[Samba] PointnPrint Permissions

Rowland Penny rowlandpenny241155 at gmail.com
Mon Nov 23 19:52:12 UTC 2015


On 23/11/15 19:34, Henry McLaughlin wrote:
> Printer has been setup, shared and confirmed as working.
>
> Using the following guide:
> https://wiki.samba.org/index.php/Configuring_Point%27n%27Print_automatic_printer_driver_deployment
>
> 1) I have granted print operator privileges to "Domain Admins"
>
> user at jupiter:~$ net rpc rights list accounts -U'ABC\administrator'
> Enter INCRED\administrator's password:
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> BUILTIN\Server Operators
> No privileges assigned
>
> ABC\Domain Admins
> SePrintOperatorPrivilege
> SeDiskOperatorPrivilege
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> ...
> SeEnableDelegationPrivilege
>
> Everyone
> No privileges assigned
>
> user at jupiter:~$
>
>
> When creating the [print$] share
>
> 2) I have created the share in smb.conf and it can be seen in Windows:
>
> [print$]
>         path = /srv/samba/Printer_drivers/
>         comment = Printer drivers
>         writeable = yes
>
>
> 3) I have created the physical folder (default permissions as per guide):
>
> user at jupiter:~$ ls -l /srv/samba
> total 12
> drwxrwxr-x 2 root domain admins 4096 Nov 22 21:38 Demo
> drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
> drwxr-xr-x 2 root root          4096 Nov 24 06:00 Printer_drivers
> user at jupiter:~$
>
> 3) When I try to set the permissions of the share using Windows ACLs I am
> given a permission denied error:
> "An error occurred whilst applying security information to:
> \\JUPITER.AD.ABC.COM.AU\print$
> Access is denied"

Well you would :-)

From the above the Unix ownership of the directory is 'rwxr-xr-x' 
root:root. This means that the user 'root' has full control, the 'root' 
group has read permissions and can enter the directory, 'others' (this 
includes Domain Admins) have the same rights as the 'root' group. So 
from this you can see, whilst members of 'Domain Admins' can enter the 
dir and read what is in it, they cannot write to anything.

Try changing the group ownership of the share to match the other two shares.

Rowland
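
The permission reasoning in the reply above, as an added example that is not part of the original thread: it parses the `ls -l` output quoted in the post and selects the single rwx triplet that applies to a member of Domain Admins. The account name `administrator`, the "after" entry and the helper names are assumptions for illustration; plain mode bits only, with no POSIX ACLs and no root override.

```python
import re

# Directory listing quoted in the post (output of `ls -l /srv/samba`).
LISTING = """\
drwxrwxr-x 2 root domain admins 4096 Nov 22 21:38 Demo
drwxrwxr-x 2 root domain admins 4096 Nov 15 11:51 Finance
drwxr-xr-x 2 root root          4096 Nov 24 06:00 Printer_drivers
"""

# Group names may contain spaces ("domain admins"), so the group field is
# matched lazily up to the numeric size column.
LS_LINE = re.compile(
    r"^(?P<mode>[d-][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>.+?)\s+"
    r"\d+\s+\w{3}\s+\d+\s+\S+\s+(?P<name>.+)$"
)

def parse_listing(text):
    """Return {name: (mode, owner, group)} for each `ls -l` entry line."""
    entries = {}
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries[m["name"]] = (m["mode"], m["owner"], m["group"])
    return entries

def effective_perms(mode, owner, group, user, user_groups):
    """Pick the one triplet that applies: owner, else group, else other.

    Assumes plain mode bits only (no POSIX ACLs) and a non-root user.
    """
    if user == owner:
        return "owner", mode[1:4]
    if group in user_groups:
        return "group", mode[4:7]
    return "other", mode[7:10]

def can_write(entry, user, user_groups):
    """Return (permission class, True if that class has the write bit)."""
    cls, bits = effective_perms(*entry, user, user_groups)
    return cls, "w" in bits

if __name__ == "__main__":
    dirs = parse_listing(LISTING)
    # Constructed: Printer_drivers given the same mode and ownership as Demo.
    dirs["Printer_drivers (after)"] = dirs["Demo"]
    # Hypothetical account that is a member of Domain Admins.
    for name, entry in dirs.items():
        print(name, can_write(entry, "administrator", {"domain admins"}))
```

With mode bits alone, a directory owned by root:"domain admins" at rwxr-xr-x still resolves to r-x for the group; the two working shares in the listing carry the group write bit as well.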


