[Samba] Point-and-Print driver installation asks for confirmation on current Windows

L.P.H. van Belle belle at bazuin.nl
Mon Aug 29 14:01:39 UTC 2016 

Hai, 

 

One thing. 

> Another point I observed during testing: Windows 10 1607 supports

> (shared) driver isolation for this driver while Samba does not seem to

> allow for this.

You really cant compare a windows PC config to a Server config. 

If you want to test ?correct? setup a virtual windows 2008R2. 

https://www.microsoft.com/en-us/download/details.aspx?id=11093 

a 180 trail..  and you wil see, if you setup the GPO wrong it errors. 

I also have a win 2003 for print testing, that have the same problem when the GPO is wrongly configured. 

 

Check these GPO setttings

Computer Configuration\Policies\Administrative Templates\Printers\Execute Print Drivers In Isolated Processes
This policy setting determines whether the print spooler will execute printer drivers in an isolated or separate process.

If you enable or do not configure this policy setting, the print spooler will attempt to execute printer drivers in an isolated process.

 

Computer Configuration\Policies\Administrative Templates\Printers\Override Print Driver Compatibility Execution Setting Reported By Print Driver
This policy setting determines whether the print spooler will override the driver isolation compatibility reported by the printer driver via the DriverIsolation entry in its .inf file

 

That said..  this works for me, all info i know/have set below is below. 

OS running debian Jessie, samba 4.4.5 (debian package), cups.  ( all debian packages no source packages used ) 

Works for me with : for win7sp1 Win10 1511/1607  (all 64bit)

 

https://wiki.samba.org/index.php/Defining_printer_driver_sources_trusts 

is incomplete imo. 

 

Enable: User can only point and print to these servers. 

You MUST also define the fully qualified servers, due to the MS patches. 

At least i did.   !! again very important in FQDN !! 

 

My setup..  

Setup 1 ) 

https://wiki.samba.org/index.php/Setup_a_Samba_print_server

 

I do use spoolssd: 

rpc_server:spoolss = external

rpc_daemon:spoolssd = fork 

 

added : 

spoolss: architecture = Windows x64 

I have mostly 64 bits here so preffered to 64bit arch. 

 

The ?CUPS? part i used : socket://ip:port 

 

And i  implemented : 

https://wiki.samba.org/index.php/Configure_network_printer_ports

 

Setup a small script : 

#/bin/bash

# you dont want to loose your old port, this makes swithing more easy.

echo "Samba Printer Port"

# Default local domain. ( internal.domain.tld )

IPRANGE=$(hostname -i | cut -d"." -f1,2,3)

DOMAIN=$(hostname -d)

# my printer are in the default range as the server starting from ip .10 to 40. 

for ip in {10..40}

do

 echo "${IPRANGE}.${ip}"

 echo "ptr-ip-0${ip}.${DOMAIN}"

done

 

 

setup 2)

https://wiki.samba.org/index.php/Configuring_Point%27n%27Print_automatic_printer_driver_deployment 

here : 

net rpc rights grant 'Domain Admins' SePrintOperatorPrivilege -U'SAMDOM\administrator' 

I also added the default windows printer groups with the needed rights, these : 

 

BUILTIN\Print Operators

SePrintOperatorPrivilege

 

BUILTIN\Administrators

SePrintOperatorPrivilege

 

NTDOMAIN\Domain Admins 

SePrintOperatorPrivilege

 

And NTDOMAIN\Domain Admin,  should not be needed since its by default added in the BUILTIN\Administrators.

There were some problems here, which has to do with sid/xid mappings, cant recall it, but i added it also. 

 

And im using for a better ACL matchin on the print shares 

acl_xattr:ignore system acl = yes 

after setting this you MUST set the right from within windows and DONT change anything from linux cli anymore.

I added a local linux user to lpadmin and normal windows users was also added to lpadmin to control my cups. 

 

Handy links : 

https://msdn.microsoft.com/en-us/library/windows/hardware/ff560836(v=vs.85).aspx

https://support.microsoft.com/en-us/kb/2793718

https://technet.microsoft.com/en-us/library/cc732946.aspx 

https://technet.microsoft.com/en-us/library/cc753269(v=ws.11).aspx  

http://sourcedaddy.com/windows-7/understanding-printer-driver-isolation.html 

 

 

Tested  (

HP Universal PCL6  6.0.0  No driver isolation support  ( works fine for me ) 

HP Universal PCL6  6.2.1  With driver isolation support. ( works also fine for me ) 

Original Windows Kyocera drivers 

Toshiba Universal printer 2 driver.  PCL6, latest ( from juli 2016 ) 

A Kyocera Beta ( unrelease to public, expected release end september/begin october, is waiting now for ms signing. ) 

This one is optimized for samba installs. 

 

And best is setup a new OU, put a computer and users in there. 

And now configure the printer GPO depolyment there. 

 

 

Greetz, 

 

Louis

 

 

> -----Oorspronkelijk bericht-----

> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Mario Lipinski

> via samba

> Verzonden: vrijdag 26 augustus 2016 18:13

> Aan: samba at lists.samba.org

> Onderwerp: [Samba] Point-and-Print driver installation asks for

> confirmation on current Windows

> 

> Hello,

> 

> when deploying drivers via Point-and-Print recent Windows (tested with

> Windows 10 1607) asks the user to confirm the driver installation. An

> appropriate Policy [1] is set up so that no user interaction should be

> required for the driver installation.

> There are similar reports [2,3] that identify updates KB3163912,

> KB3172985 and KB3170455 causing these issues. However, Windows 10 1607

> seems to ship with these changes.

> 

> Reports suggest, that a "packaged" driver should be used to allow driver

> deployment with Point-and-Print. It is not possible to install a

> "packaged" driver to a Samba server. Although a registry key can be

> manipulated to show the driver as "packaged", this does not seem to work.

> 

> I successfully tested automatic Point-and-Print driver deployment with

> setting up a Windows 10 1607 print server and using a HP Universal Print

> Driver PS 6.2.1 for testing. Since this works, this leads me to belive

> that Samba is at fault.

> 

> Another point I observed during testing: Windows 10 1607 supports

> (shared) driver isolation for this driver while Samba does not seem to

> allow for this.

> 

> I hope that Samba will be fixed/improved to allow automatic driver

> deployment with Windows 10 1607.

> Please advice, if you know any way to get print driver deployment

> working with currrent Windows.

> 

> To move things forward I plan to table this issue to samba-technical as

> I believe this needs fixing in Samba and open a bug report at

> Samba-Bugzilla.

> 

> 

> [1]

> https://wiki.samba.org/index.php/Defining_printer_driver_sources_trusts

> [2] https://lists.samba.org/archive/samba/2016-August/202078.html

> [3]

> https://social.technet.microsoft.com/Forums/office/en-US/030ee94a-047d-

> 460a-bc39-52351a199364/kb3163912-breaks-point-and-print-restrictions-gpo-

> settings?forum=winserverGP

> 

> --

> Mit freundlichen Grüßen,

> Mario Lipinski

> 

> IServ GmbH

> Bültenweg 73

> 38106 Braunschweig

> 

> Telefon:   0531-2243666-0

> Fax:       0531-2243666-9

> E-Mail:    info at iserv.eu

> Internet:  iserv.eu

> 

> USt-IdNr. DE265149425 | Amtsgericht Braunschweig | HRB 201822

> Geschäftsführer: Benjamin Heindl, Jörg Ludwig

> 

> --

> To unsubscribe from this list go to the following URL and read the

> instructions:  https://lists.samba.org/mailman/options/samba

 

More information about the samba mailing list