> On Mon, 21 Nov 2016 13:42:57 +0100 > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > >> Hi, >> >> Yes thats correct. >> But try the following. >> Make sure you use the usermapping. >> >> username map = /etc/samba/samba_usermapping >> containing: >> !root = NTDOM\Administrator NTDOM\administrator Administrator >> administrator >> >> And according to the wiki. >> (https://wiki.samba.org/index.php/Configuring_Point%27n%27Print_automatic_printer_driver_deployment) >> >> For POSIX ACLs: >> # chgrp -R "SAMDOM\Domain Admins" /srv/samba/Printer_drivers/ >> # chmod -R 2755 /srv/samba/Printer_drivers/ >> Is wrong in my opinion. >> >> # chmod -R 2775 /srv/samba/Printer_drivers/ >> Looks better to me. >> >> How else are "members of domain admins" allowed to write in >> the /srv/samba/Printer_drivers/ folder? >> >> Rowland, can you confirm this? > Fixed >i also thought the permissions looked odd but resisted going against the wiki until advised by more knowledgeable minds.>> But i use the >> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs setup. > This is my share setup: > [print$] > comment = Printer Drivers > path = /home/samba/printing/drivers > acl_xattr:ignore system acl = yes > writable = yes > guest ok = nodoes acl_xattr:ignore system acl = yes mean ignore posix acls ?> Perhaps we need to also add a note that it is better to use windows ACLs > last tip. ( for win64 drivers ) > cd /smb/Printer_drivers > ln -s x64 X64 > > i noticed some drivers used capital X in the X64 > > > > Greetz, > > Louisi have tried using rsat to alter the windows acl permissions a couple of times because i didn't get the permissions right on the previous attempts i ended up with permission denied when trying to alter permissions on the print$ share so i reset the acl's with the following commands $ sudo setfacl -b -R /smb/Printer_drivers/* $ sudo setfacl -b -R /smb/Printer_drivers/ $ sudo setfacl -R -m default:group:"Domain Admins":rwx /smb/Printer_drivers/ $ ls -al /smb/Printer_drivers/ total 8 drwxrwsr-x+ 1 root domain admins 84 Nov 22 01:47 . drwxr-xr-x 7 root root 4096 Nov 14 03:18 .. drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 IA64 drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 W32ALPHA drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 W32MIPS drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 W32PPC drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 W32X86 drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 WIN40 drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 x64 lrwxrwxrwx 1 root domain admins 3 Nov 22 01:47 X64 -> x64 $ sudo getfacl /smb/Printer_drivers/ getfacl: Removing leading '/' from absolute path names # file: smb/Printer_drivers/ # owner: root # group: domain\040admins # flags: -s- user::rwx group::rwx other::r-x default:user::rwx default:group::rwx default:group:domain\040admins:rwx default:mask::rwx default:other::r-x i still get the followig errors. Computer Management(TARDIS)\System Tools\SharedFolders\Shares\print$ share permission tab ======================an error occurred while applying security information to \\TARDIS.AD.TISSISAT.COUK\print$ failed to enumerate object in the container. access denied if i press continue i get unable to save permission changes on print$ \\TARDIS.AD.TISSISAT.COUK\print$ access is denied if i press cancel i get if you stop the propergation of permission settings, it might lead to a inconsistent state where objects have different settings. if you made this change by mistake you should apply the correct permission settings immediately. print management/print servers/TARDIS/drivers/add Driver =================================================error failed to add driver access denied
Rowland Penny
2016-Nov-27 16:32 UTC
[Samba] point n print driver deployment for canon ip7250
See inline comments: Sun, 27 Nov 2016 14:31:44 +0000 niya levi via samba <samba at lists.samba.org> wrote:> > On Mon, 21 Nov 2016 13:42:57 +0100 > > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > > > >> Hi, > >> > >> Yes thats correct. > >> But try the following. > >> Make sure you use the usermapping. > >> > >> username map = /etc/samba/samba_usermapping > >> containing: > >> !root = NTDOM\Administrator NTDOM\administrator Administrator > >> administrator > >> > >> And according to the wiki. > >> (https://wiki.samba.org/index.php/Configuring_Point%27n%27Print_automatic_printer_driver_deployment) > >> > >> For POSIX ACLs: > >> # chgrp -R "SAMDOM\Domain Admins" /srv/samba/Printer_drivers/ > >> # chmod -R 2755 /srv/samba/Printer_drivers/ > >> Is wrong in my opinion. > >> > >> # chmod -R 2775 /srv/samba/Printer_drivers/ > >> Looks better to me. > >> > >> How else are "members of domain admins" allowed to write in > >> the /srv/samba/Printer_drivers/ folder? > >> > >> Rowland, can you confirm this? > > Fixed > > > i also thought the permissions looked odd > but resisted going against the wiki > until advised by more knowledgeable minds. > >> But i use the > >> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs setup. > > This is my share setup: > > [print$] > > comment = Printer Drivers > > path = /home/samba/printing/drivers > > acl_xattr:ignore system acl = yes > > writable = yes > > guest ok = no > does acl_xattr:ignore system acl = yes mean ignore posix acls ?If you mean ignore the Unix ACLs, then yes.> > Perhaps we need to also add a note that it is better to use windows > > ACLsDone.> last tip. ( for win64 drivers ) > > cd /smb/Printer_drivers > > ln -s x64 X64 > > > > i noticed some drivers used capital X in the X64 > > > > > > > > Greetz, > > > > Louis > > i have tried using rsat to alter the windows acl permissions a couple > of times > because i didn't get the permissions right on the previous attempts > i ended up with permission denied when trying to alter permissions on > the print$ share > so i reset the acl's with the following commands > > $ sudo setfacl -b -R /smb/Printer_drivers/* > $ sudo setfacl -b -R /smb/Printer_drivers/ > $ sudo setfacl -R -m default:group:"Domain > Admins":rwx /smb/Printer_drivers/ > > $ ls -al /smb/Printer_drivers/ > total 8 > drwxrwsr-x+ 1 root domain admins 84 Nov 22 01:47 . > drwxr-xr-x 7 root root 4096 Nov 14 03:18 .. > drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 IA64 > drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 W32ALPHA > drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 W32MIPS > drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 W32PPC > drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 W32X86 > drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 WIN40 > drwxrwsr-x+ 1 root domain admins 0 Oct 30 15:25 x64 > lrwxrwxrwx 1 root domain admins 3 Nov 22 01:47 X64 -> x64 > > $ sudo getfacl /smb/Printer_drivers/ > getfacl: Removing leading '/' from absolute path names > # file: smb/Printer_drivers/ > # owner: root > # group: domain\040admins > # flags: -s- > user::rwx > group::rwx > other::r-x > default:user::rwx > default:group::rwx > default:group:domain\040admins:rwx > default:mask::rwx > default:other::r-x > > i still get the followig errors. > > Computer Management(TARDIS)\System Tools\SharedFolders\Shares\print$ > share permission tab > > ======================> an error occurred while applying security information to > \\TARDIS.AD.TISSISAT.COUK\print$ > failed to enumerate object in the container. access denied > if i press continue i get > unable to save permission changes on print$ > \\TARDIS.AD.TISSISAT.COUK\print$ > access is denied > > if i press cancel i get > if you stop the propergation of permission settings, > it might lead to a inconsistent state where objects have different > settings. if you made this change by mistake you should apply the > correct permission settings immediately. > > print management/print servers/TARDIS/drivers/add Driver > =================================================> error > failed to add driver > access denied > > > >I think you must be mixing up Windows and Posix ACLs, if I follow the wiki, I get this: root at devstation:/home/rowland# ls -la /var/lib/samba/Printer_drivers/ total 40 drwxrwx---+ 9 root root 4096 Nov 27 15:45 . drwxr-xr-x 3 root root 4096 Nov 27 15:44 .. drwxr-xr-x 2 root root 4096 Nov 27 15:45 IA64 drwxr-xr-x 2 root root 4096 Nov 27 15:45 W32ALPHA drwxr-xr-x 2 root root 4096 Nov 27 15:45 W32MIPS drwxr-xr-x 2 root root 4096 Nov 27 15:45 W32PPC drwxr-xr-x 2 root root 4096 Nov 27 15:45 W32X86 drwxr-xr-x 2 root root 4096 Nov 27 15:45 WIN40 drwxr-xr-x 2 root root 4096 Nov 27 15:45 x64 getfacl /var/lib/samba/Printer_drivers/ getfacl: Removing leading '/' from absolute path names # file: var/lib/samba/Printer_drivers/ # owner: root # group: root user::rwx user:root:rwx group::r-x group:root:r-x group:2004:r-x group:2005:rwx mask::rwx other::--- default:user::rwx default:user:root:rwx default:group::--- default:group:root:--- default:group:2004:r-x default:group:2005:rwx default:mask::rwx default:other::--- Rowland