[Samba] Problem accessing Samba as a member server sharing Cups Printers - not listed in Windows Print Management console
Michael Evans
michael.evans at nor-consult.com
Fri Dec 31 02:05:52 UTC 2021
I'm trying to setup a samba server as a print server in an existing domain
with (older) Windows DCs (to be replaced hopefully soon). The clients are
all Windows 10 systems.
Connecting to \\printserver\ shows the printers (both I've setup in CUPS so
far), but connections fail (... Connect -> Add Printer - Connect to Printer
- Windows cannot connect to the printer - Operation Failed with error
0x0000001f). Samba's logs, even at log level 10, don't quite show me where
to fix the issue. I don't know why it can't connect to spoolss, if there's
a problem there, if the samba server can't connect to my workstation (for
testing I've disabled the firewall temporarily, the issue persists), etc.
A fileshare, named testshare, works, I can create files from a Windows 10
PC.
If there is any other information I can provide and/or any other tests I can
run to provide useful data?
I've run out of places to look for more data and search engine results
haven't been helpful (nearly all of them in a short list are about disabling
the printer support entirely).
Attempting to map a printer results in some log entries...
[2021/12/31 01:33:13.894843, 10, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../lib/util/util.c:722(dump_data)
[0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 4C 00 41 .\.P.I.P
.E.\.L.A
[0010] 00 4E 00 4D 00 41 00 4E 00 00 00 00 00 46 00 7A .N.M.A.N
.....F.z
[0020] 57 72 4C 68 00 42 31 33 00 70 72 6E 6C 78 63 31 WrLh.B13
.prnname
[0030] 00 00 00 00 00 .....
[2021/12/31 01:33:13.894888, 3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/process.c:1548(switch_message)
switch message SMBtrans (pid 21151) conn 0x55b6e8438050
[2021/12/31 01:33:13.894904, 5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
change_to_user_impersonate: Skipping user change - already user
[2021/12/31 01:33:13.894926, 5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/uid.c:293(print_impersonation_info)
print_impersonation_info: Impersonated user: uid=(4100,4100),
gid=(0,4104), cwd=[/tmp]
[2021/12/31 01:33:13.894945, 3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/ipc.c:589(handle_trans)
trans <\PIPE\LANMAN> data=0 params=24 setup=0
[2021/12/31 01:33:13.894971, 5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/ipc.c:624(handle_trans)
calling named_pipe
[2021/12/31 01:33:13.894984, 3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/ipc.c:542(named_pipe)
named pipe command on <LANMAN> name
[2021/12/31 01:33:13.894997, 3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:5779(api_reply)
Got API command 70 of form <zWrLh> <B13>
(tdscnt=0,tpscnt=24,mdrcnt=0,mprcnt=6)
[2021/12/31 01:33:13.895009, 3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:5787(api_reply)
Doing DosPrintQGetInfo
[2021/12/31 01:33:13.895025, 3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:808(api_DosPrintQGetInfo)
api_DosPrintQGetInfo uLevel=0 name=prnname
[2021/12/31 01:33:13.895045, 5, pid=21151, effective(4100, 4104),
real(4100, 0), class=rpc_srv]
../../source3/rpc_server/rpc_ncacn_np.c:1311(rpc_pipe_open_interface)
Connecting to spoolss pipe.
[2021/12/31 01:33:13.895101, 4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(4100, 4104) : sec_ctx_stack_ndx = 1
[2021/12/31 01:33:13.895120, 4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/uid.c:561(push_conn_ctx)
push_conn_ctx(45144) : conn_ctx_stack_ndx = 0
[2021/12/31 01:33:13.895133, 4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/12/31 01:33:13.895145, 5, pid=21151, effective(4100, 4104),
real(4100, 0)]
../../libcli/security/security_token.c:52(security_token_debug)
Security token: (NULL)
[2021/12/31 01:33:13.895157, 5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/12/31 01:33:13.895190, 10, pid=21151, effective(0, 0), real(0, 0)]
../../libcli/named_pipe_auth/npa_tstream.c:152(tstream_npa_connect_send)
[2021/12/31 01:33:13.895202, 1, pid=21151, effective(0, 0), real(0, 0),
class=rpc_parse] ../../librpc/ndr/ndr.c:429(ndr_print_debug)
...
[2021/12/31 01:33:13.896039, 4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (4100, 4104) - sec_ctx_stack_ndx = 0
[2021/12/31 01:33:13.896056, 1, pid=21151, effective(4100, 4104),
real(4100, 0), class=rpc_srv]
../../source3/rpc_server/rpc_ncacn_np.c:1117(make_external_rpc_pipe_p)
tstream_npa_connect_recv to /var/run/samba/ncalrpc/np for pipe spoolss
and user WINDOM\anadminuser failed: Connection refused
[2021/12/31 01:33:13.896073, 1, pid=21151, effective(4100, 4104),
real(4100, 0), class=rpc_srv]
../../source3/rpc_server/rpc_ncacn_np.c:1173(rpc_pipe_open_external)
Unable to make proxy_state for connection to spoolss.
[2021/12/31 01:33:13.896093, 0, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:846(api_DosPrintQGetInfo)
api_DosPrintQGetInfo: could not connect to spoolss: NT_STATUS_UNSUCCESSFUL
[2021/12/31 01:33:13.896393, 4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:967(api_DosPrintQGetInfo)
printqgetinfo: errorcode 31
[2021/12/31 01:33:13.896410, 5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/ipc.c:59(copy_trans_params_and_data)
copy_trans_params_and_data: params[0..6] data[0..0] (align 2)
dpkg -l ...
ii samba-common 2:4.13.13+dfsg-1~deb11u2 all common files used
by both the Samba server and client
ii cups 2.3.3op2-3+deb11u1 amd64 Common UNIX Printing
System(tm) - PPD/driver support, web interface
smb.conf
[global]
#log level = 0
#log level = 1 printdrivers:10 rpc_parse:10 rpc_srv:10 rpc_cli:10
log level = 10
security = ads
realm = WINDOM.LOCAL
workgroup = WINDOM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# The DC is old
client min protocol = NT1
server min protocol = NT1
client max protocol = SMB3
server role = member server
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
winbind normalize names = Yes
disable netbios = yes
# I like using Unix tools for file management
winbind enum users = yes
winbind enum groups = yes
# Just copied this from the recommended configuration, modify to reflect
your needs.
idmap config * : backend = tdb
idmap config * : range = 10000-15999
idmap config WINDOM : backend = ad
idmap config WINDOM : schema_mode = rfc2307
idmap config WINDOM : range = 4000-9999
idmap config WINDOM : unix_nss_info = yes
load printers = yes
printing = cups
printcap name = cups
disable spoolss = no
rpc_server:spoolss = external
rpc_server:spoolssd = fork
spoolssd:prefork_min_children = 5
spoolssd:prefork_max_children = 25
spoolssd:prefork_spawn_rate = 5
spoolssd:prefork_max_allowed_clients = 100
spoolssd:prefork_child_min_life = 60
client ldap sasl wrapping = sign
ldap server require strong auth = no
# user Administrator workaround, without it you are unable to set
privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
# turn off usershares
usershare max shares = 0
[testshare]
comment = testshare
path = /samba/network/testshare
valid users = "@WINDOM\domain users" "@domain users" "@domain users@
WINDOM.LOCAL" scanned
read only = No
follow symlinks = yes
wide links = no
[printers]
comment = All Printers
browseable = yes
path = /samba/network/spool
printable = yes
[print$]
comment = Printer Drivers
path = /samba/network/printerdrivers
browseable = yes
read only = no
guest ok = no
write list = root @lpadmin anadminaccount "@domain admins" "@domain
admins at WINDOM.LOCAL"
cat /etc/samba/user.map
!root = WINDOM\Administrator
More information about the samba
mailing list