[Samba] access DENIED for non-printserver bits

Åke Holmlund holm at informatik.umu.se
Fri Mar 24 14:00:42 UTC 2017 

Hi,

>> The "Access denied" happens before the installation would
>
>> have started.
>
> Ok so a mis configuration somewere.

Probably. Question is where?

> ( tested with samba 4.4.x 4.5.x 4.6.x on debian jessie with cups and point and print setup.)

I'm now running 4.6.x on Solaris with SYSV printing (with some modifications).

> Like :
>
> Share rights

Looks ok to me. If I connect to the share I have full access (read/write)

> File/folder rights

On the Solaris side the whole directory structure, for the print$ share,
is owned byt the domain admin user.

> SePrivilege rights

Looks like this (changed usernames and IP-numbers):

user at server% net rpc rights list -U "MY-DOM\domainadmin"
Enter MY-DOM\domainadmin's password:
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares
           SeSecurityPrivilege  System security

My smb.conf printer parts:

[global]
        printing = sysv
        printcap name = /var/conf/Samba/printcap
#       printer admin = domainadmin

[print$]
        comment = Skrivardrivrutiner
        path = /var/conf/Samba/print
        browseable = yes
        read only = no             # tested different combinations yes/no
#       write list = domainadmin   # with/without write list
        acl_xattr:ignore system acl = yes # made no difference

[printers]
        comment = Skrivare
        allow hosts = 1.2.3.4/255.255.255.0
        path = /var/spool/Samba
        printable = yes
        read only = yes
        browsable = no
        acl_xattr:ignore system acl = yes  # made no difference
        lpq command = /usr/bin/lpstat %p
        print command = /opt/sbin/smbprint %p %s %J

> check
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server#Granting_the_SePrintOperatorP
> rivilege_Privilege

Done that (see above)

> then 
> https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Client
> s
>
>  
>
> goto : Setting up the [print$] Share
>
> Using Windows ACLs:
>
> Apply that part.

I'm unable to check this right now. Since I have updated W10 to 1607
and Samba from 4.4.x to 4.6.x I have run into some other problems. Time
has run out today so I will have to take a look at that on monday.

Regards,
Åke

More information about the samba mailing list