[Samba] Printing problem on RHEL3

Adam Lins adam at bdti.com
Thu Jan 13 23:45:45 GMT 2005


I have a problem printing on a RHEL3 server running samba-3.0.9-1.3E.1. The server is configured to authenticates users using a nearby Windows 2000 Active Directory server. Windows users are authenticated to shared drives just fine, but printing from Windows clients is proving impossible. 

Occasionally I can hit a configuration that allows me to add a printer on my PC using the Add Printer wizard (usually by adding 'disable spoolss = yes' to smb.conf). But if I try to connect to the printer share from my Windows PC and print a test page, the test page fails to print and Windows asks to launch the troubleshooter. Looking in the Samba logs I see entries like this:

 [2005/01/13 12:24:46, 3] lib/util_seaccess.c:se_access_check(251)
 [2005/01/13 12:24:46, 3] lib/util_seaccess.c:se_access_check(252)
   se_access_check: user sid is S-1-5-21-1214440339-1580818891-1202660629-2125
   se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-513
   se_access_check: also S-1-1-0
   se_access_check: also S-1-5-2
   se_access_check: also S-1-5-11
   se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2183
   se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2181
   se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2184
   se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2185
   se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2188
   se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2186
   se_access_check: also S-1-5-21-1214440339-1580818891-1202660629-2187
   se_access_check: also S-1-5-21-15958514-230334199-2340646718-3015
   se_access_check: also S-1-5-21-15958514-230334199-2340646718-3017
   se_access_check: also S-1-5-21-15958514-230334199-2340646718-3019
   se_access_check: also S-1-5-21-15958514-230334199-2340646718-3023
   se_access_check: also S-1-5-21-15958514-230334199-2340646718-3025
   se_access_check: also S-1-5-21-15958514-230334199-2340646718-3027
   se_access_check: also S-1-5-21-15958514-230334199-2340646718-3033
   se_access_check: also S-1-5-21-15958514-230334199-2340646718-3035
   se_access_check: also S-1-5-21-15958514-230334199-2340646718-5047
 [2005/01/13 12:24:46, 3] printing/printing.c:print_job_start(2224)
   print_job_start: job start denied by security descriptor

(Those are my, valid SIDs; I see the same SIDs displayed when connecting to a shared drive, followed in the samba log by messages indicating that my SIDs have been mapped correctly to a Unix user account.)

I'm completely stumped about the security descriptor entry: what security descriptor? One on the AD server?

The relevant pieces of the smb.conf are:

        server string = Bertha SAMBA server
        netbios name = bertha
        client schannel = auto
        server schannel = auto
        client signing = Auto
        server signing = Auto
        client use spnego = yes
        map to guest = bad user
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        password server =
        ldap ssl = on
        idmap uid = 1000-20000
        idmap gid = 1000-20000
        name resolve order = wins bcast
        disable spoolss = yes
        printcap name = cups
        load printers = yes
        printing = cups
        cups options = raw
        guest account = nobody
        log file = /var/log/samba/%m.log
        max log size = 500
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = no
        domain master = no
        preferred master = no        
        security = ADS
        wins server =
        wins proxy = yes
        dns proxy = no

        comment = All Printers
        path = /var/spool/samba
        create mode = 0600
        browseable = no
        public = yes
        printable = yes
        guest ok = yes
        writable = no
        use client driver = yes

This is driving me crazy. I've searched on Google and seen a lot of discussion in the past related to adding 'use client driver = yes' (which I have) and setting the correct permissions on /var/spool/samba (done). This problem seems to be directly related to how SAMBA+AD detemermine user permissions, but beyond that I have no idea what's really wrong or how to fix it. 

Any help appreciated,

More information about the samba mailing list