[Samba] Point-and-Print driver installation asks for confirmation on current Windows

L.P.H. van Belle belle at bazuin.nl
Mon Aug 29 15:02:09 UTC 2016


One thing. 
> Another point I observed during testing: Windows 10 1607 supports
> (shared) driver isolation for this driver while Samba does not seem to
> allow for this.
You really can't compare a Windows PC config to a server config. 
If you want to test “correct”, set up a virtual Windows 2008R2, 
a 180 trial..  and you will see, if you set up the GPO wrong it errors. 
I also have a Win 2003 for print testing, that has the same problem when the GPO is wrongly configured. 

Check these GPO settings
Computer Configuration\Policies\Administrative Templates\Printers\Execute Print Drivers In Isolated Processes
This policy setting determines whether the print spooler will execute printer drivers in an isolated or separate process.
If you enable or do not configure this policy setting, the print spooler will attempt to execute printer drivers in an isolated process.

Computer Configuration\Policies\Administrative Templates\Printers\Override Print Driver Compatibility Execution Setting Reported By Print Driver
This policy setting determines whether the print spooler will override the driver isolation compatibility reported by the printer driver via the DriverIsolation entry in its .inf file

That said..  this works for me, all info i know/have set below is below. 
OS running debian Jessie, samba 4.4.5 (debian package), cups.  ( all debian packages no source packages used ) 
Works for me with : for win7sp1 Win10 1511/1607  (all 64bit)

is incomplete imo. 

Enable: User can only point and print to these servers. 
You MUST also define the fully qualified servers, due to the MS patches. 
At least i did.   !! again very important in FQDN !! 

My setup..  
Setup 1 ) 

I do use spoolssd: 
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork 

added : 
spoolss: architecture = Windows x64 
I have mostly 64 bits here so preferred to 64bit arch. 

The “CUPS” part i used : socket://ip:port 

And i  implemented : 

Setup a small script : 
#!/bin/bash
# you don't want to lose your old port, this makes switching easier.
echo "Samba Printer Port"
# Default local domain. ( internal.domain.tld )
IPRANGE=$(hostname -i | cut -d"." -f1,2,3)
DOMAIN=$(hostname -d)
# my printers are in the default range as the server, starting from ip .10 to 40.
for ip in {10..40}
do
 # print the address and the matching host name for each printer
 echo "${IPRANGE}.${ip}"
 echo "ptr-ip-0${ip}.${DOMAIN}"
done

setup 2)
here : 
net rpc rights grant 'Domain Admins' SePrintOperatorPrivilege -U'SAMDOM\administrator' 
I also added the default windows printer groups with the needed rights, these : 

BUILTIN\Print Operators


NTDOMAIN\Domain Admins 

And NTDOMAIN\Domain Admin,  should not be needed since it's by default added in the BUILTIN\Administrators.
There were some problems here, which have to do with sid/xid mappings, can't recall it, but I added it also. 

And I'm using for a better ACL matching on the print shares 
acl_xattr:ignore system acls = yes 
after setting this you MUST set the rights from within Windows and DON'T change anything from the Linux CLI anymore.
I added a local Linux user to lpadmin and normal Windows users were also added to lpadmin to control my cups. 

Handy links : 

Tested  (
HP Universal PCL6  6.0.0  No driver isolation support  ( works fine for me ) 
HP Universal PCL6  6.2.1  With driver isolation support. ( works also fine for me ) 
Original Windows Kyocera drivers 
Toshiba Universal printer 2 driver.  PCL6, latest ( from July 2016 ) 
A Kyocera Beta ( unreleased to public, expected release end September/begin October, is waiting now for MS signing. ) 
This one is optimized for samba installs. 

And best is setup a new OU, put a computer and users in there. 
And now configure the printer GPO deployment there. 
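
An added example (not part of the original message): a small Python check that reads an smb.conf and reports which of the print-server settings listed in the post are missing or set differently. The sample config and the `print$` share layout are constructed, and the `acl_xattr` option name is the one documented in vfs_acl_xattr(8).

```python
import re
# Settings named in the post; values compared case-insensitively (a simplification).
GLOBAL_WANTED = {"rpc_server:spoolss": "external", "rpc_daemon:spoolssd": "fork",
                 "spoolss:architecture": "windows x64"}
SHARE_WANTED = {"acl_xattr:ignore system acls": "yes"}
# Constructed sample config; the last line uses the singular "acl".
SAMPLE = """\
[global]
    rpc_server:spoolss = external
    RPC_daemon : spoolssd = fork
    spoolss: architecture = Windows x64
[print$]
    vfs objects = acl_xattr
    acl_xattr:ignore system acl = yes
"""

def norm(name):
    # smb.conf(5): case and whitespace in section/parameter names are irrelevant
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalized names."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)   # only the first '=' counts
            conf[section][norm(name)] = value.strip()
    return conf

def audit(text, share="print$"):
    """Report settings from the post that are missing or set differently."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    effective = {**glob, **conf.get(norm(share), {})}   # share overrides global
    findings = []
    for scope, params, wanted in (("global", glob, GLOBAL_WANTED),
                                  (share, effective, SHARE_WANTED)):
        for name, value in wanted.items():
            got = params.get(norm(name))
            if got is None:
                findings.append(f"[{scope}] {name}: not set")
            elif got.lower() != value:
                findings.append(f"[{scope}] {name}: {got!r}, expected {value!r}")
    return findings
```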


