[Samba] Printer management on Samba server connected to ADS

R. Gruyters r.gruyters at yirdis.nl
Mon Sep 3 11:52:05 GMT 2007


Hello,

Last week we moved our PDC (Samba) to RDM (Active Directory). Everything
(almost) went okay, but I have encountered some problems with the printers
which are connected to the Samba server.

We have three printers connected to the Samba server. When I try to update
the properties of each printer, it doesn't allow me to update them (e.g.
paper format, tray configuration, duplex, etc.).

I have tried to set the "SePrintOperatorPrivilege", but it doesn't allow me
to do so.

$ net -Urobin rpc rights grant 'DOMAIN\Domain Admins' SePrintOperatorPrivilege
Password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

When I check the user permissions:
$ id robin
uid=20006(robin) gid=20004(domain users) groups=20004(domain users),
20019(domain admins), 20000(BUILTIN\administrators)

When I create a usermap to link my account with root, it works perfectly.
$ echo "root = DOMAIN\robin" > /usr/local/etc/smb.usermap
$ net -Urobin rpc rights grant 'DOMAIN\Domain Admins' SePrintOperatorPrivilege
Password:
Successfully granted rights.

When I remove the usermap and try to update the properties on a printer, it
still doesn't allow me to do so.

Has anybody got an idea? Do I need to reinstall each printer on the Samba
server?

Here is an overview of my smb.conf:

Server role: ROLE_DOMAIN_MEMBER
[global]
        unix charset = ISO8859-1
        workgroup = DOMAIN
        realm = DOMAIN.NL
        server string = YIRDIS Office Server
        interfaces = xxx.xxx.xxx.xxx/24
        security = ADS
        password server = domain.nl
        username map = /usr/local/etc/smb.usermap
        log file = /var/log/samba/log.%m
        max log size = 1024
        os level = 32
        wins server = xxx.xxx.xxx.xxx
        ldap admin dn = cn=Samba, ou=SysAdm, dc=yirdis, dc=nl
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap suffix = dc=yirdis, dc=nl
        ldap ssl = no
        remote announce = xxx.xxx.xxx.xxx
        remote browse sync = xxx.xxx.xxx.xxx
        idmap backend = ldap:ldap://127.0.0.1/
        idmap uid = 20000-40000
        idmap gid = 20000-40000
        template homedir = /home/samba/%D/%U
        template shell = /bin/sh
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes

[netlogon]
        path = /data2/samba/netlogon/scripts/%g
        locking = No

[profiles]
        comment = Roaming Profiles
        path = /data2/samba/profiles
        admin users = "@DOMAIN\Domain Admins"
        read only = No
        create mask = 0700
        directory mask = 0700
        profile acls = Yes
        hide files = /desktop.ini/
        browseable = No

[homes]
        comment = Home Directories
        read only = No
        hide files = /desktop.ini/
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No

[print$]
        comment = Printer Driver Download Area
        path = /data3/samba/shares/printers
        guest ok = Yes


Kind regards,

Robin Gruyters
Network and Security Engineer
YIRDIS
I: http://yirdis.com
P: +31(0)20 5659193
F: +31(0)20 5659190
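
Added example (not part of the original post and not Samba code): the post maps a domain account to root through the "username map" file. This sketch parses a file in that format and lists every client name mapped to a privileged UNIX account, so that a leftover workaround entry such as root = DOMAIN\robin is caught in review. The sample file contents and the choice of "root" as the only privileged account are assumptions.

```python
import re

# Constructed sample in smb.conf "username map" format. The first mapping is
# the one shown in the post; the other lines are made up for illustration.
SAMPLE_MAP = r'''# comment lines start with '#' or ';'
root = DOMAIN\robin
!root = "DOMAIN\Domain Admins" @wheel
; root = *
nobody = *
'''

PRIVILEGED = {"root"}                    # assumption: accounts treated as privileged
TOKEN = re.compile(r'"[^"]*"|\S+')       # bare names, or "names with spaces"


def parse_usermap(text):
    """Yield (lineno, unix_name, client_names, stops_processing) per mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        stop = line.startswith("!")      # '!' ends map processing on a match
        if stop:
            line = line[1:].lstrip()
        unix, sep, clients = line.partition("=")
        if not sep:                      # not a mapping line, skip it
            continue
        names = [t.strip('"') for t in TOKEN.findall(clients)]
        yield lineno, unix.strip(), names, stop


def risky_entries(text, privileged=PRIVILEGED):
    """Return (lineno, unix_name, client_name, kind) for mappings onto privileged accounts."""
    findings = []
    for lineno, unix, names, _stop in parse_usermap(text):
        if unix not in privileged:
            continue
        for name in names:
            if name == "*":
                kind = "wildcard"        # every client name is mapped
            elif name.startswith("@"):
                kind = "group"           # every member of a UNIX group is mapped
            else:
                kind = "user"
            findings.append((lineno, unix, name, kind))
    return findings


if __name__ == "__main__":
    for lineno, unix, name, kind in risky_entries(SAMPLE_MAP):
        print(f"line {lineno}: {kind} {name!r} is mapped to {unix}")
```
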
