[Samba] No access check deleting printer drivers
Cesar Hernandez
sistemes at genos.es
Fri Feb 17 15:39:20 GMT 2006
Hi.
I have the same poblem. I can delete any unused printer driver from my
samba server. I use samba-3.0.21b. The difference is that I use a
windows 2000 client; login as user to the samba domain (no
administrative privileges). Then I go to \\server , printers, server
properties, and I can delete any unused printer driver.
However, I cannot add any printer driver (as a normal user). Also, I
cannot create/delete/modify any file in \\server\print$. When I connect
as administrator, I can delete/add, etc.. printer drivers as usual.
That user is in domain users, and hasn't any privilege (like
SePrintOperatorPrivilege).
My smb.conf is the following:
[global]
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
add machine script = /etc/groupware/scripts/create_machine.sh %u
os level=33
logon path = \\%L\Profiles\%U
logon home= \\%L\Profiles\%U
logon drive = j:
enable privileges = yes
logon script = startup.bat
security = user
workgroup = JLPDOM
netbios name = jlp
printing = cups
printcap name = cups
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = "cn=manager,dc=jlp,dc=es"
ldap ssl = on
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=jlp,dc=es
log file = /var/log/samba/log.%m
max log size = 50
server string = Samba Server at jlp.jlp.es
encrypt passwords = yes
ldap replication sleep = 10000
log level=10
[users]
comment = All users
path = /var/homes
writeable = Yes
veto files = /aquota.user/groups/shares/
browseable = yes
guest ok = no
printable = no
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
[homes]
comment = Home directory
writeable=yes
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
[printers]
read only=yes
browseable = yes
guest ok = no
printable = yes
admin users = @Administrators
comment = All Printers
path = /tmp
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = admin.jlp.es
admin users = admin.jlp.es
read only=yes
create mask = 0664
directory mask = 0775
browseable = yes
guest ok = no
printable = no
[netlogon]
path = /var/lib/samba/netlogon
read only = yes
write list = @Administrators
admin users = @Administrators
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
[profiles]
path = /var/lib/samba/profiles
read only = no
preexec=/etc/groupware/scripts/check_quota_user.sh %m %I
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
[viruses]
path = /var/lib/samba/viruses
admin users = @Administrators
valid users = @Administrators
write list = @Administrators
--------
Even using "read only=yes"or "writeable=no" in [print$] I can delete
printer drivers. Normally, I use "write list = admin.jlp.es" and "admin
users = admin.jlp.es" (admin.jlp.es is the domain administrator user) .
If I delete the last two lines, I can also delete drivers.
Permissions in /var/lib/samba/drivers are 755, with owner root:root.
I also send you the samba log, with log level 10. It's very big, I don't
know if it would very useful to you...
Thanks
Cesar Hernandez
chernandez at genos.es
Genos Open Source S.L.
Tarragona, 100. 08015 Barcelona
Tel. 932 282 231
http://genos.es
http://www.genos.org
More information about the samba
mailing list