[Samba] Print driver deployment broken after KB3170455 on Windows 7
geert.lorang at luciad.com
Fri Sep 9 17:26:05 UTC 2016
Since recently printer deployment is broken on Windows 7 (and above?)
due to KB3170455. This is probably the same problem
https://lists.samba.org/archive/samba/2016-August/202078.html on Win 10.
After a lot of reading and investigating it appears that we now (after
- A Point & Print Restriction GPO enabled with FQDN of all Print Servers
and "Do not show warning or elevation prompt" for instaling/updating
drivers - this is easy
- "Packaged drivers" - this is not so easy
The problem is that either "Packaged Drivers" are not available from the
vendor OR Samba does not support this(?).
For Windows Print Servers there is a workaround around where you can
"trick" the print server with a "regular" print driver and making the
x64\Drivers\...\Driver name\PrinterDriverAttributes odd.
When you apply this registry hack the Windows Print Server daemon will
package the driver by itself into a single CAB file - this is probably
what they call the "Packaged Driver" - and then Printer Deployment
This is what happens on a Windows Print Server now when you don't have
packaged drivers available:
1) the normal printer driver installed into
\\print-srv\print$\x64\3\<lots of DDL, cfg, chm files etc>
2) make reg key PrinterDriverAttributes odd
3) when you now try to deploy a Printer from this print server, Windows
will package the driver into \\print-srv\print$\x64\PCC\<your
printer>.inf_amd64_neutral_<some random number>.cab
4) client downloads this CAB file and load this driver into the local
Driver Store (C:\Windows\System32\DriverStore\FileRepository)
5) printers deploy without problem
As a test i copied this packaged driver from 3) into my Samba print
server in \\print-srv\print$\x64\PCC\ but it didn't make any difference.
4) is explained in a post on Technet; quoted from Alan Morris:
> The package drivers are copied to the client from the PCC share on
the print server \\Server\print$\x64\pcc
> The cab file is copied to client , extracted , then staged to the
> At this point the spooler will install the print driver from the
package and copy the file to the \system32\spool\drivers\x64\3 directory
and loaded into the spooler process from there.
> The spooler does some secure validation using the asyncRPC protocols
with package aware drivers
With a process monitor on the client I can confirm that when the print
server is Windows the entire CAB is downloaded, but when the print
server is Linux/Samba I only see a few requests to \\print-srv\print$\x64\3.
Maybe some RPC calls not implemented? I guess the client will send a
request to the server to check which drivers are available on the server
and then Samba returns a list of available drivers? (really no idea,
just a guess!)
Or the "secure validation" does not work but I guess you need to at
least make a single request to the CAB file - which is not happening.
According to Sigcheck.exe the file is not signed.
In any case the problem is limited to the driver installation. As soon
as the driver is installed in the local "Driver Store" everything works
As a workaround you can open \\print-srv -> view remote printers ->
select properties of a printer, a warning will pop-up to download the
printer driver, as soon as you click yes the printer driver will be
installed and printers will deploy again without problem.
If you try to reproduce this make sure the driver is not yet present in
both "Print Management" and "pnputil -e". As long as your driver was
installed before July 2016 you will never hit this issue.
So basically my questions are:
- Does Samba support "\\print-srv\print$\x64\pcc" ?
- Anyone documents/info on "Packaged Drivers" - It seems hard to find?
- Anyone who got print (driver) deployment still working on Win 7with
More information about the samba