Printing in 2.2.1a

Gerald Carter gcarter at valinux.com
Sun Aug 12 23:38:13 GMT 2001


On Sun, 12 Aug 2001, Juergen Hasch wrote:

> Printing from NT 4 to a Win2K machine works. I traced the
> communication with ethereal and it looks like (at least within my
> limited understanding) it's using spoolss. I can see the NT 4 machine
> requesting full printer access (access_type=0xf000c) and Win2k treats
> this in a way the NT4 machine is satisfied with.

I'll have to take a look at a trace again for this.  The Win2k
printer server did not have a valid NT printer I assume
so you had to install one.  However, this Win2k server did send
back a valid printer driver name I think.  In these cases, the
NT 4 box treats this as a printer connection.

If the server does not give you a valid printer driver name
and lets you choose your own, this is treated as a local printer
(and the according access rights).

>
/* PATCH: fallback if access_type is not PRINTER_ACCESS_USE */
> 	if ( !result && (access_type != PRINTER_ACCESS_USE)) {
> 		access_type = PRINTER_ACCESS_USE;
> 		map_printer_permissions(secdesc->sec);
> 		result = se_access_check(secdesc->sec, user,access_type,&access_granted,&status);
> 		DEBUG(0, ("fallback access check was %s\n", result ? "SUCCESS" : "FAILURE"));
> 	}
> /* end of patch */
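
Review bot: in the `if ( !result && (access_type != PRINTER_ACCESS_USE))` branch, `access_type` is overwritten and `result` becomes success, so anything that runs after this block cannot tell a downgraded open from one that was granted what it asked for. Keep the originally requested mask, store the `access_granted` value from the second `se_access_check()` with the open handle, and check later operations against that stored value rather than against the request. The `DEBUG(0, ...)` line also logs at level 0 on every fallback, whether it succeeds or fails; a higher debug level would keep normal logs quiet.
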
>
> This makes printing work without problems, at least nobody at work
> complained any more :-) I know you said you don't like this approach,
> but it looks like it's working very well for me. I am open to any other
> solution, I just believe downgrading all clients to lanman printing is
> not the best solution.

Unconfirmed, but I'm fairly certain this will break things.
The problem with this is that if the client tries to open the
printer with PRINTER_ACCESS_ADMINISTER and you return success
(because you actually dumbed the requested privilege down internally),
the client will think it has PRINTER_ACCESS_ADMINISTER.

A client uses this same check for printer connections to determine
(a) if the APW should be displayed, and (b) whether or not the
properties should be greyed out.

What might work is if we only do this for a printer open (service
level parameter) create a fall back.  Hmm....that might just work.
I'll look at it some more and see.








 ---------------------------------------------------------------------
 www.valinux.com         VA Linux Systems       gcarter_at_valinux.com
 www.samba.org              SAMBA Team              jerry_at_samba.org
 www.plainjoe.org                                jerry_at_plainjoe.org
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--
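
The concern raised in the reply above, as an added example that is not part of the original message or of Samba's code: a simplified model in which an open with the fallback records the access actually granted on the handle, and every later operation is checked against that record. `printer_handle`, `open_printer`, `handle_can` and `acl_allows` are hypothetical names, and the security descriptor is reduced to a single allowed-bits mask.

```c
#include <stdint.h>
#include <stdio.h>

/* Win32 printer access bits; 0xf000c from the trace is all three ORed. */
#define STANDARD_RIGHTS_REQUIRED  0x000F0000u
#define PRINTER_ACCESS_ADMINISTER 0x00000004u
#define PRINTER_ACCESS_USE        0x00000008u

/* Hypothetical handle: remembers what was granted, not what was asked. */
struct printer_handle { uint32_t granted; };

/* Stand-in for se_access_check(): every wanted bit must be in the mask. */
static int acl_allows(uint32_t acl_mask, uint32_t wanted)
{
    return (acl_mask & wanted) == wanted;
}

/* Open with the fallback discussed in the thread; returns 1 on success. */
int open_printer(uint32_t acl_mask, uint32_t requested, struct printer_handle *h)
{
    h->granted = 0;
    if (acl_allows(acl_mask, requested)) {
        h->granted = requested;
    } else if (requested != PRINTER_ACCESS_USE &&
               acl_allows(acl_mask, PRINTER_ACCESS_USE)) {
        h->granted = PRINTER_ACCESS_USE;   /* downgraded, and recorded as such */
    }
    return h->granted != 0;
}

/* Every later call is checked against the recorded grant. */
int handle_can(const struct printer_handle *h, uint32_t needed)
{
    return (h->granted & needed) == needed;
}

int main(void)
{
    struct printer_handle h;
    uint32_t asked = STANDARD_RIGHTS_REQUIRED | PRINTER_ACCESS_ADMINISTER |
                     PRINTER_ACCESS_USE;
    /* Constructed case: the ACL lets this user print and nothing else. */
    int ok = open_printer(PRINTER_ACCESS_USE, asked, &h);
    printf("asked=0x%x open=%d granted=0x%x\n",
           (unsigned)asked, ok, (unsigned)h.granted);
    printf("print=%d administer=%d\n", handle_can(&h, PRINTER_ACCESS_USE),
           handle_can(&h, PRINTER_ACCESS_ADMINISTER));
    return 0;
}
```

Recording the grant only bounds what the server will do on that handle; the client still sees a successful open for the mask it requested, which is the display problem described in the reply.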






