2cent note-- RE: [Samba] Access denied, unable to connect to printer
Brian Wiese
bwiese at hms4emc.com
Tue May 20 16:35:49 GMT 2003
We had a similar problem here, different but perhaps not entirely unique if
someone else happens to make the same mistake. We give kudos to the samba
logging. =)
We have a linux samba print server with cups as a member server of an nt4
domain. The win98 users could print fine, win 2k could not - but that
wasn't the problem, though only these systems had an "access denied" error
message for the network printers.
In the samba global config, we had "admin users = root, @NT4dom+adminusers"
so these users were being translated to "root" while we also had "valid
users = @NT4dom+domainusers" in the global samba config as well (to prevent
share/printer enumeration by nondomain users)... so, this prevented our
NT4dom+adminusers group from printing... as "root" was not in the "valid
users" field. So we added 'root' to the "valid users = " line and it works
again.
hth someone else out there.
peace
Brian and Brandon
|-----Original Message-----
|From: Ryan Novosielski [mailto:novosirj at umdnj.edu]
|Sent: Tuesday, May 20, 2003 9:40 AM
|To: Samba Mailing List
|Subject: Re: [Samba] Access denied, unable to connect to printer
|
|
|I have the exact same problem. Printing does work, however -- just not
|actually opening the print queue.
|
|Ryan Novosielski - Jr. UNIX Systems Admin
|novosirj at umdnj.edu - 973/972.0922 (2-0922)
|Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
|
|On Tue, 6 May 2003, Norman Walsh wrote:
|
|> / "Kurt Pfeifle" <kpfeifle at danka.de> was heard to say:
|> | Norman Walsh ndw at nwalsh.com wrote on Samba Digest
|> |
|> |> Mon Apr 28 10:21:43 GMT 2003
|> |> / "Kurt Pfeifle" <kpfeifle at danka.de> was heard to say
|> |> | Unforch, 2.2.3a is very old, with many known weaknesses in the
|> |> | printing code.
|> |> I should go off and build something more recent, eh? Fair 'nough.
|> |> I see Debian binaries for 2.2.8, would that be significantly better?
|> |
|> | I would assume so.
|>
|> Ok, I'm now running 2.2.8.
|>
|> |> |> The server is using Cups
|> |> |
|> |> | Which version of CUPS?
|> |> 1.1.15
|> |> | What is the exact message you are getting on XP? What is the exact
|> |> | procedure you are using to connect to the printer?
|> |> I get "Access denied, unable to connect"
|> |> First I double-click on a share drive to make sure I get prompted for
|> |> username/password. After I've made sure I can connect to the server, I
|> |> double click on the printer and it says "epson - Access denied, unable
|> |> to connect" in the status bar.
|> |
|> | That's strange.
|>
|> It gets stranger. Looking in the /var/log/samba/log.athena file:
|>
|> [2003/05/06 13:20:53, 3] smbd/process.c:process_smb(846)
|> Transaction 13 of length 856
|> [2003/05/06 13:20:53, 3] smbd/process.c:switch_message(685)
|> switch message SMBtrans (pid 642)
|> [2003/05/06 13:20:53, 3] smbd/ipc.c:reply_trans(520)
|> trans <\PIPE\> data=776 params=0 setup=2
|> [2003/05/06 13:20:53, 3] smbd/ipc.c:named_pipe(334)
|> named pipe command on <> name
|> [2003/05/06 13:20:53, 3] smbd/ipc.c:api_fd_reply(296)
|> Got API command 0x26 on pipe "spoolss" (pnum 7425)free_pipe_context: destroying talloc pool of size 0
|> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_pipe_request(1165)
|> Doing \PIPE\spoolss
|> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe.c:api_rpcTNP(1197)
|> api_rpcTNP: pipe 29733 rpc command: SPOOLSS_OPENPRINTEREX
|> checking name: \\zeus\Epson
|> [2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(394)
|> Setting printer type=\\zeus\Epson
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(269)
|> se_access_check: user sid is S-1-5-21-258535541-2170564375-100393917-3004
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-3005
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1013
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1015
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1041
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1043
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1045
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1049
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1051
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1059
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1081
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1089
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1101
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1121
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1201
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-21-258535541-2170564375-100393917-1025
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-1-0
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-2
|> [2003/05/06 13:20:53, 3] lib/util_seaccess.c:se_access_check(273)
|> se_access_check: also S-1-5-11
|> [2003/05/06 13:20:53, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1181)
|> access DENIED for printer open
|> [2003/05/06 13:20:53, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(197)
|> Closed policy
|> [2003/05/06 13:20:53, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(444)
|> free_pipe_context: destroying talloc pool of size 662
|>
|> Ok, at least I can see the explicit fail message. But...
|>
|> echo hi > \\zeus\epson
|>
|> prints "hi"!
|>
|> So the data actually flows to the device!
|>
|> |> | Is it XP Prof or XP Home? Service Packs?
|> |> Uhm, XP Home I would guess.
|> |
|> | Hmmmm... that is a completely different animal from XP Prof and I have no
|> | experience with it.
|> |
|> | What does the "ver" command give you in a DOS box?
|>
|> Microsoft Windows XP [Version 5.1.2600]
|>
|> |> |> Here's my smb.conf:
|> |> |> [global]
|> |> |> debuglevel = 5
|> |> |> server string = Zeus
|> |> |> encrypt passwords = true
|> |> |> obey pam restrictions = Yes
|> |
|> | Are you trying to authenticate via PAM?
|>
|> Uhm, perhaps not. I deleted that line.
|>
|> | What is the setting for "security" on your Samba box?
|> | If you haven't set it in smb.conf, "testparm" will show you the
|> | compiled-in default taken in lieu of a specified "security = .."
|> | line...
|>
|> "USER".
|>
|> Here's what testparm says about my configuration (I've tinkered a bit
|> since I last posted it).
|>
|> # Global parameters
|> [global]
|> coding system =
|> client code page = 850
|> code page directory = /usr/share/samba/codepages
|> workgroup = WORKGROUP
|> netbios name =
|> netbios aliases =
|> netbios scope =
|> server string = Zeus
|> interfaces =
|> bind interfaces only = No
|> security = USER
|> encrypt passwords = Yes
|> update encrypted = No
|> allow trusted domains = Yes
|> hosts equiv =
|> min passwd length = 5
|> map to guest = Never
|> null passwords = No
|> obey pam restrictions = No
|> password server =
|> smb passwd file = /etc/samba/smbpasswd
|> root directory =
|> pam password change = No
|> passwd program = /usr/bin/passwd
|> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
|> passwd chat debug = No
|> username map =
|> password level = 0
|> username level = 0
|> unix password sync = No
|> restrict anonymous = No
|> lanman auth = Yes
|> use rhosts = No
|> admin log = No
|> log level = 3
|> syslog = 0
|> syslog only = No
|> log file = /var/log/samba/log.%m
|> max log size = 1000
|> timestamp logs = Yes
|> debug hires timestamp = No
|> debug pid = No
|> debug uid = No
|> protocol = NT1
|> large readwrite = Yes
|> max protocol = NT1
|> min protocol = CORE
|> read bmpx = No
|> read raw = Yes
|> write raw = Yes
|> acl compatibility =
|> nt smb support = Yes
|> nt pipe support = Yes
|> nt status support = Yes
|> announce version = 4.9
|> announce as = NT
|> max mux = 50
|> max xmit = 16644
|> name resolve order = lmhosts host wins bcast
|> max ttl = 259200
|> max wins ttl = 518400
|> min wins ttl = 21600
|> time server = No
|> unix extensions = No
|> change notify timeout = 60
|> deadtime = 0
|> getwd cache = Yes
|> keepalive = 300
|> lpq cache time = 10
|> max smbd processes = 0
|> max disk size = 0
|> max open files = 10000
|> name cache timeout = 660
|> read size = 16384
|> socket options = TCP_NODELAY
|> stat cache size = 50
|> use mmap = Yes
|> total print jobs = 0
|> load printers = Yes
|> printcap name = cups
|> disable spoolss = No
|> enumports command =
|> addprinter command =
|> deleteprinter command =
|> show add printer wizard = Yes
|> os2 driver map =
|> strip dot = No
|> mangling method = hash
|> character set =
|> mangled stack = 50
|> stat cache = Yes
|> domain admin group =
|> domain guest group =
|> machine password timeout = 604800
|> add user script =
|> delete user script =
|> logon script =
|> logon path = \\%N\%U\profile
|> logon drive =
|> logon home = \\%N\%U
|> domain logons = No
|> os level = 20
|> lm announce = Auto
|> lm interval = 60
|> preferred master = Auto
|> local master = Yes
|> domain master = Yes
|> browse list = Yes
|> enhanced browsing = Yes
|> dns proxy = No
|> wins proxy = No
|> wins server =
|> wins support = Yes
|> wins hook =
|> kernel oplocks = Yes
|> lock spin count = 3
|> lock spin time = 10
|> oplock break wait time = 0
|> add share command =
|> change share command =
|> delete share command =
|> config file =
|> preload =
|> lock dir =
|> pid directory = /var/run/samba
|> utmp directory =
|> wtmp directory =
|> utmp = No
|> default service =
|> message command =
|> dfree command =
|> valid chars =
|> remote announce =
|> remote browse sync =
|> socket address = 0.0.0.0
|> homedir map =
|> time offset = 0
|> NIS homedir = No
|> source environment =
|> panic action =
|> hide local users = No
|> host msdfs = No
|> winbind uid =
|> winbind gid =
|> template homedir = /home/%D/%U
|> template shell = /bin/false
|> winbind separator = \
|> winbind cache time = 15
|> winbind enum users = Yes
|> winbind enum groups = Yes
|> winbind use default domain = No
|> comment =
|> path =
|> alternate permissions = No
|> username =
|> guest account = nobody
|> invalid users =
|> valid users =
|> admin users =
|> read list =
|> write list =
|> printer admin =
|> force user =
|> force group =
|> read only = Yes
|> create mask = 0744
|> force create mode = 00
|> security mask = 0777
|> force security mode = 00
|> directory mask = 0755
|> force directory mode = 00
|> directory security mask = 0777
|> force directory security mode = 00
|> force unknown acl user = 00
|> inherit permissions = No
|> inherit acls = No
|> guest only = No
|> guest ok = No
|> only user = No
|> hosts allow =
|> hosts deny =
|> status = Yes
|> nt acl support = Yes
|> profile acls = No
|> block size = 1024
|> max connections = 0
|> min print space = 0
|> strict allocate = No
|> strict sync = No
|> sync always = No
|> write cache size = 0
|> max print jobs = 1000
|> printable = No
|> postscript = No
|> printing = cups
|> print command = lpr -r -P'%p' %s
|> lpq command = lpq -P'%p'
|> lprm command = lprm -P'%p' %j
|> lppause command =
|> lpresume command =
|> queuepause command =
|> queueresume command =
|> printer name =
|> use client driver = No
|> default devmode = No
|> printer driver =
|> printer driver file = /etc/samba/printers.def
|> printer driver location =
|> default case = lower
|> case sensitive = No
|> preserve case = Yes
|> short preserve case = Yes
|> mangle case = No
|> mangling char = ~
|> hide dot files = Yes
|> hide unreadable = No
|> delete veto files = No
|> veto files =
|> hide files =
|> veto oplock files =
|> map system = No
|> map hidden = No
|> map archive = Yes
|> mangled names = Yes
|> mangled map =
|> browseable = Yes
|> blocking locks = Yes
|> csc policy = manual
|> fake oplocks = No
|> locking = Yes
|> oplocks = Yes
|> level2 oplocks = Yes
|> oplock contention limit = 2
|> posix locking = Yes
|> strict locking = No
|> share modes = Yes
|> copy =
|> include =
|> exec =
|> preexec close = No
|> postexec =
|> root preexec =
|> root preexec close = No
|> root postexec =
|> available = Yes
|> volume =
|> fstype = NTFS
|> set directory = No
|> wide links = Yes
|> follow symlinks = Yes
|> dont descend =
|> magic script =
|> magic output =
|> delete readonly = No
|> dos filemode = No
|> dos filetimes = No
|> dos filetime resolution = No
|> fake directory create times = No
|> vfs object =
|> vfs options =
|> msdfs root = No
|>
|> [homes]
|> comment = Home Directories
|> read only = No
|> create mask = 0644
|> directory mask = 0775
|>
|> [printers]
|> comment = All Printers
|> path = /tmp
|> read only = No
|> create mask = 0777
|> guest ok = Yes
|> printable = Yes
|> browseable = No
|>
|> [cdrom]
|> comment = Samba server's CD-ROM
|> path = /cdrom
|> guest ok = Yes
|> locking = No
|> exec = /bin/mount /cdrom
|> postexec = /bin/umount /cdrom
|>
|> [epson]
|> comment = Norm's CX3200
|> path = /var/spool/samba
|> read only = No
|> create mask = 0777
|> guest ok = Yes
|> printable = Yes
|> printer name = Epson
|>
|> [Music]
|> path = /share/Music
|>
|> | invalid users = root # (possibly overridden by "guest ok = yes")
|>
|> I removed it.
|>
|> |> | To troubleshoot the "Access denied", you might want to
|> |> | look into the "smbstatus" command, which shows *as which
|> |> | user* Samba is connecting clients to each share.
|> |
|> | Did you check this out?
|>
|> Yep. smbstatus tells me that 'dbw' is connecting. That makes sense:
|>
|> Samba version 2.2.8a-0.1 for Debian
|> Service uid gid pid machine
|> - ----------------------------------------------
|> IPC$ dbw dbw 642 athena (192.168.1.109) Tue May 6 13:19:35 2003
|>
|> No locked files
|>
|> |> | One final attempt to describe a more complete procedure:
|> |> |
|> |> | Can you connect with smbclient? Try (from a Linux client):
|> |> |
|> |> | smbclient //[SambaIPaddress]/[printersharename] -U root%[password]
|> |> |
|> |> | You should see s.th. like this:
|> |> |
|> |> | added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
|> |> | Domain=[CUPS-PRINT] OS=[Unix] Server=[Samba 2.2.7a]
|> |> Oddly, "ndw" (me) fails: NT_STATUS_LOGON_FAILURE. But dbw (my wife),
|> |> guest, and nobody all succeed.
|> |
|> | Have you added "ndw" to the list of valid Samba users? Try
|> |
|> | smbpasswd -a ndw
|> |
|> | as root. Or use any other authentication scheme you might have
|> | configured.
|>
|> Yes, I can connect that way.
|>
|> | [But it is still very strange, since the "guest ok = yes" should let you
|> | access the share... Could it possibly be that WinXP Home isn't fit for
|> | networking inside an NT-domain-like environment?
|>
|> *Sigh* I hope not. And I don't think so. This did work once before, before my
|> server got trashed.
|>
|> | You *should* be able to get some more meaningful messages by staring at
|> |
|> | tail -f /var/log/samba/log.[name_of_XPclient]
|> |
|> | while you try to connect...]
|>
|> Above. More meaningful perhaps, but not actually very meaningful to me :-/
|>
|> |> | If this works, install the driver to use your parallel port on Windows XP.
|> |> | Then try this from the "DOS window" in XP:
|> |> |
|> |> | net use lpt1: \\[SambaIPaddress]\[printersharename] -U root%[password]
|> |
|> | This should of course be
|> |
|> | net use lpt1: \\[SambaIPaddress]\[printersharename] -U Administrator%[password]
|>
|> I can net use it, and then I can type "echo hi > lpt1:" and it prints. But
|> adding a printer on lpt1: and printing to that doesn't work. The job appears in
|> the Windows queue for a few minutes then goes away.
|>
|> | OK -- we'll see... ;-)
|>
|> I hope you can see more clearly than I :-)
|>
|> Be seeing you,
|> norm
|>
|> - --
|> Norman Walsh <ndw at nwalsh.com> | Nearly every complex solution to a
|> http://nwalsh.com/ | programming problem that I have looked
|> | at carefully has turned out to be
|> | wrong.--Brent Welch
|> --
|> To unsubscribe from this list go to the following URL and read the
|> instructions: http://lists.samba.org/mailman/listinfo/samba
|>
|
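The "admin users" / "valid users" interaction Brian describes at the top of this message can be checked for mechanically. The following is an added example, not part of the original post and not Samba code: it models the behaviour as the message describes it (admin users are translated to root, and root must then pass "valid users"). The [printers] and [scratch] shares, the sample text and the function names are constructed for illustration, and user lists are assumed to contain no quoted names with spaces.

```python
import re

# Constructed sample reproducing the settings described in the message above.
SAMPLE_SMB_CONF = """
[global]
   admin users = root, @NT4dom+adminusers
   valid users = @NT4dom+domainusers

[printers]
   printable = yes

[scratch]
   path = /srv/scratch
   valid users = root, @NT4dom+domainusers
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[_norm(key)] = value.strip()
    return sections

def find_admin_lockouts(text):
    """Shares where admin users (run as root) are rejected by valid users."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue
        eff = {**defaults, **params}  # share settings override [global]
        admins = [m for m in re.split(r"[,\s]+", eff.get("adminusers", "")) if m]
        valid = [m for m in re.split(r"[,\s]+", eff.get("validusers", "")) if m]
        if admins and valid and "root" not in valid:
            findings.append((share, [a for a in admins if a != "root"]))
    return findings

if __name__ == "__main__":
    for share, admins in find_admin_lockouts(SAMPLE_SMB_CONF):
        print(f"[{share}] {admins} run as root, but root is not in valid users")
```

On the sample, only [printers] is reported; [scratch] overrides "valid users" with a list that includes root, which is the fix the message describes.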