[Samba] Access denied, unable to connect to printer
Ryan Novosielski
novosirj at umdnj.edu
Tue May 20 14:40:12 GMT 2003
I have the exact same problem. Printing does work, however -- just not
actually opening the print queue.
---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | | Ryan Novosielski - Jr. UNIX Systems Admin
|$&| |__| | | |__/ | \| _| | novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
On Tue, 6 May 2003, Norman Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> / "Kurt Pfeifle" <kpfeifle at danka.de> was heard to say:
> | Norman Walsh ndw at nwalsh.com wrote on Samba Digest
> |
> |> Mon Apr 28 10:21:43 GMT 2003
> |> / "Kurt Pfeifle" <kpfeifle at danka.de> was heard to say
> |> | Unforch, 2.2.3a is very old, with many known weaknesses in the printing
> |> | code.
> |> I should go off and build something more recent, eh? Fair 'nough.
> |> I see Debian binaries for 2.2.8, would that be significantly better?
> |
> | I would assume so.
>
> Ok, I'm now running 2.2.8.
>
> |> |> The server is using Cups
> |> |
> |> | Which version of CUPS?
> |> 1.1.15
> |> | What is the exact message you are getting on XP? What is the exact
> |> | procedure you are using to connect to the printer?
> |> I get "Access dened, unable to connnect"
> |> First I double-click on a share drive to make sure I get prompted for
> |> username/password. After I've made sure I can connect to the server, I
> |> double click on the printer and it says "epson - Access dened, unable
> |> to connnect" in the status bar.
> |
> | That's strange.
>
> It gets stranger. Looking in the /var/log/samba/log.athena file:
>
> [2003/05/06 13:20:53, 3] smbd/process.c:process_smb(846)
> Transaction 13 of length 856
> [2003/05/06 13:20:53, 3] smbd/process.c:switch_message(685)
> switch message SMBtrans (pid 642)
> [2003/05/06 13:20:53, 3] smbd/ipc.c:reply_trans(520)
> trans <\PIPE\> data=776 params=0 setup=2
> [2003/05/06 13:20:53, 3] smbd/ipc.c:named_pipe(334)
> named pipe command on <> name
> [2003/05/06 13:20:53, 3] smbd/ipc.c:api_fd_reply(296)
> Got API command 0x26 on pipe "spoolss" (pnum 7425)free_pipe_context: destroying talloc pool of size 0
> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_pipe_request(1165)
> Doing \PIPE\spoolss
> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_rpcTNP(1197)
> api_rpcTNP: pipe 29733 rpc command: SPOOLSS_OPENPRINTEREX
> checking name: \\zeus\Epson
> [2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(394)
> Setting printer type=\\zeus\Epson
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(269)
> se_access_check: user sid is S-1-5-21-258535541-2170564375-100393917-3004
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-3005
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1013
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1015
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1041
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1043
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1045
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1049
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1051
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1059
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1081
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1089
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1101
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1121
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1201
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1025
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-1-0
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-2
> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
> se_access_check: also S-1-5-11
> [2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1181)
> access DENIED for printer open
> [2003/05/06 13:20:53, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(197)
> Closed policy
> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(444)
> free_pipe_context: destroying talloc pool of size 662
>
> Ok, at least I can see the explicit fail message. But...
>
> echo hi > \\zeus\epson
>
> prints "hi"!
>
> So the data actually flows to the device!
>
> |> | Is it XP Prof or XP Home? Service Packs?
> |> Uhm, XP Home I would guess.
> |
> | Hmmmm... that is a completely different animal from XP Prof and I have no
> | experience with it.
> |
> | What does the "ver" command give you in a DOS box?
>
> Microsoft Windows XP [Version 5.1.2600]
>
> |> |> Here's my smb.conf:
> |> |> [global]
> |> |> debuglevel = 5
> |> |> server string = Zeus
> |> |> encrypt passwords = true
> |> |> obey pam restrictions = Yes
> |
> | Are you trying to authenticate via PAM?
>
> Uhm, perhaps not. I deleted that line.
>
> | What is the setting for "security" on your Samba box?
> | If you haven't set it in smb.conf, "testparm" will show you the
> | compiled-in default taken in lieu of a specified "security = .."
> | line...
>
> "USER".
>
> Here's what testparm says about my configuration (I've tinkered a bit
> since I last posted it).
>
> # Global parameters
> [global]
> coding system =
> client code page = 850
> code page directory = /usr/share/samba/codepages
> workgroup = WORKGROUP
> netbios name =
> netbios aliases =
> netbios scope =
> server string = Zeus
> interfaces =
> bind interfaces only = No
> security = USER
> encrypt passwords = Yes
> update encrypted = No
> allow trusted domains = Yes
> hosts equiv =
> min passwd length = 5
> map to guest = Never
> null passwords = No
> obey pam restrictions = No
> password server =
> smb passwd file = /etc/samba/smbpasswd
> root directory =
> pam password change = No
> passwd program = /usr/bin/passwd
> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
> passwd chat debug = No
> username map =
> password level = 0
> username level = 0
> unix password sync = No
> restrict anonymous = No
> lanman auth = Yes
> use rhosts = No
> admin log = No
> log level = 3
> syslog = 0
> syslog only = No
> log file = /var/log/samba/log.%m
> max log size = 1000
> timestamp logs = Yes
> debug hires timestamp = No
> debug pid = No
> debug uid = No
> protocol = NT1
> large readwrite = Yes
> max protocol = NT1
> min protocol = CORE
> read bmpx = No
> read raw = Yes
> write raw = Yes
> acl compatibility =
> nt smb support = Yes
> nt pipe support = Yes
> nt status support = Yes
> announce version = 4.9
> announce as = NT
> max mux = 50
> max xmit = 16644
> name resolve order = lmhosts host wins bcast
> max ttl = 259200
> max wins ttl = 518400
> min wins ttl = 21600
> time server = No
> unix extensions = No
> change notify timeout = 60
> deadtime = 0
> getwd cache = Yes
> keepalive = 300
> lpq cache time = 10
> max smbd processes = 0
> max disk size = 0
> max open files = 10000
> name cache timeout = 660
> read size = 16384
> socket options = TCP_NODELAY
> stat cache size = 50
> use mmap = Yes
> total print jobs = 0
> load printers = Yes
> printcap name = cups
> disable spoolss = No
> enumports command =
> addprinter command =
> deleteprinter command =
> show add printer wizard = Yes
> os2 driver map =
> strip dot = No
> mangling method = hash
> character set =
> mangled stack = 50
> stat cache = Yes
> domain admin group =
> domain guest group =
> machine password timeout = 604800
> add user script =
> delete user script =
> logon script =
> logon path = \\%N\%U\profile
> logon drive =
> logon home = \\%N\%U
> domain logons = No
> os level = 20
> lm announce = Auto
> lm interval = 60
> preferred master = Auto
> local master = Yes
> domain master = Yes
> browse list = Yes
> enhanced browsing = Yes
> dns proxy = No
> wins proxy = No
> wins server =
> wins support = Yes
> wins hook =
> kernel oplocks = Yes
> lock spin count = 3
> lock spin time = 10
> oplock break wait time = 0
> add share command =
> change share command =
> delete share command =
> config file =
> preload =
> lock dir =
> pid directory = /var/run/samba
> utmp directory =
> wtmp directory =
> utmp = No
> default service =
> message command =
> dfree command =
> valid chars =
> remote announce =
> remote browse sync =
> socket address = 0.0.0.0
> homedir map =
> time offset = 0
> NIS homedir = No
> source environment =
> panic action =
> hide local users = No
> host msdfs = No
> winbind uid =
> winbind gid =
> template homedir = /home/%D/%U
> template shell = /bin/false
> winbind separator = \
> winbind cache time = 15
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = No
> comment =
> path =
> alternate permissions = No
> username =
> guest account = nobody
> invalid users =
> valid users =
> admin users =
> read list =
> write list =
> printer admin =
> force user =
> force group =
> read only = Yes
> create mask = 0744
> force create mode = 00
> security mask = 0777
> force security mode = 00
> directory mask = 0755
> force directory mode = 00
> directory security mask = 0777
> force directory security mode = 00
> force unknown acl user = 00
> inherit permissions = No
> inherit acls = No
> guest only = No
> guest ok = No
> only user = No
> hosts allow =
> hosts deny =
> status = Yes
> nt acl support = Yes
> profile acls = No
> block size = 1024
> max connections = 0
> min print space = 0
> strict allocate = No
> strict sync = No
> sync always = No
> write cache size = 0
> max print jobs = 1000
> printable = No
> postscript = No
> printing = cups
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> lppause command =
> lpresume command =
> queuepause command =
> queueresume command =
> printer name =
> use client driver = No
> default devmode = No
> printer driver =
> printer driver file = /etc/samba/printers.def
> printer driver location =
> default case = lower
> case sensitive = No
> preserve case = Yes
> short preserve case = Yes
> mangle case = No
> mangling char = ~
> hide dot files = Yes
> hide unreadable = No
> delete veto files = No
> veto files =
> hide files =
> veto oplock files =
> map system = No
> map hidden = No
> map archive = Yes
> mangled names = Yes
> mangled map =
> browseable = Yes
> blocking locks = Yes
> csc policy = manual
> fake oplocks = No
> locking = Yes
> oplocks = Yes
> level2 oplocks = Yes
> oplock contention limit = 2
> posix locking = Yes
> strict locking = No
> share modes = Yes
> copy =
> include =
> exec =
> preexec close = No
> postexec =
> root preexec =
> root preexec close = No
> root postexec =
> available = Yes
> volume =
> fstype = NTFS
> set directory = No
> wide links = Yes
> follow symlinks = Yes
> dont descend =
> magic script =
> magic output =
> delete readonly = No
> dos filemode = No
> dos filetimes = No
> dos filetime resolution = No
> fake directory create times = No
> vfs object =
> vfs options =
> msdfs root = No
>
> [homes]
> comment = Home Directories
> read only = No
> create mask = 0644
> directory mask = 0775
>
> [printers]
> comment = All Printers
> path = /tmp
> read only = No
> create mask = 0777
> guest ok = Yes
> printable = Yes
> browseable = No
>
> [cdrom]
> comment = Samba server's CD-ROM
> path = /cdrom
> guest ok = Yes
> locking = No
> exec = /bin/mount /cdrom
> postexec = /bin/umount /cdrom
>
> [epson]
> comment = Norm's CX3200
> path = /var/spool/samba
> read only = No
> create mask = 0777
> guest ok = Yes
> printable = Yes
> printer name = Epson
>
> [Music]
> path = /share/Music
>
> | invalid users = root # (possibly overridden by "guest ok = yes")
>
> I removed it.
>
> |> | To troubleshoot the "Access denied", you might want to
> |> | look into the "smbstatus" command, which shows *as which
> |> | user* Samba is connecting clients to each share.
> |
> | Did you check this out?
>
> Yep. smbstatus tells me that 'dbw' is connecting. That makes sense:
>
> Samba version 2.2.8a-0.1 for Debian
> Service uid gid pid machine
> - ----------------------------------------------
> IPC$ dbw dbw 642 athena (192.168.1.109) Tue May 6 13:19:35 2003
>
> No locked files
>
> |> | One final attempt to describe a more complete procedure:
> |> |
> |> | Can you connect with smbclient? Try (from a Linux client):
> |> |
> |> | smbclient //[SambaIPaddress]/[printersharename] -U root%[password]
> |> |
> |> | You should see s.th. like this:
> |> |
> |> | added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
> |> | Domain=[CUPS-PRINT] OS=[Unix] Server=[Samba 2.2.7a]
> |> Oddly, "ndw" (me) fails: NT_STATUS_LOGON_FAILURE. But dbw (my wife),
> |> guest, and nobody all succeed.
> |
> | Have you added "ndw" to the list of valid Samba users? Try
> |
> | smbpasswd -a ndw
> |
> | as root. Or use any other authentication scheme you might have configured.
>
> Yes, I can connect that way.
>
> | [But it is still very strange, since the "guest ok = yes" should let you
> | access the share... Could it possibly be that WinXP Home isn't fit for
> | networking inside an NT-domain-like environment?
>
> *Sigh* I hope not. And I don't think so. This did work once before, before my
> server got trashed.
>
> | You *should* be able to get some more meaningful messages by staring at
> |
> | tail -f /var/log/samba/log.[name_of_XPclient]
> |
> | while you try to connect...]
>
> Above. More meaningful perhaps, but not actually very meaningful to me :-/
>
> |> | If this works, install the driver to use your parallel port on Windows XP.
> |> | Then try this from the "DOS window" in XP:
> |> |
> |> | net use lpt1: \\[SambaIPaddress]\[printersharename] -U root%[password]
> |
> | This should of course be
> |
> | net use lpt1: \\[SambaIPaddress]\[printersharename] -U Administrator%[password]
>
> I can net use it, and then I can type "echo hi > lpt1:" and it prints. But
> adding a printer on lpt1: and printing to that doesn't work. The job appears in
> the Windows queue for a few minutes then goes away.
>
> | OK -- we'll see... ;-)
>
> I hope you can see more clearly than I :-)
>
> Be seeing you,
> norm
>
> - --
> Norman Walsh <ndw at nwalsh.com> | Nearly every complex solution to a
> http://nwalsh.com/ | programming problem that I have looked
> | at carefully has turned out to be
> | wrong.--Brent Welch
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>
>
> iD8DBQE+t/bUOyltUcwYWjsRAq+TAKCM7QjRHdosNRdbBh/bwSOsOg888wCeMHab
> g9TbFoYEiiZHnH8V5hLnDiA=
> =vNtt
> -----END PGP SIGNATURE-----
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
>
More information about the samba
mailing list