Successfully joined samba-3.0.8-server to w2k3-domain with "net ads join". Everything regarding file and folder permissions seems to be working fine. Then, when connecting to a network printer on the samba-3.0.8-server from a w2k- or w2k3-client, I receive "access denied" and the network printer will not install.

However, if the user logged on to the w2k- or w2k3-client is listed after the "printer admin" keyword in smb.conf, for example printer admin= domain+user, then he gets access to connect to the printer, install the printer on the client machine and print out documents.

SUSE Linux 9.1 with cups-1.1.20-103, or SUSE Linux Enterprise Server 9 with cups-1.1.22, both with heimdal-0.6.3.

smb.conf:

    [global]
    security=ADS
    realm=HJEMME.HOME
    encrypt passwords=yes
    password server=hjemme.home
    winbind cache time = 3
    winbind separator = +
    workgroup = NETBIOS
    auth methods = winbind
    #obey pam restrictions = yes
    #winbind use default domain = yes
    interfaces = 127.0.0.1 eth0 eth1
    #bind interfaces only = true
    printing = cups
    idmap uid = 10000-40000
    idmap gid = 10000-40000
    printcap name = cups
    printer admin = @ntadmin, root, administrator
    #map to guest = Bad User
    wins server = 192.168.2.200
    log level = 10
    username map = /usr/local/samba/lib/smbusers

    [groups]
    comment = All groups
    path = /home/groups
    writeable = Yes
    inherit permissions = Yes

    [pdf]
    comment = PDF creator
    path = /var/tmp
    printable = Yes
    print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z
    create mask = 0600

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    create mask = 0600
    browseable = No

    [print$]
    comment = Printer Drivers
    path = /usr/local/samba/etc/drivers
    write list = @ntadmin root administrator netbios+administrator
    force group = ntadmin
    create mask = 0664
    directory mask = 0775
    read list = netbios+erso

    [lp]
    comment = på datarommet
    printable = yes
    path = /var/spool/samba
    guest ok = yes

With debug level 10 I get the following from log.smbd:

    006b id_auth[5] : 05
    [2004/11/13 22:15:04, 5] rpc_parse/parse_prs.c:prs_uint32s(862)
      006c sub_auths : 00000015 741b06e9 a4c28d22 364dd5fc 000001f4
    [2004/11/13 22:15:04, 10] printing/nt_printing.c:nt_printing_getsec(4945)
      secdesc_ctr for lp has 3 aces:
    [2004/11/13 22:15:04, 10] printing/nt_printing.c:nt_printing_getsec(4954)
      S-0-0 0 2 0xe0000000
    [2004/11/13 22:15:04, 10] printing/nt_printing.c:nt_printing_getsec(4954)
      S-1-5-21-1947928297-2764213538-911070716-500 0 9 0x10000000
    [2004/11/13 22:15:04, 10] printing/nt_printing.c:nt_printing_getsec(4954)
      S-1-5-21-1947928297-2764213538-911070716-500 0 2 0x10000000
    [2004/11/13 22:15:04, 10] lib/util_seaccess.c:se_map_generic(176)
      se_map_generic(): mapped mask 0xe0000000 to 0x00020008
    [2004/11/13 22:15:04, 10] lib/util_seaccess.c:se_map_generic(176)
      se_map_generic(): mapped mask 0x10000000 to 0x000f000c
    [2004/11/13 22:15:04, 10] lib/util_seaccess.c:se_map_generic(176)
      se_map_generic(): mapped mask 0x10000000 to 0x000f000c
    [2004/11/13 22:15:04, 10] lib/util_seaccess.c:se_access_check(234)
      se_access_check: requested access 0x00000008, for NT token with 10 entries and first sid S-1-5-21-318878672-596377311-2124708558-21004.
    [2004/11/13 22:15:04, 3] lib/util_seaccess.c:se_access_check(251)
    [2004/11/13 22:15:04, 3] lib/util_seaccess.c:se_access_check(252)
      se_access_check: user sid is S-1-5-21-318878672-596377311-2124708558-21004
      se_access_check: also S-1-5-21-318878672-596377311-2124708558-21015
      se_access_check: also S-1-1-0
      se_access_check: also S-1-5-2
      se_access_check: also S-1-5-11
      se_access_check: also S-1-5-21-1947928297-2764213538-911070716-518
      se_access_check: also S-1-5-21-1947928297-2764213538-911070716-519
      se_access_check: also S-1-5-21-1947928297-2764213538-911070716-512
      se_access_check: also S-1-5-21-1947928297-2764213538-911070716-513
      se_access_check: also S-1-5-21-1947928297-2764213538-911070716-520
      se_access_check: ACE 0: type 0, flags = 0x02, SID = S-0-0 mask = 20008, current desired = 8
      se_access_check: ACE 1: type 0, flags = 0x09, SID = S-1-5-21-1947928297-2764213538-911070716-500 mask = f000c, current desired = 8
      se_access_check: ACE 2: type 0, flags = 0x02, SID = S-1-5-21-1947928297-2764213538-911070716-500 mask = f000c, current desired = 8
    [2004/11/13 22:15:04, 5] lib/util_seaccess.c:se_access_check(315)
      se_access_check: access (8) denied.
    [2004/11/13 22:15:04, 4] printing/nt_printing.c:print_access_check(5095)
      access check was FAILURE
    [2004/11/13 22:15:04, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1755)
      access DENIED for printer open
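The denial in the log above can be reproduced from the logged values alone: none of the three ACE SIDs on printer lp appears among the ten SIDs in the user's token. This is an added example, not part of the original report and not Samba code; `access_check` is a simplified model of a DACL walk assumed for illustration, and the log lines are the message text from the report with line wraps rejoined.

```python
import re

# se_access_check message lines copied from the log.smbd excerpt in the report
LOG = """
se_access_check: requested access 0x00000008, for NT token with 10 entries and first sid S-1-5-21-318878672-596377311-2124708558-21004.
se_access_check: user sid is S-1-5-21-318878672-596377311-2124708558-21004
se_access_check: also S-1-5-21-318878672-596377311-2124708558-21015
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-1947928297-2764213538-911070716-518
se_access_check: also S-1-5-21-1947928297-2764213538-911070716-519
se_access_check: also S-1-5-21-1947928297-2764213538-911070716-512
se_access_check: also S-1-5-21-1947928297-2764213538-911070716-513
se_access_check: also S-1-5-21-1947928297-2764213538-911070716-520
se_access_check: ACE 0: type 0, flags = 0x02, SID = S-0-0 mask = 20008, current desired = 8
se_access_check: ACE 1: type 0, flags = 0x09, SID = S-1-5-21-1947928297-2764213538-911070716-500 mask = f000c, current desired = 8
se_access_check: ACE 2: type 0, flags = 0x02, SID = S-1-5-21-1947928297-2764213538-911070716-500 mask = f000c, current desired = 8
"""

def parse(log):
    """Extract (desired mask, token SIDs, [(type, sid, mask)]) from the log text."""
    desired = int(re.search(r"requested access (0x[0-9a-f]+)", log).group(1), 16)
    token = re.findall(r"(?:user sid is|also) (S-[\d-]+)", log)
    aces = re.findall(r"ACE \d+: type (\d+), .*?SID = (S-[\d-]+) mask = ([0-9a-f]+)", log)
    return desired, token, [(int(t), sid, int(m, 16)) for t, sid, m in aces]

def access_check(desired, token, aces):
    """Simplified DACL walk (assumed model): type 0 allows, type 1 denies."""
    remaining, matched = desired, []
    for ace_type, sid, mask in aces:
        if sid not in token:
            continue                      # ACE does not apply to this user
        matched.append(sid)
        if ace_type == 1 and mask & remaining:
            return False, matched         # a requested bit is explicitly denied
        if ace_type == 0:
            remaining &= ~mask            # clear the bits this ACE grants
    return remaining == 0, matched

DESIRED, TOKEN, ACES = parse(LOG)         # 0x8 is PRINTER_ACCESS_USE
if __name__ == "__main__":
    print(access_check(DESIRED, TOKEN, ACES))   # the logged request
    admin = TOKEN + ["S-1-5-21-1947928297-2764213538-911070716-500"]
    print(access_check(DESIRED, admin, ACES))   # same ACL, token holding the ACE SID
```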
Tested with exactly the same configuration, except SAMBA 3.0.1 and SAMBA 3.0.7: then the bug is not there - everybody can connect to network printers on the samba machine and print.
The bug is there also with mit-kerberos-1.3.5 + samba-3.0.8 + same config as before.
This bug does not appear when I use latest build from cvs samba_3.0 or samba_3.0_release. Seems like the bug has been fixed then...
Fixed then.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.