[Samba] point n print driver deployment for canon ip7250

Rowland Penny rpenny at samba.org
Sun Nov 27 16:32:05 UTC 2016


See inline comments:

Sun, 27 Nov 2016 14:31:44 +0000
niya levi via samba <samba at lists.samba.org> wrote:

> > On Mon, 21 Nov 2016 13:42:57 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> >> Hi, 
> >>
> >> Yes thats correct. 
> >> But try the following. 
> >> Make sure you use the usermapping.
> >>
> >> username map = /etc/samba/samba_usermapping 
> >> containing: 
> >> !root = NTDOM\Administrator NTDOM\administrator Administrator
> >> administrator
> >>
> >> And according to the wiki.
> >> (https://wiki.samba.org/index.php/Configuring_Point%27n%27Print_automatic_printer_driver_deployment)  
> >>
> >> For POSIX ACLs:
> >> # chgrp -R "SAMDOM\Domain Admins" /srv/samba/Printer_drivers/
> >> # chmod -R 2755 /srv/samba/Printer_drivers/
> >> Is wrong in my opinion.
> >>
> >> # chmod -R 2775 /srv/samba/Printer_drivers/
> >> Looks better to me. 
> >>
> >> How else are "members of domain admins" allowed to write in
> >> the /srv/samba/Printer_drivers/ folder? 
> >>
> >> Rowland, can you confirm this? 
> > Fixed
> >
> i also thought the permissions looked odd
> but resisted going against the wiki
> until advised by more knowledgeable minds.
> >> But i use the
> >> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs  setup.
> > This is my share setup:
> > [print$]
> >    comment = Printer Drivers
> >    path = /home/samba/printing/drivers
> >    acl_xattr:ignore system acl = yes
> >    writable = yes
> >    guest ok = no
> does acl_xattr:ignore system acl = yes mean ignore posix acls ?

If you mean ignore the Unix ACLs, then yes.


> > Perhaps we need to also add a note that it is better to use windows
> > ACLs

Done.

> last tip. ( for win64 drivers ) 
> > cd /smb/Printer_drivers
> > ln -s x64 X64 
> >
> > i noticed some drivers used capital X in the X64 
> >
> >
> >
> > Greetz, 
> >
> > Louis
> 
> i have tried using rsat to alter the windows acl permissions a couple
> of times
> because i didn't get the permissions right on the previous attempts
> i ended up with permission denied when trying to alter permissions on
> the print$ share
> so i reset the acl's with the following commands
> 
> $ sudo setfacl -b -R /smb/Printer_drivers/*
> $ sudo setfacl -b -R /smb/Printer_drivers/
> $ sudo setfacl -R -m default:group:"Domain
> Admins":rwx /smb/Printer_drivers/
> 
> $ ls -al /smb/Printer_drivers/
> total 8
> drwxrwsr-x+ 1 root domain admins   84 Nov 22 01:47 .
> drwxr-xr-x  7 root root          4096 Nov 14 03:18 ..
> drwxrwsr-x+ 1 root domain admins    0 Oct 30 15:25 IA64
> drwxrwsr-x+ 1 root domain admins    0 Oct 30 15:25 W32ALPHA
> drwxrwsr-x+ 1 root domain admins    0 Oct 30 15:25 W32MIPS
> drwxrwsr-x+ 1 root domain admins    0 Oct 30 15:25 W32PPC
> drwxrwsr-x+ 1 root domain admins    0 Oct 30 15:25 W32X86
> drwxrwsr-x+ 1 root domain admins    0 Oct 30 15:25 WIN40
> drwxrwsr-x+ 1 root domain admins    0 Oct 30 15:25 x64
> lrwxrwxrwx  1 root domain admins    3 Nov 22 01:47 X64 -> x64
> 
> $ sudo getfacl /smb/Printer_drivers/
> getfacl: Removing leading '/' from absolute path names
> # file: smb/Printer_drivers/
> # owner: root
> # group: domain\040admins
> # flags: -s-
> user::rwx
> group::rwx
> other::r-x
> default:user::rwx
> default:group::rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::r-x
> 
> i still get the followig errors.
> 
> Computer Management(TARDIS)\System Tools\SharedFolders\Shares\print$
> share permission tab
> 
> =======================
> an error occurred while applying security information to
> \\TARDIS.AD.TISSISAT.COUK\print$
> failed to enumerate object  in the container. access denied
> if i press continue i get
> unable to save permission changes on print$
> \\TARDIS.AD.TISSISAT.COUK\print$
> access is denied
> 
> if i press cancel i get
> if you stop the propergation of permission settings,
> it might lead to a inconsistent state where objects have different
> settings. if you made this change by mistake you should apply the
> correct permission settings immediately.
> 
> print management/print servers/TARDIS/drivers/add Driver
> ==================================================
> error
> failed to add driver
> access denied
> 
> 
> 
> 

I think you must be mixing up Windows and Posix ACLs, if I follow the
wiki, I get this:

root at devstation:/home/rowland# ls -la /var/lib/samba/Printer_drivers/
total 40
drwxrwx---+ 9 root root 4096 Nov 27 15:45 .
drwxr-xr-x  3 root root 4096 Nov 27 15:44 ..
drwxr-xr-x  2 root root 4096 Nov 27 15:45 IA64
drwxr-xr-x  2 root root 4096 Nov 27 15:45 W32ALPHA
drwxr-xr-x  2 root root 4096 Nov 27 15:45 W32MIPS
drwxr-xr-x  2 root root 4096 Nov 27 15:45 W32PPC
drwxr-xr-x  2 root root 4096 Nov 27 15:45 W32X86
drwxr-xr-x  2 root root 4096 Nov 27 15:45 WIN40
drwxr-xr-x  2 root root 4096 Nov 27 15:45 x64

getfacl /var/lib/samba/Printer_drivers/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/Printer_drivers/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:2004:r-x
group:2005:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:2004:r-x
default:group:2005:rwx
default:mask::rwx
default:other::---

Rowland



More information about the samba mailing list