From: Ryan Suarez on 9 Apr 2010 16:40

Might be simpler to assign users to the builtin administrators group. See if you have better luck:

# net sam list builtin
# net sam createbuiltingroup administrators
# net sam addmem administrators
# net sam listmem administrators
# net rpc rights list administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Jeff Hardy wrote:
> I have been trying to set up a new print server on Fedora 12 based
> around samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All
> looks good except for the ability for printer administrators to manage
> printers. Whether I specify users in a system group using the
> deprecated printer admin option, or specifically using net rpc rights
> and the SePrinterOperatorPrivilege, it does not matter. This is
> against an NT4 domain on samba-3.4.2.
>
> Interestingly, I have one user who can manage printers, whether or not
> he is in the group or has the privilege. Also, the printer admin
> pieces work correctly on an existing samba-3.0.28a print server
> against that same domain controller.
>
> I have been looking at level 10 logs to compare two users, the mystery
> adminuser and the feckless denieduser, when running the following
> command (again, both are members of the printer admin group):
>
> rpcclient -c 'setdriver ZZZ "HP LaserJet 4000 Series PS"' -U <user> localhost
>
> Following are log snippets, both beginning with SPOOLSS_OPENPRINTEREX
> and ending when printer access is either granted as
> PRINTER_ACCESS_ADMINISTER or denied outright. Whether or not in the
> proper printer admin group or given the privilege, the outcome does
> not change for either user.
>
> First the user for whom administrative access is granted:
>
> --------------------------------------------
> [2010/03/31 13:43:35, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
>   api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
> [2010/03/31 13:43:35, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
>   api_rpc_cmds[69].fn == 0x7f0e2d66c890
> [2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>   spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
>     in: struct spoolss_OpenPrinterEx
>       printername : *
>         printername : '\\LOCALHOST\ZZZ'
>       datatype : NULL
>       devmode_ctr: struct spoolss_DevmodeContainer
>         _ndr_size : 0x00000000 (0)
>         devmode : NULL
>       access_mask : 0x000f000c (983052)
>         0: SERVER_ACCESS_ADMINISTER
>         0: SERVER_ACCESS_ENUMERATE
>         1: PRINTER_ACCESS_ADMINISTER
>         1: PRINTER_ACCESS_USE
>         0: JOB_ACCESS_ADMINISTER
>         0: JOB_ACCESS_READ
>       level : 0x00000001 (1)
>       userlevel : union spoolss_UserLevel(case 1)
>         level1 : *
>           level1: struct spoolss_UserLevel1
>             size : 0x0000001c (28)
>             client : *
>               client : '\\TKNEW'
>             user : *
>               user : 'adminuser'
>             build : 0x00000565 (1381)
>             major : UNKNOWN_ENUM_VALUE (2)
>             minor : SPOOLSS_MINOR_VERSION_0 (0)
>             processor : PROCESSOR_ARCHITECTURE_INTEL (0)
>   checking name: \\LOCALHOST\ZZZ
> [2010/03/31 13:43:35, 10] rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
>   open_printer_hnd: name [\\LOCALHOST\ZZZ]
> [2010/03/31 13:43:35, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
>   Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B C7 89  ........ .....K..
>   [0010] F9 54 00 00  .T..
> [2010/03/31 13:43:35, 3] rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
>   Setting printer type=\\LOCALHOST\ZZZ
>   Printer is a printer
> [2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
>   Setting printer name=\\LOCALHOST\ZZZ (len=15)
> [2010/03/31 13:43:35, 8] lib/util.c:1879(is_myname)
>   is_myname("LOCALHOST") returns 0
>   searching for [ZZZ]
> [2010/03/31 13:43:35, 10] printing/nt_printing.c:4630(get_a_printer_internal)
>   get_a_printer: [printers] level 2
> [2010/03/31 13:43:35, 10] printing/nt_printing.c:3917(get_a_printer_2_default)
>   get_a_printer_2_default: driver name set to []
>   printername: printers
> [2010/03/31 13:43:35, 10] printing/nt_printing.c:3917(get_a_printer_2_default)
>   get_a_printer_2_default: driver name set to []
>   printername: CRBSTD-P
>   set_printer_hnd_name: Printer found: ZZZ -> ZZZ
> [2010/03/31 13:43:35, 5] rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
>   1 printer handles active
> [2010/03/31 13:43:35, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
>   Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B C7 89  ........ .....K..
>   [0010] F9 54 00 00  .T..
> [2010/03/31 13:43:35, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
>   Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B C7 89  ........ .....K..
>   [0010] F9 54 00 00  .T..
> [2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
>   short name:ZZZ
> [2010/03/31 13:43:35, 3] lib/access.c:362(only_ipaddrs_in_list)
>   only_ipaddrs_in_list: list has non-ip address (127.)
> [2010/03/31 13:43:35, 3] lib/access.c:396(check_access)
>   check_access: hostnames in host allow/deny list.
> [2010/03/31 13:43:35, 2] lib/access.c:406(check_access)
>   Allowed connection from 127.0.0.1 (127.0.0.1)
> [2010/03/31 13:43:35, 10] smbd/share_access.c:234(user_ok_token)
>   user_ok_token: share ZZZ is ok for unix user adminuser
> [2010/03/31 13:43:35, 4] rpc_server/srv_spoolss_nt.c:1726(_spoolss_OpenPrinterEx)
>   Setting printer access = PRINTER_ACCESS_ADMINISTER
> [2010/03/31 13:43:35, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>   spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
>     out: struct spoolss_OpenPrinterEx
>       handle : *
>         handle: struct policy_handle
>           handle_type : 0x00000000 (0)
>           uuid : 00000002-0000-0000-b34b-c789f9540000
>       result : WERR_OK
> --------------------------------------------
>
> And now for a user who is denied access:
>
> --------------------------------------------
> [2010/03/31 13:44:33, 4] rpc_server/srv_pipe.c:2297(api_rpcTNP)
>   api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
> [2010/03/31 13:44:33, 6] rpc_server/srv_pipe.c:2327(api_rpcTNP)
>   api_rpc_cmds[69].fn == 0x7f0e2d66c890
> [2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>   spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
>     in: struct spoolss_OpenPrinterEx
>       printername : *
>         printername : '\\LOCALHOST\ZZZ'
>       datatype : NULL
>       devmode_ctr: struct spoolss_DevmodeContainer
>         _ndr_size : 0x00000000 (0)
>         devmode : NULL
>       access_mask : 0x000f000c (983052)
>         0: SERVER_ACCESS_ADMINISTER
>         0: SERVER_ACCESS_ENUMERATE
>         1: PRINTER_ACCESS_ADMINISTER
>         1: PRINTER_ACCESS_USE
>         0: JOB_ACCESS_ADMINISTER
>         0: JOB_ACCESS_READ
>       level : 0x00000001 (1)
>       userlevel : union spoolss_UserLevel(case 1)
>         level1 : *
>           level1: struct spoolss_UserLevel1
>             size : 0x0000001c (28)
>             client : *
>               client : '\\TKNEW'
>             user : *
>               user : 'denieduser'
>             build : 0x00000565 (1381)
>             major : UNKNOWN_ENUM_VALUE (2)
>             minor : SPOOLSS_MINOR_VERSION_0 (0)
>             processor : PROCESSOR_ARCHITECTURE_INTEL (0)
>   checking name: \\LOCALHOST\ZZZ
> [2010/03/31 13:44:33, 10] rpc_server/srv_spoolss_nt.c:560(open_printer_hnd)
>   open_printer_hnd: name [\\LOCALHOST\ZZZ]
> [2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:160(create_policy_hnd)
>   Opened policy hnd[1] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A  ........ .....K..
>   [0010] FF 54 00 00  .T..
> [2010/03/31 13:44:33, 3] rpc_server/srv_spoolss_nt.c:394(set_printer_hnd_printertype)
>   Setting printer type=\\LOCALHOST\ZZZ
>   Printer is a printer
> [2010/03/31 13:44:33, 4] rpc_server/srv_spoolss_nt.c:434(set_printer_hnd_name)
>   Setting printer name=\\LOCALHOST\ZZZ (len=15)
> [2010/03/31 13:44:33, 8] lib/util.c:1879(is_myname)
>   is_myname("LOCALHOST") returns 0
>   searching for [ZZZ]
> [2010/03/31 13:44:33, 10] printing/nt_printing.c:4630(get_a_printer_internal)
>   get_a_printer: [printers] level 2
> [2010/03/31 13:44:33, 10] printing/nt_printing.c:3917(get_a_printer_2_default)
>   get_a_printer_2_default: driver name set to []
>   printername: printers
> [2010/03/31 13:44:33, 10] printing/nt_printing.c:3917(get_a_printer_2_default)
>   get_a_printer_2_default: driver name set to []
>   printername: CRBSTD-P
>   set_printer_hnd_name: Printer found: ZZZ -> ZZZ
> [2010/03/31 13:44:33, 5] rpc_server/srv_spoolss_nt.c:590(open_printer_hnd)
>   1 printer handles active
> [2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
>   Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A  ........ .....K..
>   [0010] FF 54 00 00  .T..
> [2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
>   Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A  ........ .....K..
>   [0010] FF 54 00 00  .T..
> [2010/03/31 13:44:33, 4] rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
>   short name:ZZZ
> [2010/03/31 13:44:33, 3] lib/access.c:362(only_ipaddrs_in_list)
>   only_ipaddrs_in_list: list has non-ip address (127.)
> [2010/03/31 13:44:33, 3] lib/access.c:396(check_access)
>   check_access: hostnames in host allow/deny list.
> [2010/03/31 13:44:33, 2] lib/access.c:406(check_access)
>   Allowed connection from 127.0.0.1 (127.0.0.1)
> [2010/03/31 13:44:33, 10] smbd/share_access.c:234(user_ok_token)
>   user_ok_token: share ZZZ is ok for unix user denieduser
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
>   se_map_generic(): mapped mask 0x20020008 to 0x00020008
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
>   se_map_generic(): mapped mask 0x100f000c to 0x000f000c
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
>   se_map_generic(): mapped mask 0x100f000c to 0x000f000c
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
>   se_map_generic(): mapped mask 0x100f000c to 0x000f000c
> [2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
>   se_map_generic(): mapped mask 0x100f000c to 0x000f000c
> [2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
>   access check was FAILURE
> [2010/03/31 13:44:33, 3] rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)
>   access DENIED for printer open
> [2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
>   Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A  ........ .....K..
>   [0010] FF 54 00 00  .T..
> [2010/03/31 13:44:33, 4] rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
>   Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 B3 4B 01 8A  ........ .....K..
>   [0010] FF 54 00 00  .T..
> [2010/03/31 13:44:33, 3] rpc_server/srv_lsa_hnd.c:218(close_policy_hnd)
>   Closed policy
> [2010/03/31 13:44:33, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>   spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
>     out: struct spoolss_OpenPrinterEx
>       handle : *
>         handle: struct policy_handle
>           handle_type : 0x00000000 (0)
>           uuid : 00000000-0000-0000-0000-000000000000
>       result : WERR_ACCESS_DENIED
> --------------------------------------------
>
> The only discernible difference to my eye is that for the denieduser,
> se_map_generic() is called before ultimately denying the user.
>
> Finally, here is testparm output:
>
> --------------------------------------------
> [global]
>         workgroup = POTSDAM
>         server string = Printing Server
>         security = DOMAIN
>         password server = MEGA
>         restrict anonymous = 2
>         log level = 1
>         log file = /var/log/samba/%m.log
>         max log size = 10000
>         time server = Yes
>         unix extensions = No
>         deadtime = 5
>         printcap name = cups
>         wins server = 192.168.0.1
>         printer admin = @printeradmins
>         hosts allow = 127., 192.168.
>         cups options = raw
>         veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
>         browsable = No
>
> [print$]
>         comment = Printer Drivers for Windows
>         path = /usr/share/samba/print
>         write list = @printeradmins
>
> [drivers]
>         comment = Vendor Printer Driver Paks
>         path = /usr/share/samba/drivers
>         write list = @printeradmins
>         create mask = 0775
>         directory mask = 0775
> --------------------------------------------
>
> If anyone could shed light on this issue, it would be much
> appreciated. Thank you.
>
> -Jeff
>
> --
> Jeffrey M Hardy
> Systems Analyst
> hardyjm(a)potsdam.edu

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
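A decoder for the access masks in the level-10 log quoted above, added here as an example; it is not Samba code and not part of the original thread. The specific rights (SERVER_ACCESS_*, PRINTER_ACCESS_*, JOB_ACCESS_*) are the MS-RPRN values, the standard and generic bits are the Win32 ACCESS_MASK layout, and the printer generic mapping (read/write/execute to 0x00020008, all to 0x000f000c) is the one Samba applies in the "mapped mask" lines shown in the denied-user snippet. The sample log text in the block is copied from that snippet.

```python
"""Decode spoolss access masks from a Samba level-10 log.

Added example for the log quoted above; not Samba code. Specific-right values
come from MS-RPRN, the standard/generic bits from the Win32 ACCESS_MASK layout,
and the generic mapping reproduces the PRINTER_READ/WRITE/EXECUTE = 0x00020008,
PRINTER_ALL_ACCESS = 0x000f000c values visible in the "mapped mask" lines.
"""
import re

SPECIFIC_RIGHTS = {
    0x00000001: "SERVER_ACCESS_ADMINISTER",
    0x00000002: "SERVER_ACCESS_ENUMERATE",
    0x00000004: "PRINTER_ACCESS_ADMINISTER",
    0x00000008: "PRINTER_ACCESS_USE",
    0x00000010: "JOB_ACCESS_ADMINISTER",
    0x00000020: "JOB_ACCESS_READ",
}
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
GENERIC_RIGHTS = {
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Samba's printer generic mapping: read, write and execute all collapse to
# READ_CONTROL | PRINTER_ACCESS_USE; "all" is the four STANDARD_RIGHTS_REQUIRED
# bits plus PRINTER_ACCESS_ADMINISTER and PRINTER_ACCESS_USE.
PRINTER_GENERIC_MAPPING = {
    0x80000000: 0x00020008,  # GENERIC_READ    -> PRINTER_READ
    0x40000000: 0x00020008,  # GENERIC_WRITE   -> PRINTER_WRITE
    0x20000000: 0x00020008,  # GENERIC_EXECUTE -> PRINTER_EXECUTE
    0x10000000: 0x000f000c,  # GENERIC_ALL     -> PRINTER_ALL_ACCESS
}


def decode_mask(mask):
    """Names of every right set in `mask`, lowest bit first."""
    names = []
    for table in (SPECIFIC_RIGHTS, STANDARD_RIGHTS, GENERIC_RIGHTS):
        for bit, name in sorted(table.items()):
            if mask & bit:
                names.append(name)
    return names


def map_generic(mask):
    """Apply the printer generic mapping the way se_map_generic() does:
    each generic bit that is set is cleared and replaced by its specific rights."""
    for generic_bit, specific in PRINTER_GENERIC_MAPPING.items():
        if mask & generic_bit:
            mask = (mask & ~generic_bit) | specific
    return mask


def requests_admin(mask):
    """True if the mask, once generic bits are mapped, asks for PRINTER_ACCESS_ADMINISTER."""
    return bool(map_generic(mask) & 0x00000004)


SE_MAP_RE = re.compile(
    r"se_map_generic\(\): mapped mask (0x[0-9a-fA-F]+) to (0x[0-9a-fA-F]+)")


def check_se_map_lines(log_text):
    """Parse every se_map_generic() line and confirm our mapping reproduces it.
    Returns [(requested_mask, logged_result, matches_our_mapping), ...]."""
    results = []
    for m in SE_MAP_RE.finditer(log_text):
        requested, logged = int(m.group(1), 16), int(m.group(2), 16)
        results.append((requested, logged, map_generic(requested) == logged))
    return results


# Lines copied from the denied-user snippet in the thread above.
SAMPLE_LOG = """\
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x20020008 to 0x00020008
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 4] printing/nt_printing.c:5733(print_access_check)
  access check was FAILURE
"""

if __name__ == "__main__":
    print("OpenPrinterEx asked for:", decode_mask(0x000f000c))
    for requested, logged, ok in check_se_map_lines(SAMPLE_LOG):
        print(f"{requested:#010x} -> {logged:#010x} ({'ok' if ok else 'MISMATCH'}):",
              decode_mask(logged))
```

Both OpenPrinterEx requests in the log carry the same access_mask, 0x000f000c, which decodes to PRINTER_ACCESS_ADMINISTER | PRINTER_ACCESS_USE plus the four STANDARD_RIGHTS_REQUIRED bits. So the two users ask for exactly the same thing; the grant/deny split happens in print_access_check against the user's token, which is where to look rather than at the request.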
From: Jeff Hardy on 4 May 2010 20:20

On 04/01/2010 05:39 PM, Jeff Hardy wrote:
> I have been trying to set up a new print server on Fedora 12 based around
> samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
> except for the ability for printer administrators to manage printers.
> Whether I specify users in a system group using the deprecated printer
> admin option, or specifically using net rpc rights and the
> SePrinterOperatorPrivilege, it does not matter. This is against an NT4
> domain on samba-3.4.2.

After a tdb wipe, I ended up with no users who can manage printers. This at least made the behavior consistently broken. I ended up trying samba 3.3 and 3.2 seeking some way to manage printers. Only by going back to samba-3.2.15 built from a Fedora 10 source RPM was I able to restore functionality by way of the printer admin option. The SePrinterOperatorPrivilege did not seem to work in any version no matter what I did. Surely other folks are managing printers with sambas later than 3.2.x, I would think. Anyone have any experience like this?

-Jeff

--
Jeffrey M Hardy
Systems Analyst
hardyjm(a)potsdam.edu
From: Ryan Suarez on 6 May 2010 12:30

Hi Jeff,

Jeff Hardy wrote:
> On 04/01/2010 05:39 PM, Jeff Hardy wrote:
>> I have been trying to set up a new print server on Fedora 12 based around
>> samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
>> except for the ability for printer administrators to manage printers.
>> Whether I specify users in a system group using the deprecated printer
>> admin option, or specifically using net rpc rights and the
>> SePrinterOperatorPrivilege, it does not matter. This is against an NT4
>> domain on samba-3.4.2.
>
> After a tdb wipe, I ended up with no users who can manage printers.
> This at least made the behavior consistently broken. I ended up
> trying samba 3.3 and 3.2 seeking some way to manage printers. Only by
> going back to samba-3.2.15 built from a Fedora 10 source RPM was I
> able to restore functionality by way of the printer admin option. The
> SePrinterOperatorPrivilege did not seem to work in any version no
> matter what I did. Surely other folks are managing printers with
> sambas later than 3.2.x, I would think. Anyone have any experience
> like this?

How about adding users as members to the BUILTIN\administrators group on the newer version of samba to see if that works?
From: christoph.beyer on 6 May 2010 15:10
Hi Jeff,

I fiddled around for a while with this too ;) Looks broken to me; anyway, I did put it like this and it worked for me then:

in smb.conf:

    username map = /opt/samba/smbusers.map
    admin users = root

    [print$]
    path = /opt/samba/samba_drivers
    write list = root

uid(a)host:~$ cat /opt/samba/smbusers.map
!root = <my win uid>
!root = <WIN DOMAIN\uid>

This worked for me only with the root account, while in earlier versions I used the same mechanism with the uid lp and it worked fine ...

good luck
christoph

On Thu, 6 May 2010, Ryan Suarez wrote:
> Hi Jeff,
>
> Jeff Hardy wrote:
>> On 04/01/2010 05:39 PM, Jeff Hardy wrote:
>>> I have been trying to set up a new print server on Fedora 12 based around
>>> samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
>>> except for the ability for printer administrators to manage printers.
>>> Whether I specify users in a system group using the deprecated printer
>>> admin option, or specifically using net rpc rights and the
>>> SePrinterOperatorPrivilege, it does not matter. This is against an NT4
>>> domain on samba-3.4.2.
>>
>> After a tdb wipe, I ended up with no users who can manage printers. This
>> at least made the behavior consistently broken. I ended up trying samba
>> 3.3 and 3.2 seeking some way to manage printers. Only by going back to
>> samba-3.2.15 built from a Fedora 10 source RPM was I able to restore
>> functionality by way of the printer admin option. The
>> SePrinterOperatorPrivilege did not seem to work in any version no matter
>> what I did. Surely other folks are managing printers with sambas later
>> than 3.2.x, I would think. Anyone have any experience like this?
>
> How about adding users as members to the BUILTIN\administrators group on the
> newer version of samba to see if that works?

best regards
~christoph

--
/* Christoph Beyer   | Office: Building 2b / 23  *\
 * DESY               | Phone: 040-8998-2317      *
 * - IT -             | Fax: 040-8998-4060        *
\* 22603 Hamburg      | http://www.desy.de        */
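Christoph's workaround maps a Windows identity onto the Unix root account through a `username map` file, and with `admin users = root` in [global] every share operation for that identity then runs as root. That is worth auditing, so here is an added example (not Samba's own parser, and not from the thread) that reads a map file following the rules the smb.conf manual documents for `username map` (`unixname = winname ...`, names with spaces in double quotes, `@group` for members of a Unix group, `*` as a wildcard, a leading `!` that stops processing once that line matches, `#`/`;` comment lines, and a matched name continuing through later lines unless `!` stops it) and reports which identities end up as root. The map files, user names (jhardy, alice, bob, mallory), the POTSDAM domain prefix and the `printops` group membership are constructed for the example.

```python
"""Parse a Samba `username map` file and audit which Windows identities end up
as a privileged Unix account.

Added example, not Samba's own parser. It follows the rules documented for the
`username map` smb.conf parameter: `unixname = winname ...`, names with spaces
in double quotes, `@group` for members of a Unix group, `*` as a wildcard, a
leading `!` that stops processing once that line matches, `#`/`;` comment
lines, and a matched name continuing through later lines unless `!` stops it.
The map files, users and group memberships below are constructed.
"""


def _split_names(rhs):
    """Whitespace-split the right-hand side, keeping "quoted names" together
    and leaving backslashes (DOMAIN\\user) untouched."""
    names, current, quoted = [], [], False
    for ch in rhs:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                names.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        names.append("".join(current))
    return names


def parse_map(text):
    """Return [(stop_after_match, unixname, [patterns]), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            continue  # no '=': not a mapping line
        unixname, rhs = (part.strip() for part in line.split("=", 1))
        entries.append((stop, unixname, _split_names(rhs)))
    return entries


def _matches(pattern, name, is_member):
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return is_member(name, pattern[1:])
    return pattern.lower() == name.lower()  # Samba compares names case-insensitively


def map_username(name, entries, is_member):
    """Run `name` through the map and return the resulting Unix name."""
    current = name
    for stop, unixname, patterns in entries:
        if any(_matches(p, current, is_member) for p in patterns):
            current = unixname  # later lines now see the mapped name
            if stop:
                break
    return current


def audit_privileged(entries, candidates, is_member, privileged=("root",)):
    """Which of `candidates` end up mapped to a privileged Unix account."""
    result = {}
    for name in candidates:
        unix = map_username(name, entries, is_member)
        if unix in privileged:
            result[name] = unix
    return result


# Constructed map in the style of the one quoted above, plus a group line
# without '!' and a trailing wildcard. Because the group line does not stop
# processing, the wildcard re-maps the @printops members to nobody.
MAP_LEAKY = """\
# constructed: map the domain print admins onto root, as in the post above
!root = jhardy "POTSDAM\\jhardy"
lp = @printops
!nobody = *
"""
MAP_FIXED = MAP_LEAKY.replace("\nlp = @printops", "\n!lp = @printops")

GROUPS = {"printops": {"potsdam\\alice", "bob"}}  # constructed membership


def is_member(name, group):
    return name.lower() in GROUPS.get(group, set())


CANDIDATES = ["jhardy", "POTSDAM\\jhardy", "POTSDAM\\alice", "bob", "mallory"]

if __name__ == "__main__":
    for label, text in (("leaky", MAP_LEAKY), ("fixed", MAP_FIXED)):
        entries = parse_map(text)
        print(label, {c: map_username(c, entries, is_member) for c in CANDIDATES})
        print(label, "mapped to root:", audit_privileged(entries, CANDIDATES, is_member))
```

Run this over the real map file and the list of domain accounts you expect to see before handing root to anyone: every name `audit_privileged` returns gets root on each share where `admin users = root` applies, not just on [print$]. The `lp = @printops` line without `!` shows the chaining the manual warns about: the match rewrites the name to `lp`, and the trailing `nobody = *` then matches `lp`, so the print operators silently become `nobody`.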