[Samba] Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1 borks printing

Aaron de Bruyn aaron at heyaaron.com
Tue Dec 27 21:14:19 UTC 2022 

One small side effect I'm noticing is that while jobs spool, CUPS prints them successfully, and they no longer show up in the "active" job list for CUPS, Windows is now "remembering" all print jobs and displaying them in the queue. (See: https://imgur.com/a/BFkGhWs <https://imgur.com/a/BFkGhWs>)

I'm not sure if that's a feature or a bug. CUPS has always been set to save job files and history for 7 days, but jobs have always disappeared out of the Windows print queue after a successful printing.

-A

On Tue Dec 27, 2022, 08:53 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
> Finally got it working.
> Nothing useful in the error logs.
>
> /var/spool/samba does not exist.
> Creating it and chmoding it to 777 along with using tdbtool to create /var/cache/samba/printer_list.tdb seems to do the trick.
>
> 27 locations are printing again.
>
> You'd think something would complain about /var/spool/samba not existing or try to create it. Maybe I just missed it in the mass of logs. 😉
>
> -A
>
> On Tue Dec 27, 2022, 07:49 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
>> Printing is still borked in 2:4.17.3+dfsg-3~bpo11+1. Unfortunately I can no longer roll back to 2:4.13.13+dfsg-1~deb11u4 which was working.
>>
>> Documents spool to the printer and the Windows print queue has a status of "Printing". The documents are huge. A simple test page is 5.99 MB instead of the more typical "several KB".
>>
>> Strangely, if I connect to a printer and the print queue window is up, it will stay up for ~30-60 seconds, then the window simply disappears.
>>
>> Nothing shows up in the CUPS page, error, or access logs when printing.
>>
>> Sending a test page directly from the CUPS interface prints just fine.
>>
>> I disabled apparmor everywhere and restarted winbind, samba, and CUPS to make sure that wasn't interfering.
>>
>> According to CUPS debug logging, nothing is being submitted. Not even a blip when I submit a test page from Windows.
>>
>> When I submit from the CUPS interface, it prints just fine.
>>
>> There's definitely something wrong between Samba and CUPS.
>>
>> The only evidence I can find is in log.rpcd_spoolss:
>> [2022/12/27 11:47:15, 0] ../../source3/printing/printer_list.c:58(get_printer_list_db)
>> get_printer_list_db: Failed to open printer_list.tdb
>>
>> The printer_list.tdb file doesn't exist.
>>
>> I'm not sure what re-creates that file, but I've double-checked that apparmor is disabled and I even tried chmodding /var/cache/samba/printing to 777.
>>
>> I do notice that /var/cache/samba/printing contains 'printers.tdb'. Is it possible the file name changed in recent versions from printer_list.tdb to printers.tdb?
>>
>> -A
>>
>> On Sat Dec 24, 2022, 11:14 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
>>> I've been fighting with this for a few months now.
>>>
>>> I removed the Louis' repos because there are starting to have more and more dependency issues, and updated to 2:4.17.3+dfsg-3~bpo11+1 from the Debian repos.
>>> Printing was still gorked, but for a different reason.
>>>
>>> Windows would still pull up the printer and submit jobs, but new clients couldn't connect to the printers or install drivers.
>>>
>>> After a bit of digging, I found the changes discussed earlier in the thread about vfs_full_audit (open vs openat, etc...) were hitting me.
>>> I temporarily disabled auditing and printing started working.
>>>
>>> I re-enabled auditing and corrected the success/failure names and everything appears to be working now.
>>>
>>> We'll see on Tuesday when everyone returns to the offices. 😉
>>>
>>> I hope Louis is doing well. I haven't seen any signs of him being online for a few months.
>>>
>>> -A
>>>
>>> On Wed Oct 19, 2022, 01:53 PM GMT, Aaron de Bruyn <mailto:aaron at heyaaron.com> wrote:
>>>> Apologies for the very very late reply Louis.
>>>>
>>>> I didn't get a chance to enable debugging before the network got busy this morning, but here's is a lightly redacted smbd.conf showing my global section along with the two printer sections:
>>>>
>>>> [global]
>>>> workgroup = REDACTED
>>>> server string = uslogsdnas01
>>>> netbios name = USLOGSDNAS01
>>>> disable netbios = yes
>>>> interfaces = lo vmbr0
>>>> map archive = False
>>>> map readonly = False
>>>> map system = False
>>>> map to guest = Never
>>>> realm = REDACTED.LOCAL
>>>> usershare path =
>>>> local master = False
>>>> socket options = TCP_NODELAY
>>>> security = ADS
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 10000-50000
>>>> winbind enum groups = yes
>>>> winbind enum users = yes
>>>> winbind nss info = template
>>>> winbind cache time = 300
>>>> template shell = /usr/bin/bash
>>>> template homedir = /tank/users/%U
>>>> obey pam restrictions = no
>>>> client ldap sasl wrapping = seal
>>>> server schannel = True
>>>> client schannel = True
>>>> winbind use default domain = yes
>>>> winbind expand groups = 1
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>> winbind refresh tickets = True
>>>> min protocol = SMB2
>>>> max protocol = SMB3
>>>> server signing = mandatory
>>>> client signing = mandatory
>>>> smb encrypt = desired
>>>> store dos attributes = False
>>>> winbind offline logon = yes
>>>> rpc_server:spoolss = external
>>>> rpc_daemon:spoolssd = fork
>>>> load printers = False
>>>> printing = CUPS
>>>> printcap = cups
>>>> spoolss: architecture = Windows x64
>>>>
>>>> [printers]
>>>> comment = Printer Drivers Share
>>>> path = /var/spool/samba/
>>>> write list = redacted-printer-admin-user
>>>> printable = True
>>>>
>>>> available = yes
>>>> hide dot files = yes
>>>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>>>> browseable = yes
>>>> force create mode = 0666
>>>> force directory mode = 0777
>>>> recycle:repository = .recycle/%U
>>>> recycle:keeptree = yes
>>>> recycle:versions = yes
>>>> recycle:touch = yes
>>>> recycle:directory_mode = 0777
>>>> recycle:subdir_mode = 0700
>>>> shadow:snapdir = .zfs/snapshot
>>>> shadow:sort = desc
>>>> shadow:format = _%Y-%m-%d_%H:%M:%S
>>>> shadow:snapprefix = ^autosnap
>>>> shadow:delimiter = _
>>>> shadow:localtime = no
>>>> full_audit:prefix = %I|%u|%m|%S
>>>> full_audit:facility = LOCAL6
>>>> full_audit:priority = ALERT
>>>> full_audit:success = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>>>> full_audit:failure = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>>>> vfs objects = shadow_copy2 full_audit
>>>>
>>>> [print$]
>>>> comment = Printer Driver Share
>>>> path = /tank/print
>>>> guest ok = False
>>>> write list = redacted-printer-admin-user
>>>>
>>>> available = yes
>>>> hide dot files = yes
>>>> hide files = /.stfolder/ /*.sync-conflict-*/ /~$*/
>>>> browseable = yes
>>>> force create mode = 0666
>>>> force directory mode = 0777
>>>> recycle:repository = .recycle/%U
>>>> recycle:keeptree = yes
>>>> recycle:versions = yes
>>>> recycle:touch = yes
>>>> recycle:directory_mode = 0777
>>>> recycle:subdir_mode = 0700
>>>> shadow:snapdir = .zfs/snapshot
>>>> shadow:sort = desc
>>>> shadow:format = _%Y-%m-%d_%H:%M:%S
>>>> shadow:snapprefix = ^autosnap
>>>> shadow:delimiter = _
>>>> shadow:localtime = no
>>>> full_audit:prefix = %I|%u|%m|%S
>>>> full_audit:facility = LOCAL6
>>>> full_audit:priority = ALERT
>>>> full_audit:success = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>>>> full_audit:failure = connect disconnect renameat read write pwrite sendfile ftruncate linkat symlinkat unlinkat mknodat pwrite open getlock kernel_flock lock brl_lock_windows brl_unlock_windows create_dfs_pathat get_dfs_referrals
>>>> vfs objects = shadow_copy2 full_audit
>>>>
>>>> I just tested this morning with the newer releases of Samba (2:4.16.2+dfsg-1nmu1~deb11.1) and the printing issue still exists.
>>>> I did try after disabling apparmor for Samba and cups with no success.
>>>>
>>>> I rolled back to 2:4.13.13+dfsg-1~deb11u5.
>>>>
>>>> -A
>>>>
>>>> On Thu Sep 1, 2022, 07:20 AM GMT, L. van Belle via samba <mailto:samba at lists.samba.org> wrote:
>>>>> Hm,,
>>>>>
>>>>> i've been reading the thread, On this.
>>>>>>> Absolutely nothing prints except a test page submitted directly through
>>>>> the CUPS web GUI
>>>>>
>>>>> So, then yes, this has to be the link between samba and cups.
>>>>> so, I suggest to enable debugging and to not get overloaded in it.
>>>>>
>>>>> Read these first.
>>>>> https://wiki.samba.org/index.php/Client_specific_logging
>>>>> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>>>>> And enable debugging for 1 client, makes debugging bit more easy.
>>>>>
>>>>> Can you also share a smb.conf and/or compare it to mine,
>>>>> as im also running with this version : 2:4.16.2+dfsg-1nmu1~deb11.1 and no
>>>>> problems here.
>>>>>
>>>>> I use backend AD with point and print setup.
>>>>> All printer shares are pushed through AD with \\FQ.DN.TLD\printer
>>>>> And my printer had A and PTR dns records.
>>>>>
>>>>> [global]
>>>>>
>>>>> # Workaround *na laatste CVE update.
>>>>> min domain uid = 0
>>>>>
>>>>> #log level = 1 auth_audit:3
>>>>> #log level = 0 full_audit:2@/var/log/samba_audit.log
>>>>> log level = 0
>>>>>
>>>>> workgroup = ADDOM
>>>>> security = ADS
>>>>> realm = ADDOM.DOMAIN.TLD
>>>>> netbios name = PRINT1
>>>>>
>>>>> preferred master = no
>>>>> domain master = no
>>>>> host msdfs = no
>>>>>
>>>>> interfaces = 192.168.1.11 127.0.0.1
>>>>> bind interfaces only = yes
>>>>>
>>>>> dns proxy = yes
>>>>>
>>>>> # Add and Update TLS Key
>>>>> tls enabled = yes
>>>>> tls keyfile = /etc/ssl/local/private/XXXXXXX.key
>>>>> tls certfile = /etc/ssl/local/certs/XXXXXXX.crt
>>>>> tls cafile = /etc/ssl/local/XXXXXXX_CA_Intermediate.crt
>>>>>
>>>>>
>>>>> ## map id's outside to domain to tdb files.
>>>>> idmap config * :backend = tdb
>>>>> idmap config * :range = 2000-9999
>>>>>
>>>>> ## map ids from the domain the range may not overlap !
>>>>> idmap config ADDOM : backend = ad
>>>>> idmap config ADDOM : schema_mode = rfc2307
>>>>> idmap config ADDOM : range = 10000-3999999
>>>>> idmap config ADDOM : unix_primary_group = yes
>>>>> idmap config ADDOM : unix_nss_info = yes
>>>>>
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>> kerberos method = secrets and keytab
>>>>>
>>>>> # Renew the kerberos ticket
>>>>> winbind refresh tickets = yes
>>>>>
>>>>> # show domain prefix
>>>>> # set to no, dont use the default domain, output shows: DOMAIN\user
>>>>> # set to yes, use the default domain, output shows: user
>>>>> winbind use default domain = yes
>>>>>
>>>>> # show users with getent passwd
>>>>> winbind enum users = no
>>>>> winbind enum groups = no
>>>>>
>>>>> # enable offline logins
>>>>> winbind offline logon = yes
>>>>>
>>>>> # check depth of nested groups, ! slows down you samba, if to much
>>>>> groups depth
>>>>> winbind expand groups = 1
>>>>>
>>>>> # user Administrator workaround, without it you are unable to set
>>>>> privileges
>>>>> username map = /etc/samba/samba_usermapping
>>>>>
>>>>> # disable usershares creating, when set empty no error log messages.
>>>>> usershare path =
>>>>>
>>>>> # For Windows ACL support on member file server, enabled globaly,
>>>>> OBLIGATED
>>>>> # For a mixed setup of rights, put this per share!
>>>>> vfs objects = acl_xattr
>>>>> map acl inherit = yes
>>>>> store dos attributes = yes
>>>>>
>>>>> # Share Setting Globally
>>>>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>>>> hide unreadable = yes
>>>>>
>>>>> ##### PRINT SERVER PART #######
>>>>> #enable asu support = yes
>>>>>
>>>>> ## Enabling spoolssd
>>>>> rpc_server:spoolss = external
>>>>> rpc_daemon:spoolssd = fork
>>>>> spoolss:architecture = Windows x64
>>>>> spoolssd:prefork_min_children = 5 # Minimum number of child
>>>>> processes
>>>>> spoolssd:prefork_max_children = 25 # Maximum number of child
>>>>> processes
>>>>> spoolssd:prefork_spawn_rate = 5 # Start (fork) x new childs
>>>>> if one connection comes in (up to prefork_max_children)
>>>>> spoolssd:prefork_max_allowed_clients = 100 # Number of clients, a child
>>>>> process should be responsible for
>>>>> spoolssd:prefork_child_min_life = 60 # Minimum lifetime of a
>>>>> child process (60 seconds
>>>>>
>>>>> # is the minimum, even a lower value has been configured)
>>>>> load printers = yes
>>>>>
>>>>>
>>>>> # Windows clients look for this share name as a source of downloadable
>>>>> # printer drivers
>>>>> [print$]
>>>>> comment = Printer Drivers
>>>>> path = /var/lib/samba/printers
>>>>> acl_xattr:ignore system acl = yes
>>>>> browseable = yes
>>>>> writable = yes
>>>>> guest ok = no
>>>>> # Uncomment to allow remote administration of Windows print drivers.
>>>>> # You may need to replace 'lpadmin' with the name of the group your
>>>>> # admin users are members of.
>>>>> # Please note that you also need to set appropriate Unix permissions
>>>>> # to the drivers directory for these users to have write rights in it
>>>>> write list = root, administrator, @"Domain Admins", @lpadmin, @"Print
>>>>> Operators"
>>>>>
>>>>> [printers]
>>>>> comment = All Printers
>>>>> path = /var/lib/samba/printing/spool
>>>>> acl_xattr:ignore system acl = yes
>>>>> browseable = yes
>>>>> printable = yes
>>>>> printing = CUPS
>>>>>
>>>>>
>>>>>
>>>>> So far,
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>> -----Oorspronkelijk bericht-----
>>>>>> Van: samba <samba-bounces at lists.samba.org> Namens Aaron de Bruyn via
>>>>>> samba
>>>>>> Verzonden: woensdag 31 augustus 2022 21:33
>>>>>> Aan: Rowland penny <rpenny at samba.org>; samba at lists.samba.org
>>>>>> Onderwerp: Re: [Samba] Upgrade to 2:4.16.2+dfsg-1nmu1~deb11.1 borks
>>>>>> printing
>>>>>>
>>>>>> These machines are all domain members, not DCs.
>>>>>>
>>>>>> I'll do some more troubleshooting tonight and enable debugging when the
>>>>>> network is quiet and see if I can find anything.
>>>>>>
>>>>>> -A
>>>>>>
>>>>>> On Wed Aug 31, 2022, 06:06 PM GMT, Rowland Penny via samba
>>>>>> <mailto:samba at lists.samba.org> wrote:
>>>>>> > On Wed, 2022-08-31 at 17:52 +0000, Aaron de Bruyn wrote:
>>>>>> >> Hey Rowland,
>>>>>> >>
>>>>>> >> I did see that thread.
>>>>>> >> I don't have a /var/cache/samba/printer_list.tdb.
>>>>>> >
>>>>>> > Funny that, I don't print, but I have, but only on Unix domain member.
>>>>>> >>
>>>>>> >> # find /var/cache/samba -iname '*print*'
>>>>>> >> /var/cache/samba/printing
>>>>>> >> /var/cache/samba/printing/printers.tdb
>>>>>> >> #
>>>>>> >>
>>>>>> >> I did try stopping Samba and CUPS at one site and I removed the
>>>>>> >> printers.tdb file, then started Samba and CUPS. That didn't resolve
>>>>>> >> the issue.
>>>>>> >
>>>>>> > The fix was posted by Andreas and he should know, he writes some of
>>>>>> > the code. I wouldn't have a clue about printing.
>>>>>> >
>>>>>> > Rowland
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > --
>>>>>> > To unsubscribe from this list go to the following URL and read the
>>>>>> > instructions: https://lists.samba.org/mailman/options/samba
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list