[Samba] Printer Admin Difficulties
Ryan Suarez
ryan.suarez at sheridanc.on.ca
Fri Apr 9 14:33:21 MDT 2010
Might be simpler to assign users to the builtin administrators group.
See if you have better luck:
#net sam list builtin
#net sam createbuiltingroup administrators
#net sam addmem administrators
#net sam listmem administrators
# net rpc rights list administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
Jeff Hardy wrote:
> I have been trying to set up a new print server on Fedora 12 based
> around samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All
> looks good except for the ability for printer administrators to manage
> printers. Whether I specify users in a system group using the
> deprecated printer admin option, or specifically using net rpc rights
> and the SePrinterOperatorPrivilege, it does not matter. This is
> against an NT4 domain on samba-3.4.2.
>
> Interestingly, I have one user who can manage printers, whether or not
> he is in the group or has the privilege. Also, the printer admin
> pieces work correctly on an existing samba-3.0.28a print server
> against that same domain controller.
>
> I have been looking at level 10 logs to compare two users, the mystery
> adminuser, and the feckless denieduser, when running the following
> command (again, both are members of the printer admin group):
>
> rpcclient -c 'setdriver ZZZ "HP LaserJet 4000 Series PS"' -U <user>
> localhost
>
> Following are log snippets, both beginning with SPOOLSS_OPENPRINTEREX
> and ending when printer access is either granted as
> PRINTER_ACCESS_ADMINISTER or denied outright. Whether or not in the
> proper printer admin group or given the privilege, the outcome does
> not change for either user.
>
> First the user for whom administrative access is granted:
>
> --------------------------------------------
> [2010/03/31 13:43:35, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
> api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command:
> SPOOLSS_OPENPRINTEREX
> [2010/03/31 13:43:35, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
> api_rpc_cmds[69].fn == 0x7f0e2d66c890
> [2010/03/31 13:43:35, 1]
> ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
> spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
> in: struct spoolss_OpenPrinterEx
> printername : *
> printername : '\\LOCALHOST\ZZZ'
> datatype : NULL
> devmode_ctr: struct spoolss_DevmodeContainer
> _ndr_size : 0x00000000 (0)
> devmode : NULL
> access_mask : 0x000f000c (983052)
> 0: SERVER_ACCESS_ADMINISTER
> 0: SERVER_ACCESS_ENUMERATE
> 1: PRINTER_ACCESS_ADMINISTER
> 1: PRINTER_ACCESS_USE
> 0: JOB_ACCESS_ADMINISTER
> 0: JOB_ACCESS_READ
> level : 0x00000001 (1)
> userlevel : union spoolss_UserLevel(case 1)
> level1 : *
> level1: struct spoolss_UserLevel1
> size : 0x0000001c (28)
> client : *
> client : '\\TKNEW'
> user : *
> user : 'adminuser'
> build : 0x00000565 (1381)
> major : UNKNOWN_ENUM_VALUE (2)
> minor :
> SPOOLSS_MINOR_VERSION_0 (0)
> processor :
> PROCESSOR_ARCHITECTURE_INTEL (0)
> checking name: \\LOCALHOST\ZZZ
> [2010/03/31 13:43:35, 10]
> rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
> open_printer_hnd: name [\\LOCALHOST\ZZZ]
> [2010/03/31 13:43:35, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
> Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
> 4B C7 89 ........ .....K..
> [0010] F9 54 00 00 .T..
> [2010/03/31 13:43:35, 3]
> rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
> Setting printer type=\\LOCALHOST\ZZZ
> Printer is a printer
> [2010/03/31 13:43:35, 4]
> rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
> Setting printer name=\\LOCALHOST\ZZZ (len=15)
> [2010/03/31 13:43:35, 8] lib/util.c:1879(is_myname)
> is_myname("LOCALHOST") returns 0
> searching for [ZZZ]
> [2010/03/31 13:43:35, 10]
> printing/nt_printing.c:4630(get_a_printer_internal)
> get_a_printer: [printers] level 2
> [2010/03/31 13:43:35, 10]
> printing/nt_printing.c:3917(get_a_printer_2_default)
> get_a_printer_2_default: driver name set to []
> printername: printers
> [2010/03/31 13:43:35, 10]
> printing/nt_printing.c:3917(get_a_printer_2_default)
> get_a_printer_2_default: driver name set to []
> printername: CRBSTD-P
> set_printer_hnd_name: Printer found: ZZZ -> ZZZ
> [2010/03/31 13:43:35, 5]
> rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
> 1 printer handles active
> [2010/03/31 13:43:35, 4]
> rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
> Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
> 4B C7 89 ........ .....K..
> [0010] F9 54 00 00 .T..
> [2010/03/31 13:43:35, 4]
> rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
> Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
> 4B C7 89 ........ .....K..
> [0010] F9 54 00 00 .T..
> [2010/03/31 13:43:35, 4]
> rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
> short name:ZZZ
> [2010/03/31 13:43:35, 3] lib/access.c:362(only_ipaddrs_in_list)
> only_ipaddrs_in_list: list has non-ip address (127.)
> [2010/03/31 13:43:35, 3] lib/access.c:396(check_access)
> check_access: hostnames in host allow/deny list.
> [2010/03/31 13:43:35, 2] lib/access.c:406(check_access)
> Allowed connection from 127.0.0.1 (127.0.0.1)
> [2010/03/31 13:43:35, 10] smbd/share_access.c:234(user_ok_token)
> user_ok_token: share ZZZ is ok for unix user adminuser
> [2010/03/31 13:43:35, 4]
> rpc_server/srv_spoolss_nt.c:1726(_spoolss_OpenPrinterEx)
> Setting printer access = PRINTER_ACCESS_ADMINISTER
> [2010/03/31 13:43:35, 1]
> ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
> spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
> out: struct spoolss_OpenPrinterEx
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid :
> 00000002-0000-0000-b34b-c789f9540000
> result : WERR_OK
>
> --------------------------------------------
>
> And now for a user who is denied access:
>
> --------------------------------------------
> [2010/03/31 13:44:33, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
> api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command:
> SPOOLSS_OPENPRINTEREX
> [2010/03/31 13:44:33, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
> api_rpc_cmds[69].fn == 0x7f0e2d66c890
> [2010/03/31 13:44:33, 1]
> ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
> spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
> in: struct spoolss_OpenPrinterEx
> printername : *
> printername : '\\LOCALHOST\ZZZ'
> datatype : NULL
> devmode_ctr: struct spoolss_DevmodeContainer
> _ndr_size : 0x00000000 (0)
> devmode : NULL
> access_mask : 0x000f000c (983052)
> 0: SERVER_ACCESS_ADMINISTER
> 0: SERVER_ACCESS_ENUMERATE
> 1: PRINTER_ACCESS_ADMINISTER
> 1: PRINTER_ACCESS_USE
> 0: JOB_ACCESS_ADMINISTER
> 0: JOB_ACCESS_READ
> level : 0x00000001 (1)
> userlevel : union spoolss_UserLevel(case 1)
> level1 : *
> level1: struct spoolss_UserLevel1
> size : 0x0000001c (28)
> client : *
> client : '\\TKNEW'
> user : *
> user : 'denieduser'
> build : 0x00000565 (1381)
> major : UNKNOWN_ENUM_VALUE (2)
> minor :
> SPOOLSS_MINOR_VERSION_0 (0)
> processor :
> PROCESSOR_ARCHITECTURE_INTEL (0)
> checking name: \\LOCALHOST\ZZZ
> [2010/03/31 13:44:33, 10]
> rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
> open_printer_hnd: name [\\LOCALHOST\ZZZ]
> [2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
> Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
> 4B 01 8A ........ .....K..
> [0010] FF 54 00 00 .T..
> [2010/03/31 13:44:33, 3]
> rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
> Setting printer type=\\LOCALHOST\ZZZ
> Printer is a printer
> [2010/03/31 13:44:33, 4]
> rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
> Setting printer name=\\LOCALHOST\ZZZ (len=15)
> [2010/03/31 13:44:33, 8] lib/util.c:1879(is_myname)
> is_myname("LOCALHOST") returns 0
> searching for [ZZZ]
> [2010/03/31 13:44:33, 10]
> printing/nt_printing.c:4630(get_a_printer_internal)
> get_a_printer: [printers] level 2
> [2010/03/31 13:44:33, 10]
> printing/nt_printing.c:3917(get_a_printer_2_default)
> get_a_printer_2_default: driver name set to []
> printername: printers
> [2010/03/31 13:44:33, 10]
> printing/nt_printing.c:3917(get_a_printer_2_default)
> get_a_printer_2_default: driver name set to []
> printername: CRBSTD-P
> set_printer_hnd_name: Printer found: ZZZ -> ZZZ
> [2010/03/31 13:44:33, 5]
> rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
> 1 printer handles active
> [2010/03/31 13:44:33, 4]
> rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
> Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
> 4B 01 8A ........ .....K..
> [0010] FF 54 00 00 .T..
> [2010/03/31 13:44:33, 4]
> rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
> Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
> 4B 01 8A ........ .....K..
> [0010] FF 54 00 00 .T..
> [2010/03/31 13:44:33, 4]
> rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
> short name:ZZZ
> [2010/03/31 13:44:33, 3] lib/access.c:362(only_ipaddrs_in_list)
> only_ipaddrs_in_list: list has non-ip address (127.)
> [2010/03/31 13:44:33, 3] lib/access.c:396(check_access)
> check_access: hostnames in host allow/deny list.
> [2010/03/31 13:44:33, 2] lib/access.c:406(check_access)
> Allowed connection from 127.0.0.1 (127.0.0.1)
> [2010/03/31 13:44:33, 10] smbd/share_access.c:234(user_ok_token)
> user_ok_token: share ZZZ is ok for unix user denieduser
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
> se_map_generic(): mapped mask 0x20020008 to 0x00020008
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
> se_map_generic(): mapped mask 0x100f000c to 0x000f000c
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
> se_map_generic(): mapped mask 0x100f000c to 0x000f000c
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
> se_map_generic(): mapped mask 0x100f000c to 0x000f000c
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
> se_map_generic(): mapped mask 0x100f000c to 0x000f000c
> [2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
> access check was FAILURE
> [2010/03/31 13:44:33, 3]
> rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)
> access DENIED for printer open
> [2010/03/31 13:44:33, 4]
> rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
> Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
> 4B 01 8A ........ .....K..
> [0010] FF 54 00 00 .T..
> [2010/03/31 13:44:33, 4]
> rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
> Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
> 4B 01 8A ........ .....K..
> [0010] FF 54 00 00 .T..
> [2010/03/31 13:44:33, 3] rpc_server/srv_lsa_hnd.c:218(close_policy_hnd)
> Closed policy
> [2010/03/31 13:44:33, 1]
> ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
> spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
> out: struct spoolss_OpenPrinterEx
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid :
> 00000000-0000-0000-0000-000000000000
> result : WERR_ACCESS_DENIED
> --------------------------------------------
>
> The only discernible difference to my eye is that for the denieduser,
> se_map_generic() is called before ultimately denying the user.
>
> Finally, here is testparm output:
>
> --------------------------------------------
> [global]
> workgroup = POTSDAM
> server string = Printing Server
> security = DOMAIN
> password server = MEGA
> restrict anonymous = 2
> log level = 1
> log file = /var/log/samba/%m.log
> max log size = 10000
> time server = Yes
> unix extensions = No
> deadtime = 5
> printcap name = cups
> wins server = 192.168.0.1
> printer admin = @printeradmins
> hosts allow = 127., 192.168.
> cups options = raw
> veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
> browsable = No
>
> [print$]
> comment = Printer Drivers for Windows
> path = /usr/share/samba/print
> write list = @printeradmins
>
> [drivers]
> comment = Vendor Printer Driver Paks
> path = /usr/share/samba/drivers
> write list = @printeradmins
> create mask = 0775
> directory mask = 0775
> --------------------------------------------
>
> If anyone could shed light on this issue, it would be much
> appreciated. Thank you.
>
> -Jeff
>
> --
> Jeffrey M Hardy
> Systems Analyst
> hardyjm at potsdam.edu
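The two level-10 traces quoted above differ only in whether the security descriptor path (the se_map_generic lines and print_access_check) is reached before the OpenPrinterEx result. As an added example that is not part of this thread, the following Python script parses log text of that shape, one record per OpenPrinterEx call, decodes the requested access_mask into the spoolss bit names that appear in the NDR dump, and reports for each user whether the call was granted without a security-descriptor evaluation, granted after one, or refused by print_access_check. The embedded SAMPLE_LOG is a constructed, abbreviated copy of the two quoted traces; the bit values for the spoolss rights and the standard rights are the ones from Samba's IDL and Windows security headers. The reading in explain() that a grant with no se_map_generic lines means the call passed the early root/privilege test in print_access_check is my interpretation of the Samba 3.4 code, not something the thread states.

```python
"""Parse Samba level-10 spoolss logs and summarise OpenPrinterEx access decisions.

Added example for the thread above; it is not Samba code. Input is the
'> '-quoted or unquoted log text as pasted into a mail. SAMPLE_LOG below
is constructed from the two traces in the thread, heavily abbreviated.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Specific spoolss access bits (low word) and the standard rights that make
# up the 0x000f0000 part of the mask printed in the NDR debug output.
SPOOLSS_SPECIFIC = {
    0x00000001: "SERVER_ACCESS_ADMINISTER",
    0x00000002: "SERVER_ACCESS_ENUMERATE",
    0x00000004: "PRINTER_ACCESS_ADMINISTER",
    0x00000008: "PRINTER_ACCESS_USE",
    0x00000010: "JOB_ACCESS_ADMINISTER",
    0x00000020: "JOB_ACCESS_READ",
}
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}


def decode_access_mask(mask: int) -> List[str]:
    """Name every known bit in a spoolss access mask; leftover bits stay hex."""
    known = {**SPOOLSS_SPECIFIC, **STANDARD_RIGHTS}
    names = [name for bit, name in sorted(known.items()) if mask & bit]
    covered = 0
    for bit in known:
        covered |= bit
    if mask & ~covered:
        names.append(f"0x{mask & ~covered:08x}")
    return names


@dataclass
class OpenPrinterEx:
    user: Optional[str] = None
    printer: Optional[str] = None
    access_mask: int = 0
    granted_as: Optional[str] = None   # from "Setting printer access = ..."
    sd_evaluated: bool = False         # any se_map_generic line seen
    check_failed: bool = False         # "access check was FAILURE"
    result: Optional[str] = None       # WERR_* from the out: block


_RE_QUOTE = re.compile(r"^(?:>\s?)+")
_RE_PRINTER = re.compile(r"printername\s*:\s*'([^']*)'")
_RE_USER = re.compile(r"\buser\s*:\s*'([^']*)'")
_RE_MASK = re.compile(r"access_mask\s*:\s*(0x[0-9a-f]+)", re.I)
_RE_GRANT = re.compile(r"Setting printer access\s*=\s*(\S+)")
_RE_RESULT = re.compile(r"result\s*:\s*(WERR_\w+)")


def parse_openprinterex(log_text: str) -> List[OpenPrinterEx]:
    """Split a log into OpenPrinterEx records, from 'in:' through 'result :'."""
    calls: List[OpenPrinterEx] = []
    cur: Optional[OpenPrinterEx] = None
    for raw in log_text.splitlines():
        line = _RE_QUOTE.sub("", raw).strip()       # drop mail quoting
        if line.startswith("in: struct spoolss_OpenPrinterEx"):
            cur = OpenPrinterEx()
            continue
        if cur is None:
            continue
        m = _RE_PRINTER.search(line)
        if m:
            cur.printer = m.group(1)
        m = _RE_USER.search(line)
        if m:
            cur.user = m.group(1)
        m = _RE_MASK.search(line)
        if m:
            cur.access_mask = int(m.group(1), 16)
        m = _RE_GRANT.search(line)
        if m:
            cur.granted_as = m.group(1)
        if "se_map_generic" in line:
            cur.sd_evaluated = True
        if "access check was FAILURE" in line:
            cur.check_failed = True
        m = _RE_RESULT.search(line)
        if m:
            cur.result = m.group(1)
            calls.append(cur)
            cur = None
    return calls


def explain(call: OpenPrinterEx) -> str:
    """One-line reading of a record, for comparing an admin and a denied user."""
    rights = decode_access_mask(call.access_mask)
    if call.result == "WERR_OK":
        how = ("after the security descriptor check" if call.sd_evaluated
               else "without a security descriptor check (early admin/privilege test passed)")
        return f"{call.user}: granted {call.granted_as} on {call.printer} {how}"
    if "PRINTER_ACCESS_ADMINISTER" in rights and call.check_failed:
        return (f"{call.user}: PRINTER_ACCESS_ADMINISTER on {call.printer} refused by "
                "print_access_check after the security descriptor was evaluated")
    return f"{call.user}: {call.result} on {call.printer}"


# Constructed sample: abbreviated copies of the two traces in the thread.
SAMPLE_LOG = r"""
> [2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>         in: struct spoolss_OpenPrinterEx
>             printername              : *
>                 printername              : '\\LOCALHOST\ZZZ'
>             access_mask              : 0x000f000c (983052)
>                 user                     : 'adminuser'
>   user_ok_token: share ZZZ is ok for unix user adminuser
> [2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:1726(_spoolss_OpenPrinterEx)
>   Setting printer access = PRINTER_ACCESS_ADMINISTER
>         out: struct spoolss_OpenPrinterEx
>             result                   : WERR_OK
> [2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>         in: struct spoolss_OpenPrinterEx
>                 printername              : '\\LOCALHOST\ZZZ'
>             access_mask              : 0x000f000c (983052)
>                 user                     : 'denieduser'
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
>   se_map_generic(): mapped mask 0x100f000c to 0x000f000c
> [2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
>   access check was FAILURE
> [2010/03/31 13:44:33, 3] rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)
>   access DENIED for printer open
>         out: struct spoolss_OpenPrinterEx
>             result                   : WERR_ACCESS_DENIED
"""

if __name__ == "__main__":
    for call in parse_openprinterex(SAMPLE_LOG):
        print(explain(call), "| requested:", ", ".join(decode_access_mask(call.access_mask)))
```

Run it against a full level-10 log.smbd (or a saved mail) to get one line per printer open; the requested-rights list makes it obvious when a client asked for PRINTER_ACCESS_ADMINISTER rather than plain PRINTER_ACCESS_USE, and the "without a security descriptor check" wording flags the users whose token already passed the privilege or printer-admin test.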