[Samba] Print driver deployment broken after KB3170455 on Windows 7

Geert Lorang geert.lorang at luciad.com
Fri Sep 9 17:26:05 UTC 2016


Since recently printer deployment is broken on Windows 7 (and above?) 
due to KB3170455. This is probably the same problem 
https://lists.samba.org/archive/samba/2016-August/202078.html on Win 10.

After a lot of reading and investigating it appears that we now (after 
KB3170455) need:

- A Point & Print Restriction GPO enabled with FQDN of all Print Servers 
and "Do not show warning or elevation prompt" for instaling/updating 
drivers - this is easy
- "Packaged drivers" - this is not so easy

The problem is that either "Packaged Drivers" are not available from the 
vendor OR Samba does not support this(?).

For Windows Print Servers there is a workaround[1] around where you can 
"trick" the print server with a "regular" print driver and making the 
reg. key
x64\Drivers\...\Driver name\PrinterDriverAttributes odd.

When you apply this registry hack the Windows Print Server daemon will 
package the driver by itself into a single CAB file - this is probably 
what they call the "Packaged Driver" - and then Printer Deployment 
actually works.

This is what happens on a Windows Print Server now when you don't have 
packaged drivers available:

1) the normal printer driver installed into 
\\print-srv\print$\x64\3\<lots of DDL, cfg, chm files etc>
2) make reg key PrinterDriverAttributes odd
3) when you now try to deploy a Printer from this print server, Windows 
will package the driver into \\print-srv\print$\x64\PCC\<your 
printer>.inf_amd64_neutral_<some random number>.cab
4) client downloads this CAB file and load this driver into the local 
Driver Store (C:\Windows\System32\DriverStore\FileRepository)
5) printers deploy without problem

As a test i copied this packaged driver from 3) into my Samba print 
server in \\print-srv\print$\x64\PCC\ but it didn't make any difference.

4) is explained in a post[2] on Technet; quoted from Alan Morris:

 > The package drivers are copied to the client from the PCC share on 
the print server  \\Server\print$\x64\pcc
 > The cab file is copied to client , extracted , then staged to the 
 > At this point the spooler will install the print driver from the 
package and copy the file to the \system32\spool\drivers\x64\3 directory 
and loaded into the spooler process from there.
 > ...
 > The spooler does some secure validation using the asyncRPC protocols 
with package aware drivers

With a process monitor on the client I can confirm that when the print 
server is Windows the entire CAB is downloaded, but when the print 
server is Linux/Samba I only see a few requests to \\print-srv\print$\x64\3.
Maybe some RPC calls not implemented? I guess the client will send a 
request to the server to check which drivers are available on the server 
and then Samba returns a list of available drivers? (really no idea, 
just a guess!)
Or the "secure validation" does not work but I guess you need to at 
least make a single request to the CAB file - which is not happening. 
According to Sigcheck.exe the file is not signed.

In any case the problem is limited to the driver installation. As soon 
as the driver is installed in the local "Driver Store" everything works 

As a workaround you can open \\print-srv -> view remote printers -> 
select properties of a printer, a warning will pop-up to download the 
printer driver, as soon as you click yes the printer driver will be 
installed and printers will deploy again without problem.
If you try to reproduce this make sure the driver is not yet present in 
both "Print Management" and "pnputil -e". As long as your driver was 
installed before July 2016 you will never hit this issue.

So basically my questions are:

- Does Samba support "\\print-srv\print$\x64\pcc" ?
- Anyone documents/info on "Packaged Drivers" - It seems hard to find?
- Anyone who got print (driver) deployment still working on Win 7with 
Samba ?



More information about the samba mailing list