[Samba] our windows APW can't add printer driver to samba domain member

daniel.jarboe at custserv.com daniel.jarboe at custserv.com
Fri Oct 10 13:23:17 GMT 2003

The problem is probably either permissions on /var/lib/samba/printers or
the subdirectory you are writing to being so restrictive that the user
who is connecting to add drivers via APW can't write the files to the
subdirectory they need to.  So fix that first... and clean up your
create mask = 0700 line so that it doesn't happen the next time a
subdirectory is created, and so that users will actually be able to
read/retrieve the uploaded files.

There are two layers of security you need to be concerned with... the
first is samba's write list for the print$ share, which you have set up
to allow anyone in the group MYGROUP\Staff.  Once a user is found to be
in that group, they can write files to the share IFF the filesystem
allows the user connecting to samba to write to the filesystem.  The
reason your create mask is a problem is because if a user passes both
of these tests and uploads drivers, your create mask is set to 0700 so
the files will be rwx------ (and owned by the user who uploaded the
files).  That means only the user who actually uploads the files (or
root) will be able to ever do anything with them... like use them for
point 'n print.

> We've actually tried changing that. also we've tried different 
> permissions on the printers/W* directories, but still the 
> same error on APW.

> >>[print$]
> >>        comment = Printer Drivers
> >>        path = /var/lib/samba/printers
> >>        write list = root, @MYGROUP\Staff
> >>        create mask = 0700
> >>    
> >>
> >
> >Can /var/lib/samba/printers be reached by a member of @MYGROUP\Staff?
> >What does the ownership permissions of the subdirectories look like?
> >i.e. W32X86... W32X86/2... W32X86/3?
> >
> >Your create mask of 0700 seems like it would be problematic for a few
> >reasons, but mostly because your write list is group based, and other
> >users will not be able to read files from print$.


