consider a print$ share with the following settings:
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = $DRIVER_UPLOAD_USER
force group = ntadmin
create mask = 0664
directory mask = 0775
moose:~ # ls -ld /var/lib/samba/drivers/W32X86/
drwxrwxr-x 3 root ntadmin 4096 2011-01-14 19:06 /var/lib/samba/drivers/W32X86/
With the above configuration it would be reasonable to expect W32X86 printer driver upload/add attempts by $DRIVER_UPLOAD_USER (granted SePrintOperatorPrivilege) to be permitted - the print$ share settings force connections to the ntadmin group, which is granted write permission to the driver upload path.
Currently if $DRIVER_UPLOAD_USER is not a member of the ntadmin group, the driver upload/add fails, this is explained by how the driver upload/add takes place:
- the client connects to the [print$] share and uploads all driver
files to the (/var/lib/samba/drivers/W32X86) directory.
- This is permitted, as the /var/lib/samba/drivers/W32X86 is owned
by group ntadmin, and the "force group = ntadmin" takes effect
for the [print$] session.
- Once all files are uploaded, the client connects to the [ipc$]
share and issues an AddPrinterDriverEx spoolss request.
- In handling this request move_driver_to_download_area() is called,
which attempts to create the directory
- The create directory fails, as it is done as the user connected to
the [ipc$] share. The [print$] "force group = ntadmin" has no
This is a regression from previous behaviour. Prior to the commit
783ab0480b7c1454a95cdb414d3277a8fa543e9a, move_driver_to_download_area() would call become_user() for the print$ share.
What makes this bug even more confusing from a users perspective is that the error returned to the client is WERR_UNKNOWN_PRINTER_DRIVER.
This is due to the missing and otherwise completely broken error paths in move_driver_to_download_area():
- the create_directory() call, which is where the initial access denied
failure occurs, is not checked for error.
- WERR_ACCESS_DENIED errors returned by move_driver_file_to_download_area()
are changed to WERR_UNKNOWN_PRINTER_DRIVER.
- move_driver_to_download_area() returns *the same* error status values to
the caller via the *perr argument as well as the return value.
_spoolss_AddPrinterDriver() uses the following invocation:
err = move_driver_to_download_area(p, driver, level, &err)
fixed in master with:
s3-printing: follow force user/group for driver IO
Actually it's commit 2a791861462977a82b33ad57a4d5203dc9270aff in v3-6-test that will be the change that releases the fix :-).