[Samba] No access check deleting printer drivers

Cesar Hernandez sistemes at genos.es
Fri Feb 17 15:39:20 GMT 2006


Hi.
I have the same problem. I can delete any unused printer driver from my
samba server. I use samba-3.0.21b. The difference is that I use a
windows 2000 client; login as user to the samba domain (no
administrative privileges). Then I go to \\server , printers, server
properties, and I can delete any unused printer driver.
However, I cannot add any printer driver (as a normal user). Also, I
cannot create/delete/modify any file in \\server\print$. When I connect
as administrator, I can delete/add, etc. printer drivers as usual.

That user is in domain users, and hasn't any privilege (like 
SePrintOperatorPrivilege).
My smb.conf is the following:


[global]

preferred master = yes
domain master = yes
local master = yes
domain logons = yes
add machine script = /etc/groupware/scripts/create_machine.sh %u
os level=33
logon path = \\%L\Profiles\%U
logon home=  \\%L\Profiles\%U
logon drive = j:

enable privileges = yes
logon script = startup.bat

   security = user
   workgroup = JLPDOM
   netbios name = jlp
   printing = cups
   printcap name = cups

   map to guest = Bad User

   passdb backend = ldapsam:ldap://127.0.0.1
   ldap admin dn = "cn=manager,dc=jlp,dc=es"
   ldap ssl = on
   ldap delete dn = no

   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap suffix = dc=jlp,dc=es

   log file = /var/log/samba/log.%m
   max log size = 50

   server string = Samba Server at jlp.jlp.es
   encrypt passwords = yes
   ldap replication sleep = 10000

log level=10

[users]
   comment = All users
   path = /var/homes
   writeable = Yes
   veto files = /aquota.user/groups/shares/
   browseable = yes
   guest ok = no
   printable = no
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[homes]
   comment = Home directory
   writeable=yes
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf


[printers]

     read only=yes
      browseable = yes
      guest ok = no
      printable = yes
   admin users = @Administrators
      comment = All Printers
      path = /tmp

[print$]
      comment = Printer Drivers
      path = /var/lib/samba/drivers


      write list = admin.jlp.es
      admin users = admin.jlp.es

      read only=yes

      create mask = 0664
      directory mask = 0775
      browseable = yes
      guest ok = no
      printable = no

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   write list = @Administrators
   admin users = @Administrators
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   preexec=/etc/groupware/scripts/check_quota_user.sh %m %I
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf


[viruses]
   path = /var/lib/samba/viruses
   admin users = @Administrators
   valid users = @Administrators
   write list = @Administrators


--------

Even using "read only=yes" or "writeable=no" in [print$] I can delete
printer drivers. Normally, I use "write list = admin.jlp.es" and "admin
users = admin.jlp.es" (admin.jlp.es is the domain administrator user).
If I delete the last two lines, I can also delete drivers.
Permissions in /var/lib/samba/drivers are 755, with owner root:root.
I also send you the samba log, with log level 10. It's very big, I don't
know if it would be very useful to you...


Thanks


Cesar Hernandez
chernandez at genos.es
Genos Open Source S.L.
Tarragona, 100. 08015 Barcelona
Tel. 932 282 231

http://genos.es
http://www.genos.org

