Bug 2034 - access denied when connecting to a printer and not being "printer admin"
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Printing
Version: 3.0.8
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Gerald (Jerry) Carter
QA Contact: Samba QA Contact
Reported: 2004-11-13 16:09 UTC by Erik Sørnes
Modified: 2005-08-24 10:27 UTC

Description Erik Sørnes 2004-11-13 16:09:01 UTC
Successfully joined samba-3.0.8-server to w2k3-domain with "net ads join".
Everything regarding file and folder permissions seems to be working fine.

Then, when connecting to a network printer on the samba-3.0.8-server from a w2k- or
w2k3-client, I receive "access denied" and the network printer will not install.
However, if the user logged on to the w2k- or w2k3-client is listed
after the "printer admin" keyword in smb.conf, for example

printer admin= domain+user

then he gets access to connect to the printer, install the printer on the client
machine and print out documents.

suse linux 9.1 with cups-1.1.20-103 or suse linux enterprise server 9 with
cups-1.1.22
both with heimdal-0.6.3

smb.conf: 

[global]
        security=ADS
        realm=HJEMME.HOME
        encrypt passwords=yes
        password server=hjemme.home
        winbind cache time = 3
        winbind separator = +
        workgroup = NETBIOS
        auth methods = winbind
        #obey pam restrictions = yes
        #winbind use default domain = yes
        interfaces = 127.0.0.1 eth0 eth1
        #bind interfaces only = true
        printing = cups
        idmap uid = 10000-40000
        idmap gid = 10000-40000
        printcap name = cups
        printer admin = @ntadmin, root, administrator
        #map to guest = Bad User
        wins server = 192.168.2.200
        log level = 10
        username map = /usr/local/samba/lib/smbusers

[groups]
        comment = All groups
        path = /home/groups
        writeable = Yes
        inherit permissions = Yes
[pdf]
        comment = PDF creator
        path = /var/tmp
        printable = Yes
        print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z
        create mask = 0600
[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /usr/local/samba/etc/drivers
        write list = @ntadmin root administrator netbios+administrator
        force group = ntadmin
        create mask = 0664
        directory mask = 0775
        read list = netbios+erso
[lp]
        comment = på datarommet
        printable = yes
        path = /var/spool/samba
        guest ok = yes

With debug level 10 I get the following from log.smbd:

                          006b id_auth[5] : 05
[2004/11/13 22:15:04, 5] rpc_parse/parse_prs.c:prs_uint32s(862)
                          006c sub_auths : 00000015 741b06e9 a4c28d22 364dd5fc 000001f4
[2004/11/13 22:15:04, 10] printing/nt_printing.c:nt_printing_getsec(4945)
  secdesc_ctr for lp has 3 aces:
[2004/11/13 22:15:04, 10] printing/nt_printing.c:nt_printing_getsec(4954)
  S-0-0 0 2 0xe0000000
[2004/11/13 22:15:04, 10] printing/nt_printing.c:nt_printing_getsec(4954)
  S-1-5-21-1947928297-2764213538-911070716-500 0 9 0x10000000
[2004/11/13 22:15:04, 10] printing/nt_printing.c:nt_printing_getsec(4954)
  S-1-5-21-1947928297-2764213538-911070716-500 0 2 0x10000000
[2004/11/13 22:15:04, 10] lib/util_seaccess.c:se_map_generic(176)
  se_map_generic(): mapped mask 0xe0000000 to 0x00020008
[2004/11/13 22:15:04, 10] lib/util_seaccess.c:se_map_generic(176)
  se_map_generic(): mapped mask 0x10000000 to 0x000f000c
[2004/11/13 22:15:04, 10] lib/util_seaccess.c:se_map_generic(176)
  se_map_generic(): mapped mask 0x10000000 to 0x000f000c
[2004/11/13 22:15:04, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000008, for NT token with 10 entries and first sid S-1-5-21-318878672-596377311-2124708558-21004.
[2004/11/13 22:15:04, 3] lib/util_seaccess.c:se_access_check(251)
[2004/11/13 22:15:04, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-318878672-596377311-2124708558-21004
  se_access_check: also S-1-5-21-318878672-596377311-2124708558-21015
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-518
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-519
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-512
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-513
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-520
  se_access_check: ACE 0: type 0, flags = 0x02, SID = S-0-0 mask = 20008, current desired = 8
  se_access_check: ACE 1: type 0, flags = 0x09, SID = S-1-5-21-1947928297-2764213538-911070716-500 mask = f000c, current desired = 8
  se_access_check: ACE 2: type 0, flags = 0x02, SID = S-1-5-21-1947928297-2764213538-911070716-500 mask = f000c, current desired = 8
[2004/11/13 22:15:04, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (8) denied.
[2004/11/13 22:15:04, 4] printing/nt_printing.c:print_access_check(5095)
  access check was FAILURE
[2004/11/13 22:15:04, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1755)
  access DENIED for printer open
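
Added example (not part of the original report and not Samba's code): a simplified replay of the ACL walk that se_access_check logs above, fed with the token SIDs and ACEs copied from the excerpt. It assumes standard allow/deny ACE semantics; the name replay and the regular expressions are illustrative.

```python
import re

# Copied from the log.smbd excerpt in this report (wrapped lines rejoined).
LOG = """\
  se_access_check: requested access 0x00000008, for NT token with 10 entries and first sid S-1-5-21-318878672-596377311-2124708558-21004.
  se_access_check: user sid is S-1-5-21-318878672-596377311-2124708558-21004
  se_access_check: also S-1-5-21-318878672-596377311-2124708558-21015
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-518
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-519
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-512
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-513
  se_access_check: also S-1-5-21-1947928297-2764213538-911070716-520
  se_access_check: ACE 0: type 0, flags = 0x02, SID = S-0-0 mask = 20008, current desired = 8
  se_access_check: ACE 1: type 0, flags = 0x09, SID = S-1-5-21-1947928297-2764213538-911070716-500 mask = f000c, current desired = 8
  se_access_check: ACE 2: type 0, flags = 0x02, SID = S-1-5-21-1947928297-2764213538-911070716-500 mask = f000c, current desired = 8
"""

REQ = re.compile(r"requested access (0x[0-9a-f]+)")
SID = re.compile(r"(?:user sid is|also) (S-[\d-]+)")
ACE = re.compile(r"ACE (\d+): type (\d+), flags = 0x[0-9a-f]+, SID = (S-[\d-]+) mask = ([0-9a-f]+)")


def replay(log):
    """Walk the logged ACEs against the logged token (simplified model)."""
    desired = int(REQ.search(log).group(1), 16)
    token = set(SID.findall(log))
    matched, denied = [], False
    for idx, ace_type, sid, mask in ACE.findall(log):
        if sid not in token:
            continue                       # ACE does not apply to this user
        matched.append(int(idx))
        if ace_type == "0":                # allow ACE: clear the granted bits
            desired &= ~int(mask, 16)
        elif ace_type == "1" and desired & int(mask, 16):
            denied = True                  # deny ACE hits a bit still wanted
            break
    return {"token": token, "matched": matched, "remaining": desired,
            "granted": desired == 0 and not denied}


if __name__ == "__main__":
    print(replay(LOG))
```

None of the three ACE SIDs (S-0-0 and the two ...-500 entries) appears among the ten token SIDs, so the requested bit 0x8 is never cleared and the check ends in "access (8) denied".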
Comment 1 Erik Sørnes 2004-11-13 18:04:13 UTC
Tested with exactly same configuration, except SAMBA 3.0.1 and SAMBA 3.0.7:
then the bug is not there - everybody can connect to network printers on the
samba machine and print.
Comment 2 Erik Sørnes 2004-11-14 08:26:46 UTC
The bug is there also with mit-kerberos-1.3.5 + samba-3.0.8 + same config as before.

Comment 3 Erik Sørnes 2004-11-14 17:21:35 UTC
This bug does not appear when I use the latest build from cvs samba_3.0 or
samba_3.0_release.

Seems like the bug has been fixed then...
Comment 4 Gerald (Jerry) Carter 2004-11-23 07:26:21 UTC
Fixed then.
Comment 5 Gerald (Jerry) Carter 2005-08-24 10:27:55 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.