[Samba] samba printing from 64-bit windows server 2008

Rob Moser Rob.Moser at nau.edu
Mon Jun 14 09:49:08 MDT 2010


Problem solved - or at least, workaround found - so I'm posting it to
the list for the benefit of future archive-divers.  Bug report at:
https://bugzilla.samba.org/show_bug.cgi?id=7506

Basically, the problem is with changes Microsoft made between 2003 and
2008 for Terminal Server - a machine which does not have the Terminal
Server role will not have this problem.  A Server 2008 Terminal Server
host attempting to add a samba-maintained printer (with samba 3.5.3 or
below, at least) will fail to connect to the printer and return the
error code 0x000006d1.  Workaround is as follows:

1) On the Windows Server 2008 TS host, bring up the Server Manager.
2) Under Features, install Group Policy Management if it isn't installed
already.
3) Under Group Policy Management, drill down til you find the policy
which is applying to your machine.
4) Right click the Group Policy Object and select "edit".
5) In the resulting editor window, drill down to Computer
Configuration:Policies:Administrative Templates:Printers
6) Find the setting "Always render print jobs on the server" and disable it.
7) reboot the machine.

Yes, I know; Microsofts documentation says that leaving this policy not
configured is the same as disabling it.  They lie.

     - rob.

On 06/08/2010 11:43 AM, Rob Moser wrote:
> Some additional information on this problem:
> 
> I set up wireshark to do a packet trace of the connection attempt.  I'm
> not familiar enough with what the traffic should look like to know whats
> unusual, but the one thing that jumped out at me towards the end of the
> conversation was a SPOOLSS OpenPrinterEx request on the network printer,
> followed by a response with the return code of 5 - Access denied.
> "Aha!" I say to myself, must be a permissions problem... but a packet
> trace of the successful connection from the XP box shows several similar
> Access denied messages.  Maybe its irrelevant, but it seemed worth
> mentioning.
> 
> I also upped the debug level on smbd and captured a more detailed log.
> The "Printer handle not found" message is still the most
> relevant-looking thing there; the details around it look like:
> 
> [2010/06/08 11:35:36,  3] smbd/ipc.c:handle_trans(442)
>   trans <\PIPE\> data=44 params=0 setup=2
> [2010/06/08 11:35:36,  3] smbd/ipc.c:named_pipe(393)
>   named pipe command on <> name
> [2010/06/08 11:35:36,  4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1231)
>   search for pipe pnum=71df
> [2010/06/08 11:35:36,  3] smbd/ipc.c:api_fd_reply(351)
>   Got API command 0x26 on pipe "spoolss" (pnum 71df)
> [2010/06/08 11:35:36,  3] rpc_server/srv_pipe_hnd.c:free_pipe_context(500)
>   free_pipe_context: destroying talloc pool of size 0
> [2010/06/08 11:35:36,  4] rpc_server/srv_pipe.c:api_rpcTNP(2352)
>   api_rpcTNP: spoolss op 0x1d - api_rpcTNP: rpc command:
> SPOOLSS_CLOSEPRINTER
> [2010/06/08 11:35:36,  4]
> rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(179)
>   Policy not found: [000] 00 00 00 00 18 00 00 00  00 00 00 00 0E 4C 78
> 8D  ........ .....Lx.
>   [010] 28 24 00 00                                       ($..
> [2010/06/08 11:35:36,  2]
> rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(273)
>   find_printer_index_by_hnd: Printer handle not found: Policy not found:
> [000] 00 00 00 00 18 00 00 00  00 00 00 00 0E 4C 78 8D  ........ \
> .....Lx.
>   [010] 28 24 00 00                                       ($..
> [2010/06/08 11:35:36,  2]
> rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(273)
>   find_printer_index_by_hnd: Printer handle not found:
> close_printer_handle: Invalid handle (OURS:9256:9256)
> [2010/06/08 11:35:36,  4] rpc_server/srv_pipe.c:api_rpcTNP(2387)
>   api_rpcTNP: bad handle fault return.
> 
> (I don't want to post a full log or the full packet trace - way too much
> for a mailing list.  If no one recognises the problem from this much
> then I'll attach full data to a bug report.)
> 
> Thanks for any suggestions,
> 
>      - rob.
> 
> On 06/07/2010 03:51 PM, Rob Moser wrote:
>> I have a redhat EL5 samba server hosting a collection of printers and
>> joined to a domain.  I can connect to this server and print happily from
>> a 32-bit XP box on the domain, but a 64-bit windows server 2008 box
>> cannot connect, and returns the error 0x000006d1.
>>
>> I get the same results with samba 3.0.33 (came with redhat), 3.5.3 (the
>> latest from sernet), and 3.3.12 (this message from the samba-technical
>> archives -
>> http://lists.samba.org/archive/samba-technical/2010-February/069145.html
>> - mentions that at least as of February there were issues with 3.4.x+
>> and 64-bit OS'.)
>>
>> /var/log/samba/log.smb from the time around the failed connection contains:
>>
>> [2010/06/07 14:45:24,  2] lib/access.c:check_access(406)
>>   Allowed connection from ::ffff:134.114.138.126 (::ffff:134.114.138.126)
>> [Repeated many times]
>> [2010/06/07 14:45:24,  2]
>> rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(273)
>>   find_printer_index_by_hnd: Printer handle not found:
>> find_printer_index_by_hnd: Printer handle not found:
>> close_printer_handle: Invalid handle (OURS:29459:29459)
>>
>> From the 2008 machine, I can browse the samba server in wexplorer and
>> see the printers, but trying to set up a networked printer generates the
>> error above.
>>
>> Any suggestions?  Thanks,
>>
>>      - rob.
>>
>> # testparm
>> Load smb config files from /etc/samba/smb.conf
>> Unknown parameter encountered: "idmap domains"
>> Ignoring unknown parameter "idmap domains"
>> Processing section "[printers]"
>> Processing section "[print$]"
>> Processing section "[drivers$]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER
>> Press enter to see a dump of your service definitions
>>
>> [global]
>>         workgroup = NAU-STUDENTS
>>         realm = STUDENTS.FROOT.NAU.EDU
>>         netbios aliases = dev-acadprtsrv2.ucc.nau.edu
>>         server string = Samba Server
>>         security = ADS
>>         log level = 2
>>         max log size = 500000
>>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
>> SO_RCVBUF=8192 SO_KEEPALIVE
>>         printcap name = cups
>>         wins server = 134.114.138.35
>>         idmap alloc backend = tdb
>>         idmap uid = 10000 - 4000000
>>         idmap gid = 10000 - 4000000
>>         winbind use default domain = Yes
>>         idmap alloc config:range = 10000 - 4000000
>>         idmap config FROOT:range = 3000001 - 4000000
>>         idmap config FROOT:backend = tdb
>>         idmap config FROOT:default = no
>>         idmap config NAU:range = 2000001 - 3000000
>>         idmap config NAU:backend = tdb
>>         idmap config NAU:default = no
>>         idmap config NAU-STUDENTS:range = 10000 - 2000000
>>         idmap config NAU-STUDENTS:backend = tdb
>>         idmap config NAU-STUDENTS:default = yes
>>         hosts allow = 127., 134.114., 10.5.
>>
>> [printers]
>>         comment = All Printers
>>         path = /var/spool/samba
>>         printable = Yes
>>         default devmode = No
>>         browseable = No
>>
>> [print$]
>>         path = /var/lib/samba/drivers
>>         write list = "@NAU-STUDENTS\Domain Admins", "@domain admins"
>>         force user = root
>>         force group = "domain admins"
>>         force create mode = 0664
>>         force directory mode = 0774
>>         browseable = No
>>
>> [drivers$]
>>         path = /usr/local/printbilling/drivers/
>>         write list = "@NAU-STUDENTS\Domain Admins", "@domain admins"
>>         force user = root
>>         force group = "domain admins"
>>         force create mode = 0664
>>         force directory mode = 0774
>>         browseable = No
> 



More information about the samba mailing list