The Samba-Bugzilla – Bug 10084
Guest user has wrong group membership when running the 'print command'
Last modified: 2013-08-14 05:00:05 UTC
I have a Samba print share set up, with a "print command" specified
that just 'cat's the file to /dev/ulpt0. The share is accessed by the
guest Samba account, which I have set to be the 'smbguest' username.
I can manually run the print command as root, and the file prints.
I can manually run the print command as 'smbguest' (through sudo) and
the file prints. Therefore, I know the printer hardware is set up correctly.
However, when I run the command through Samba itself (by printing over
the network from another machine), I get:
cannot create /dev/ulpt0: Permission denied
which is the same message I would get if I don't have write permissions
to the device.
NOTE: I have recently done an upgrade of Samba (might have been from 3.5, but I think it was an earlier 3.6.x - I can track that down if it's important). In the previous version, everything was working.
The device itself has the following permissions:
$ ls -l /dev/ulpt*
crw-rw---- 1 root print 0, 142 Aug 5 22:31 /dev/ulpt0
The 'smbguest' account is in the 'print' group, as evidenced below:
$ groups smbguest
smbguest smbguestgroup print
so it should be able to write to ulpt0. In fact, it can, when the
command is run through sudo -u smbguest ...
Further, if I change permissions on the device to, for instance, have a group of 'smbguest', everything works. Also, if I change permissions on the device to have read/write for the 'other' users, again everything works. I do not want to put that in place permanently, of course.
I have found that when the Samba 'print command' itself is run, the group
membership *only* includes the 'smbguest' group. I altered the print
command to write a log message including the output of `id`, for instance, and
it only includes the 'smbguest' group, rather than the above three groups.
NOTE: I have tried using 'force group = print' as a workaround, but that does not seem to have any effect for me. I don't know if that ever worked, because I had no reason to try, before.
I am happy to provide additional information if needed.
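The `id` check described in the report can be made repeatable. The following is an added diagnostic sketch, not part of the original report or of Samba: it compares the supplementary groups the running process actually holds with the groups the account database lists for the same user, and names the ones that were dropped. The function names and the `--report` argument are hypothetical.

```shell
#!/bin/sh
# Added example: detect a process running with fewer supplementary groups
# than the group database grants its user (the symptom in this report).

# missing_groups PROCESS_GROUPS DATABASE_GROUPS
# Both arguments are space-separated group names. Prints the database
# groups that the process does not hold, space-separated, on one line.
# Assumes group names contain no whitespace.
missing_groups() {
    proc_groups=$1
    db_groups=$2
    missing=
    for g in $db_groups; do
        # Pad with spaces so "print" does not match inside "printers".
        case " $proc_groups " in
            *" $g "*) ;;
            *) missing="${missing:+$missing }$g" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# report_identity
# Prints one line describing the credentials of the calling process.
report_identity() {
    user=$(id -un)
    proc=$(id -Gn)           # groups held by this process right now
    db=$(id -Gn "$user")     # groups the account database lists for the user
    printf 'user=%s process_groups="%s" db_groups="%s" missing="%s"\n' \
        "$user" "$proc" "$db" "$(missing_groups "$proc" "$db")"
}

# Only emit a report when asked, so the file can also be sourced.
if [ "${1:-}" = "--report" ]; then
    report_identity
fi
```

Run with `--report` from inside the print command script, redirecting to a log file, so the output reflects the credentials Samba gave the child process; a non-empty `missing` field means supplementary groups were not set for that process.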