[Samba] Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1 borks printing

Aaron de Bruyn aaron at heyaaron.com
Sat Dec 24 23:14:11 UTC 2022


I've been fighting with this for a few months now.

I removed Louis' repos because they are starting to have more and more dependency issues, and updated to 2:4.17.3+dfsg-3~bpo11+1 from the Debian repos.
Printing was still gorked, but for a different reason.

Windows would still pull up the printer and submit jobs, but new clients couldn't connect to the printers or install drivers.

After a bit of digging, I found the changes discussed earlier in the thread about vfs_full_audit (open vs openat, etc...) were hitting me.
I temporarily disabled auditing and printing started working.

I re-enabled auditing and corrected the success/failure names and everything appears to be working now.

We'll see on Tuesday when everyone returns to the offices. 😉

I hope Louis is doing well. I haven't seen any signs of him being online for a few months.

-A

On Wed Oct 19, 2022, 01:53 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
> Apologies for the very very late reply Louis.
>
> I didn't get a chance to enable debugging before the network got busy this morning, but here's a lightly redacted smbd.conf showing my global section along with the two printer sections:
>
> [global]
> workgroup = REDACTED
> server string = uslogsdnas01
> netbios name = USLOGSDNAS01
> disable netbios = yes
> interfaces = lo vmbr0
> map archive = False
> map readonly = False
> map system = False
> map to guest = Never
> realm = REDACTED.LOCAL
> usershare path =
> local master = False
> socket options = TCP_NODELAY
> security = ADS
> idmap config * : backend = tdb
> idmap config * : range = 10000-50000
> winbind enum groups = yes
> winbind enum users = yes
> winbind nss info = template
> winbind cache time = 300
> template shell = /usr/bin/bash
> template homedir = /tank/users/%U
> obey pam restrictions = no
> client ldap sasl wrapping = seal
> server schannel = True
> client schannel = True
> winbind use default domain = yes
> winbind expand groups = 1
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = True
> min protocol = SMB2
> max protocol = SMB3
> server signing = mandatory
> client signing = mandatory
> smb encrypt = desired
> store dos attributes = False
> winbind offline logon = yes
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> load printers = False
> printing = CUPS
> printcap = cups
> spoolss: architecture = Windows x64
>
> [printers]
> comment = Printer Drivers Share
> path = /var/spool/samba/
> write list = redacted-printer-admin-user
> printable = True
>
> available = yes
> hide dot files = yes
> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
> browseable = yes
> force create mode = 0666
> force directory mode = 0777
> recycle:repository = .recycle/%U
> recycle:keeptree = yes
> recycle:versions = yes
> recycle:touch = yes
> recycle:directory_mode = 0777
> recycle:subdir_mode = 0700
> shadow:snapdir = .zfs/snapshot
> shadow:sort = desc
> shadow:format = _%Y-%m-%d_%H:%M:%S
> shadow:snapprefix = ^autosnap
> shadow:delimiter = _
> shadow:localtime = no
> full_audit:prefix = %I|%u|%m|%S
> full_audit:facility = LOCAL6
> full_audit:priority = ALERT
> full_audit:success = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
> full_audit:failure = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
> vfs objects = shadow_copy2 full_audit
>
> [print$]
> comment = Printer Driver Share
> path = /tank/print
> guest ok = False
> write list = redacted-printer-admin-user
>
> available = yes
> hide dot files = yes
> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
> browseable = yes
> force create mode = 0666
> force directory mode = 0777
> recycle:repository = .recycle/%U
> recycle:keeptree = yes
> recycle:versions = yes
> recycle:touch = yes
> recycle:directory_mode = 0777
> recycle:subdir_mode = 0700
> shadow:snapdir = .zfs/snapshot
> shadow:sort = desc
> shadow:format = _%Y-%m-%d_%H:%M:%S
> shadow:snapprefix = ^autosnap
> shadow:delimiter = _
> shadow:localtime = no
> full_audit:prefix = %I|%u|%m|%S
> full_audit:facility = LOCAL6
> full_audit:priority = ALERT
> full_audit:success = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
> full_audit:failure = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
> vfs objects = shadow_copy2 full_audit
>
> I just tested this morning with the newer releases of Samba (2:4.16.2+dfsg-1nmu1~deb11.1) and the printing issue still exists.
> I did try after disabling apparmor for Samba and cups with no success.
>
> I rolled back to 2:4.13.13+dfsg-1~deb11u5.
>
> -A
>
> On Thu Sep 1, 2022, 07:20 AM GMT, L. van Belle via samba <mailto:samba at lists.samba.org> wrote:
>> Hm,
>>
>> I've been reading the thread on this.
>>>> Absolutely nothing prints except a test page submitted directly through the CUPS web GUI
>>
>> So, then yes, this has to be the link between samba and cups.
>> So, I suggest to enable debugging and to not get overloaded in it.
>>
>> Read these first.
>> https://wiki.samba.org/index.php/Client_specific_logging
>> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>> And enable debugging for 1 client, which makes debugging a bit easier.
>>
>> Can you also share a smb.conf and/or compare it to mine,
>> as I'm also running with this version: 2:4.16.2+dfsg-1nmu1~deb11.1 and no
>> problems here.
>>
>> I use backend AD with point and print setup.
>> All printer shares are pushed through AD with \\FQ.DN.TLD\printer
>> And my printer had A and PTR DNS records.
>>
>> [global]
>>
>> # Workaround *after latest CVE update.
>> min domain uid = 0
>>
>> #log level = 1 auth_audit:3
>> #log level = 0 full_audit:2@/var/log/samba_audit.log
>> log level = 0
>>
>> workgroup = ADDOM
>> security = ADS
>> realm = ADDOM.DOMAIN.TLD
>> netbios name = PRINT1
>>
>> preferred master = no
>> domain master = no
>> host msdfs = no
>>
>> interfaces = 192.168.1.11 127.0.0.1
>> bind interfaces only = yes
>>
>> dns proxy = yes
>>
>> # Add and Update TLS Key
>> tls enabled = yes
>> tls keyfile = /etc/ssl/local/private/XXXXXXX.key
>> tls certfile = /etc/ssl/local/certs/XXXXXXX.crt
>> tls cafile = /etc/ssl/local/XXXXXXX_CA_Intermediate.crt
>>
>>
>> ## map id's outside to domain to tdb files.
>> idmap config * :backend = tdb
>> idmap config * :range = 2000-9999
>>
>> ## map ids from the domain the range may not overlap !
>> idmap config ADDOM : backend = ad
>> idmap config ADDOM : schema_mode = rfc2307
>> idmap config ADDOM : range = 10000-3999999
>> idmap config ADDOM : unix_primary_group = yes
>> idmap config ADDOM : unix_nss_info = yes
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> # Renew the kerberos ticket
>> winbind refresh tickets = yes
>>
>> # show domain prefix
>> # set to no, dont use the default domain, output shows: DOMAIN\user
>> # set to yes, use the default domain, output shows: user
>> winbind use default domain = yes
>>
>> # show users with getent passwd
>> winbind enum users = no
>> winbind enum groups = no
>>
>> # enable offline logins
>> winbind offline logon = yes
>>
>> # check depth of nested groups, ! slows down your samba, if too much groups depth
>> winbind expand groups = 1
>>
>> # user Administrator workaround, without it you are unable to set privileges
>> username map = /etc/samba/samba_usermapping
>>
>> # disable usershares creating, when set empty no error log messages.
>> usershare path =
>>
>> # For Windows ACL support on member file server, enabled globally, OBLIGATED
>> # For a mixed setup of rights, put this per share!
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> # Share Setting Globally
>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>> hide unreadable = yes
>>
>> ##### PRINT SERVER PART #######
>> #enable asu support = yes
>>
>> ## Enabling spoolssd
>> rpc_server:spoolss = external
>> rpc_daemon:spoolssd = fork
>> spoolss:architecture = Windows x64
>> spoolssd:prefork_min_children = 5 # Minimum number of child processes
>> spoolssd:prefork_max_children = 25 # Maximum number of child processes
>> spoolssd:prefork_spawn_rate = 5 # Start (fork) x new children if one connection comes in (up to prefork_max_children)
>> spoolssd:prefork_max_allowed_clients = 100 # Number of clients, a child process should be responsible for
>> spoolssd:prefork_child_min_life = 60 # Minimum lifetime of a child process (60 seconds is the minimum, even a lower value has been configured)
>>
>> load printers = yes
>>
>>
>> # Windows clients look for this share name as a source of downloadable
>> # printer drivers
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/printers
>> acl_xattr:ignore system acl = yes
>> browseable = yes
>> writable = yes
>> guest ok = no
>> # Uncomment to allow remote administration of Windows print drivers.
>> # You may need to replace 'lpadmin' with the name of the group your
>> # admin users are members of.
>> # Please note that you also need to set appropriate Unix permissions
>> # to the drivers directory for these users to have write rights in it
>> write list = root, administrator, @"Domain Admins", @lpadmin, @"Print Operators"
>>
>> [printers]
>> comment = All Printers
>> path = /var/lib/samba/printing/spool
>> acl_xattr:ignore system acl = yes
>> browseable = yes
>> printable = yes
>> printing = CUPS
>>
>>
>>
>> So far,
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: samba <samba-bounces at lists.samba.org> On behalf of Aaron de Bruyn via samba
>>> Sent: Wednesday 31 August 2022 21:33
>>> To: Rowland penny <rpenny at samba.org>; samba at lists.samba.org
>>> Subject: Re: [Samba] Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1 borks printing
>>>
>>> These machines are all domain members, not DCs.
>>>
>>> I'll do some more troubleshooting tonight and enable debugging when the
>>> network is quiet and see if I can find anything.
>>>
>>> -A
>>>
>>> On Wed Aug 31, 2022, 06:06 PM GMT, Rowland Penny via samba
>>> <mailto:samba at lists.samba.org> wrote:
>>> > On Wed, 2022-08-31 at 17:52 +0000, Aaron de Bruyn wrote:
>>> >> Hey Rowland,
>>> >>
>>> >> I did see that thread.
>>> >> I don't have a /var/cache/samba/printer_list.tdb.
>>> >
>>> > Funny that, I don't print, but I have, but only on Unix domain member.
>>> >>
>>> >> # find /var/cache/samba -iname '*print*'
>>> >> /var/cache/samba/printing
>>> >> /var/cache/samba/printing/printers.tdb
>>> >> #
>>> >>
>>> >> I did try stopping Samba and CUPS at one site and I removed the
>>> >> printers.tdb file, then started Samba and CUPS. That didn't resolve
>>> >> the issue.
>>> >
>>> > The fix was posted by Andreas and he should know, he writes some of
>>> > the code. I wouldn't have a clue about printing.
>>> >
>>> > Rowland
>>> >
>>> > --
>>> > To unsubscribe from this list go to the following URL and read the
>>> > instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
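
Added example (not part of the original thread, and not Samba project code): a small checker for the fix described at the top of this message, where the full_audit:success / full_audit:failure op names had to be corrected (open vs openat). The sample config and SAMPLE_VALID_OPS are constructed placeholders; take the real op list from the vfs_full_audit man page of the installed Samba version.

```python
import re

# Constructed smb.conf fragment modelled on the shares quoted in this thread.
SAMPLE_CONF = """\
[global]
    full_audit:failure = connect disconnect open
[print$]
    vfs objects = shadow_copy2 full_audit
    full_audit:success = connect disconnect renameat pwrite unlinkat pwrite open
[printers]
    vfs objects = shadow_copy2 full_audit
    full_audit:success = none
"""

# Assumption: placeholder allow-list, NOT the real list for any Samba release.
# Build the real one from the vfs_full_audit man page of the installed version.
SAMPLE_VALID_OPS = {"connect", "disconnect", "renameat", "pwrite", "unlinkat", "openat"}

def parse_sections(text):
    """Return {section: {parameter: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            # parameter names are compared without case or embedded whitespace
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def check_full_audit(text, valid_ops):
    """Return (share, option, problem, op) for each share loading full_audit."""
    sections = parse_sections(text)
    allowed = set(valid_ops) | {"all", "none"}   # special names from the man page
    findings = []
    for name, params in sections.items():
        merged = {**sections.get("global", {}), **params}  # shares inherit [global]
        if name == "global" or "full_audit" not in merged.get("vfsobjects", "").split():
            continue
        for opt in ("full_audit:success", "full_audit:failure"):
            seen = set()
            for op in merged.get(opt, "").split():
                if op in seen:
                    findings.append((name, opt, "duplicate", op))
                elif op not in allowed:
                    findings.append((name, opt, "unknown", op))
                seen.add(op)
    return findings

if __name__ == "__main__":
    for finding in check_full_audit(SAMPLE_CONF, SAMPLE_VALID_OPS):
        print(*finding, sep=" | ")
```

Running it against a config before an upgrade lists every share whose audit op names would need correcting, including names inherited from [global].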