Consider a print$ share with the following settings:

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = $DRIVER_UPLOAD_USER
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

moose:~ # ls -ld /var/lib/samba/drivers/W32X86/
drwxrwxr-x 3 root ntadmin 4096 2011-01-14 19:06 /var/lib/samba/drivers/W32X86/

With the above configuration it would be reasonable to expect W32X86 printer driver upload/add attempts by $DRIVER_UPLOAD_USER (granted SePrintOperatorPrivilege) to be permitted - the print$ share settings force connections to the ntadmin group, which is granted write permission to the driver upload path.

Currently if $DRIVER_UPLOAD_USER is not a member of the ntadmin group, the driver upload/add fails. This is explained by how the driver upload/add takes place:
- The client connects to the [print$] share and uploads all driver files to the (/var/lib/samba/drivers/W32X86) directory.
- This is permitted, as the /var/lib/samba/drivers/W32X86 is owned by group ntadmin, and the "force group = ntadmin" takes effect for the [print$] session.
- Once all files are uploaded, the client connects to the [ipc$] share and issues an AddPrinterDriverEx spoolss request.
- In handling this request move_driver_to_download_area() is called, which attempts to create the directory /var/lib/samba/drivers/W32X86/3
- The create directory fails, as it is done as the user connected to the [ipc$] share. The [print$] "force group = ntadmin" has no effect.

This is a regression from previous behaviour. Prior to the commit 783ab0480b7c1454a95cdb414d3277a8fa543e9a, move_driver_to_download_area() would call become_user() for the print$ share.
What makes this bug even more confusing from a user's perspective is that the error returned to the client is WERR_UNKNOWN_PRINTER_DRIVER. This is due to the missing and otherwise completely broken error paths in move_driver_to_download_area():
- The create_directory() call, which is where the initial access denied failure occurs, is not checked for error.
- WERR_ACCESS_DENIED errors returned by move_driver_file_to_download_area() are changed to WERR_UNKNOWN_PRINTER_DRIVER.
- move_driver_to_download_area() returns *the same* error status values to the caller via the *perr argument as well as the return value. _spoolss_AddPrinterDriver() uses the following invocation:
        err = move_driver_to_download_area(p, driver, level, &err)
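Added example, not part of the original report and not Samba code: a simplified C model of the POSIX permission check behind the failure described above, evaluated once for the [print$] session and once for the [ipc$] session. The struct and function names and the numeric ids are hypothetical; the directory ownership and mode are the ones shown in the report.

```c
/* Simplified model, not Samba code: which POSIX permission class applies
 * when each session in the report creates a directory under W32X86. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

struct token {               /* hypothetical stand-in for a session's unix token */
    uid_t uid;
    gid_t gid;               /* primary group; "force group" replaces this */
    const gid_t *groups;     /* supplementary groups */
    size_t ngroups;
};
struct dir_meta { uid_t owner; gid_t group; mode_t mode; };

static bool in_group(const struct token *t, gid_t g)
{
    for (size_t i = 0; i < t->ngroups; i++)
        if (t->groups[i] == g) return true;
    return t->gid == g;
}

/* Creating an entry needs write and search (w+x) on the parent directory.
 * Exactly one class is consulted: owner, else group, else other. */
bool may_create_in(const struct token *t, const struct dir_meta *d)
{
    mode_t bits;
    if (t->uid == 0) return true;                    /* root bypasses the check */
    if (t->uid == d->owner)          bits = (d->mode >> 6) & 7;
    else if (in_group(t, d->group))  bits = (d->mode >> 3) & 7;
    else                             bits = d->mode & 7;
    return (bits & 3) == 3;
}

/* Share-level "force group": only a session on that share gets the new gid. */
struct token with_force_group(struct token t, gid_t forced) { t.gid = forced; return t; }

/* Constructed ids: uploader uid 1001, primary gid 100, ntadmin gid 2000. */
enum { UPLOADER = 1001, USERS = 100, NTADMIN = 2000 };
const struct dir_meta W32X86 = { 0, NTADMIN, 0775 };    /* root:ntadmin drwxrwxr-x */
const struct token ipc_session = { UPLOADER, USERS, NULL, 0 };

int main(void)
{
    struct token print_session = with_force_group(ipc_session, NTADMIN);
    printf("print$ (force group) mkdir allowed: %d\n", may_create_in(&print_session, &W32X86));
    printf("ipc$ (no force group) mkdir allowed: %d\n", may_create_in(&ipc_session, &W32X86));
    return 0;
}
```

The same uploader is allowed on the [print$] session and denied on the [ipc$] session because only the "other" bits (r-x) apply there; adding ntadmin to the user's supplementary groups makes both succeed, which matches the membership condition in the report.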
Fixed in master with:
61bf4699f0f8b353272c060b8309f339ed2a0f88 s3-printing: follow force user/group for driver IO
Actually it's commit 2a791861462977a82b33ad57a4d5203dc9270aff in v3-6-test that will be the change that releases the fix :-).

Jeremy.