[Samba] Ubuntu Jaunty samba 3.3.2 print$ no write rights even though I do;-)

Glenn T. Arnold garnold at unrealsolutions.com
Thu Jul 2 18:09:15 GMT 2009


I am setting up an OpenLDAP PDC with file and print services on Ubuntu Jaunty. Jaunty ships with Samba 3.3.2. I configured Samba to use just the registry backend, which I think is pretty cool! What happens is that when I use the Add print wizard to add my Windows XP drivers, I get the famous "unable to install driver access denied" message. I can ssh into the box with my user id and create files in the /var/lib/samba/printers folder with no problem. I have given the Domain Admins and root all privileges to manage the domain; see below.

root@SERVER01:/var/lib/samba/printers# net rpc rights list root
Enter root's password: 
SeMachineAccountPrivilege 
SeTakeOwnershipPrivilege 
SeBackupPrivilege 
SeRestorePrivilege 
SeRemoteShutdownPrivilege 
SePrintOperatorPrivilege 
SeAddUsersPrivilege 
SeDiskOperatorPrivilege 

net rpc rights list "Domain Admins" 
Enter root's password: 
SeMachineAccountPrivilege 
SeTakeOwnershipPrivilege 
SeBackupPrivilege 
SeRestorePrivilege 
SeRemoteShutdownPrivilege 
SePrintOperatorPrivilege 
SeAddUsersPrivilege 
SeDiskOperatorPrivilege 

Here are the rights on the /var/lib/samba/printers directory:

root@server01:/var/lib/samba# getfacl printers -R
# file: printers 
# owner: root 
# group: Domain\040Admins 
user::rwx 
group::r-x 
group:Domain\040Admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:Domain\040Admins:rwx 
default:mask::rwx 
default:other::r-x 

# file: printers/W32X86 
# owner: root 
# group: Domain\040Admins 
user::rwx 
group::r-x 
group:Domain\040Admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:Domain\040Admins:rwx 
default:mask::rwx 
default:other::r-x 

# file: printers/W32ALPHA 
# owner: root 
# group: Domain\040Admins 
user::rwx 
group::r-x 
group:Domain\040Admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:Domain\040Admins:rwx 
default:mask::rwx 
default:other::r-x 

# file: printers/showtrueconfig 
# owner: root 
# group: root 
user::rw- 
group::r-x #effective:r-- 
group:Domain\040Admins:rwx #effective:rw- 
mask::rw- 
other::r-- 

# file: printers/W32MIPS 
# owner: root 
# group: Domain\040Admins 
user::rwx 
group::r-x 
group:Domain\040Admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:Domain\040Admins:rwx 
default:mask::rwx 
default:other::r-x 

# file: printers/x64 
# owner: root 
# group: Domain\040Admins 
user::rwx 
group::r-x 
group:Domain\040Admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:Domain\040Admins:rwx 
default:mask::rwx 
default:other::r-x 

# file: printers/W32PPC 
# owner: root 
# group: Domain\040Admins 
user::rwx 
group::r-x 
group:Domain\040Admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:Domain\040Admins:rwx 
default:mask::rwx 
default:other::r-x 

# file: printers/IA64 
# owner: root 
# group: Domain\040Admins 
user::rwx 
group::r-x 
group:Domain\040Admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:Domain\040Admins:rwx 
default:mask::rwx 
default:other::r-x 

# file: printers/WIN40 
# owner: root 
# group: Domain\040Admins 
user::rwx 
group::r-x 
group:Domain\040Admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:Domain\040Admins:rwx 
default:mask::rwx 
default:other::r-x 

# file: printers/COLOR 
# owner: root 
# group: Domain\040Admins 
user::rwx 
group::r-x 
group:Domain\040Admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:Domain\040Admins:rwx 
default:mask::rwx 
default:other::r-x 

I created a second share called printer drivers to prove I have rights to write to the /var/lib/samba/printers folder from Windows XP. I can create and copy files and folders with no problems through the print drivers share, but when I connect to the /var/lib/samba/printers folder through print$ I get access denied. But I can add workstations to the domain with no problems, and I can change security on the printer I am trying to upload a print driver for with no problems. If you run smbstatus you can see that when I connect as root it only shows read-only rights. Here is my smbstatus output:
Locked files: 
Pid Uid DenyMode Access R/W Oplock SharePath Name Time 
-------------------------------------------------------------------------------------------------- 
12885 0 DENY_NONE 0x100081 RDONLY NONE /var/lib/samba/printers . Thu Jul 2 13:13:34 2009 
12885 0 DENY_NONE 0x100081 RDONLY NONE /var/lib/samba/printers . Thu Jul 2 13:13:34 2009 
12471 10000 DENY_NONE 0x100081 RDONLY NONE /var/lib/samba/printers . Thu Jul 2 13:06:46 2009 
12471 10000 DENY_NONE 0x100081 RDONLY NONE /var/lib/samba/printers . Thu Jul 2 13:06:46 2009 
12471 10000 DENY_NONE 0x100081 RDONLY NONE /var/lib/samba/printers . Thu Jul 2 13:35:05 2009 
12471 10000 DENY_NONE 0x100081 RDONLY NONE /home/gtarnold . Thu Jul 2 13:39:55 2009 


Below are my smb.conf and my registry-based configuration. Any suggestions would be appreciated! Sorry for being so long-winded!

-Glenn 
smb.conf file 
# Generated by /usr/sbin/modify_samba_config.pl 
# 
[global] 
configbackend = registry 

## Section - [smbsrvr] 
[smbsrvr] 
comment = test 
maxconnections = 0 
path = /smbsrvr 
max connections = 0 

# 
# end of generated smb.conf 
# 
Samba registry backend configuration 
[HKEY_LOCAL_MACHINE\SOFTWARE\Samba] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\Group Policy] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\global] 
"ldap group suffix"="ou=Groups" 
"passwd program"="/usr/bin/passwd %u" 
"add share command"="/usr/sbin/modify_samba_config.pl" 
"netbios name"="SERVER01" 
"delete share command"="/usr/sbin/modify_samba_config.pl" 
"max log size"="1000" 
"idmap uid"="10000-20000" 
"map to guest"="bad user" 
"add machine script"="sudo /usr/sbin/smbldap-useradd -t 0 -w \"%u\"" 
"printcap name"="cups" 
"domain logons"="yes" 
"delete user script"="sudo /usr/sbin/smbldap-userdel \"%u\"" 
"panic action"="/usr/share/samba/panic-action %d" 
"shutdown script"="sudo /sbin/shutdown.sh" 
"log file"="/var/log/samba/log.%m" 
"preferred master"="yes" 
"printing"="cups" 
"unix extensions"="yes" 
"logon drive"="H:" 
"add user to group script"="sudo /usr/sbin/smbldap-groupmod -m \"%u\" \"%g\"" 
"inherit permissions"="Yes" 
"ldap machine suffix"="ou=Computers" 
"workgroup"="LCSD" 
"ldap passwd sync"="yes" 
"pam password change"="yes" 
"ldap admin dn"="cn=admin,dc=someonenet,dc=net" 
"registry shares"="yes" 
"security"="user" 
"domain master"="yes" 
"eventlog list"="Application System Security SyslogLinux" 
"abort shutdown script"="sudo /sbin/shutdown -c" 
"add group script"="sudo /usr/sbin/smbldap-groupadd -p \"%g\"" 
"time server"="yes" 
"ldap user suffix"="ou=People" 
"ldap ssl"="no" 
"delete user from group script"="sudo /usr/sbin/smbldap-groupmod -x \"%u\" \"%g\"" 
"obey pam restrictions"="yes" 
"map acl inherit"="yes" 
"usershare max shares"="0" 
"add user script"="sudo /usr/sbin/smbldap-useradd -m \"%u\"" 
"dns proxy"="yes" 
"set primary group script"="sudo /usr/sbin/smbldap-usermod -g \"%g\" \"%u\"" 
"interfaces"="eth0, lo" 
"ldap idmap suffix"="ou=Idmap" 
"passdb backend"="ldapsam:ldap://lcsms01.lynchclay.net" 
"delete group script"="sudo /usr/sbin/smbldap-groupdel \"%g\"" 
"ldap suffix"="dc=lynchclay,dc=net" 
"load printers"="yes" 
"local master"="yes" 
"unix password sync"="yes" 
"passwd chat"="*Enter\\snew\\s*\\spassword:* %n\\n *Retype\\snew\\s*\\spassword:* %n\\n *password\\supdated\\ssuccessfully* ." 
"change share command"="/usr/sbin/modify_samba_config.pl" 
"svcctllist"="slapd gdm ufw networking samba webmin" 
"template shell"="/bin/bash" 
"server string"="%h server (MS File Server)" 
"os level"="64" 
"logon path"="" 
"cups options"="raw" 
"printcap cache time"="180" 
"smb ports"="445" 
"syslog"="2" 
"socket options"="IPTOS_LOWDELAY TCP_NODELAY" 
"logon script"="wkix32.exe logon.kix" 
"idmap backend"="ldap:ldap://server01.someonenet.net" 
"idmap gid"="10000-20000" 
"winbind enum users"="yes" 
"winbind enum groups"="yes" 
"wins support"="yes" 
"winbind use default domain "="yes" 
"winbind separator"="\\" 
"enable privileges"="yes" 
"admin users"="@\"Domain Admins\"" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\netlogon] 
"path"="/opt/samba/scripts" 
"read only"="yes" 
"comment "="Network Logon Service" 
"guest ok"="yes" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\homes] 
"guest ok"="no" 
"read only"="no" 
"directory mask"="0770" 
"create mask"="0770" 
"browseable"="no" 
"nt acl support"="yes" 
"hide dot files"="yes" 
"force create mode "="0770" 
"force directory mode"="0770" 
"comment"="Home Directories" 
"force group"="Domain Admins" 
"dos file times"="yes" 
"valid users"="%S" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\print$] 
"path"="/var/lib/samba/printers" 
"comment"="Printer Drivers" 
"write list "="@\"Domain Admins\",root" 
"read only"="yes" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\c$] 
"read only"="no" 
"comment"="Admin Share" 
"path"="/srv" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\scripts$] 
"comment"="Share use to edit login scripts" 
"path"="/opt/samba/scripts" 
"read only"="no" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\printers] 
"comment "="All Printers" 
"path"="/var/spool/samba" 
"browseable "="no" 
"public"="yes" 
"guest ok"="yes" 
"printable"="yes" 
"writable"="yes" 
"write list"="@\"Domain Admins\"" 
"admin users"="@\"Domain Admins\"" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\msstaffhome] 
"guest ok"="no" 
"read only"="no" 
"directory mask"="0770" 
"create mask"="0770" 
"browseable"="no" 
"nt acl support"="yes" 
"hide dot files"="yes" 
"force create mode "="0770" 
"force directory mode"="0770" 
"comment"="Home Directories for Staff" 
"force group"="Domain Admins" 
"dos file times"="yes" 
"write list"="%S" 
"path"="/home/msstaffhome/%U" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\msstdhome] 
"guest ok"="no" 
"read only"="no" 
"directory mask"="0770" 
"create mask"="0770" 
"browseable"="no" 
"nt acl support"="yes" 
"hide dot files"="yes" 
"force create mode "="0770" 
"force directory mode"="0770" 
"force group"="Domain Admins" 
"dos file times"="yes" 
"path"="/home/msstdhome/%U" 
"comment"="Home Directories for Students" 
"veto files"="/*.mp3/*.wma/*.mov/*.bat/*.exe/*.com/*.js/*.cmd/*.wsh/*.scr/" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\drivers] 
"path"="/opt/drivers" 
"comment"="DriverPacks Repository" 
"writelist"="@\"Domain Admins\"" 
"guest ok"="yes" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\printer drivers] 
"path"="/var/lib/samba/printers" 
"read only"="no" 
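
An added example, not part of the original post: a check of which principals hold effective write access in `getfacl -R` output like the listing above, applying the ACL mask and skipping `default:` entries. The sample input is constructed from two entries in the post, and the function names are this example's own.

```python
import re
# Constructed sample in `getfacl -R` format, modelled on two entries in the post.
SAMPLE = r"""# file: printers/W32X86
# owner: root
# group: Domain\040Admins
user::rwx
group::r-x
group:Domain\040Admins:rwx
mask::rwx
other::r-x
default:other::rwx

# file: printers/showtrueconfig
# owner: root
# group: root
user::rw-
group::r-x #effective:r--
group:Domain\040Admins:rwx #effective:rw-
mask::rw-
other::r--
"""

def unescape(name):  # getfacl writes special characters as backslash + 3 octal digits
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Map each path to its access ACL entries as (tag, qualifier, perms)."""
    files, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# file: "):
            cur = files[unescape(line[8:])] = []
        elif cur is not None and line and line[0] != "#" and not line.startswith("default:"):
            # default: entries only seed the ACLs of newly created children
            tag, rest = line.split("#", 1)[0].strip().split(":", 1)
            qual, perms = rest.rsplit(":", 1)
            cur.append((tag, unescape(qual), perms))
    return files

def effective(perms, mask):  # the mask caps named users, the owning group and named groups
    return perms if mask is None else "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def writers(entries):  # principals whose effective access ACL includes write
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = []
    for tag, qual, perms in entries:
        capped = tag == "group" or (tag == "user" and qual != "")
        if tag != "mask" and "w" in (effective(perms, mask) if capped else perms):
            out.append(f"{tag}:{qual}" if qual else {"user": "owner", "group": "owning group", "other": "other"}[tag])
    return out
```

This covers only the filesystem ACL layer; share-level settings such as `read only` and `write list` are evaluated by Samba separately.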





