samba - May 2017 - Cannot use Print Server functions in NT4 style domain

Hi list,

I have an NT4-style domain controller running on Samba 4.2.14-debian
(Debian Jessie) that is acting as a file server. I am reading through the
documentation, and attempting to use it as a print server as well. I have
added the share declarations that I believed I needed, and CUPS is working
properly with a test printer. Below is my smb.conf file (some sections
redacted):

[global]
        workgroup = REDACTED
        netbios name = REDACTED
        server string = REDACTED
        interfaces = eth1
        bind interfaces only = Yes
        security = USER
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *new*password* %n\n *new*password* %n\n *updated*
        unix password sync = Yes
        log file = /var/log/samba/log.%m
        client max protocol = NT1
        name resolve order = wins hosts bcast
        printcap name = /dev/null
        disable spoolss = Yes
        logon script = login.bat
        logon drive = h:
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        lock directory = /var/cache/samba
        idmap config * : range = 1000-1999999
        idmap config * : backend = tdb
        admin users =  @domainadmins
        write list = @domainadmins

[printers]
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No
[print$]
        path = /usr/local/share/print
        read only = No
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr
[KM-400]
        path = /var/spool/samba/
        printable = Yes
        print ok = Yes
        printer name = KM-400-Test

/var/spool/samba is owned by root:root, with 777 permissions, and the
sticky bit set. /usr/local/share/print is owned by root:domainadmins, with
the Windows ACLs on it.

I used Windows Explorer (from Windows 7) to navigate to \\Samba\print$, and
change the permissions from there. I have applied a local group policy to
allow me to connect to that server.

After reloading Samba's configuration, I open up Print Management, and add
the server to the list of servers. If I then try to interact with the
server in any way (i.e. add a print driver or a printer), it comes up with
an error message, "Failed to add driver. Double check the printer name and
make sure the printer is connected to the network."

What should I try next?

On Tue, 30 May 2017 11:57:54 -0700
Luke Barone via samba <samba at lists.samba.org> wrote:
> Hi list,
> 
> I have an NT4-style domain controller running on Samba 4.2.14-debian
> (Debian Jessie) that is acting as a file server. I am reading through
> the documentation, and attempting to use it as a print server as
> well. I have added the share declarations that I believed I needed,
> and CUPS is working properly with a test printer. Below is my
> smb.conf file (some sections redacted):
> 
> [global]
>         workgroup = REDACTED
>         netbios name = REDACTED
>         server string = REDACTED
>         interfaces = eth1
>         bind interfaces only = Yes
>         security = USER
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *new*password* %n\n *new*password* %n\n
> *updated* unix password sync = Yes
>         log file = /var/log/samba/log.%m
>         client max protocol = NT1
>         name resolve order = wins hosts bcast
>         printcap name = /dev/null
>         disable spoolss = Yes
>         logon script = login.bat
>         logon drive = h:
>         domain logons = Yes
>         os level = 255
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         lock directory = /var/cache/samba
>         idmap config * : range = 1000-1999999
>         idmap config * : backend = tdb
>         admin users =  @domainadmins
>         write list = @domainadmins
> 
> [printers]
>         path = /var/spool/samba
>         printable = Yes
>         print ok = Yes
>         browseable = No
> [print$]
>         path = /usr/local/share/print
>         read only = No
>         map acl inherit = Yes
>         store dos attributes = Yes
>         vfs objects = acl_xattr
> [KM-400]
>         path = /var/spool/samba/
>         printable = Yes
>         print ok = Yes
>         printer name = KM-400-Test
> 
> /var/spool/samba is owned by root:root, with 777 permissions, and the
> sticky bit set. /usr/local/share/print is owned by root:domainadmins,
> with the Windows ACLs on it.
> 
> I used Windows Explorer (from Windows 7) to navigate to
> \\Samba\print$, and change the permissions from there. I have applied
> a local group policy to allow me to connect to that server.
> 
> After reloading Samba's configuration, I open up Print Management,
> and add the server to the list of servers. If I then try to interact
> with the server in any way (i.e. add a print driver or a printer), it
> comes up with an error message, "Failed to add driver. Double check
> the printer name and make sure the printer is connected to the
> network."
> 
> What should I try next?
Try removing the 'disable spoolss' line, you can also remove the
'idmap
config' lines, you only need them if winbindd is running and you don't
need winbindd running.

Rowland

On Tue, 30 May 2017 13:42:30 -0700
Luke Barone <lukebarone at gmail.com> wrote:
> Tried this. Reloaded Samba (and smbd and nmbd, just to be safe). Same
> issue.
> 
> Other thoughts?
> 
Have you tried following the Samba wiki ? :

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server

Rowland

Yes, down to a T:

# smbd -b | grep "HAVE_CUPS"
   HAVE_CUPS_CUPS_H
   HAVE_CUPS_LANGUAGE_H
   HAVE_CUPS

CUPS is setup, and I can print test pages from the web portal.

Created the spool directory, and applied permissions:
/var/spool# ls -lah
total 48K
drwxr-xr-x 10 root        root        4.0K Mar 17  2016 .
drwxr-xr-x 15 root        root        4.0K Jan 11  2016 ..
<CLIPPED>
drwxrwxrwt  2 root        root         12K May 30 14:48 samba

Turned off "load printers"

Created the share definition for the shared printer (same name as in CUPS).
Verified the permissions for managing the printers:
# net rpc rights list privileges SePrintOperatorPrivilege -U
"JMC\lbarone"
-S 192.168.0.3
Enter JMC\lbarone's password:
SePrintOperatorPrivilege:
  JMC\lbarone
  BUILTIN\Administrators
  JMC\Domain Admins

I setup the [printers], and [print$] shares, as per the Wiki @
https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients,
and even set up one printer share - [KM-400]. I can see the printer when I
browse with Windows Explorer to \\Samba, but I cannot connect to it
(Windows cannot connect to the printer. Operation failed with error
0x0000001f). Trying to manage anything through the Print Management utility
yields the original error in the first message.

On Tue, May 30, 2017 at 1:55 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Tue, 30 May 2017 13:42:30 -0700
> Luke Barone <lukebarone at gmail.com> wrote:
>
> > Tried this. Reloaded Samba (and smbd and nmbd, just to be safe). Same
> > issue.
> >
> > Other thoughts?
> >
>
> Have you tried following the Samba wiki ? :
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>