Bug 7491 - Printer Admin Difficulties
Printer Admin Difficulties
Status: RESOLVED DUPLICATE of bug 7255
Product: Samba 3.4
Classification: Unclassified
Component: Printing
x64 Linux
: P3 major
: ---
Assigned To: Guenther Deschner
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2010-06-03 15:12 UTC by Jeff Hardy
Modified: 2010-06-07 09:25 UTC (History)
0 users

See Also:

Testparm output. (823 bytes, text/plain)
2010-06-03 15:20 UTC, Jeff Hardy
no flags Details
Level 10 snippet of openprinterex. (6.04 KB, text/plain)
2010-06-03 15:25 UTC, Jeff Hardy
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Hardy 2010-06-03 15:12:28 UTC
I have been trying to setup a new print server on Fedora 12 based around samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64.  All looks good except for the ability for printer administrators to manage printers.  Whether I specify users in a system group using the deprecated printer admin option, or specifically using net rpc rights and the SePrinterOperatorPrivilege, it does not matter.  This is against an NT4-style domain on samba-3.4.2. 

I have been running the following command, the result always WERR_ACCESS_DENIED:

rpcclient -c 'setdriver ZZZ "HP LaserJet 4000 Series PS"' -U <user> localhost 

Corresponding behavior in Windows XP and Windows 7 clients was that all of the printer options were grayed out in Printer Properties.

I went back to samba-3.3.2-0.33 (F11 source RPM) and same issue presented.  Going further back to 3.2.15-0.36 (F10 source RPM) finally re-enabled administrative access via the printer admin option.  In no case did setting the SePrinterOperatorPrivilege on the domain controller work.
Comment 1 Jeff Hardy 2010-06-03 15:20:05 UTC
Created attachment 5759 [details]
Testparm output.
Comment 2 Jeff Hardy 2010-06-03 15:25:19 UTC
Created attachment 5760 [details]
Level 10 snippet of openprinterex.
Comment 3 Guenther Deschner 2010-06-07 07:04:41 UTC
You need to set the privilege on the printserver, not on your domain controller. And yes, there has been a bug related to the printer admin option, which is resolved in 3.5.2 and 3.4.8

*** This bug has been marked as a duplicate of bug 7255 ***
Comment 4 Jeff Hardy 2010-06-07 09:25:49 UTC
I tried adding privileges like this:

net rpc rights grant "DOMAIN\user" SePrintOperatorPrivilege -U 'DOMAIN\administrator' -S smbserver

The command would report success when smbserver was the domain controller, but did not work when smbserver was the print server itself, reporting:

Failed to grant privileges for POTSDAM\hardyjm (NT_STATUS_ACCESS_DENIED)

The same username/password combo for the administrator was used in both cases, and seems to successfully set the privileges on the domain controller judging by ensuing net rpc list commands succeeding.  Because of this I assumed it needed to be done on the DC.  Am I missing something for this to work on the print server itself?