[Samba] Access denied, unable to connect to printer
Kurt Pfeifle
kpfeifle at danka.de
Tue May 6 20:07:21 GMT 2003
Norman Walsh wrote:
> / "Kurt Pfeifle" <kpfeifle at danka.de> was heard to say:
> | Norman Walsh ndw at nwalsh.com wrote on Samba Digest
> |
> |> Mon Apr 28 10:21:43 GMT 2003
> |> / "Kurt Pfeifle" <kpfeifle at danka.de> was heard to say
> |> | Unforch, 2.2.3a is very old, with many known weaknesses in the printing
> |> | code.
> |> I should go off and build something more recent, eh? Fair 'nough.
> |> I see Debian binaries for 2.2.8, would that be significantly better?
> |
> | I would assume so.
>
> Ok, I'm now running 2.2.8.
>
> |> |> The server is using Cups
> |> |
> |> | Which version of CUPS?
> |> 1.1.15
> |> | What is the exact message you are getting on XP? What is the exact
> |> | procedure you are using to connect to the printer?
> |> I get "Access denied, unable to connect"
> |> First I double-click on a share drive to make sure I get prompted for
> |> username/password. After I've made sure I can connect to the server, I
> |> double click on the printer and it says "epson - Access denied, unable
> |> to connect" in the status bar.
I can't remember what you said about your procedure to install the Win XP
Printer driver. You may want to follow the procedures described for
* first upload the driver into the Samba [print$] share.
* then download it to the client.
This enables the NT-style MS-RPC/SPOOLSS named pipe printing. Installing
drivers directly and local to the clients is the old LanMan Win95 style.
(see smb.conf "use client driver" / "disable spoolss") (deprecated).
The most recent and most complete description is at
http://www.linuxprinting.org/kpfeifle/SambaPrintHOWTO/
It would be a great help to make this documentation complete and better,
if you tested it by following its descriptions and procedures.
Be warned: it will take time (but you will learn a lot), because the
descriptions are detailed and verbose (and partially redundant).
I would appreciate your feedback on it.
> | That's strange.
>
> It gets stranger. Looking in the /var/log/samba/log.athena file:
You may want to turn off the time stamps for better readability:
debug timestamp = no
> [2003/05/06 13:20:53, 3] smbd/process.c:process_smb(846)
> Transaction 13 of length 856
> [2003/05/06 13:20:53, 3] smbd/process.c:switch_message(685)
> switch message SMBtrans (pid 642)
> [2003/05/06 13:20:53, 3] smbd/ipc.c:reply_trans(520)
> trans <\PIPE\> data=776 params=0 setup=2
> [2003/05/06 13:20:53, 3] smbd/ipc.c:named_pipe(334)
> named pipe command on <> name
> [2003/05/06 13:20:53, 3] smbd/ipc.c:api_fd_reply(296)
> Got API command 0x26 on pipe "spoolss" (pnum 7425)free_pipe_context: destroying talloc pool of size 0
> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_pipe_request(1165)
> Doing \PIPE\spoolss
> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_rpcTNP(1197)
> api_rpcTNP: pipe 29733 rpc command: SPOOLSS_OPENPRINTEREX
> checking name: \\zeus\Epson
> [2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(394)
> Setting printer type=\\zeus\Epson
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(269)
> se_access_check: user sid is S-1-5-21-258535541-2170564375-100393917-3004
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-3005
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1013
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1015
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1041
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1043
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1045
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1049
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1051
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1059
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1081
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1089
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1101
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1121
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1201
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1025
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-1-0
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-2
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-11
> [2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1181)
> access DENIED for printer open
"man smb.conf
/use client driver ENTER
n
n
/disable spoolss ENTER
N
N"
> [2003/05/06 13:20:53, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(197)
> Closed policy
> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(444)
> free_pipe_context: destroying talloc pool of size 662
>
> Ok, at least I can see the explicit fail message. But...
>
> echo hi > \\zeus\epson
>
> prints "hi"!
>
> So the data actually flows to the device!
This matches the man page description for "use client driver".
I can't remember currently how you did set up the driver to come to the
WinXP. Was it Point'n'Print? Downloaded from Samba's [print$]?
> |> | Is it XP Prof or XP Home? Service Packs?
> |> Uhm, XP Home I would guess.
> |
> | Hmmmm... that is a completely different animal from XP Prof and I have no
> | experience with it.
> |
> | What does the "ver" command give you in a DOS box?
>
> Microsoft Windows XP [Version 5.1.2600]
Same here. And this is Win XP Prof, I know.
> |> |> Here's my smb.conf:
> |> |> [global]
> |> |> debuglevel = 5
> |> |> server string = Zeus
> |> |> encrypt passwords = true
> |> |> obey pam restrictions = Yes
> |
> | Are you trying to authenticate via PAM?
>
> Uhm, perhaps not. I deleted that line.
>
> | What is the setting for "security" on your Samba box?
> | If you haven't set it in smb.conf, "testparm" will show you the
> | compiled-in default taken in lieu of a specified "security = .."
> | line...
>
> "USER".
>
> Here's what testparm says about my configuration (I've tinkered a bit
> since I last posted it).
>
> # Global parameters
> [global]
[....]
printer admin =
You don't have a "printer admin" configured. You should (if you want
to enable the more modern MS-RPC printing...)
[....]
> vfs options =
> msdfs root = No
>
> [homes]
> comment = Home Directories
> read only = No
> create mask = 0644
> directory mask = 0775
>
> [printers]
> comment = All Printers
> path = /tmp
> read only = No
This should be made "read only = yes". This normally (for other types of shares)
prevents users from creating or modifying files in the service's directory. However, in
a "printable" service, it is ALWAYS allowed to write to the directory (if user
privileges allow connection), but only via print spooling operations. "Normal"
write operations are not allowed.
However, I am not sure if this affects your current problem...
> create mask = 0777
> guest ok = Yes
> printable = Yes
> browseable = No
>
> [cdrom]
> comment = Samba server's CD-ROM
> path = /cdrom
> guest ok = Yes
> locking = No
> exec = /bin/mount /cdrom
> postexec = /bin/umount /cdrom
>
> [epson]
> comment = Norm's CX3200
> path = /var/spool/samba
> read only = No
> create mask = 0777
> guest ok = Yes
> printable = Yes
> printer name = Epson
>
> [Music]
> path = /share/Music
>
> | invalid users = root # (possibly overridden by "guest ok = yes")
>
> I removed it.
>
> |> | To troubleshoot the "Access denied", you might want to
> |> | look into the "smbstatus" command, which shows *as which
> |> | user* Samba is connecting clients to each share.
> |
> | Did you check this out?
>
> Yep. smbstatus tells me that 'dbw' is connecting. That makes sense:
>
> Samba version 2.2.8a-0.1 for Debian
> Service uid gid pid machine
> ----------------------------------------------
> IPC$ dbw dbw 642 athena (192.168.1.109) Tue May 6 13:19:35 2003
>
> No locked files
Good.
> |> | One final attempt to describe a more complete procedure:
> |> |
> |> | Can you connect with smbclient? Try (from a Linux client):
> |> |
> |> | smbclient //[SambaIPaddress]/[printersharename] -U root%[password]
> |> |
> |> | You should see s.th. like this:
> |> |
> |> | added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
> |> | Domain=[CUPS-PRINT] OS=[Unix] Server=[Samba 2.2.7a]
> |> Oddly, "ndw" (me) fails: NT_STATUS_LOGON_FAILURE. But dbw (my wife),
> |> guest, and nobody all succeed.
> |
> | Have you added "ndw" to the list of valid Samba users? Try
> |
> | smbpasswd -a ndw
> |
> | as root. Or use any other authentication scheme you might have configured.
>
> Yes, I can connect that way.
Good.
> | [But it is still very strange, since the "guest ok = yes" should let you
> | access the share... Could it possibly be that WinXP Home isn't fit for
> | networking inside an NT-domain-like environment?
>
> *Sigh* I hope not. And I don't think so.
XP Home isn't able to participate in a domain-like environment, I checked.
It is worse than Win95 in many networking areas.
> This did work once before,
That's because you have Win XP Prof
> before my
> server got trashed.
>
> | You *should* be able to get some more meaningful messages by staring at
> |
> | tail -f /var/log/samba/log.[name_of_XPclient]
> |
> | while you try to connect...]
>
> Above. More meaningful perhaps, but not actually very meaningful to me :-/
>
> |> | If this works, install the driver to use your parallel port on Windows XP.
> |> | Then try this from the "DOS window" in XP:
> |> |
> |> | net use lpt1: \\[SambaIPaddress]\[printersharename] -U root%[password]
> |
> | This should of course be
> |
> | net use lpt1: \\[SambaIPaddress]\[printersharename] -U Administrator%[password]
>
> I can net use it, and then I can type "echo hi > lpt1:" and it prints. But
> adding a printer on lpt1: and printing to that doesn't work.
It will, if you can "echo-hi" print to it..... ;-) You just need to
send "legal" data.
Make the data the printer driver generates "legal":
* Probably CUPS is not set up to allow the raw passthru spooling of
"application/octet-stream"
* See the last lines in "/etc/cups/mime.types" and "/etc/cups/mime.convs"
and remove the comment sign "#". Restart cupsd. Print.
> The job appears in
> the Windows queue for a few minutes then goes away.
What happens on the Samba side? Does it arrive in the Samba path
for that printer (above you named "/var/spool/samba/"...)?
You should try to use
watch -n 1 "ls -ltr /var/spool/samba/"
while you print. Does something appear? If yes, does it get transferred to
the CUPS spool directory?
watch -n 1 "ls -lr /var/spool/cups/"
If yes, what does "/var/log/cups/error_log" contain? (Set "LogLevel
debug" in cupsd.conf).
> | OK -- we'll see... ;-)
>
> I hope you can see more clearly than I :-)
You may want to check out
http://www.linuxprinting.org/kpfeifle/SambaPrintHOWTO/
for a new fresh beginning using SPOOLSS, MS-RPC and [print$] share
printing (and "use client driver = no").
Actually, no. *I* want you to check out this and testdrive it.
Please forget that your printing now works following above
advice. (This is enabling LanMan style printing -- I want you
to test if this HOWTO enables you to install MS-RPC printing)
I will upload an update to this document in a few hours to be
even more explicit on some points I learned from this exchange.
> Be seeing you,
> norm
>
Thanks,
Kurt
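
An added example, not part of the original message or of Samba: a small triage script for the level-3 smbd log layout quoted in this thread, which ties each "access DENIED for printer open" line back to the SPOOLSS_OPENPRINTEREX call, the printer name checked and the SIDs that se_access_check evaluated. The function name and the sample log (with made-up SIDs and printer names) are assumptions; the three well-known SID names are the standard Windows ones.

```python
import re

# Constructed sample in the log layout quoted in the thread; SIDs, host and
# printer names are made up. The first call is not denied, the second is.
SAMPLE_LOG = r"""[2003/05/06 13:20:40, 3] rpc_server/srv_pipe.c:api_rpcTNP(1197)
  api_rpcTNP: pipe 29733 rpc command: SPOOLSS_OPENPRINTEREX
  checking name: \\srv\Laser
[2003/05/06 13:20:40, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(197)
  Closed policy
[2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_rpcTNP(1197)
  api_rpcTNP: pipe 29733 rpc command: SPOOLSS_OPENPRINTEREX
  checking name: \\srv\Inkjet
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(269)
  se_access_check: user sid is S-1-5-21-1111-2222-3333-1002
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-1-0
[2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
  se_access_check: also S-1-5-11
[2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1181)
  access DENIED for printer open"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]")
SID = re.compile(r"se_access_check: (?:user sid is|also) (S-[\d-]+)")
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "Network",
              "S-1-5-11": "Authenticated Users"}

def denied_printer_opens(text):
    """Return one dict per SPOOLSS_OPENPRINTEREX call that ended in a denial."""
    findings, cur, ts = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        hdr = HEADER.match(line)
        if hdr:
            ts = hdr["ts"]  # timestamp of the record being read
        elif "rpc command: SPOOLSS_OPENPRINTEREX" in line:
            # New call: discard state left over from a call that was not denied.
            cur = {"ts": ts, "printer": None, "sids": []}
        elif cur is None:
            continue
        elif line.startswith("checking name:"):
            cur["printer"] = line.split(":", 1)[1].strip()
        elif (sid := SID.search(line)):
            cur["sids"].append(sid.group(1))
        elif "access DENIED for printer open" in line:
            cur["groups"] = sorted(WELL_KNOWN[s] for s in cur["sids"] if s in WELL_KNOWN)
            findings.append(cur)
            cur = None
    return findings

if __name__ == "__main__":
    for f in denied_printer_opens(SAMPLE_LOG):
        print(f["ts"], f["printer"], f["sids"][0], f["groups"])
```

Run against /var/log/samba/log.[name_of_XPclient], the first SID in each finding is the connecting user's, which can be compared with the user that smbstatus reports.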