prompt" for instaling/updating 
drivers - this is easy
- "Packaged drivers" - this is not so easy

The problem is that either "Packaged Drivers" are not available from
the
vendor OR Samba does not support this(?).

For Windows Print Servers there is a workaround[1] around where you can 
"trick" the print server with a "regular" print driver and
making the
reg. key
HKLM\System\CurrentControlSet\Control\Print\Enviroments\Windows 
x64\Drivers\...\Driver name\PrinterDriverAttributes odd.

When you apply this registry hack the Windows Print Server daemon will 
package the driver by itself into a single CAB file - this is probably 
what they call the "Packaged Driver" - and then Printer Deployment 
actually works.

This is what happens on a Windows Print Server now when you don't have 
packaged drivers available:

1) the normal printer driver installed into 
\\print-srv\print$\x64\3\<lots of DDL, cfg, chm files etc>
2) make reg key PrinterDriverAttributes odd
3) when you now try to deploy a Printer from this print server, Windows 
will package the driver into \\print-srv\print$\x64\PCC\<your 
printer>.inf_amd64_neutral_<some random number>.cab
4) client downloads this CAB file and load this driver into the local 
Driver Store (C:\Windows\System32\DriverStore\FileRepository)
5) printers deploy without problem

As a test i copied this packaged driver from 3) into my Samba print 
server in \\print-srv\print$\x64\PCC\ but it didn't make any difference.

4) is explained in a post[2] on Technet; quoted from Alan Morris:

 > The package drivers are copied to the client from the PCC share on 
the print server  \\Server\print$\x64\pcc
 > The cab file is copied to client , extracted , then staged to the 
filerepository.
 > At this point the spooler will install the print driver from the 
package and copy the file to the \system32\spool\drivers\x64\3 directory 
and loaded into the spooler process from there.
 > ...
 > The spooler does some secure validation using the asyncRPC protocols 
with package aware drivers

With a process monitor on the client I can confirm that when the print 
server is Windows the entire CAB is downloaded, but when the print 
server is Linux/Samba I only see a few requests to \\print-srv\print$\x64\3.
Maybe some RPC calls not implemented? I guess the client will send a 
request to the server to check which drivers are available on the server 
and then Samba returns a list of available drivers? (really no idea, 
just a guess!)
Or the "secure validation" does not work but I guess you need to at 
least make a single request to the CAB file - which is not happening. 
According to Sigcheck.exe the file is not signed.

In any case the problem is limited to the driver installation. As soon 
as the driver is installed in the local "Driver Store" everything
works
again.

As a workaround you can open \\print-srv -> view remote printers -> 
select properties of a printer, a warning will pop-up to download the 
printer driver, as soon as you click yes the printer driver will be 
installed and printers will deploy again without problem.
If you try to reproduce this make sure the driver is not yet present in 
both "Print Management" and "pnputil -e". As long as your
driver was
installed before July 2016 you will never hit this issue.

So basically my questions are:

- Does Samba support "\\print-srv\print$\x64\pcc" ?
- Anyone documents/info on "Packaged Drivers" - It seems hard to find?
- Anyone who got print (driver) deployment still working on Win 7with 
Samba ?

[1] 
https://www.reddit.com/r/sysadmin/comments/50gw1b/solved_deploying_nonpackaged_print_drivers_after/
[2] 
https://social.technet.microsoft.com/Forums/office/en-US/6cbdc0b0-761e-4b95-a7de-e9a9ca052f8d/w2k8-server-shared-printers-wont-install-if-drivers-not-in-win7?forum=winserverprint#f5205908-4f0a-4d52-8981-6e9ff0393495

Thx,
Geert

Am 09.09.2016 um 19:26 schrieb Geert Lorang via samba:
> Hi,
>
> Since recently printer deployment is broken on Windows 7 (and above?) 
> due to KB3170455. This is probably the same problem 
> https://lists.samba.org/archive/samba/2016-August/202078.html on Win 10.
>
> After a lot of reading and investigating it appears that we now (after 
> KB3170455) need:
>
> - A Point & Print Restriction GPO enabled with FQDN of all Print 
> Servers and "Do not show warning or elevation prompt" for 
> instaling/updating drivers - this is easy
> - "Packaged drivers" - this is not so easy
>
> The problem is that either "Packaged Drivers" are not available
from
> the vendor OR Samba does not support this(?).
>
> For Windows Print Servers there is a workaround[1] around where you 
> can "trick" the print server with a "regular" print
driver and making
> the reg. key
> HKLM\System\CurrentControlSet\Control\Print\Enviroments\Windows 
> x64\Drivers\...\Driver name\PrinterDriverAttributes odd.
>
> When you apply this registry hack the Windows Print Server daemon will 
> package the driver by itself into a single CAB file - this is probably 
> what they call the "Packaged Driver" - and then Printer
Deployment
> actually works.
>
> This is what happens on a Windows Print Server now when you don't have 
> packaged drivers available:
>
> 1) the normal printer driver installed into 
> \\print-srv\print$\x64\3\<lots of DDL, cfg, chm files etc>
> 2) make reg key PrinterDriverAttributes odd
> 3) when you now try to deploy a Printer from this print server, 
> Windows will package the driver into \\print-srv\print$\x64\PCC\<your 
> printer>.inf_amd64_neutral_<some random number>.cab
> 4) client downloads this CAB file and load this driver into the local 
> Driver Store (C:\Windows\System32\DriverStore\FileRepository)
> 5) printers deploy without problem
>
> As a test i copied this packaged driver from 3) into my Samba print 
> server in \\print-srv\print$\x64\PCC\ but it didn't make any
difference.
>
> 4) is explained in a post[2] on Technet; quoted from Alan Morris:
>
> > The package drivers are copied to the client from the PCC share on 
> the print server  \\Server\print$\x64\pcc
> > The cab file is copied to client , extracted , then staged to the 
> filerepository.
> > At this point the spooler will install the print driver from the 
> package and copy the file to the \system32\spool\drivers\x64\3 
> directory and loaded into the spooler process from there.
> > ...
> > The spooler does some secure validation using the asyncRPC protocols 
> with package aware drivers
>
> With a process monitor on the client I can confirm that when the print 
> server is Windows the entire CAB is downloaded, but when the print 
> server is Linux/Samba I only see a few requests to 
> \\print-srv\print$\x64\3.
> Maybe some RPC calls not implemented? I guess the client will send a 
> request to the server to check which drivers are available on the 
> server and then Samba returns a list of available drivers? (really no 
> idea, just a guess!)
> Or the "secure validation" does not work but I guess you need to
at
> least make a single request to the CAB file - which is not happening. 
> According to Sigcheck.exe the file is not signed.
>
> In any case the problem is limited to the driver installation. As soon 
> as the driver is installed in the local "Driver Store" everything
> works again.
>
> As a workaround you can open \\print-srv -> view remote printers -> 
> select properties of a printer, a warning will pop-up to download the 
> printer driver, as soon as you click yes the printer driver will be 
> installed and printers will deploy again without problem.
> If you try to reproduce this make sure the driver is not yet present 
> in both "Print Management" and "pnputil -e". As long as
your driver
> was installed before July 2016 you will never hit this issue.
>
> So basically my questions are:
>
> - Does Samba support "\\print-srv\print$\x64\pcc" ?
> - Anyone documents/info on "Packaged Drivers" - It seems hard to
find?
> - Anyone who got print (driver) deployment still working on Win 7with 
> Samba ?
>
> [1] 
>
https://www.reddit.com/r/sysadmin/comments/50gw1b/solved_deploying_nonpackaged_print_drivers_after/
> [2] 
>
https://social.technet.microsoft.com/Forums/office/en-US/6cbdc0b0-761e-4b95-a7de-e9a9ca052f8d/w2k8-server-shared-printers-wont-install-if-drivers-not-in-win7?forum=winserverprint#f5205908-4f0a-4d52-8981-6e9ff0393495
>
> Thx,
> Geert
>
Very informative thanks for sharing. Was wondering about the warning 
when adding an new pc to our domain last week.

Seems the so called "Print System Asynchronous Remote Protocol" must
be
implemented to support packaged drivers. See here
https://bugzilla.redhat.com/show_bug.cgi?id=1369515

N'night

Achim

Is there any workaround for this problem at the moment?
We are using Windows 10 on our clients and can't rollout our printers
anymore.

Thx,
Julian
> Gesendet: Freitag, 09. September 2016 um 22:52 Uhr
> Von: "Achim Gottinger via samba" <samba at lists.samba.org>
> An: samba at lists.samba.org
> Betreff: Re: [Samba] Print driver deployment broken after KB3170455 on
Windows 7
>
> 
> 
> Am 09.09.2016 um 19:26 schrieb Geert Lorang via samba:
> > Hi,
> >
> > Since recently printer deployment is broken on Windows 7 (and above?) 
> > due to KB3170455. This is probably the same problem 
> > https://lists.samba.org/archive/samba/2016-August/202078.html on Win
10.
> >
> > After a lot of reading and investigating it appears that we now (after
> > KB3170455) need:
> >
> > - A Point & Print Restriction GPO enabled with FQDN of all Print 
> > Servers and "Do not show warning or elevation prompt" for 
> > instaling/updating drivers - this is easy
> > - "Packaged drivers" - this is not so easy
> >
> > The problem is that either "Packaged Drivers" are not
available from
> > the vendor OR Samba does not support this(?).
> >
> > For Windows Print Servers there is a workaround[1] around where you 
> > can "trick" the print server with a "regular"
print driver and making
> > the reg. key
> > HKLM\System\CurrentControlSet\Control\Print\Enviroments\Windows 
> > x64\Drivers\...\Driver name\PrinterDriverAttributes odd.
> >
> > When you apply this registry hack the Windows Print Server daemon will
> > package the driver by itself into a single CAB file - this is probably
> > what they call the "Packaged Driver" - and then Printer
Deployment
> > actually works.
> >
> > This is what happens on a Windows Print Server now when you don't
have
> > packaged drivers available:
> >
> > 1) the normal printer driver installed into 
> > \\print-srv\print$\x64\3\<lots of DDL, cfg, chm files etc>
> > 2) make reg key PrinterDriverAttributes odd
> > 3) when you now try to deploy a Printer from this print server, 
> > Windows will package the driver into
\\print-srv\print$\x64\PCC\<your
> > printer>.inf_amd64_neutral_<some random number>.cab
> > 4) client downloads this CAB file and load this driver into the local 
> > Driver Store (C:\Windows\System32\DriverStore\FileRepository)
> > 5) printers deploy without problem
> >
> > As a test i copied this packaged driver from 3) into my Samba print 
> > server in \\print-srv\print$\x64\PCC\ but it didn't make any
difference.
> >
> > 4) is explained in a post[2] on Technet; quoted from Alan Morris:
> >
> > > The package drivers are copied to the client from the PCC share
on
> > the print server  \\Server\print$\x64\pcc
> > > The cab file is copied to client , extracted , then staged to the
> > filerepository.
> > > At this point the spooler will install the print driver from the 
> > package and copy the file to the \system32\spool\drivers\x64\3 
> > directory and loaded into the spooler process from there.
> > > ...
> > > The spooler does some secure validation using the asyncRPC
protocols
> > with package aware drivers
> >
> > With a process monitor on the client I can confirm that when the print
> > server is Windows the entire CAB is downloaded, but when the print 
> > server is Linux/Samba I only see a few requests to 
> > \\print-srv\print$\x64\3.
> > Maybe some RPC calls not implemented? I guess the client will send a 
> > request to the server to check which drivers are available on the 
> > server and then Samba returns a list of available drivers? (really no 
> > idea, just a guess!)
> > Or the "secure validation" does not work but I guess you
need to at
> > least make a single request to the CAB file - which is not happening. 
> > According to Sigcheck.exe the file is not signed.
> >
> > In any case the problem is limited to the driver installation. As soon
> > as the driver is installed in the local "Driver Store"
everything
> > works again.
> >
> > As a workaround you can open \\print-srv -> view remote printers
->
> > select properties of a printer, a warning will pop-up to download the 
> > printer driver, as soon as you click yes the printer driver will be 
> > installed and printers will deploy again without problem.
> > If you try to reproduce this make sure the driver is not yet present 
> > in both "Print Management" and "pnputil -e". As
long as your driver
> > was installed before July 2016 you will never hit this issue.
> >
> > So basically my questions are:
> >
> > - Does Samba support "\\print-srv\print$\x64\pcc" ?
> > - Anyone documents/info on "Packaged Drivers" - It seems
hard to find?
> > - Anyone who got print (driver) deployment still working on Win 7with 
> > Samba ?
> >
> > [1] 
> >
https://www.reddit.com/r/sysadmin/comments/50gw1b/solved_deploying_nonpackaged_print_drivers_after/
> > [2] 
> >
https://social.technet.microsoft.com/Forums/office/en-US/6cbdc0b0-761e-4b95-a7de-e9a9ca052f8d/w2k8-server-shared-printers-wont-install-if-drivers-not-in-win7?forum=winserverprint#f5205908-4f0a-4d52-8981-6e9ff0393495
> >
> > Thx,
> > Geert
> >
> Very informative thanks for sharing. Was wondering about the warning 
> when adding an new pc to our domain last week.
> 
> Seems the so called "Print System Asynchronous Remote Protocol"
must be
> implemented to support packaged drivers. See here
> https://bugzilla.redhat.com/show_bug.cgi?id=1369515
> 
> N'night
> 
> Achim
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Yes, 

Read : 
https://www.spinics.net/lists/samba/msg137225.html
what you need to know is all there. 

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Julian Timm via
> samba
> Verzonden: woensdag 28 september 2016 12:52
> Aan: Samba Mailinglist
> Onderwerp: Re: [Samba] Print driver deployment broken after KB3170455 on
> Windows 7
> 
> Is there any workaround for this problem at the moment?
> We are using Windows 10 on our clients and can't rollout our printers
> anymore.
> 
> Thx,
> Julian
> 
> > Gesendet: Freitag, 09. September 2016 um 22:52 Uhr
> > Von: "Achim Gottinger via samba" <samba at
lists.samba.org>
> > An: samba at lists.samba.org
> > Betreff: Re: [Samba] Print driver deployment broken after KB3170455 on
> Windows 7
> >
> >
> >
> > Am 09.09.2016 um 19:26 schrieb Geert Lorang via samba:
> > > Hi,
> > >
> > > Since recently printer deployment is broken on Windows 7 (and
above?)
> > > due to KB3170455. This is probably the same problem
> > > https://lists.samba.org/archive/samba/2016-August/202078.html on
Win
> 10.
> > >
> > > After a lot of reading and investigating it appears that we now
(after
> > > KB3170455) need:
> > >
> > > - A Point & Print Restriction GPO enabled with FQDN of all
Print
> > > Servers and "Do not show warning or elevation prompt"
for
> > > instaling/updating drivers - this is easy
> > > - "Packaged drivers" - this is not so easy
> > >
> > > The problem is that either "Packaged Drivers" are not
available from
> > > the vendor OR Samba does not support this(?).
> > >
> > > For Windows Print Servers there is a workaround[1] around where
you
> > > can "trick" the print server with a "regular"
print driver and making
> > > the reg. key
> > > HKLM\System\CurrentControlSet\Control\Print\Enviroments\Windows
> > > x64\Drivers\...\Driver name\PrinterDriverAttributes odd.
> > >
> > > When you apply this registry hack the Windows Print Server daemon
will
> > > package the driver by itself into a single CAB file - this is
probably
> > > what they call the "Packaged Driver" - and then Printer
Deployment
> > > actually works.
> > >
> > > This is what happens on a Windows Print Server now when you
don't have
> > > packaged drivers available:
> > >
> > > 1) the normal printer driver installed into
> > > \\print-srv\print$\x64\3\<lots of DDL, cfg, chm files etc>
> > > 2) make reg key PrinterDriverAttributes odd
> > > 3) when you now try to deploy a Printer from this print server,
> > > Windows will package the driver into
\\print-srv\print$\x64\PCC\<your
> > > printer>.inf_amd64_neutral_<some random number>.cab
> > > 4) client downloads this CAB file and load this driver into the
local
> > > Driver Store (C:\Windows\System32\DriverStore\FileRepository)
> > > 5) printers deploy without problem
> > >
> > > As a test i copied this packaged driver from 3) into my Samba
print
> > > server in \\print-srv\print$\x64\PCC\ but it didn't make any
> difference.
> > >
> > > 4) is explained in a post[2] on Technet; quoted from Alan Morris:
> > >
> > > > The package drivers are copied to the client from the PCC
share on
> > > the print server  \\Server\print$\x64\pcc
> > > > The cab file is copied to client , extracted , then staged
to the
> > > filerepository.
> > > > At this point the spooler will install the print driver from
the
> > > package and copy the file to the \system32\spool\drivers\x64\3
> > > directory and loaded into the spooler process from there.
> > > > ...
> > > > The spooler does some secure validation using the asyncRPC
protocols
> > > with package aware drivers
> > >
> > > With a process monitor on the client I can confirm that when the
print
> > > server is Windows the entire CAB is downloaded, but when the
print
> > > server is Linux/Samba I only see a few requests to
> > > \\print-srv\print$\x64\3.
> > > Maybe some RPC calls not implemented? I guess the client will
send a
> > > request to the server to check which drivers are available on the
> > > server and then Samba returns a list of available drivers?
(really no
> > > idea, just a guess!)
> > > Or the "secure validation" does not work but I guess
you need to at
> > > least make a single request to the CAB file - which is not
happening.
> > > According to Sigcheck.exe the file is not signed.
> > >
> > > In any case the problem is limited to the driver installation. As
soon
> > > as the driver is installed in the local "Driver Store"
everything
> > > works again.
> > >
> > > As a workaround you can open \\print-srv -> view remote
printers ->
> > > select properties of a printer, a warning will pop-up to download
the
> > > printer driver, as soon as you click yes the printer driver will
be
> > > installed and printers will deploy again without problem.
> > > If you try to reproduce this make sure the driver is not yet
present
> > > in both "Print Management" and "pnputil -e".
As long as your driver
> > > was installed before July 2016 you will never hit this issue.
> > >
> > > So basically my questions are:
> > >
> > > - Does Samba support "\\print-srv\print$\x64\pcc" ?
> > > - Anyone documents/info on "Packaged Drivers" - It
seems hard to find?
> > > - Anyone who got print (driver) deployment still working on Win
7with
> > > Samba ?
> > >
> > > [1]
> > >
> https://www.reddit.com/r/sysadmin/comments/50gw1b/solved_deploying_nonpack
> aged_print_drivers_after/
> > > [2]
> > >
https://social.technet.microsoft.com/Forums/office/en-US/6cbdc0b0-
> 761e-4b95-a7de-e9a9ca052f8d/w2k8-server-shared-printers-wont-install-if-
> drivers-not-in-win7?forum=winserverprint#f5205908-4f0a-4d52-8981-
> 6e9ff0393495
> > >
> > > Thx,
> > > Geert
> > >
> > Very informative thanks for sharing. Was wondering about the warning
> > when adding an new pc to our domain last week.
> >
> > Seems the so called "Print System Asynchronous Remote
Protocol" must be
> > implemented to support packaged drivers. See here
> > https://bugzilla.redhat.com/show_bug.cgi?id=1369515
> >
> > N'night
> >
> > Achim
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba