Bug 2850 - Domain Administrator and Everyone set as privileged by default
Domain Administrator and Everyone set as privileged by default
Product: Samba 3.0
Classification: Unclassified
Component: Printing
All Windows 2003
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2005-07-06 02:34 UTC by Guruswamy
Modified: 2005-07-15 09:43 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Guruswamy 2005-07-06 02:34:09 UTC
A printer is created from Windows 2003 server on to a samba server. The logged
in user account belongs to cups PrintAdmin group and also Administrators group.
However, once the printer is created, the security tab shows that
"DOMAIN\Administrator" and "Everyone" have access to this printer. Also the
printAdmin group or the user creating the printer are not included.

Now if the user logs in as Administrator and tries accessing this printer, he is
not able to add new drivers but is able to choose from already existing drivers.
Comment 1 Gerald (Jerry) Carter 2005-07-06 05:58:13 UTC
Are you really using version 3.0.1?  If so, could you please try 
to reproduce this against a more recent release such as 3.0.14a?
Are you running with drivers installed on the Samba host?
We'll need a lot more details here, but it sounds like you 
don't have the groups or access setup correctly.  Or possibly 
there is just a misunderstanding on how things should work.
Comment 2 Guruswamy 2005-07-06 07:49:01 UTC
(In reply to comment #1)

The version of samba being used is 3.0.13.

The drivers are installed in the Samba host. The user is able to choose between
the drivers already installed. However, the "New Driver" button of Add printer
wizard is disabled. 

The account used to create the printer is part of a group configured as cups
admin group in samba server.

Comment 3 Gerald (Jerry) Carter 2005-07-15 09:43:22 UTC
re-reading the original report I notice that what you 
are describing is behavior by design. The current default 
access control on new printers is 

Administrator - Full Control
DOmain Admins - Full Control
Everyone      - Print

We do not make use of the CREATOR OWNER built in SID.
You can only install new drivers on the server if
you are a printer admin on the Samba host (not for a 
specific printer) or possess the SePrintOperatorPrivilege
on the Samba server.  There's not bug here in that things work
as they are expected to work.