[Samba] Problem accessing Samba as a member server sharing Cups Printers - not listed in Windows Print Management console

Michael Evans michael.evans at nor-consult.com
Fri Dec 31 02:05:52 UTC 2021 

I'm trying to setup a samba server as a print server in an existing domain
with (older) Windows DCs (to be replaced hopefully soon).  The clients are
all Windows 10 systems.

Connecting to \\printserver\ shows the printers (both I've setup in CUPS so
far), but connections fail (... Connect -> Add Printer - Connect to Printer
- Windows cannot connect to the printer - Operation Failed with error
0x0000001f).  Samba's logs, even at log level 10, don't quite show me where
to fix the issue.  I don't know why it can't connect to spoolss, if there's
a problem there, if the samba server can't connect to my workstation (for
testing I've disabled the firewall temporarily, the issue persists), etc.

A fileshare, named testshare, works, I can create files from a Windows 10
PC.


If there is any other information I can provide and/or any other tests I can
run to provide useful data?
I've run out of places to look for more data and search engine results
haven't been helpful (nearly all of them in a short list are about disabling
the printer support entirely).

Attempting to map a printer results in some log entries...


[2021/12/31 01:33:13.894843, 10, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../lib/util/util.c:722(dump_data)
  [0000] 00 5C 00 50 00 49 00 50   00 45 00 5C 00 4C 00 41   .\.P.I.P
.E.\.L.A
  [0010] 00 4E 00 4D 00 41 00 4E   00 00 00 00 00 46 00 7A   .N.M.A.N
.....F.z
  [0020] 57 72 4C 68 00 42 31 33   00 70 72 6E 6C 78 63 31   WrLh.B13
.prnname
  [0030] 00 00 00 00 00                                     ..... 
[2021/12/31 01:33:13.894888,  3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/process.c:1548(switch_message)
  switch message SMBtrans (pid 21151) conn 0x55b6e8438050
[2021/12/31 01:33:13.894904,  5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2021/12/31 01:33:13.894926,  5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/uid.c:293(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(4100,4100),
gid=(0,4104), cwd=[/tmp]
[2021/12/31 01:33:13.894945,  3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/ipc.c:589(handle_trans)
  trans <\PIPE\LANMAN> data=0 params=24 setup=0
[2021/12/31 01:33:13.894971,  5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/ipc.c:624(handle_trans)
  calling named_pipe
[2021/12/31 01:33:13.894984,  3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/ipc.c:542(named_pipe)
  named pipe command on <LANMAN> name
[2021/12/31 01:33:13.894997,  3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:5779(api_reply)
  Got API command 70 of form <zWrLh> <B13>
(tdscnt=0,tpscnt=24,mdrcnt=0,mprcnt=6)
[2021/12/31 01:33:13.895009,  3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:5787(api_reply)
  Doing DosPrintQGetInfo
[2021/12/31 01:33:13.895025,  3, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:808(api_DosPrintQGetInfo)
  api_DosPrintQGetInfo uLevel=0 name=prnname
[2021/12/31 01:33:13.895045,  5, pid=21151, effective(4100, 4104),
real(4100, 0), class=rpc_srv]
../../source3/rpc_server/rpc_ncacn_np.c:1311(rpc_pipe_open_interface)
  Connecting to spoolss pipe.
[2021/12/31 01:33:13.895101,  4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(4100, 4104) : sec_ctx_stack_ndx = 1
[2021/12/31 01:33:13.895120,  4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/uid.c:561(push_conn_ctx)
  push_conn_ctx(45144) : conn_ctx_stack_ndx = 0
[2021/12/31 01:33:13.895133,  4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/12/31 01:33:13.895145,  5, pid=21151, effective(4100, 4104),
real(4100, 0)]
../../libcli/security/security_token.c:52(security_token_debug)
  Security token: (NULL)
[2021/12/31 01:33:13.895157,  5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/12/31 01:33:13.895190, 10, pid=21151, effective(0, 0), real(0, 0)]
../../libcli/named_pipe_auth/npa_tstream.c:152(tstream_npa_connect_send)
[2021/12/31 01:33:13.895202,  1, pid=21151, effective(0, 0), real(0, 0),
class=rpc_parse] ../../librpc/ndr/ndr.c:429(ndr_print_debug)
...
[2021/12/31 01:33:13.896039,  4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (4100, 4104) - sec_ctx_stack_ndx = 0
[2021/12/31 01:33:13.896056,  1, pid=21151, effective(4100, 4104),
real(4100, 0), class=rpc_srv]
../../source3/rpc_server/rpc_ncacn_np.c:1117(make_external_rpc_pipe_p)
  tstream_npa_connect_recv  to /var/run/samba/ncalrpc/np for pipe spoolss
and user WINDOM\anadminuser failed: Connection refused
[2021/12/31 01:33:13.896073,  1, pid=21151, effective(4100, 4104),
real(4100, 0), class=rpc_srv]
../../source3/rpc_server/rpc_ncacn_np.c:1173(rpc_pipe_open_external)
  Unable to make proxy_state for connection to spoolss.
[2021/12/31 01:33:13.896093,  0, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:846(api_DosPrintQGetInfo)
  api_DosPrintQGetInfo: could not connect to spoolss: NT_STATUS_UNSUCCESSFUL
[2021/12/31 01:33:13.896393,  4, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/lanman.c:967(api_DosPrintQGetInfo)
  printqgetinfo: errorcode 31
[2021/12/31 01:33:13.896410,  5, pid=21151, effective(4100, 4104),
real(4100, 0)] ../../source3/smbd/ipc.c:59(copy_trans_params_and_data)
  copy_trans_params_and_data: params[0..6] data[0..0] (align 2)


dpkg -l ...
ii  samba-common   2:4.13.13+dfsg-1~deb11u2 all          common files used
by both the Samba server and client
ii  cups           2.3.3op2-3+deb11u1 amd64        Common UNIX Printing
System(tm) - PPD/driver support, web interface


smb.conf
[global]
    #log level = 0
    #log level = 1 printdrivers:10 rpc_parse:10 rpc_srv:10 rpc_cli:10 
    log level = 10

    security = ads
    realm = WINDOM.LOCAL
    workgroup = WINDOM

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # The DC is old
    client min protocol = NT1
    server min protocol = NT1
    client max protocol = SMB3
    server role = member server

    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    winbind normalize names = Yes
    disable netbios = yes
    # I like using Unix tools for file management
    winbind enum users = yes
    winbind enum groups = yes

    # Just copied this from the recommended configuration, modify to reflect
your needs.
    idmap config * : backend = tdb
    idmap config * : range = 10000-15999
    idmap config WINDOM : backend = ad
    idmap config WINDOM : schema_mode = rfc2307
    idmap config WINDOM : range = 4000-9999
    idmap config WINDOM : unix_nss_info = yes

    load printers = yes
    printing = cups
    printcap name = cups
    disable spoolss = no
    rpc_server:spoolss = external
    rpc_server:spoolssd = fork
    spoolssd:prefork_min_children = 5
    spoolssd:prefork_max_children = 25
    spoolssd:prefork_spawn_rate = 5
    spoolssd:prefork_max_allowed_clients = 100
    spoolssd:prefork_child_min_life = 60

    client ldap sasl wrapping = sign
    ldap server require strong auth = no

    # user Administrator workaround, without it you are unable to set
privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes

    # turn off usershares
    usershare max shares = 0

[testshare]
        comment = testshare
        path = /samba/network/testshare
        valid users = "@WINDOM\domain users" "@domain users" "@domain users@
WINDOM.LOCAL" scanned
        read only = No
        follow symlinks = yes
        wide links = no

[printers]
   comment = All Printers
   browseable = yes
   path = /samba/network/spool
   printable = yes

[print$]
   comment = Printer Drivers
   path = /samba/network/printerdrivers
   browseable = yes
   read only = no
   guest ok = no
   write list = root @lpadmin anadminaccount "@domain admins" "@domain
admins at WINDOM.LOCAL"


cat /etc/samba/user.map 
!root = WINDOM\Administrator

More information about the samba mailing list