[Samba] Samba3 print server in a Samba4 domain

Steve Thompson smt at vgersoft.com
Thu Apr 18 13:13:20 MDT 2013

CentOS 6.4 x86_64, Samba 3.6.9 on member servers, joined to a Samba 4.0.3 
AD domain.

I am attempting to use the Samba3 member server ("TS-1") as a print 
server. While CUPS works well, I cannot upload any drivers ("access 
denied"), and I cannot see any drivers in the [print$] share, even though 
I have populated these from a functioning Samba3 domain. I can map the 
\\ts-1\print$ share and write to it, and I have sePrintOperatorPrivilege 
(but in any event I am logged in as a Domain Admin). "net rpc rights" etc
all work properly, and show the privileges that I expect.

>From a level 10 log, I see the print server system doing a lot of:

   smbldap_search_ext: base => [DC=europa,DC=icse,DC=cornell,DC=edu],
 	filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))],
 	scope => [2]

which is obviously not going to work, since sambaGroupMapping and sambaSID 
are appropriate for a Samba3 domain. The end result is:

[2013/04/18 15:00:56.781729,  3] rpc_server/spoolss/srv_spoolss_nt.c:1840(_spoolss_OpenPrinterEx)
   access DENIED as user is not root, has no printoperator privilege, not a
 	member of the printoperator builtin group and is not in printer admin list

which is not expected.

Since I have security=ads, how do I coerce Samba3 in this situation to do 
proper lookups? Or is this not the problem?

If I manually load drivers on clients, printing works just fine, but I 
want clients to load drivers from the print server. I tried the samba4 
RPM's for CentOS, but there's no ldapsam support in there.


More information about the samba mailing list