Bug 2850 - Domain Administrator and Everyone set as privileged by default
Summary: Domain Administrator and Everyone set as privileged by default
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Printing (show other bugs)
Version: 3.0.13
Hardware: All Windows 2003
: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Depends on:
Reported: 2005-07-06 02:34 UTC by Guruswamy
Modified: 2005-07-15 09:43 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Guruswamy 2005-07-06 02:34:09 UTC
A printer is created from Windows 2003 server on to a samba server. The logged
in user account belongs to cups PrintAdmin group and also Administrators group.
However, once the printer is created, the security tab shows that
"DOMAIN\Administrator" and "Everyone" have access to this printer. Also the
printAdmin group or the user creating the printer are not included.

Now if the user logs in as Administrator and tries accessing this printer, he is
not able to add new drivers but is able to choose from already existing drivers.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-07-06 05:58:13 UTC
Are you really using version 3.0.1?  If so, could you please try 
to reproduce this against a more recent release such as 3.0.14a?
Are you running with drivers installed on the Samba host?
We'll need a lot more details here, but it sounds like you 
don't have the groups or access setup correctly.  Or possibly 
there is just a misunderstanding on how things should work.
Comment 2 Guruswamy 2005-07-06 07:49:01 UTC
(In reply to comment #1)

The version of samba being used is 3.0.13.

The drivers are installed in the Samba host. The user is able to choose between
the drivers already installed. However, the "New Driver" button of Add printer
wizard is disabled. 

The account used to create the printer is part of a group configured as cups
admin group in samba server.

Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-07-15 09:43:22 UTC
re-reading the original report I notice that what you 
are describing is behavior by design. The current default 
access control on new printers is 

Administrator - Full Control
DOmain Admins - Full Control
Everyone      - Print

We do not make use of the CREATOR OWNER built in SID.
You can only install new drivers on the server if
you are a printer admin on the Samba host (not for a 
specific printer) or possess the SePrintOperatorPrivilege
on the Samba server.  There's not bug here in that things work
as they are expected to work.