Thomas Keppler
2017-Oct-07 23:53 UTC
[Samba] RSAT Print Management won't show shared printers under the "Printers" section
Hello, currently I am trying to setup a Samba environment (Samba AD DC, Samba Fileserver, Samba Printserver) using Samba version 4.5.8-Debian and CUPS version 2.2.1-8 on Debian 9 "Stretch". I am trying to setup "Point'n'Print" atm. While my Active Directory domain and the fileserver work well with my Windows 7 clients, I am having some issues with the printserver. Config files will be down below. What I have so far in this setup and a quick rundown of what I've done already: 1.) Samba is configured for an AD membership and both the "printers" as well as the "print$" share are configured. Permissions seem OK. 2.) The printserver is properly joined to the domain ("net ads testjoin" and some other tests are OK) 3.) CUPS is installed and configure to accept global connections for administration 4.) A printer is configured in CUPS and is also listed using either smbclient or the "enumpriners" command 5.) I have RSAT tools installed on a domain joined Windows 7 client and I am logged in as such a Domain Admin 6.) The Domain Admins group (which my admin user is in) has the "SePrintOperator" privilege, the "Print Operator" group is shown using "Active Directory Users and Computers" in the "Member Of" tab in the "Domain Admins" group. 7.) The printer is listed in the Explorer when I browse to \\printserver and I can connect to it and also print with the printer if I set it up manually 8.) I can open up the Print Management tool and upload drivers just fine, they get listed (both in Windows and using the "enumdrivers" command) 9.) Under "Ports" I can see the "Samba Printer Port" that also has my configured printer under "Printer Name" 10.) Under "Printers", it's just empty, so I can never link up the driver with the printer or preconfigure the driver like I want to in Windows. However, if I do connect the driver from the shell on the printserver (using the "setdriver" command) itself, the command gets completed successfully and the driver gets installed on connection on a Windows client. 11.) Samba on log level 3 doesn't list any errors trying to access the "Printers" option in the Print Management tool. 12.) I get the same problem using Debian 8 "Jessie" with Samba 4.2.14-Debian and CUPS 1.0.61-5+deb8u3 in the same domain Here are screenshots from the Print Management tool on Windows 7 using a Domain Admin member account: https://imgur.com/a/iwtAh You will see that the printer is listed in "Ports" but not in "Printers". Screenshots of the "Domain Admins" group using "Active Directory Users and Computers", currently logged in user is "Administrator": https://imgur.com/a/fp9Ad You can see that everything seems to be alright. The articles I followed were from the German book "Samba 4 - Das Praxisbuch für Administratoren" (pp. 403 - 417) and the Samba Wiki and in both texts they get their printers listed. I honestly have no idea what to do next. No one on the net seems to have the same issue I am facing because either it work correctly or it doesn't work at all for most people. Are there any more places to look for errors or more places to check where I went wrong? Is an issue on the DC the main issue and is it only showing that way? Thanks for any suggestions. -- Best regards Thomas Additional information: smb.conf (on the printserver) ----------- 8< ------------ [global] security = ADS workgroup = EXAMPLE realm = AD.EXAMPLE.COM log file = /var/log/samba/%m.log log level = 3 idmap config * : backend = tdb idmap config * : range = 10000 - 19999 idmap config EXAMPLE : backend = rid idmap config EXAMPLE : range = 1000000 - 1999999 winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind refresh tickets = yes template homedir = /home/%D/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 domain master = no local master = no preferred master = no os level = 0 rpc_server:spoolss = external rpc_daemon:spoolssd = fork [printers] comment = All printers path = /var/spool/samba browseable = yes printable = yes create mask = 0700 guest ok = no read only = no [print$] comment = Print drivers path = /var/lib/samba/drivers create mask = 0775 inherit permissions = yes guest ok = no read only = no ------------ >8 ------------ krb5.conf (on the printserver) ----------- 8< ------------ [libdefaults] default_realm = AD.EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = true ------------ >8 ------------ cupsd.conf (on the printserver, the parts not shown here are left as is in the original distribution) ----------- 8< ------------ [...] Listen 192.168.0.251:631 [...] # Restrict access to the server... <Location /> Order allow,deny Allow from 192.168.0.* </Location> # Restrict access to the admin pages... <Location /admin> Order allow,deny Allow from 192.168.0.* </Location> # Restrict access to configuration files... <Location /admin/conf> AuthType Default Require user @SYSTEM Order allow,deny Allow from 192.168.0.* </Location> # Restrict access to log files... <Location /admin/log> AuthType Default Require user @SYSTEM Order allow,deny Allow from 192.168.0.* </Location> [...] ------------ >8 ------------ Checking permissions of the shares ----------- 8< ------------ root at printserver:~# ls -ld /var/spool/samba/ drwxrwxrwt 2 root domain admins 4096 Okt 7 23:18 /var/spool/samba root at printserver:~# ls -ld /var/lib/samba/drivers/ drwsrwsr-x 9 root domain admins 4096 Okt 7 19:33 /var/lib/samba/drivers/ ------------ >8 ------------ "smbclient -L printserver -U Administrator" ----------- 8< ------------- Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian] Sharename Type Comment --------- ---- ------- print$ Disk Print drivers IPC$ IPC IPC Service (Samba 4.5.8-Debian) Brother_HL-3040CN_series_MANUAL Printer Brother HL-3040CN manuell hinzugefuegt [...] ------------ >8 ------------ "rpcclient printserver -U Administrator -c enumprinters" ----------- 8< ------------- [...] flags:[0x800000] name:[\\PRINTSERVER\Brother_HL-3040CN_series_MANUAL] description:[\\PRINTSERVER\Brother_HL-3040CN_series_MANUAL,Brother HL-3040CN series,Brother HL-3040CN manuell hinzugefuegt] comment:[Brother HL-3040CN manuell hinzugefuegt] [...] ------------ >8 ------------ "rpcclient printserver -U Administrator -c enumdrivers" ----------- 8< ------------ [Windows NT x86] Printer Driver Info 1: Driver Name: [Brother HL-3040CN series] [Windows x64] Printer Driver Info 1: Driver Name: [Brother HL-3040CN series ------------ >8 ----------- "net rpc rights list accounts -U Administrator -S printserver" ----------- 8< ------------ EXAMPLE\Domain Admins SePrintOperatorPrivilege ------------ >8 ----------- How the samba domain was provisioned (on the DC) ----------- 8< ------------ samba-tool domain provision \ --use-rfc2307 \ --server-role=dc \ --dns-backend=BIND9_DLZ \ --realm="ad.example.com" \ --domain="example" \ --adminpass="Test1234" ------------ >8 -----------
Marc Muehlfeld
2017-Oct-08 08:54 UTC
[Samba] RSAT Print Management won't show shared printers under the "Printers" section
Hi Thomas, Am 08.10.2017 um 01:53 schrieb Thomas Keppler via samba:> 5.) I have RSAT tools installed on a domain joined > Windows 7 client and I am logged in as such a Domain AdminDoes this also happen on Win 8.1 or 10? Please try, if you did not already. Do the clients have all available updates applied?> smb.conf (on the printserver) > ----------- 8< ------------ > rpc_server:spoolss = external > rpc_daemon:spoolssd = forkCan you temporarily try it without spoolssd (remove the two lines). Don't forget to restart smbd (restart, not reload in this case).> [printers] > comment = All printers > path = /var/spool/samba > browseable = yes > printable = yes > create mask = 0700 > guest ok = no > read only = noCan you try it with the following [printers] section: [printers] path = /var/spool/samba printable = yes printing = CUPS The other parameters in your [printers] section are either not necessary or default. I don't see any problem in your smb.conf. However, just for testing purposes: Can you disable automatic printer sharing and manually share one of the printers? See: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server#Disabling_the_Automatic_Printer_Sharing https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server#Manual_Sharing_of_Printers Regards, Marc
Thomas Keppler
2017-Oct-08 14:15 UTC
[Samba] RSAT Print Management won't show shared printers under the "Printers" section
Hi Marc, thank you for your quick reply. Here are my results so far:> Does this also happen on Win 8.1 or 10? Please try, if you did not already.It actually works like it should on Windows 8.1. I can manage the printers here like I should be able to from Windows 7. But, even after configuration from Windows 8.1, it doesn't appear on Windows 7. Yet, Windows 7 is my target platform. Couldn't check Windows 10 as it refused to cooperate with me today. Was always stuck on updates and the RSAT link is broken, given up on that.> Do the clients have all available updates applied?Yup.> Can you temporarily try it without spoolssd (remove the two lines).I had it running the longest times without those lines and it didn't work. Taking them out or putting them in unfortunately doesn't change a thing.> Can you try it with the following [printers] section:Tried it, but still doesn't work.> Can you disable automatic printer sharing and manually share > one of the printers?I've shared one of the printers manually. While it works great (shown in Explorer, shown in the "Ports" section of Print Management), I can still not see the printer in the "Printers" section of Print Management. What I forgot to include yesterday was a log on level 3 of what I was seeing on the printserver when I refresh the "Printers" section in Print Management (on Windows 7), here it is: ------------ 8< ------------ ==> /var/log/samba/smbd.log.14 <=[2017/10/07 23:26:55.763928, 2] ../source3/printing/spoolssd.c:459(spoolss_handle_client) Spoolss preforked child 1002 got client connection! [2017/10/07 23:26:55.764894, 3] ../source3/rpc_server/srv_pipe.c:733(api_pipe_bind_req) api_pipe_bind_req: spoolss -> spoolss rpc service [2017/10/07 23:26:55.764919, 3] ../source3/rpc_server/srv_pipe.c:356(check_bind_req) check_bind_req for spoolss context_id=0 [2017/10/07 23:26:55.764928, 3] ../source3/rpc_server/srv_pipe.c:399(check_bind_req) check_bind_req: spoolss -> spoolss rpc service [2017/10/07 23:26:55.765600, 3] ../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP) api_rpcTNP: rpc command: SPOOLSS_ENUMPRINTERDRIVERS [2017/10/07 23:26:55.773494, 2] ../source3/rpc_server/rpc_server.c:537(named_pipe_packet_process) Fatal error(NT_STATUS_CONNECTION_DISCONNECTED). Terminating client(192.168.0.1) connection! [2017/10/07 23:26:55.790581, 2] ../source3/printing/spoolssd.c:459(spoolss_handle_client) Spoolss preforked child 1002 got client connection! [2017/10/07 23:26:55.791580, 3] ../source3/rpc_server/srv_pipe.c:733(api_pipe_bind_req) api_pipe_bind_req: spoolss -> spoolss rpc service [2017/10/07 23:26:55.791601, 3] ../source3/rpc_server/srv_pipe.c:356(check_bind_req) check_bind_req for spoolss context_id=0 [2017/10/07 23:26:55.791609, 3] ../source3/rpc_server/srv_pipe.c:399(check_bind_req) check_bind_req: spoolss -> spoolss rpc service [2017/10/07 23:26:55.793046, 3] ../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP) api_rpcTNP: rpc command: SPOOLSS_ENUMPRINTERDRIVERS [2017/10/07 23:26:55.805135, 2] ../source3/rpc_server/rpc_server.c:537(named_pipe_packet_process) Fatal error(NT_STATUS_CONNECTION_DISCONNECTED). Terminating client(192.168.0.1) connection! ------------ >8 ------------ -- Best regards Thomas
Thomas Keppler
2017-Oct-08 15:42 UTC
[Samba] RSAT Print Management won't show shared printers under the "Printers" section
A small update: Fiddled some more with Windows 10 and that works, too. Windows 7 still doesn't see the printer in Print Management, not even on a second, freshly installed client. I have set up the printer now from Windows 8.1 and configured some printer preferences and installed the printer on a Windows 7 client. That works. However, I would really like to configure the printer form Windows 7, if that's possible. -- Best regards Thomas