[Samba] Shared printing between Linux (client) and Windows (server): NT_STATUS_ACCESS_DENIED
L.P.H. van Belle
belle at bazuin.nl
Thu Apr 4 06:37:23 UTC 2019
Try this.
Check the enabled Guest account, go to Devices and Printers in Control Panel,
right click on the network shared default printer and select Printer properties.
Next select the Security tab on the Printer Properties page, and you should see
Everyone in the list of users. Check the permissions for Everyone. At minimum,
Print should be checked in the Allow check box. The print permission granted to
Everyone will be sufficient to allow the Guest account to print to the printer.
Also try with, smbclient -L 192.168.0.100 -m SMB2
Your problem
> map to guest = Bad Password
> usershare allow guests = yes
> guest ok = yes
> guest account = kotee
So now you linux account "nobody" is kotee
Remove
> guest account = kotee
> map to guest = Bad Password
Then try again.
Or enable on both windows and linux the guests, and dont map users or abuse the map to guest.
Or use username/password which need to be the same on both sides and use passthrough auth.
But your so far behind with a lot of fixed, you still might hit SMBv1 problems.
Upgrading samba to 4.9.5 or 4.10.1 should help a lot.
The ubuntu 18.04 packages i have a the repo should work also with Mint 19, but i've not tested that.
You could ;-) https://apt.van-belle.nl for more info.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> cloun via samba
> Verzonden: donderdag 4 april 2019 0:38
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Shared printing between Linux (client) and
> Windows (server): NT_STATUS_ACCESS_DENIED
>
> I have a Windows 7 workstation with physically connected printer and
> Linux laptop (Linux Mint 19). They are connected to each other via
> router with internet cord plugged in.
>
> I managed to establish file exchange between them: create a shared
> resource on one computer, then access it from another. But the same
> trick with printer just do not work: as soon as I try to
> access it via
> network from laptop, it gives me an Access Denied error (if accessed
> from terminal) or requires me to authenticate endlessly (if accessed
> from GUI; any document in print queue gets a `Held for
> Authentication'
> status if I refuse to enter any credentials.
>
> $ samba --version
> Version 4.7.6-Ubuntu
>
> $ uname -r
> 4.15.0-46-generic
>
> I made some log excerpts and command results provided below. I am not
> sure about what else should I include; I am not an experienced Linux
> user by any means, but hope you can give me some advices.
>
> Additional info: SMB v1 is switched off on Windows side due
> to security
> reasons. `$ smbtree' gives no results. Switching ufw does not change
> anything. On Windows side Guest account is active and
> Password Protected
> Sharing is disabled. Printer permissions are set for Guest and I can
> print under Guest account locally on that Win7 machine with
> no problem.
> LOCAL is the name of workgroup.
>
> --------------------------------------------------
> resource list cmd
> --------------------------------------------------
> $ smbclient -L 192.168.0.100
> WARNING: The "null passwords" option is deprecated
> Enter LOCAL\kotee's password:
>
> Sharename Type Comment
> --------- ---- -------
> ADMIN$ Disk ?????????????????? Admin
> C$ Disk ??????????????????????
> ?????????? ????????????
> D$ Disk ??????????????????????
> ?????????? ????????????
> F$ Disk ??????????????????????
> ?????????? ????????????
> H$ Disk ??????????????????????
> ?????????? ????????????
> hp1516 Printer hp1516
> IPC$ IPC ?????????????????? IPC
> print$ Disk ???????????????? ??????????????????
> Public Disk
> Users Disk
> SMB1 disabled -- no workgroup available
> ------------------------------------------------
> end of cmd output
> ------------------------------------------------
>
>
>
>
>
>
>
>
>
>
> ------------------------------------------------
> /etc/samba/smb.conf
> ------------------------------------------------
>
> [global]
> browseable = yes
> workgroup = local
> null passwords = yes
> wins support = true
> local master = no
> domain master = no
> preferred master = no
> client min protocol = SMB2
> ntlm auth = no
> lanman auth = yes
> client ntlmv2 auth = yes
> server string = XXXXXXXXX
> load printers = yes
> printing = cups
> printcap name = cups
> use client driver = yes
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> server role = standalone server
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = Bad Password
> usershare allow guests = yes
> usershare owner only = no
> security = user
> encrypt passwords = yes
> guest ok = yes
> guest account = kotee
>
> [printers]
> comment = All Printers
> ; browseable = yes
> path = /tmp
> printable = yes
> guest ok = yes
> ; read only = yes
> create mask = 0700
> use client driver = yes
>
> [temp]
> browseable = yes
> writeable = yes
> path = /home/kotee/tmp
> force user = kotee
> force group = kotee
> guest ok = yes
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> ; browseable = yes
> ; read only = yes
> ; guest ok = no
> -----------------------------------------------------
> end of /etc/samba/smb.conf file
> -----------------------------------------------------
>
>
> -----------------------------------------------------
> a test printing command
> -----------------------------------------------------
> $ echo -en "asdfg\n" | smbclient "\\\\192.168.0.100\\hp1516"
> -c "print -" -N -d10
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows
> limit (16384)
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> Processing section "[global]"
> doing parameter browseable = yes
> doing parameter workgroup = local
> doing parameter null passwords = yes
> WARNING: The "null passwords" option is deprecated
> doing parameter wins support = true
> doing parameter local master = no
> doing parameter domain master = no
> doing parameter preferred master = no
> doing parameter client min protocol = SMB2
> doing parameter ntlm auth = no
> doing parameter lanman auth = yes
> doing parameter client ntlmv2 auth = yes
> doing parameter server string = XXXXXX
> doing parameter load printers = yes
> doing parameter printing = cups
> doing parameter printcap name = cups
> doing parameter use client driver = yes
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 1000
> doing parameter panic action = /usr/share/samba/panic-action %d
> doing parameter server role = standalone server
> doing parameter unix password sync = yes
> doing parameter passwd program = /usr/bin/passwd %u
> doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> doing parameter pam password change = yes
> doing parameter map to guest = Bad Password
> doing parameter usershare allow guests = yes
> doing parameter usershare owner only = no
> doing parameter security = user
> doing parameter encrypt passwords = yes
> doing parameter guest ok = yes
> doing parameter guest account = kotee
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface wlp4s0 ip=192.168.0.102 bcast=192.168.0.255
> netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="XXXXXXXXXX"
> Client started (version 4.7.6-Ubuntu).
> Connecting to 192.168.0.100 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 87040
> SO_RCVBUF = 372480
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> session request ok
> negotiated dialect[SMB2_10] against server[192.168.0.100]
> got OID=1.3.6.1.4.1.311.2.2.30
> got OID=1.3.6.1.4.1.311.2.2.10
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
> negotiate: struct NEGOTIATE_MESSAGE
> Signature : 'NTLMSSP'
> MessageType : NtLmNegotiate (1)
> NegotiateFlags : 0x62088215 (1644724757)
> 1: NTLMSSP_NEGOTIATE_UNICODE
> 0: NTLMSSP_NEGOTIATE_OEM
> 1: NTLMSSP_REQUEST_TARGET
> 1: NTLMSSP_NEGOTIATE_SIGN
> 0: NTLMSSP_NEGOTIATE_SEAL
> 0: NTLMSSP_NEGOTIATE_DATAGRAM
> 0: NTLMSSP_NEGOTIATE_LM_KEY
> 0: NTLMSSP_NEGOTIATE_NETWARE
> 1: NTLMSSP_NEGOTIATE_NTLM
> 0: NTLMSSP_NEGOTIATE_NT_ONLY
> 0: NTLMSSP_ANONYMOUS
> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> 0: NTLMSSP_TARGET_TYPE_DOMAIN
> 0: NTLMSSP_TARGET_TYPE_SERVER
> 0: NTLMSSP_TARGET_TYPE_SHARE
> 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> 0: NTLMSSP_NEGOTIATE_IDENTIFY
> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> 0: NTLMSSP_NEGOTIATE_TARGET_INFO
> 1: NTLMSSP_NEGOTIATE_VERSION
> 1: NTLMSSP_NEGOTIATE_128
> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> 0: NTLMSSP_NEGOTIATE_56
> DomainNameLen : 0x0000 (0)
> DomainNameMaxLen : 0x0000 (0)
> DomainName : *
> DomainName : ''
> WorkstationLen : 0x0000 (0)
> WorkstationMaxLen : 0x0000 (0)
> Workstation : *
> Workstation : ''
> Version: struct ntlmssp_VERSION
> ProductMajorVersion :
> NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
> ProductMinorVersion :
> NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
> ProductBuild : 0x0000 (0)
> Reserved: ARRAY(3)
> [0] : 0x00 (0)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
> Got challenge flags:
> Got NTLMSSP neg_flags=0x628a8215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_TARGET_TYPE_SERVER
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_TARGET_INFO
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62008215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62008215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - using NTLM1
> session setup ok
> tconx ok
> map_open_params_to_ntcreate: fname = stdin-7154, deny_mode =
> 0x42, open_func = 0x12
> map_open_params_to_ntcreate: file stdin-7154, access_mask =
> 0x12019f, share_mode = 0x3, create_disposition = 0x5,
> create_options = 0x40 private_flags = 0x0
> NT_STATUS_ACCESS_DENIED opening remote file stdin-7154
> ------------------------------------------------------------
> end of cmd output
> ------------------------------------------------------------
>
> ------------------------------------------------------------
> /var/log/cups/error_log
> ------------------------------------------------------------
> E [01/Apr/2019:00:09:15 +0300] [Job 74]
> NT_STATUS_ACCESS_DENIED opening remote spool Test Page
> E [01/Apr/2019:00:09:29 +0300] [Job 74] Session setup failed:
> NT_STATUS_LOGON_FAILURE
> E [01/Apr/2019:00:09:29 +0300] [Job 74] Session setup failed:
> NT_STATUS_ACCESS_DENIED
> E [01/Apr/2019:00:09:29 +0300] [Job 74]
> NT_STATUS_ACCESS_DENIED opening remote spool Test Page
> E [01/Apr/2019:00:12:20 +0300] [Job 75] Session setup failed:
> NT_STATUS_LOGON_FAILURE
> E [01/Apr/2019:00:12:20 +0300] [Job 75] Session setup failed:
> NT_STATUS_ACCESS_DENIED
> ........... (omitted lines) .....................
> E [01/Apr/2019:16:27:12 +0300] [Job 107]
> NT_STATUS_ACCESS_DENIED opening remote spool Test Page
> E [01/Apr/2019:16:30:09 +0300] [Job 107]
> NT_STATUS_ACCESS_DENIED opening remote spool Test Page
> E [01/Apr/2019:16:30:14 +0300] [Job 107]
> NT_STATUS_ACCESS_DENIED opening remote spool Test Page
> E [01/Apr/2019:16:30:19 +0300] [Job 107]
> NT_STATUS_ACCESS_DENIED opening remote spool Test Page
> E [01/Apr/2019:16:30:24 +0300] [Job 107]
> NT_STATUS_ACCESS_DENIED opening remote spool Test Page
> E [01/Apr/2019:16:30:35 +0300] [Job 107]
> NT_STATUS_ACCESS_DENIED opening remote spool Test Page
> -------------------------------------------------------------
> end of excerpt from /var/log/cups/error_log
> -------------------------------------------------------------
>
> -------------------------------------------------------------
> /var/log/samba/log.smbd
> -------------------------------------------------------------
> ... (same lines) ...
> STATUS=daemon 'smbd' finished starting up and ready to
> serve connections
> [2019/04/01 17:25:05.324671, 0]
> ../lib/util/become_daemon.c:124(daemon_ready)
> STATUS=daemon 'smbd' finished starting up and ready to
> serve connections
> [2019/04/01 18:03:11.886409, 0]
> ../lib/util/become_daemon.c:124(daemon_ready)
> STATUS=daemon 'smbd' finished starting up and ready to
> serve connections
> --------------------------------------------------------------
> end of excerpt from /var/log/samba/log.smbd
> --------------------------------------------------------------
>
> -------------------------------------------------------------
> /var/log/samba/log.nmbd
> -------------------------------------------------------------
> ... (same lines) ...
> [2019/04/01 18:03:14.227989, 0] ../source3/nmbd/nmbd.c:58(terminate)
> Got SIGTERM: going down...
> [2019/04/01 18:03:14.309438, 0]
> ../source3/nmbd/asyncdns.c:158(start_async_dns)
> started asyncdns process 4299
> [2019/04/01 18:03:14.315341, 0]
> ../lib/util/become_daemon.c:124(daemon_ready)
> STATUS=daemon 'nmbd' finished starting up and ready to
> serve connections
> --------------------------------------------------------------
> end of excerpt from /var/log/samba/log.nmbd
> --------------------------------------------------------------
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list