[Samba] Access denied, unable to connect to printer

Norman Walsh ndw at nwalsh.com
Tue May 6 17:54:28 GMT 2003



/ "Kurt Pfeifle" <kpfeifle at danka.de> was heard to say:
| Norman Walsh ndw at nwalsh.com wrote on Samba Digest
|
|> Mon Apr 28 10:21:43 GMT 2003
|> / "Kurt Pfeifle" <kpfeifle at danka.de> was heard to say
|> | Unforch, 2.2.3a is very old, with many known weaknesses in the printing
|> | code.
|> I should go off and build something more recent, eh? Fair 'nough.
|> I see Debian binaries for 2.2.8, would that be significantly better?
|
| I would assume so.

Ok, I'm now running 2.2.8.

|> |> The server is using Cups
|> |
|> | Which version of CUPS?
|> 1.1.15
|> | What is the exact message you are getting on XP? What is the exact
|> | procedure you are using to connect to the printer?
|> I get "Access denied, unable to connect"
|> First I double-click on a share drive to make sure I get prompted for
|> username/password. After I've made sure I can connect to the server, I
|> double click on the printer and it says "epson - Access denied, unable
|> to connect" in the status bar.
|
| That's strange.

It gets stranger. Looking in the /var/log/samba/log.athena file:

[2003/05/06 13:20:53, 3] smbd/process.c:process_smb(846)
  Transaction 13 of length 856
[2003/05/06 13:20:53, 3] smbd/process.c:switch_message(685)
  switch message SMBtrans (pid 642)
[2003/05/06 13:20:53, 3] smbd/ipc.c:reply_trans(520)
  trans <\PIPE\> data=776 params=0 setup=2
[2003/05/06 13:20:53, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2003/05/06 13:20:53, 3] smbd/ipc.c:api_fd_reply(296)
  Got API command 0x26 on pipe "spoolss" (pnum 7425)free_pipe_context: destroying talloc pool of size 0
[2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_pipe_request(1165)
  Doing \PIPE\spoolss
[2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_rpcTNP(1197)
  api_rpcTNP: pipe 29733 rpc command: SPOOLSS_OPENPRINTEREX
  checking name: \\zeus\Epson
[2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(394)
  Setting printer type=\\zeus\Epson
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(269)
  se_access_check: user sid is S-1-5-21-258535541-2170564375-100393917-3004
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-3005
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1013
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1015
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1041
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1043
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1045
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1049
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1051
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1059
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1081
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1089
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1101
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1121
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1201
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-258535541-2170564375-100393917-1025
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-1-0
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-2
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-11
[2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1181)
  access DENIED for printer open
[2003/05/06 13:20:53, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(197)
  Closed policy
[2003/05/06 13:20:53, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(444)
  free_pipe_context: destroying talloc pool of size 662

Ok, at least I can see the explicit fail message. But...

  echo hi > \\zeus\epson

prints "hi"!

So the data actually flows to the device!

|> | Is it XP Prof or XP Home? Service Packs?
|> Uhm, XP Home I would guess.
|
| Hmmmm... that is a completely different animal from XP Prof and I have no
| experience with it.
|
| What does the "ver" command give you in a DOS box?

  Microsoft Windows XP [Version 5.1.2600]

|> |> Here's my smb.conf:
|> |> [global]
|> |>         debuglevel = 5
|> |> 	server string = Zeus
|> |> 	encrypt passwords = true
|> |> 	obey pam restrictions = Yes
|
| Are you trying to authenticate via PAM?

Uhm, perhaps not. I deleted that line.

| What is the setting for "security" on your Samba box?
| If you haven't set it in smb.conf, "testparm" will show you the
| compiled-in default taken in lieu of a specified "security = .."
| line...

"USER".

Here's what testparm says about my configuration (I've tinkered a bit
since I last posted it).

# Global parameters
[global]
	coding system = 
	client code page = 850
	code page directory = /usr/share/samba/codepages
	workgroup = WORKGROUP
	netbios name = 
	netbios aliases = 
	netbios scope = 
	server string = Zeus
	interfaces = 
	bind interfaces only = No
	security = USER
	encrypt passwords = Yes
	update encrypted = No
	allow trusted domains = Yes
	hosts equiv = 
	min passwd length = 5
	map to guest = Never
	null passwords = No
	obey pam restrictions = No
	password server = 
	smb passwd file = /etc/samba/smbpasswd
	root directory = 
	pam password change = No
	passwd program = /usr/bin/passwd
	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
	passwd chat debug = No
	username map = 
	password level = 0
	username level = 0
	unix password sync = No
	restrict anonymous = No
	lanman auth = Yes
	use rhosts = No
	admin log = No
	log level = 3
	syslog = 0
	syslog only = No
	log file = /var/log/samba/log.%m
	max log size = 1000
	timestamp logs = Yes
	debug hires timestamp = No
	debug pid = No
	debug uid = No
	protocol = NT1
	large readwrite = Yes
	max protocol = NT1
	min protocol = CORE
	read bmpx = No
	read raw = Yes
	write raw = Yes
	acl compatibility = 
	nt smb support = Yes
	nt pipe support = Yes
	nt status support = Yes
	announce version = 4.9
	announce as = NT
	max mux = 50
	max xmit = 16644
	name resolve order = lmhosts host wins bcast
	max ttl = 259200
	max wins ttl = 518400
	min wins ttl = 21600
	time server = No
	unix extensions = No
	change notify timeout = 60
	deadtime = 0
	getwd cache = Yes
	keepalive = 300
	lpq cache time = 10
	max smbd processes = 0
	max disk size = 0
	max open files = 10000
	name cache timeout = 660
	read size = 16384
	socket options = TCP_NODELAY
	stat cache size = 50
	use mmap = Yes
	total print jobs = 0
	load printers = Yes
	printcap name = cups
	disable spoolss = No
	enumports command = 
	addprinter command = 
	deleteprinter command = 
	show add printer wizard = Yes
	os2 driver map = 
	strip dot = No
	mangling method = hash
	character set = 
	mangled stack = 50
	stat cache = Yes
	domain admin group = 
	domain guest group = 
	machine password timeout = 604800
	add user script = 
	delete user script = 
	logon script = 
	logon path = \\%N\%U\profile
	logon drive = 
	logon home = \\%N\%U
	domain logons = No
	os level = 20
	lm announce = Auto
	lm interval = 60
	preferred master = Auto
	local master = Yes
	domain master = Yes
	browse list = Yes
	enhanced browsing = Yes
	dns proxy = No
	wins proxy = No
	wins server = 
	wins support = Yes
	wins hook = 
	kernel oplocks = Yes
	lock spin count = 3
	lock spin time = 10
	oplock break wait time = 0
	add share command = 
	change share command = 
	delete share command = 
	config file = 
	preload = 
	lock dir = 
	pid directory = /var/run/samba
	utmp directory = 
	wtmp directory = 
	utmp = No
	default service = 
	message command = 
	dfree command = 
	valid chars = 
	remote announce = 
	remote browse sync = 
	socket address = 0.0.0.0
	homedir map = 
	time offset = 0
	NIS homedir = No
	source environment = 
	panic action = 
	hide local users = No
	host msdfs = No
	winbind uid = 
	winbind gid = 
	template homedir = /home/%D/%U
	template shell = /bin/false
	winbind separator = \
	winbind cache time = 15
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = No
	comment = 
	path = 
	alternate permissions = No
	username = 
	guest account = nobody
	invalid users = 
	valid users = 
	admin users = 
	read list = 
	write list = 
	printer admin = 
	force user = 
	force group = 
	read only = Yes
	create mask = 0744
	force create mode = 00
	security mask = 0777
	force security mode = 00
	directory mask = 0755
	force directory mode = 00
	directory security mask = 0777
	force directory security mode = 00
	force unknown acl user = 00
	inherit permissions = No
	inherit acls = No
	guest only = No
	guest ok = No
	only user = No
	hosts allow = 
	hosts deny = 
	status = Yes
	nt acl support = Yes
	profile acls = No
	block size = 1024
	max connections = 0
	min print space = 0
	strict allocate = No
	strict sync = No
	sync always = No
	write cache size = 0
	max print jobs = 1000
	printable = No
	postscript = No
	printing = cups
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
	lppause command = 
	lpresume command = 
	queuepause command = 
	queueresume command = 
	printer name = 
	use client driver = No
	default devmode = No
	printer driver = 
	printer driver file = /etc/samba/printers.def
	printer driver location = 
	default case = lower
	case sensitive = No
	preserve case = Yes
	short preserve case = Yes
	mangle case = No
	mangling char = ~
	hide dot files = Yes
	hide unreadable = No
	delete veto files = No
	veto files = 
	hide files = 
	veto oplock files = 
	map system = No
	map hidden = No
	map archive = Yes
	mangled names = Yes
	mangled map = 
	browseable = Yes
	blocking locks = Yes
	csc policy = manual
	fake oplocks = No
	locking = Yes
	oplocks = Yes
	level2 oplocks = Yes
	oplock contention limit = 2
	posix locking = Yes
	strict locking = No
	share modes = Yes
	copy = 
	include = 
	exec = 
	preexec close = No
	postexec = 
	root preexec = 
	root preexec close = No
	root postexec = 
	available = Yes
	volume = 
	fstype = NTFS
	set directory = No
	wide links = Yes
	follow symlinks = Yes
	dont descend = 
	magic script = 
	magic output = 
	delete readonly = No
	dos filemode = No
	dos filetimes = No
	dos filetime resolution = No
	fake directory create times = No
	vfs object = 
	vfs options = 
	msdfs root = No

[homes]
	comment = Home Directories
	read only = No
	create mask = 0644
	directory mask = 0775

[printers]
	comment = All Printers
	path = /tmp
	read only = No
	create mask = 0777
	guest ok = Yes
	printable = Yes
	browseable = No

[cdrom]
	comment = Samba server's CD-ROM
	path = /cdrom
	guest ok = Yes
	locking = No
	exec = /bin/mount /cdrom
	postexec = /bin/umount /cdrom

[epson]
	comment = Norm's CX3200
	path = /var/spool/samba
	read only = No
	create mask = 0777
	guest ok = Yes
	printable = Yes
	printer name = Epson

[Music]
	path = /share/Music

| invalid users = root    # (possibly overridden by "guest ok = yes")

I removed it.

|> | To troubleshoot the "Access denied", you might want to
|> | look into the "smbstatus" command, which shows *as which
|> | user* Samba is connecting clients to each share.
|
| Did you check this out?

Yep. smbstatus tells me that 'dbw' is connecting. That makes sense:

Samba version 2.2.8a-0.1 for Debian
Service      uid      gid      pid     machine
----------------------------------------------
IPC$         dbw      dbw        642   athena   (192.168.1.109) Tue May  6 13:19:35 2003

No locked files

|> | One final attempt to describe a more complete procedure:
|> |
|> | Can you connect with smbclient? Try (from a Linux client):
|> |
|> |     smbclient //[SambaIPaddress]/[printersharename] -U root%[password]
|> |
|> | You should see s.th. like this:
|> |
|> |     added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
|> |     Domain=[CUPS-PRINT] OS=[Unix] Server=[Samba 2.2.7a]
|> Oddly, "ndw" (me) fails: NT_STATUS_LOGON_FAILURE. But dbw (my wife),
|> guest, and nobody all succeed.
|
| Have you added "ndw" to the list of valid Samba users? Try
|
|    smbpasswd -a ndw
|
| as root. Or use any other authentication scheme you might have configured.

Yes, I can connect that way. 

| [But it is still very strange, since the "guest ok = yes" should let you
| access the share... Could it possibly be that WinXP Home isn't fit for
| networking inside an NT-domain-like environment?

*Sigh* I hope not. And I don't think so. This did work once before, before my
server got trashed.

| You *should* be able to get some more meaningful messages by staring at
|
|    tail -f /var/log/samba/log.[name_of_XPclient]
|
| while you try to connect...]

Above. More meaningful perhaps, but not actually very meaningful to me :-/

|> | If this works, install the driver to use your parallel port on Windows XP.
|> | Then try this from the "DOS window" in XP:
|> |
|> |     net use lpt1: \\[SambaIPaddress]\[printersharename] -U root%[password]
|
| This should of course be
|
|          net use lpt1: \\[SambaIPaddress]\[printersharename] -U Administrator%[password]

I can net use it, and then I can type "echo hi > lpt1:" and it prints. But
adding a printer on lpt1: and printing to that doesn't work. The job appears in
the Windows queue for a few minutes then goes away.

| OK -- we'll see...  ;-)

I hope you can see more clearly than I :-)

                                        Be seeing you,
                                          norm

-- 
Norman Walsh <ndw at nwalsh.com> | Nearly every complex solution to a
http://nwalsh.com/            | programming problem that I have looked
                              | at carefully has turned out to be
                              | wrong.--Brent Welch
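
Added example, not part of the original message and not Samba project code: a small parser for the level-3 smbd log format quoted above that reports, for each denied spoolss printer open, the printer name and the SIDs that se_access_check evaluated. The sample log, host, printer name and SIDs are constructed, and the function names parse_records and denied_printer_opens are hypothetical; the three well-known SID labels are the standard Windows ones.

```python
import re

# Constructed sample in the level-3 smbd log format quoted in the message (made-up names/SIDs).
SAMPLE_LOG = r"""[2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_rpcTNP(1197)
  api_rpcTNP: pipe 29733 rpc command: SPOOLSS_OPENPRINTEREX
  checking name: \\srv\Laser
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(269)
  se_access_check: user sid is S-1-5-21-1111-2222-3333-3004
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-21-1111-2222-3333-1013
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-1-0
[2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1181)
  access DENIED for printer open
"""

# Header line: [timestamp, level] source_file:function(line)
HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]\s+\S+:(\w+)\(\d+\)")
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "Network", "S-1-5-11": "Authenticated Users"}

def parse_records(text):
    """Return (timestamp, function, message) per header line plus its indented body."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(2), []])
        elif records and line.strip():
            records[-1][2].append(line.strip())
    return [(ts, fn, " ".join(body)) for ts, fn, body in records]

def denied_printer_opens(text):
    """One dict per denied spoolss open: printer name and the token SIDs checked."""
    out, printer, sids = [], None, []
    for ts, fn, msg in parse_records(text):
        if "SPOOLSS_OPENPRINTEREX" in msg:
            name = re.search(r"checking name:\s*(.+)$", msg)
            printer, sids = (name.group(1) if name else None), []
        elif fn == "se_access_check":
            sids += re.findall(r"S-\d+(?:-\d+)+", msg)
        elif "access DENIED for printer open" in msg:
            out.append({"time": ts, "printer": printer,
                        "user_sid": sids[0] if sids else None,
                        "groups": [WELL_KNOWN.get(s, s) for s in sids[1:]]})
            printer, sids = None, []
    return out

if __name__ == "__main__":
    for hit in denied_printer_opens(SAMPLE_LOG):
        print(hit)
```

To use it on a real log, pass the contents of the per-client file (for example the /var/log/samba/log.athena file mentioned above) to denied_printer_opens.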