[Samba] Print driver deployment broken after KB3170455 on Windows 7

Julian Timm X-Dimension at gmx.net
Wed Sep 28 10:51:39 UTC 2016 

Is there any workaround for this problem at the moment?
We are using Windows 10 on our clients and can't rollout our printers anymore.

Thx,
Julian

> Gesendet: Freitag, 09. September 2016 um 22:52 Uhr
> Von: "Achim Gottinger via samba" <samba at lists.samba.org>
> An: samba at lists.samba.org
> Betreff: Re: [Samba] Print driver deployment broken after KB3170455 on Windows 7
>
> 
> 
> Am 09.09.2016 um 19:26 schrieb Geert Lorang via samba:
> > Hi,
> >
> > Since recently printer deployment is broken on Windows 7 (and above?) 
> > due to KB3170455. This is probably the same problem 
> > https://lists.samba.org/archive/samba/2016-August/202078.html on Win 10.
> >
> > After a lot of reading and investigating it appears that we now (after 
> > KB3170455) need:
> >
> > - A Point & Print Restriction GPO enabled with FQDN of all Print 
> > Servers and "Do not show warning or elevation prompt" for 
> > instaling/updating drivers - this is easy
> > - "Packaged drivers" - this is not so easy
> >
> > The problem is that either "Packaged Drivers" are not available from 
> > the vendor OR Samba does not support this(?).
> >
> > For Windows Print Servers there is a workaround[1] around where you 
> > can "trick" the print server with a "regular" print driver and making 
> > the reg. key
> > HKLM\System\CurrentControlSet\Control\Print\Enviroments\Windows 
> > x64\Drivers\...\Driver name\PrinterDriverAttributes odd.
> >
> > When you apply this registry hack the Windows Print Server daemon will 
> > package the driver by itself into a single CAB file - this is probably 
> > what they call the "Packaged Driver" - and then Printer Deployment 
> > actually works.
> >
> > This is what happens on a Windows Print Server now when you don't have 
> > packaged drivers available:
> >
> > 1) the normal printer driver installed into 
> > \\print-srv\print$\x64\3\<lots of DDL, cfg, chm files etc>
> > 2) make reg key PrinterDriverAttributes odd
> > 3) when you now try to deploy a Printer from this print server, 
> > Windows will package the driver into \\print-srv\print$\x64\PCC\<your 
> > printer>.inf_amd64_neutral_<some random number>.cab
> > 4) client downloads this CAB file and load this driver into the local 
> > Driver Store (C:\Windows\System32\DriverStore\FileRepository)
> > 5) printers deploy without problem
> >
> > As a test i copied this packaged driver from 3) into my Samba print 
> > server in \\print-srv\print$\x64\PCC\ but it didn't make any difference.
> >
> > 4) is explained in a post[2] on Technet; quoted from Alan Morris:
> >
> > > The package drivers are copied to the client from the PCC share on 
> > the print server  \\Server\print$\x64\pcc
> > > The cab file is copied to client , extracted , then staged to the 
> > filerepository.
> > > At this point the spooler will install the print driver from the 
> > package and copy the file to the \system32\spool\drivers\x64\3 
> > directory and loaded into the spooler process from there.
> > > ...
> > > The spooler does some secure validation using the asyncRPC protocols 
> > with package aware drivers
> >
> > With a process monitor on the client I can confirm that when the print 
> > server is Windows the entire CAB is downloaded, but when the print 
> > server is Linux/Samba I only see a few requests to 
> > \\print-srv\print$\x64\3.
> > Maybe some RPC calls not implemented? I guess the client will send a 
> > request to the server to check which drivers are available on the 
> > server and then Samba returns a list of available drivers? (really no 
> > idea, just a guess!)
> > Or the "secure validation" does not work but I guess you need to at 
> > least make a single request to the CAB file - which is not happening. 
> > According to Sigcheck.exe the file is not signed.
> >
> > In any case the problem is limited to the driver installation. As soon 
> > as the driver is installed in the local "Driver Store" everything 
> > works again.
> >
> > As a workaround you can open \\print-srv -> view remote printers -> 
> > select properties of a printer, a warning will pop-up to download the 
> > printer driver, as soon as you click yes the printer driver will be 
> > installed and printers will deploy again without problem.
> > If you try to reproduce this make sure the driver is not yet present 
> > in both "Print Management" and "pnputil -e". As long as your driver 
> > was installed before July 2016 you will never hit this issue.
> >
> > So basically my questions are:
> >
> > - Does Samba support "\\print-srv\print$\x64\pcc" ?
> > - Anyone documents/info on "Packaged Drivers" - It seems hard to find?
> > - Anyone who got print (driver) deployment still working on Win 7with 
> > Samba ?
> >
> > [1] 
> > https://www.reddit.com/r/sysadmin/comments/50gw1b/solved_deploying_nonpackaged_print_drivers_after/
> > [2] 
> > https://social.technet.microsoft.com/Forums/office/en-US/6cbdc0b0-761e-4b95-a7de-e9a9ca052f8d/w2k8-server-shared-printers-wont-install-if-drivers-not-in-win7?forum=winserverprint#f5205908-4f0a-4d52-8981-6e9ff0393495
> >
> > Thx,
> > Geert
> >
> Very informative thanks for sharing. Was wondering about the warning 
> when adding an new pc to our domain last week.
> 
> Seems the so called "Print System Asynchronous Remote Protocol" must be 
> implemented to support packaged drivers. See here
> https://bugzilla.redhat.com/show_bug.cgi?id=1369515
> 
> N'night
> 
> Achim
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list