[Samba] Printing problem on RHEL3
Adam Lins
adam at bdti.com
Thu Jan 13 23:45:45 GMT 2005
Hi,
I have a problem printing on a RHEL3 server running samba-3.0.9-1.3E.1. The server is configured to authenticates users using a nearby Windows 2000 Active Directory server. Windows users are authenticated to shared drives just fine, but printing from Windows clients is proving impossible.
Occasionally I can hit a configuration that allows me to add a printer on my PC using the Add Printer wizard (usually by adding 'disable spoolss = yes' to smb.conf). But if I try to connect to the printer share from my Windows PC and print a test page, the test page fails to print and Windows asks to launch the troubleshooter. Looking in the Samba logs I see entries like this:
[2005/01/13 12:24:46, 3] lib/util_seaccess.c:se_access_check(251)
[2005/01/13 12:24:46, 3] lib/util_seaccess.c:se_access_check(252)
se_access_check: user sid is S-1-5-21-1214440339-1580818891-1202660629-2125
se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-513
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2183
se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2181
se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2184
se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2185
se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2188
se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2186
se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2187
se_access_check: also S-1-5-21-15958514-230334199-2340646718-3015
se_access_check: also S-1-5-21-15958514-230334199-2340646718-3017
se_access_check: also S-1-5-21-15958514-230334199-2340646718-3019
se_access_check: also S-1-5-21-15958514-230334199-2340646718-3023
se_access_check: also S-1-5-21-15958514-230334199-2340646718-3025
se_access_check: also S-1-5-21-15958514-230334199-2340646718-3027
se_access_check: also S-1-5-21-15958514-230334199-2340646718-3033
se_access_check: also S-1-5-21-15958514-230334199-2340646718-3035
se_access_check: also S-1-5-21-15958514-230334199-2340646718-5047
[2005/01/13 12:24:46, 3] printing/printing.c:print_job_start(2224)
print_job_start: job start denied by security descriptor
(Those are my, valid SIDs; I see the same SIDs displayed when connecting to a shared drive, followed in the samba log by messages indicating that my SIDs have been mapped correctly to a Unix user account.)
I'm completely stumped about the security descriptor entry: what security descriptor? One on the AD server?
The relevant pieces of the smb.conf are:
[global]
server string = Bertha SAMBA server
netbios name = bertha
client schannel = auto
server schannel = auto
client signing = Auto
server signing = Auto
client use spnego = yes
map to guest = bad user
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
password server = 192.168.1.3
ldap ssl = on
idmap uid = 1000-20000
idmap gid = 1000-20000
name resolve order = wins bcast
disable spoolss = yes
printcap name = cups
load printers = yes
printing = cups
cups options = raw
guest account = nobody
log file = /var/log/samba/%m.log
max log size = 500
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
security = ADS
wins server = 192.168.1.8
wins proxy = yes
dns proxy = no
[printers]
comment = All Printers
path = /var/spool/samba
create mode = 0600
browseable = no
public = yes
printable = yes
guest ok = yes
writable = no
use client driver = yes
This is driving me crazy. I've searched on Google and seen a lot of discussion in the past related to adding 'use client driver = yes' (which I have) and setting the correct permissions on /var/spool/samba (done). This problem seems to be directly related to how SAMBA+AD detemermine user permissions, but beyond that I have no idea what's really wrong or how to fix it.
Any help appreciated,
-Adam
More information about the samba
mailing list