samba - Oct 2017 - RSAT Print Management won't show shared printers under the "Printers" section

Hello,

currently I am trying to setup a Samba environment (Samba AD DC, Samba
Fileserver, Samba Printserver) using Samba version 4.5.8-Debian and CUPS version
2.2.1-8 on Debian 9 "Stretch". I am trying to setup
"Point'n'Print" atm.
While my Active Directory domain and the fileserver work well with my Windows 7
clients, I am having some issues with the printserver. Config files will be down
below.

What I have so far in this setup and a quick rundown of what I've done
already:
1.) Samba is configured for an AD membership and both the "printers"
as well as the "print$" share are configured. Permissions seem OK.
2.) The printserver is properly joined to the domain ("net ads
testjoin" and some other tests are OK)
3.) CUPS is installed and configure to accept global connections for
administration
4.) A printer is configured in CUPS and is also listed using either smbclient or
the "enumpriners" command
5.) I have RSAT tools installed on a domain joined Windows 7 client and I am
logged in as such a Domain Admin
6.) The Domain Admins group (which my admin user is in) has the
"SePrintOperator" privilege, the "Print Operator" group is
shown using "Active Directory Users and Computers" in the "Member
Of" tab in the "Domain Admins" group.
7.) The printer is listed in the Explorer when I browse to \\printserver and I
can connect to it and also print with the printer if I set it up manually
8.) I can open up the Print Management tool and upload drivers just fine, they
get listed (both in Windows and using the "enumdrivers" command)
9.) Under "Ports" I can see the "Samba Printer Port" that
also has my configured printer under "Printer Name"
10.) Under "Printers", it's just empty, so I can never link up the
driver with the printer or preconfigure the driver like I want to in Windows.
However, if I do connect the driver from the shell on the printserver (using the
"setdriver" command) itself, the command gets completed successfully
and the driver gets installed on connection on a Windows client.
11.) Samba on log level 3 doesn't list any errors trying to access the
"Printers" option in the Print Management tool.
12.) I get the same problem using Debian 8 "Jessie" with Samba
4.2.14-Debian and CUPS 1.0.61-5+deb8u3 in the same domain

Here are screenshots from the Print Management tool on Windows 7 using a Domain
Admin member account: https://imgur.com/a/iwtAh
You will see that the printer is listed in "Ports" but not in
"Printers".

Screenshots of the "Domain Admins" group using "Active Directory
Users and Computers", currently logged in user is
"Administrator": https://imgur.com/a/fp9Ad
You can see that everything seems to be alright.

The articles I followed were from the German book "Samba 4 - Das Praxisbuch
für Administratoren" (pp. 403 - 417) and the Samba Wiki and in both texts
they get their printers listed.

I honestly have no idea what to do next. No one on the net seems to have the
same issue I am facing because either it work correctly or it doesn't work
at all for most people. Are there any more places to look for errors or more
places to check where I went wrong? Is an issue on the DC the main issue and is
it only showing that way?

Thanks for any suggestions.

--
Best regards
Thomas

Additional information:

smb.conf (on the printserver)
----------- 8< ------------
[global]
security = ADS
workgroup = EXAMPLE
realm = AD.EXAMPLE.COM

log file = /var/log/samba/%m.log
log level = 3

idmap config * : backend = tdb
idmap config * : range = 10000 - 19999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 1000000 - 1999999

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes

template homedir = /home/%D/%U
template shell = /bin/bash

client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2

domain master = no
local master = no
preferred master = no

os level = 0

rpc_server:spoolss = external
rpc_daemon:spoolssd = fork

[printers]
comment = All printers
path = /var/spool/samba
browseable = yes
printable = yes
create mask = 0700
guest ok = no
read only = no

[print$]
comment = Print drivers
path = /var/lib/samba/drivers
create mask = 0775
inherit permissions = yes
guest ok = no
read only = no
------------ >8 ------------

krb5.conf (on the printserver)
----------- 8< ------------
[libdefaults]
   default_realm = AD.EXAMPLE.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true
------------ >8 ------------

cupsd.conf (on the printserver, the parts not shown here are left as is in the
original distribution)
----------- 8< ------------
[...]
Listen 192.168.0.251:631
[...]
# Restrict access to the server...
<Location />
 Order allow,deny
 Allow from 192.168.0.*
</Location>

# Restrict access to the admin pages...
<Location /admin>
 Order allow,deny
 Allow from 192.168.0.*
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
 AuthType Default
 Require user @SYSTEM
 Order allow,deny
 Allow from 192.168.0.*
</Location>

# Restrict access to log files...
<Location /admin/log>
 AuthType Default
 Require user @SYSTEM
 Order allow,deny
 Allow from 192.168.0.*
</Location>
[...]
------------ >8 ------------

Checking permissions of the shares
----------- 8< ------------
root at printserver:~# ls -ld /var/spool/samba/
drwxrwxrwt 2 root domain admins 4096 Okt  7 23:18 /var/spool/samba

root at printserver:~# ls -ld /var/lib/samba/drivers/
drwsrwsr-x 9 root domain admins 4096 Okt  7 19:33 /var/lib/samba/drivers/
------------ >8 ------------

"smbclient -L printserver -U Administrator"
----------- 8< -------------
Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Print drivers
	IPC$            IPC       IPC Service (Samba 4.5.8-Debian)
	Brother_HL-3040CN_series_MANUAL Printer   Brother HL-3040CN manuell
hinzugefuegt
[...]
------------ >8 ------------

"rpcclient printserver -U Administrator -c enumprinters"
----------- 8< -------------
[...]
	flags:[0x800000]
	name:[\\PRINTSERVER\Brother_HL-3040CN_series_MANUAL]
	description:[\\PRINTSERVER\Brother_HL-3040CN_series_MANUAL,Brother HL-3040CN
series,Brother HL-3040CN manuell hinzugefuegt]
	comment:[Brother HL-3040CN manuell hinzugefuegt]
[...]
------------ >8 ------------

"rpcclient printserver -U Administrator -c enumdrivers"
----------- 8< ------------
[Windows NT x86]
Printer Driver Info 1:
	Driver Name: [Brother HL-3040CN series]


[Windows x64]
Printer Driver Info 1:
	Driver Name: [Brother HL-3040CN series
------------ >8 -----------

"net rpc rights list accounts -U Administrator -S printserver"
----------- 8< ------------
EXAMPLE\Domain Admins
SePrintOperatorPrivilege
------------ >8 -----------

How the samba domain was provisioned (on the DC)
----------- 8< ------------
samba-tool domain provision \
                   --use-rfc2307 \
                   --server-role=dc \
                   --dns-backend=BIND9_DLZ \
                   --realm="ad.example.com" \
                   --domain="example" \
                   --adminpass="Test1234"
------------ >8 -----------

Hi Thomas,


Am 08.10.2017 um 01:53 schrieb Thomas Keppler via samba:
> 5.) I have RSAT tools installed on a domain joined
> Windows 7 client and I am logged in as such a Domain Admin
Does this also happen on Win 8.1 or 10? Please try, if you did not already.
Do the clients have all available updates applied?


> smb.conf (on the printserver)
> ----------- 8< ------------
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
Can you temporarily try it without spoolssd (remove the two lines).
Don't forget to restart smbd (restart, not reload in this case).


> [printers]
> comment = All printers
> path = /var/spool/samba
> browseable = yes
> printable = yes
> create mask = 0700
> guest ok = no
> read only = no
Can you try it with the following [printers] section:
[printers]
       path = /var/spool/samba
       printable = yes
       printing = CUPS

The other parameters in your [printers] section are either not necessary
or default.



I don't see any problem in your smb.conf. However, just for testing
purposes: Can you disable automatic printer sharing and manually share
one of the printers? See:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server#Disabling_the_Automatic_Printer_Sharing
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server#Manual_Sharing_of_Printers



Regards,
Marc

Hi Marc,

thank you for your quick reply. Here are my results so far:
> Does this also happen on Win 8.1 or 10? Please try, if you did not already.
It actually works like it should on Windows 8.1. I can manage the printers here
like I should be able to from Windows 7.
But, even after configuration from Windows 8.1, it doesn't appear on Windows
7. Yet, Windows 7 is my target platform.
Couldn't check Windows 10 as it refused to cooperate with me today. Was
always stuck on updates and the RSAT link is broken, given up on that.
> Do the clients have all available updates applied?
Yup.
> Can you temporarily try it without spoolssd (remove the two lines).
I had it running the longest times without those lines and it didn't work.
Taking them out or putting them in unfortunately doesn't change a thing.
> Can you try it with the following [printers] section:
Tried it, but still doesn't work.
> Can you disable automatic printer sharing and manually share
> one of the printers?
I've shared one of the printers manually. While it works great (shown in
Explorer, shown in the "Ports" section of Print Management), I can
still not see the printer in the "Printers" section of Print
Management.

What I forgot to include yesterday was a log on level 3 of what I was seeing on
the printserver when I refresh the "Printers" section in Print
Management (on Windows 7), here it is:
------------ 8< ------------
==> /var/log/samba/smbd.log.14 <=[2017/10/07 23:26:55.763928,  2]
../source3/printing/spoolssd.c:459(spoolss_handle_client)
  Spoolss preforked child 1002 got client connection!
[2017/10/07 23:26:55.764894,  3]
../source3/rpc_server/srv_pipe.c:733(api_pipe_bind_req)
  api_pipe_bind_req: spoolss -> spoolss rpc service
[2017/10/07 23:26:55.764919,  3]
../source3/rpc_server/srv_pipe.c:356(check_bind_req)
  check_bind_req for spoolss context_id=0
[2017/10/07 23:26:55.764928,  3]
../source3/rpc_server/srv_pipe.c:399(check_bind_req)
  check_bind_req: spoolss -> spoolss rpc service
[2017/10/07 23:26:55.765600,  3]
../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP)
  api_rpcTNP: rpc command: SPOOLSS_ENUMPRINTERDRIVERS
[2017/10/07 23:26:55.773494,  2]
../source3/rpc_server/rpc_server.c:537(named_pipe_packet_process)
  Fatal error(NT_STATUS_CONNECTION_DISCONNECTED). Terminating
client(192.168.0.1) connection!
[2017/10/07 23:26:55.790581,  2]
../source3/printing/spoolssd.c:459(spoolss_handle_client)
  Spoolss preforked child 1002 got client connection!
[2017/10/07 23:26:55.791580,  3]
../source3/rpc_server/srv_pipe.c:733(api_pipe_bind_req)
  api_pipe_bind_req: spoolss -> spoolss rpc service
[2017/10/07 23:26:55.791601,  3]
../source3/rpc_server/srv_pipe.c:356(check_bind_req)
  check_bind_req for spoolss context_id=0
[2017/10/07 23:26:55.791609,  3]
../source3/rpc_server/srv_pipe.c:399(check_bind_req)
  check_bind_req: spoolss -> spoolss rpc service
[2017/10/07 23:26:55.793046,  3]
../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP)
  api_rpcTNP: rpc command: SPOOLSS_ENUMPRINTERDRIVERS
[2017/10/07 23:26:55.805135,  2]
../source3/rpc_server/rpc_server.c:537(named_pipe_packet_process)
  Fatal error(NT_STATUS_CONNECTION_DISCONNECTED). Terminating
client(192.168.0.1) connection!
------------ >8 ------------

--
Best regards
Thomas

A small update:

Fiddled some more with Windows 10 and that works, too. Windows 7 still
doesn't see the printer in Print Management, not even on a second, freshly
installed client.

I have set up the printer now from Windows 8.1 and configured some printer
preferences and installed the printer on a Windows 7 client. That works.
However, I would really like to configure the printer form Windows 7, if
that's possible.

--
Best regards
Thomas