[Samba] Printer Admin Difficulties
Jeff Hardy
hardyjm at potsdam.edu
Thu Apr 1 15:39:38 MDT 2010
I have been trying to set up a new print server on Fedora 12 based around
samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks
good except for the ability for printer administrators to manage
printers. Whether I specify users in a system group using the
deprecated printer admin option, or specifically using net rpc rights
and the SePrinterOperatorPrivilege, it does not matter. This is against
an NT4 domain on samba-3.4.2.
Interestingly, I have one user who can manage printers, whether or not
he is in the group or has the privilege. Also, the printer admin pieces
work correctly on an existing samba-3.0.28a print server against that
same domain controller.
I have been looking at level 10 logs to compare two users, the mystery
adminuser, and the feckless denieduser, when running the following
command (again, both are members of the printer admin group):
rpcclient -c 'setdriver ZZZ "HP LaserJet 4000 Series PS"' -U <user> localhost
Following are log snippets, both beginning with SPOOLSS_OPENPRINTEREX
and ending when printer access is either granted as
PRINTER_ACCESS_ADMINISTER or denied outright. Whether or not in the
proper printer admin group or given the privilege, the outcome does not
change for either user.
First the user for whom administrative access is granted:
--------------------------------------------
[2010/03/31 13:43:35, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command:
SPOOLSS_OPENPRINTEREX
[2010/03/31 13:43:35, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
api_rpc_cmds[69].fn == 0x7f0e2d66c890
[2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
in: struct spoolss_OpenPrinterEx
printername : *
printername : '\\LOCALHOST\ZZZ'
datatype : NULL
devmode_ctr: struct spoolss_DevmodeContainer
_ndr_size : 0x00000000 (0)
devmode : NULL
access_mask : 0x000f000c (983052)
0: SERVER_ACCESS_ADMINISTER
0: SERVER_ACCESS_ENUMERATE
1: PRINTER_ACCESS_ADMINISTER
1: PRINTER_ACCESS_USE
0: JOB_ACCESS_ADMINISTER
0: JOB_ACCESS_READ
level : 0x00000001 (1)
userlevel : union spoolss_UserLevel(case 1)
level1 : *
level1: struct spoolss_UserLevel1
size : 0x0000001c (28)
client : *
client : '\\TKNEW'
user : *
user : 'adminuser'
build : 0x00000565 (1381)
major : UNKNOWN_ENUM_VALUE (2)
minor :
SPOOLSS_MINOR_VERSION_0 (0)
processor :
PROCESSOR_ARCHITECTURE_INTEL (0)
checking name: \\LOCALHOST\ZZZ
[2010/03/31 13:43:35, 10] rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
open_printer_hnd: name [\\LOCALHOST\ZZZ]
[2010/03/31 13:43:35, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B C7 89 ........ .....K..
[0010] F9 54 00 00 .T..
[2010/03/31 13:43:35, 3]
rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
Setting printer type=\\LOCALHOST\ZZZ
Printer is a printer
[2010/03/31 13:43:35, 4]
rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
Setting printer name=\\LOCALHOST\ZZZ (len=15)
[2010/03/31 13:43:35, 8] lib/util.c:1879(is_myname)
is_myname("LOCALHOST") returns 0
searching for [ZZZ]
[2010/03/31 13:43:35, 10]
printing/nt_printing.c:4630(get_a_printer_internal)
get_a_printer: [printers] level 2
[2010/03/31 13:43:35, 10]
printing/nt_printing.c:3917(get_a_printer_2_default)
get_a_printer_2_default: driver name set to []
printername: printers
[2010/03/31 13:43:35, 10]
printing/nt_printing.c:3917(get_a_printer_2_default)
get_a_printer_2_default: driver name set to []
printername: CRBSTD-P
set_printer_hnd_name: Printer found: ZZZ -> ZZZ
[2010/03/31 13:43:35, 5] rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
1 printer handles active
[2010/03/31 13:43:35, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B C7 89 ........ .....K..
[0010] F9 54 00 00 .T..
[2010/03/31 13:43:35, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B C7 89 ........ .....K..
[0010] F9 54 00 00 .T..
[2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
short name:ZZZ
[2010/03/31 13:43:35, 3] lib/access.c:362(only_ipaddrs_in_list)
only_ipaddrs_in_list: list has non-ip address (127.)
[2010/03/31 13:43:35, 3] lib/access.c:396(check_access)
check_access: hostnames in host allow/deny list.
[2010/03/31 13:43:35, 2] lib/access.c:406(check_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2010/03/31 13:43:35, 10] smbd/share_access.c:234(user_ok_token)
user_ok_token: share ZZZ is ok for unix user adminuser
[2010/03/31 13:43:35, 4]
rpc_server/srv_spoolss_nt.c:1726(_spoolss_OpenPrinterEx)
Setting printer access = PRINTER_ACCESS_ADMINISTER
[2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
out: struct spoolss_OpenPrinterEx
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000002-0000-0000-b34b-c789f9540000
result : WERR_OK
--------------------------------------------
And now for a user who is denied access:
--------------------------------------------
[2010/03/31 13:44:33, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command:
SPOOLSS_OPENPRINTEREX
[2010/03/31 13:44:33, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
api_rpc_cmds[69].fn == 0x7f0e2d66c890
[2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
in: struct spoolss_OpenPrinterEx
printername : *
printername : '\\LOCALHOST\ZZZ'
datatype : NULL
devmode_ctr: struct spoolss_DevmodeContainer
_ndr_size : 0x00000000 (0)
devmode : NULL
access_mask : 0x000f000c (983052)
0: SERVER_ACCESS_ADMINISTER
0: SERVER_ACCESS_ENUMERATE
1: PRINTER_ACCESS_ADMINISTER
1: PRINTER_ACCESS_USE
0: JOB_ACCESS_ADMINISTER
0: JOB_ACCESS_READ
level : 0x00000001 (1)
userlevel : union spoolss_UserLevel(case 1)
level1 : *
level1: struct spoolss_UserLevel1
size : 0x0000001c (28)
client : *
client : '\\TKNEW'
user : *
user : 'denieduser'
build : 0x00000565 (1381)
major : UNKNOWN_ENUM_VALUE (2)
minor :
SPOOLSS_MINOR_VERSION_0 (0)
processor :
PROCESSOR_ARCHITECTURE_INTEL (0)
checking name: \\LOCALHOST\ZZZ
[2010/03/31 13:44:33, 10] rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
open_printer_hnd: name [\\LOCALHOST\ZZZ]
[2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 3]
rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
Setting printer type=\\LOCALHOST\ZZZ
Printer is a printer
[2010/03/31 13:44:33, 4]
rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
Setting printer name=\\LOCALHOST\ZZZ (len=15)
[2010/03/31 13:44:33, 8] lib/util.c:1879(is_myname)
is_myname("LOCALHOST") returns 0
searching for [ZZZ]
[2010/03/31 13:44:33, 10]
printing/nt_printing.c:4630(get_a_printer_internal)
get_a_printer: [printers] level 2
[2010/03/31 13:44:33, 10]
printing/nt_printing.c:3917(get_a_printer_2_default)
get_a_printer_2_default: driver name set to []
printername: printers
[2010/03/31 13:44:33, 10]
printing/nt_printing.c:3917(get_a_printer_2_default)
get_a_printer_2_default: driver name set to []
printername: CRBSTD-P
set_printer_hnd_name: Printer found: ZZZ -> ZZZ
[2010/03/31 13:44:33, 5] rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
1 printer handles active
[2010/03/31 13:44:33, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 4] rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
short name:ZZZ
[2010/03/31 13:44:33, 3] lib/access.c:362(only_ipaddrs_in_list)
only_ipaddrs_in_list: list has non-ip address (127.)
[2010/03/31 13:44:33, 3] lib/access.c:396(check_access)
check_access: hostnames in host allow/deny list.
[2010/03/31 13:44:33, 2] lib/access.c:406(check_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2010/03/31 13:44:33, 10] smbd/share_access.c:234(user_ok_token)
user_ok_token: share ZZZ is ok for unix user denieduser
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x20020008 to 0x00020008
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
access check was FAILURE
[2010/03/31 13:44:33, 3]
rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)
access DENIED for printer open
[2010/03/31 13:44:33, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 4]
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3
4B 01 8A ........ .....K..
[0010] FF 54 00 00 .T..
[2010/03/31 13:44:33, 3] rpc_server/srv_lsa_hnd.c:218(close_policy_hnd)
Closed policy
[2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
out: struct spoolss_OpenPrinterEx
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000000-0000-0000-0000-000000000000
result : WERR_ACCESS_DENIED
--------------------------------------------
The only discernible difference to my eye is that for the denieduser,
se_map_generic() is called before ultimately denying the user.
Finally, here is testparm output:
--------------------------------------------
[global]
workgroup = POTSDAM
server string = Printing Server
security = DOMAIN
password server = MEGA
restrict anonymous = 2
log level = 1
log file = /var/log/samba/%m.log
max log size = 10000
time server = Yes
unix extensions = No
deadtime = 5
printcap name = cups
wins server = 192.168.0.1
printer admin = @printeradmins
hosts allow = 127., 192.168.
cups options = raw
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
browsable = No
[print$]
comment = Printer Drivers for Windows
path = /usr/share/samba/print
write list = @printeradmins
[drivers]
comment = Vendor Printer Driver Paks
path = /usr/share/samba/drivers
write list = @printeradmins
create mask = 0775
directory mask = 0775
--------------------------------------------
If anyone could shed light on this issue, it would be much appreciated.
Thank you.
-Jeff
--
Jeffrey M Hardy
Systems Analyst
hardyjm at potsdam.edu
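
The comparison described in the message, two level 10 traces of the same SPOOLSS_OPENPRINTEREX call, can be automated by reducing each trace to the functions named in its debug headers. This is an added example, not part of the original post or of Samba; `call_sequence` and `only_in` are hypothetical helper names, and the sample traces are shortened excerpts of the two logs above.

```python
import re

# Samba debug header: "[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)".
# Mail wrapping sometimes pushes the "file:line(function)" part onto the next line.
STAMP = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\s*(\d+)\]\s*(.*)$")
WHERE = re.compile(r"^(\S+\.c):\d+\((\w+)\)$")

def call_sequence(trace):
    """Return the ordered (source file, function) pairs named in debug headers."""
    calls, pending = [], False
    for raw in trace.splitlines():
        line = raw.strip()
        m = STAMP.match(line)
        if m:
            line, pending = m.group(2), True
            if not line:          # header wrapped: location is on the next line
                continue
        if pending:
            pending = False
            w = WHERE.match(line)
            if w:
                calls.append((w.group(1), w.group(2)))
    return calls

def only_in(trace_a, trace_b):
    """Functions logged in trace_a but never in trace_b, in first-seen order."""
    seen_b = {fn for _, fn in call_sequence(trace_b)}
    return list(dict.fromkeys(fn for _, fn in call_sequence(trace_a) if fn not in seen_b))

# Shortened excerpts of the two traces in this message (sample input).
GRANTED = """\
[2010/03/31 13:43:35, 10] smbd/share_access.c:234(user_ok_token)
user_ok_token: share ZZZ is ok for unix user adminuser
[2010/03/31 13:43:35, 4]
rpc_server/srv_spoolss_nt.c:1726(_spoolss_OpenPrinterEx)
Setting printer access = PRINTER_ACCESS_ADMINISTER
"""
DENIED = """\
[2010/03/31 13:44:33, 10] smbd/share_access.c:234(user_ok_token)
user_ok_token: share ZZZ is ok for unix user denieduser
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
access check was FAILURE
[2010/03/31 13:44:33, 3]
rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)
access DENIED for printer open
"""
```

Calling `only_in(DENIED, GRANTED)` on full log files lists the code paths that ran only for the denied user, which is where the two access decisions diverge.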