[Samba] Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1 borks printing

Aaron de Bruyn aaron at heyaaron.com
Tue Dec 27 20:53:19 UTC 2022


Finally got it working.
Nothing useful in the error logs.

/var/spool/samba does not exist.
Creating it and chmoding it to 777 along with using tdbtool to create /var/cache/samba/printer_list.tdb seems to do the trick.

27 locations are printing again.

You'd think something would complain about /var/spool/samba not existing or try to create it. Maybe I just missed it in the mass of logs. 😉

-A

On Tue Dec 27, 2022, 07:49 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
> Printing is still borked in 2:4.17.3+dfsg-3~bpo11+1. Unfortunately I can no longer roll back to 2:4.13.13+dfsg-1~deb11u4 which was working.
>
> Documents spool to the printer and the Windows print queue has a status of "Printing". The documents are huge. A simple test page is 5.99 MB instead of the more typical "several KB".
>
> Strangely, if I connect to a printer and the print queue window is up, it will stay up for ~30-60 seconds, then the window simply disappears.
>
> Nothing shows up in the CUPS page, error, or access logs when printing.
>
> Sending a test page directly from the CUPS interface prints just fine.
>
> I disabled apparmor everywhere and restarted winbind, samba, and CUPS to make sure that wasn't interfering.
>
> According to CUPS debug logging, nothing is being submitted. Not even a blip when I submit a test page from Windows.
>
> When I submit from the CUPS interface, it prints just fine.
>
> There's definitely something wrong between Samba and CUPS.
>
> The only evidence I can find is in log.rpcd_spoolss:
> [2022/12/27 11:47:15, 0] ../../source3/printing/printer_list.c:58(get_printer_list_db)
> get_printer_list_db: Failed to open printer_list.tdb
>
> The printer_list.tdb file doesn't exist.
>
> I'm not sure what re-creates that file, but I've double-checked that apparmor is disabled and I even tried chmodding /var/cache/samba/printing to 777.
>
> I do notice that /var/cache/samba/printing contains 'printers.tdb'. Is it possible the file name changed in recent versions from printer_list.tdb to printers.tdb?
>
> -A
>
> On Sat Dec 24, 2022, 11:14 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
>> I've been fighting with this for a few months now.
>>
>> I removed the Louis' repos because there are starting to have more and more dependency issues, and updated to 2:4.17.3+dfsg-3~bpo11+1 from the Debian repos.
>> Printing was still gorked, but for a different reason.
>>
>> Windows would still pull up the printer and submit jobs, but new clients couldn't connect to the printers or install drivers.
>>
>> After a bit of digging, I found the changes discussed earlier in the thread about vfs_full_audit (open vs openat, etc...) were hitting me.
>> I temporarily disabled auditing and printing started working.
>>
>> I re-enabled auditing and corrected the success/failure names and everything appears to be working now.
>>
>> We'll see on Tuesday when everyone returns to the offices. 😉
>>
>> I hope Louis is doing well. I haven't seen any signs of him being online for a few months.
>>
>> -A
>>
>> On Wed Oct 19, 2022, 01:53 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
>>> Apologies for the very very late reply Louis.
>>>
>>> I didn't get a chance to enable debugging before the network got busy this morning, but here's is a lightly redacted smbd.conf showing my global section along with the two printer sections:
>>>
>>> [global]
>>> workgroup = REDACTED
>>> server string = uslogsdnas01
>>> netbios name = USLOGSDNAS01
>>> disable netbios = yes
>>> interfaces = lo vmbr0
>>> map archive = False
>>> map readonly = False
>>> map system = False
>>> map to guest = Never
>>> realm = REDACTED.LOCAL
>>> usershare path =
>>> local master = False
>>> socket options = TCP_NODELAY
>>> security = ADS
>>> idmap config * : backend = tdb
>>> idmap config * : range = 10000-50000
>>> winbind enum groups = yes
>>> winbind enum users = yes
>>> winbind nss info = template
>>> winbind cache time = 300
>>> template shell = /usr/bin/bash
>>> template homedir = /tank/users/%U
>>> obey pam restrictions = no
>>> client ldap sasl wrapping = seal
>>> server schannel = True
>>> client schannel = True
>>> winbind use default domain = yes
>>> winbind expand groups = 1
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> winbind refresh tickets = True
>>> min protocol = SMB2
>>> max protocol = SMB3
>>> server signing = mandatory
>>> client signing = mandatory
>>> smb encrypt = desired
>>> store dos attributes = False
>>> winbind offline logon = yes
>>> rpc_server:spoolss = external
>>> rpc_daemon:spoolssd = fork
>>> load printers = False
>>> printing = CUPS
>>> printcap = cups
>>> spoolss: architecture = Windows x64
>>>
>>> [printers]
>>> comment = Printer Drivers Share
>>> path = /var/spool/samba/
>>> write list = redacted-printer-admin-user
>>> printable = True
>>>
>>> available = yes
>>> hide dot files = yes
>>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>>> browseable = yes
>>> force create mode = 0666
>>> force directory mode = 0777
>>> recycle:repository = .recycle/%U
>>> recycle:keeptree = yes
>>> recycle:versions = yes
>>> recycle:touch = yes
>>> recycle:directory_mode = 0777
>>> recycle:subdir_mode = 0700
>>> shadow:snapdir = .zfs/snapshot
>>> shadow:sort = desc
>>> shadow:format = _%Y-%m-%d_%H:%M:%S
>>> shadow:snapprefix = ^autosnap
>>> shadow:delimiter = _
>>> shadow:localtime = no
>>> full_audit:prefix = %I|%u|%m|%S
>>> full_audit:facility = LOCAL6
>>> full_audit:priority = ALERT
>>> full_audit:success = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>>> full_audit:failure = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>>> vfs objects = shadow_copy2 full_audit
>>>
>>> [print$]
>>> comment = Printer Driver Share
>>> path = /tank/print
>>> guest ok = False
>>> write list = redacted-printer-admin-user
>>>
>>> available = yes
>>> hide dot files = yes
>>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>>> browseable = yes
>>> force create mode = 0666
>>> force directory mode = 0777
>>> recycle:repository = .recycle/%U
>>> recycle:keeptree = yes
>>> recycle:versions = yes
>>> recycle:touch = yes
>>> recycle:directory_mode = 0777
>>> recycle:subdir_mode = 0700
>>> shadow:snapdir = .zfs/snapshot
>>> shadow:sort = desc
>>> shadow:format = _%Y-%m-%d_%H:%M:%S
>>> shadow:snapprefix = ^autosnap
>>> shadow:delimiter = _
>>> shadow:localtime = no
>>> full_audit:prefix = %I|%u|%m|%S
>>> full_audit:facility = LOCAL6
>>> full_audit:priority = ALERT
>>> full_audit:success = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>>> full_audit:failure = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>>> vfs objects = shadow_copy2 full_audit
>>>
>>> I just tested this morning with the newer releases of Samba (2:4.16.2+dfsg-1nmu1~deb11.1) and the printing issue still exists.
>>> I did try after disabling apparmor for Samba and cups with no success.
>>>
>>> I rolled back to 2:4.13.13+dfsg-1~deb11u5.
>>>
>>> -A
>>>
>>> On Thu Sep 1, 2022, 07:20 AM GMT, L. van Belle via samba <mailto:samba at lists.samba.org> wrote:
>>>> Hm,,
>>>>
>>>> i've been reading the thread, On this.
>>>>>> Absolutely nothing prints except a test page submitted directly through
>>>> the CUPS web GUI
>>>>
>>>> So, then yes, this has to be the link between samba and cups.
>>>> so, I suggest to enable debugging and to not get overloaded in it.
>>>>
>>>> Read these first.
>>>> https://wiki.samba.org/index.php/Client_specific_logging
>>>> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>>>> And enable debugging for 1 client, makes debugging bit more easy.
>>>>
>>>> Can you also share a smb.conf and/or compare it to mine,
>>>> as im also running with this version : 2:4.16.2+dfsg-1nmu1~deb11.1 and no
>>>> problems here.
>>>>
>>>> I use backend AD with point and print setup.
>>>> All printer shares are pushed through AD with \\FQ.DN.TLD\printer
>>>> And my printer had A and PTR dns records.
>>>>
>>>> [global]
>>>>
>>>> # Workaround *na laatste CVE update.
>>>> min domain uid = 0
>>>>
>>>> #log level = 1 auth_audit:3
>>>> #log level = 0 full_audit:2@/var/log/samba_audit.log
>>>> log level = 0
>>>>
>>>> workgroup = ADDOM
>>>> security = ADS
>>>> realm = ADDOM.DOMAIN.TLD
>>>> netbios name = PRINT1
>>>>
>>>> preferred master = no
>>>> domain master = no
>>>> host msdfs = no
>>>>
>>>> interfaces = 192.168.1.11 127.0.0.1
>>>> bind interfaces only = yes
>>>>
>>>> dns proxy = yes
>>>>
>>>> # Add and Update TLS Key
>>>> tls enabled = yes
>>>> tls keyfile = /etc/ssl/local/private/XXXXXXX.key
>>>> tls certfile = /etc/ssl/local/certs/XXXXXXX.crt
>>>> tls cafile = /etc/ssl/local/XXXXXXX_CA_Intermediate.crt
>>>>
>>>>
>>>> ## map id's outside to domain to tdb files.
>>>> idmap config * :backend = tdb
>>>> idmap config * :range = 2000-9999
>>>>
>>>> ## map ids from the domain the range may not overlap !
>>>> idmap config ADDOM : backend = ad
>>>> idmap config ADDOM : schema_mode = rfc2307
>>>> idmap config ADDOM : range = 10000-3999999
>>>> idmap config ADDOM : unix_primary_group = yes
>>>> idmap config ADDOM : unix_nss_info = yes
>>>>
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>>
>>>> # Renew the kerberos ticket
>>>> winbind refresh tickets = yes
>>>>
>>>> # show domain prefix
>>>> # set to no, dont use the default domain, output shows: DOMAIN\user
>>>> # set to yes, use the default domain, output shows: user
>>>> winbind use default domain = yes
>>>>
>>>> # show users with getent passwd
>>>> winbind enum users = no
>>>> winbind enum groups = no
>>>>
>>>> # enable offline logins
>>>> winbind offline logon = yes
>>>>
>>>> # check depth of nested groups, ! slows down you samba, if to much
>>>> groups depth
>>>> winbind expand groups = 1
>>>>
>>>> # user Administrator workaround, without it you are unable to set
>>>> privileges
>>>> username map = /etc/samba/samba_usermapping
>>>>
>>>> # disable usershares creating, when set empty no error log messages.
>>>> usershare path =
>>>>
>>>> # For Windows ACL support on member file server, enabled globaly,
>>>> OBLIGATED
>>>> # For a mixed setup of rights, put this per share!
>>>> vfs objects = acl_xattr
>>>> map acl inherit = yes
>>>> store dos attributes = yes
>>>>
>>>> # Share Setting Globally
>>>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>>> hide unreadable = yes
>>>>
>>>> ##### PRINT SERVER PART #######
>>>> #enable asu support = yes
>>>>
>>>> ## Enabling spoolssd
>>>> rpc_server:spoolss = external
>>>> rpc_daemon:spoolssd = fork
>>>> spoolss:architecture = Windows x64
>>>> spoolssd:prefork_min_children = 5 # Minimum number of child
>>>> processes
>>>> spoolssd:prefork_max_children = 25 # Maximum number of child
>>>> processes
>>>> spoolssd:prefork_spawn_rate = 5 # Start (fork) x new childs
>>>> if one connection comes in (up to prefork_max_children)
>>>> spoolssd:prefork_max_allowed_clients = 100 # Number of clients, a child
>>>> process should be responsible for
>>>> spoolssd:prefork_child_min_life = 60 # Minimum lifetime of a
>>>> child process (60 seconds
>>>>
>>>> # is the minimum, even a lower value has been configured)
>>>> load printers = yes
>>>>
>>>>
>>>> # Windows clients look for this share name as a source of downloadable
>>>> # printer drivers
>>>> [print$]
>>>> comment = Printer Drivers
>>>> path = /var/lib/samba/printers
>>>> acl_xattr:ignore system acl = yes
>>>> browseable = yes
>>>> writable = yes
>>>> guest ok = no
>>>> # Uncomment to allow remote administration of Windows print drivers.
>>>> # You may need to replace 'lpadmin' with the name of the group your
>>>> # admin users are members of.
>>>> # Please note that you also need to set appropriate Unix permissions
>>>> # to the drivers directory for these users to have write rights in it
>>>> write list = root, administrator, @"Domain Admins", @lpadmin, @"Print
>>>> Operators"
>>>>
>>>> [printers]
>>>> comment = All Printers
>>>> path = /var/lib/samba/printing/spool
>>>> acl_xattr:ignore system acl = yes
>>>> browseable = yes
>>>> printable = yes
>>>> printing = CUPS
>>>>
>>>>
>>>>
>>>> So far,
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>> -----Oorspronkelijk bericht-----
>>>>> Van: samba <samba-bounces at lists.samba.org> Namens Aaron de Bruyn via
>>>>> samba
>>>>> Verzonden: woensdag 31 augustus 2022 21:33
>>>>> Aan: Rowland penny <rpenny at samba.org>; samba at lists.samba.org
>>>>> Onderwerp: Re: [Samba] Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1 borks
>>>>> printing
>>>>>
>>>>> These machines are all domain members, not DCs.
>>>>>
>>>>> I'll do some more troubleshooting tonight and enable debugging when the
>>>>> network is quiet and see if I can find anything.
>>>>>
>>>>> -A
>>>>>
>>>>> On Wed Aug 31, 2022, 06:06 PM GMT, Rowland Penny via samba
>>>>> <mailto:samba at lists.samba.org> wrote:
>>>>> > On Wed, 2022-08-31 at 17:52 +0000, Aaron de Bruyn wrote:
>>>>> >> Hey Rowland,
>>>>> >>
>>>>> >> I did see that thread.
>>>>> >> I don't have a /var/cache/samba/printer_list.tdb.
>>>>> >
>>>>> > Funny that, I don't print, but I have, but only on Unix domain member.
>>>>> >>
>>>>> >> # find /var/cache/samba -iname '*print*'
>>>>> >> /var/cache/samba/printing
>>>>> >> /var/cache/samba/printing/printers.tdb
>>>>> >> #
>>>>> >>
>>>>> >> I did try stopping Samba and CUPS at one site and I removed the
>>>>> >> printers.tdb file, then started Samba and CUPS. That didn't resolve
>>>>> >> the issue.
>>>>> >
>>>>> > The fix was posted by Andreas and he should know, he writes some of
>>>>> > the code. I wouldn't have a clue about printing.
>>>>> >
>>>>> > Rowland
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > To unsubscribe from this list go to the following URL and read the
>>>>> > instructions: https://lists.samba.org/mailman/options/samba
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba


More information about the samba mailing list