[Samba] Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1 borks printing

Aaron de Bruyn aaron at heyaaron.com
Tue Dec 27 19:49:42 UTC 2022


Printing is still borked in 2:4.17.3+dfsg-3~bpo11+1. Unfortunately I can no longer roll back to 2:4.13.13+dfsg-1~deb11u4 which was working.

Documents spool to the printer and the Windows print queue has a status of "Printing". The documents are huge. A simple test page is 5.99 MB instead of the more typical "several KB".

Strangely, if I connect to a printer and the print queue window is up, it will stay up for ~30-60 seconds, then the window simply disappears.

Nothing shows up in the CUPS page, error, or access logs when printing.

Sending a test page directly from the CUPS interface prints just fine.

I disabled apparmor everywhere and restarted winbind, samba, and CUPS to make sure that wasn't interfering.

According to CUPS debug logging, nothing is being submitted. Not even a blip when I submit a test page from Windows.

When I submit from the CUPS interface, it prints just fine.

There's definitely something wrong between Samba and CUPS.

The only evidence I can find is in log.rpcd_spoolss:
[2022/12/27 11:47:15, 0] ../../source3/printing/printer_list.c:58(get_printer_list_db)
get_printer_list_db: Failed to open printer_list.tdb

The printer_list.tdb file doesn't exist.

I'm not sure what re-creates that file, but I've double-checked that apparmor is disabled and I even tried chmodding /var/cache/samba/printing to 777.

I do notice that /var/cache/samba/printing contains 'printers.tdb'. Is it possible the file name changed in recent versions from printer_list.tdb to printers.tdb?

-A

On Sat Dec 24, 2022, 11:14 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
> I've been fighting with this for a few months now.
>
> I removed Louis' repos because they are starting to have more and more dependency issues, and updated to 2:4.17.3+dfsg-3~bpo11+1 from the Debian repos.
> Printing was still gorked, but for a different reason.
>
> Windows would still pull up the printer and submit jobs, but new clients couldn't connect to the printers or install drivers.
>
> After a bit of digging, I found the changes discussed earlier in the thread about vfs_full_audit (open vs openat, etc...) were hitting me.
> I temporarily disabled auditing and printing started working.
>
> I re-enabled auditing and corrected the success/failure names and everything appears to be working now.
>
> We'll see on Tuesday when everyone returns to the offices. 😉
>
> I hope Louis is doing well. I haven't seen any signs of him being online for a few months.
>
> -A
>
> On Wed Oct 19, 2022, 01:53 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
>> Apologies for the very very late reply Louis.
>>
>> I didn't get a chance to enable debugging before the network got busy this morning, but here's a lightly redacted smbd.conf showing my global section along with the two printer sections:
>>
>> [global]
>> workgroup = REDACTED
>> server string = uslogsdnas01
>> netbios name = USLOGSDNAS01
>> disable netbios = yes
>> interfaces = lo vmbr0
>> map archive = False
>> map readonly = False
>> map system = False
>> map to guest = Never
>> realm = REDACTED.LOCAL
>> usershare path =
>> local master = False
>> socket options = TCP_NODELAY
>> security = ADS
>> idmap config * : backend = tdb
>> idmap config * : range = 10000-50000
>> winbind enum groups = yes
>> winbind enum users = yes
>> winbind nss info = template
>> winbind cache time = 300
>> template shell = /usr/bin/bash
>> template homedir = /tank/users/%U
>> obey pam restrictions = no
>> client ldap sasl wrapping = seal
>> server schannel = True
>> client schannel = True
>> winbind use default domain = yes
>> winbind expand groups = 1
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = True
>> min protocol = SMB2
>> max protocol = SMB3
>> server signing = mandatory
>> client signing = mandatory
>> smb encrypt = desired
>> store dos attributes = False
>> winbind offline logon = yes
>> rpc_server:spoolss = external
>> rpc_daemon:spoolssd = fork
>> load printers = False
>> printing = CUPS
>> printcap = cups
>> spoolss: architecture = Windows x64
>>
>> [printers]
>> comment = Printer Drivers Share
>> path = /var/spool/samba/
>> write list = redacted-printer-admin-user
>> printable = True
>>
>> available = yes
>> hide dot files = yes
>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>> browseable = yes
>> force create mode = 0666
>> force directory mode = 0777
>> recycle:repository = .recycle/%U
>> recycle:keeptree = yes
>> recycle:versions = yes
>> recycle:touch = yes
>> recycle:directory_mode = 0777
>> recycle:subdir_mode = 0700
>> shadow:snapdir = .zfs/snapshot
>> shadow:sort = desc
>> shadow:format = _%Y-%m-%d_%H:%M:%S
>> shadow:snapprefix = ^autosnap
>> shadow:delimiter = _
>> shadow:localtime = no
>> full_audit:prefix = %I|%u|%m|%S
>> full_audit:facility = LOCAL6
>> full_audit:priority = ALERT
>> full_audit:success = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>> full_audit:failure = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>> vfs objects = shadow_copy2 full_audit
>>
>> [print$]
>> comment = Printer Driver Share
>> path = /tank/print
>> guest ok = False
>> write list = redacted-printer-admin-user
>>
>> available = yes
>> hide dot files = yes
>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>> browseable = yes
>> force create mode = 0666
>> force directory mode = 0777
>> recycle:repository = .recycle/%U
>> recycle:keeptree = yes
>> recycle:versions = yes
>> recycle:touch = yes
>> recycle:directory_mode = 0777
>> recycle:subdir_mode = 0700
>> shadow:snapdir = .zfs/snapshot
>> shadow:sort = desc
>> shadow:format = _%Y-%m-%d_%H:%M:%S
>> shadow:snapprefix = ^autosnap
>> shadow:delimiter = _
>> shadow:localtime = no
>> full_audit:prefix = %I|%u|%m|%S
>> full_audit:facility = LOCAL6
>> full_audit:priority = ALERT
>> full_audit:success = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>> full_audit:failure = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>> vfs objects = shadow_copy2 full_audit
>>
>> I just tested this morning with the newer releases of Samba (2:4.16.2+dfsg-1nmu1~deb11.1) and the printing issue still exists.
>> I did try after disabling apparmor for Samba and cups with no success.
>>
>> I rolled back to 2:4.13.13+dfsg-1~deb11u5.
>>
>> -A
>>
>> On Thu Sep 1, 2022, 07:20 AM GMT, L. van Belle via samba <mailto:samba at lists.samba.org> wrote:
>>> Hm,
>>>
>>> I've been reading the thread on this.
>>>>> Absolutely nothing prints except a test page submitted directly through the CUPS web GUI
>>>
>>> So, then yes, this has to be the link between samba and cups.
>>> So, I suggest enabling debugging, and not getting overloaded by it.
>>>
>>> Read these first.
>>> https://wiki.samba.org/index.php/Client_specific_logging
>>> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>>> And enable debugging for 1 client, which makes debugging a bit easier.
>>>
>>> Can you also share a smb.conf and/or compare it to mine,
>>> as I'm also running with this version: 2:4.16.2+dfsg-1nmu1~deb11.1 and no
>>> problems here.
>>>
>>> I use backend AD with point and print setup.
>>> All printer shares are pushed through AD with \\FQ.DN.TLD\printer
>>> And my printer had A and PTR dns records.
>>>
>>> [global]
>>>
>>> # Workaround *after the latest CVE update.
>>> min domain uid = 0
>>>
>>> #log level = 1 auth_audit:3
>>> #log level = 0 full_audit:2@/var/log/samba_audit.log
>>> log level = 0
>>>
>>> workgroup = ADDOM
>>> security = ADS
>>> realm = ADDOM.DOMAIN.TLD
>>> netbios name = PRINT1
>>>
>>> preferred master = no
>>> domain master = no
>>> host msdfs = no
>>>
>>> interfaces = 192.168.1.11 127.0.0.1
>>> bind interfaces only = yes
>>>
>>> dns proxy = yes
>>>
>>> # Add and Update TLS Key
>>> tls enabled = yes
>>> tls keyfile = /etc/ssl/local/private/XXXXXXX.key
>>> tls certfile = /etc/ssl/local/certs/XXXXXXX.crt
>>> tls cafile = /etc/ssl/local/XXXXXXX_CA_Intermediate.crt
>>>
>>>
>>> ## map id's outside to domain to tdb files.
>>> idmap config * :backend = tdb
>>> idmap config * :range = 2000-9999
>>>
>>> ## map ids from the domain the range may not overlap !
>>> idmap config ADDOM : backend = ad
>>> idmap config ADDOM : schema_mode = rfc2307
>>> idmap config ADDOM : range = 10000-3999999
>>> idmap config ADDOM : unix_primary_group = yes
>>> idmap config ADDOM : unix_nss_info = yes
>>>
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> # Renew the kerberos ticket
>>> winbind refresh tickets = yes
>>>
>>> # show domain prefix
>>> # set to no, dont use the default domain, output shows: DOMAIN\user
>>> # set to yes, use the default domain, output shows: user
>>> winbind use default domain = yes
>>>
>>> # show users with getent passwd
>>> winbind enum users = no
>>> winbind enum groups = no
>>>
>>> # enable offline logins
>>> winbind offline logon = yes
>>>
>>> # check depth of nested groups, ! slows down your samba, if too much groups depth
>>> winbind expand groups = 1
>>>
>>> # user Administrator workaround, without it you are unable to set privileges
>>> username map = /etc/samba/samba_usermapping
>>>
>>> # disable usershares creating, when set empty no error log messages.
>>> usershare path =
>>>
>>> # For Windows ACL support on member file server, enabled globally, OBLIGATED
>>> # For a mixed setup of rights, put this per share!
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>>
>>> # Share Setting Globally
>>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>> hide unreadable = yes
>>>
>>> ##### PRINT SERVER PART #######
>>> #enable asu support = yes
>>>
>>> ## Enabling spoolssd
>>> rpc_server:spoolss = external
>>> rpc_daemon:spoolssd = fork
>>> spoolss:architecture = Windows x64
>>> # Minimum number of child processes
>>> spoolssd:prefork_min_children = 5
>>> # Maximum number of child processes
>>> spoolssd:prefork_max_children = 25
>>> # Start (fork) x new children if one connection comes in (up to prefork_max_children)
>>> spoolssd:prefork_spawn_rate = 5
>>> # Number of clients a child process should be responsible for
>>> spoolssd:prefork_max_allowed_clients = 100
>>> # Minimum lifetime of a child process (60 seconds is the minimum, even if a lower value has been configured)
>>> spoolssd:prefork_child_min_life = 60
>>>
>>> load printers = yes
>>>
>>>
>>> # Windows clients look for this share name as a source of downloadable
>>> # printer drivers
>>> [print$]
>>> comment = Printer Drivers
>>> path = /var/lib/samba/printers
>>> acl_xattr:ignore system acl = yes
>>> browseable = yes
>>> writable = yes
>>> guest ok = no
>>> # Uncomment to allow remote administration of Windows print drivers.
>>> # You may need to replace 'lpadmin' with the name of the group your
>>> # admin users are members of.
>>> # Please note that you also need to set appropriate Unix permissions
>>> # to the drivers directory for these users to have write rights in it
>>> write list = root, administrator, @"Domain Admins", @lpadmin, @"Print Operators"
>>>
>>> [printers]
>>> comment = All Printers
>>> path = /var/lib/samba/printing/spool
>>> acl_xattr:ignore system acl = yes
>>> browseable = yes
>>> printable = yes
>>> printing = CUPS
>>>
>>>
>>>
>>> So far,
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: samba <samba-bounces at lists.samba.org> On behalf of Aaron de Bruyn via
>>>> samba
>>>> Sent: Wednesday, 31 August 2022 21:33
>>>> To: Rowland penny <rpenny at samba.org>; samba at lists.samba.org
>>>> Subject: Re: [Samba] Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1 borks
>>>> printing
>>>>
>>>> These machines are all domain members, not DCs.
>>>>
>>>> I'll do some more troubleshooting tonight and enable debugging when the
>>>> network is quiet and see if I can find anything.
>>>>
>>>> -A
>>>>
>>>> On Wed Aug 31, 2022, 06:06 PM GMT, Rowland Penny via samba
>>>> <mailto:samba at lists.samba.org> wrote:
>>>> > On Wed, 2022-08-31 at 17:52 +0000, Aaron de Bruyn wrote:
>>>> >> Hey Rowland,
>>>> >>
>>>> >> I did see that thread.
>>>> >> I don't have a /var/cache/samba/printer_list.tdb.
>>>> >
>>>> > Funny that, I don't print, but I have, but only on Unix domain member.
>>>> >>
>>>> >> # find /var/cache/samba -iname '*print*'
>>>> >> /var/cache/samba/printing
>>>> >> /var/cache/samba/printing/printers.tdb
>>>> >> #
>>>> >>
>>>> >> I did try stopping Samba and CUPS at one site and I removed the
>>>> >> printers.tdb file, then started Samba and CUPS. That didn't resolve
>>>> >> the issue.
>>>> >
>>>> > The fix was posted by Andreas and he should know, he writes some of
>>>> > the code. I wouldn't have a clue about printing.
>>>> >
>>>> > Rowland
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > To unsubscribe from this list go to the following URL and read the
>>>> > instructions: https://lists.samba.org/mailman/options/samba

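The thread describes printer shares failing after an upgrade until the `full_audit:success` / `full_audit:failure` operation names were corrected (open vs openat). The following is an added example, not code from the thread or from the Samba project, of a pre-upgrade check that lists audit operation names a given Samba version would not recognise, plus duplicates. `parse_smb_conf`, `audit_findings`, `SAMPLE_CONF` and `SUPPORTED_OPS` are hypothetical names; the supported list is a placeholder to be filled in from the vfs_full_audit man page of the installed version.

```python
import re

# Constructed sample: a trimmed smb.conf in the shape of the one quoted above.
SAMPLE_CONF = """\
[global]
    printing = CUPS
[print$]
    full_audit:success = connect disconnect open pwrite pwrite unlinkat
    full_audit:failure = connect open
    vfs objects = shadow_copy2 full_audit
[printers]
    full_audit:success = connect openat
    vfs objects = full_audit
"""

# ASSUMPTION: placeholder list; use the names in vfs_full_audit(8) for your version.
SUPPORTED_OPS = {"connect", "disconnect", "openat", "pwrite", "unlinkat"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; '#' and ';' start comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_findings(conf_text, supported):
    """List (share, param, problem, name) for each full_audit entry to fix."""
    findings = []
    for share, params in parse_smb_conf(conf_text).items():
        if "full_audit" not in params.get("vfsobjects", "").split():
            continue  # module not loaded for this share
        for param in ("full_audit:success", "full_audit:failure"):
            seen = set()
            for op in params.get(param, "").split():
                if op in seen:
                    findings.append((share, param, "duplicate", op))
                elif op.lstrip("!") not in supported and op not in ("all", "none"):
                    findings.append((share, param, "unsupported", op))
                seen.add(op)
    return findings
```

Running `audit_findings(open("/etc/samba/smb.conf").read(), SUPPORTED_OPS)` before re-enabling auditing shows which names to rename, so audit logging does not have to stay disabled as a workaround.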
