[Samba] Samba 3.9 + AD: Print share permissions difficulties
Michael Mol
mikemol at gmail.com
Tue Feb 11 16:41:09 MST 2014
Trying to print to a printer share on a Samba 3.9 printer server. When
I print a test page from a domain administrator account, I get:
> The document Print Document, owned by Administrator, failed to print
> on printer \\printer-server\SAVIN_SECONDARY. Try to print the document
> again, or restart the print spooler.
> Data type: RAW. Size of the spool file in bytes: 191277. Number of
> bytes printed: 0. Total number of pages in the document: 1. Number of
> pages printed: 0. Client computer: \\WINDOWS-SERVER-2. Win32 error
> code returned by the print processor: 5. Access is denied.
in the event log. For the life of me, I can't figure out why, and I've
been working on this, one way or another, for over a week. It's driving
me mad...
Complete smb.conf follows (minor substitution in workgroup and realm
names):
[global]
workgroup = WINDOWS
realm = WINDOWS.EXAMPLE.COM
server string = Samba Server Version %v
# load printers = yes
security = ads
local master = no
domain master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072
SO_SNDBUF=131072 use sendfile = true
wins server = 10.161.1.32
dns proxy = no
idmap config * : backend = autorid
idmap config * : range = 16777216-33554431
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind expand groups = 2
winbind refresh tickets = yes
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
template homedir = /home/%D/%U
template shell = /bin/bash
interfaces = eth0 lo
log file = /var/log/samba/log.%m
max log size = 50
invalid users = root
valid users = administrator
write list = administrator
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
[SAVIN_MAIN]
print ok = yes
writeable = yes
printing = cups
path = /var/spool/samba
comment = SAVIN MAIN (C9135)
[SAVIN_SECONDARY]
print ok = yes
writeable = yes
printing = cups
path = /var/spool/samba
valid users = administrator
write list = administrator
admin users = administrator
comment = SAVIN SECONDARY (C3535)
[SAVIN_LARGEFORMAT]
print ok = yes
writeable = yes
printing = cups
path = /var/spool/samba
comment = SAVIN LARGEFORMAT (2406WD)
[homes]
comment = Home Directories
browseable = no
writable = yes
force create mode = 0004
force directory mode = 0005
root preexec = /var/lib/samba/scripts/mkuserdir %u
valid users = %S
...
For the curious, yes, the homes shares work fine.
net rpc rights list accounts -Uadministrator :
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
Everyone
No privileges assigned
WINDOWS\Domain Admins
SePrintOperatorPrivilege
net sam rights list SePrintOperatorPrivilege -Uadministrator:
BUILTIN\Administrators
WINDOWS\Domain Admins
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20140211/7c8bbf98/attachment.pgp>
More information about the samba
mailing list