[Samba] Print driver deployment broken after KB3170455 on Windows 7

Achim Gottinger achim at ag-web.biz
Fri Sep 9 20:52:38 UTC 2016

Am 09.09.2016 um 19:26 schrieb Geert Lorang via samba:
> Hi,
> Since recently printer deployment is broken on Windows 7 (and above?) 
> due to KB3170455. This is probably the same problem 
> https://lists.samba.org/archive/samba/2016-August/202078.html on Win 10.
> After a lot of reading and investigating it appears that we now (after 
> KB3170455) need:
> - A Point & Print Restriction GPO enabled with FQDN of all Print 
> Servers and "Do not show warning or elevation prompt" for 
> instaling/updating drivers - this is easy
> - "Packaged drivers" - this is not so easy
> The problem is that either "Packaged Drivers" are not available from 
> the vendor OR Samba does not support this(?).
> For Windows Print Servers there is a workaround[1] around where you 
> can "trick" the print server with a "regular" print driver and making 
> the reg. key
> HKLM\System\CurrentControlSet\Control\Print\Enviroments\Windows 
> x64\Drivers\...\Driver name\PrinterDriverAttributes odd.
> When you apply this registry hack the Windows Print Server daemon will 
> package the driver by itself into a single CAB file - this is probably 
> what they call the "Packaged Driver" - and then Printer Deployment 
> actually works.
> This is what happens on a Windows Print Server now when you don't have 
> packaged drivers available:
> 1) the normal printer driver installed into 
> \\print-srv\print$\x64\3\<lots of DDL, cfg, chm files etc>
> 2) make reg key PrinterDriverAttributes odd
> 3) when you now try to deploy a Printer from this print server, 
> Windows will package the driver into \\print-srv\print$\x64\PCC\<your 
> printer>.inf_amd64_neutral_<some random number>.cab
> 4) client downloads this CAB file and load this driver into the local 
> Driver Store (C:\Windows\System32\DriverStore\FileRepository)
> 5) printers deploy without problem
> As a test i copied this packaged driver from 3) into my Samba print 
> server in \\print-srv\print$\x64\PCC\ but it didn't make any difference.
> 4) is explained in a post[2] on Technet; quoted from Alan Morris:
> > The package drivers are copied to the client from the PCC share on 
> the print server  \\Server\print$\x64\pcc
> > The cab file is copied to client , extracted , then staged to the 
> filerepository.
> > At this point the spooler will install the print driver from the 
> package and copy the file to the \system32\spool\drivers\x64\3 
> directory and loaded into the spooler process from there.
> > ...
> > The spooler does some secure validation using the asyncRPC protocols 
> with package aware drivers
> With a process monitor on the client I can confirm that when the print 
> server is Windows the entire CAB is downloaded, but when the print 
> server is Linux/Samba I only see a few requests to 
> \\print-srv\print$\x64\3.
> Maybe some RPC calls not implemented? I guess the client will send a 
> request to the server to check which drivers are available on the 
> server and then Samba returns a list of available drivers? (really no 
> idea, just a guess!)
> Or the "secure validation" does not work but I guess you need to at 
> least make a single request to the CAB file - which is not happening. 
> According to Sigcheck.exe the file is not signed.
> In any case the problem is limited to the driver installation. As soon 
> as the driver is installed in the local "Driver Store" everything 
> works again.
> As a workaround you can open \\print-srv -> view remote printers -> 
> select properties of a printer, a warning will pop-up to download the 
> printer driver, as soon as you click yes the printer driver will be 
> installed and printers will deploy again without problem.
> If you try to reproduce this make sure the driver is not yet present 
> in both "Print Management" and "pnputil -e". As long as your driver 
> was installed before July 2016 you will never hit this issue.
> So basically my questions are:
> - Does Samba support "\\print-srv\print$\x64\pcc" ?
> - Anyone documents/info on "Packaged Drivers" - It seems hard to find?
> - Anyone who got print (driver) deployment still working on Win 7with 
> Samba ?
> [1] 
> https://www.reddit.com/r/sysadmin/comments/50gw1b/solved_deploying_nonpackaged_print_drivers_after/
> [2] 
> https://social.technet.microsoft.com/Forums/office/en-US/6cbdc0b0-761e-4b95-a7de-e9a9ca052f8d/w2k8-server-shared-printers-wont-install-if-drivers-not-in-win7?forum=winserverprint#f5205908-4f0a-4d52-8981-6e9ff0393495
> Thx,
> Geert
Very informative thanks for sharing. Was wondering about the warning 
when adding an new pc to our domain last week.

Seems the so called "Print System Asynchronous Remote Protocol" must be 
implemented to support packaged drivers. See here



More information about the samba mailing list