Bug 8769 - Network printing for non domain admins from Win 7 broken from 3.5 -> 3.6
Network printing for non domain admins from Win 7 broken from 3.5 -> 3.6
Product: Samba 3.6
Classification: Unclassified
Component: Printing
All Linux
: P5 normal
: ---
Assigned To: Andreas Schneider
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2012-02-20 23:59 UTC by Orion Poplawski
Modified: 2012-10-09 18:07 UTC (History)
4 users (show)

See Also:

debug 10 log (1.34 MB, text/x-log)
2012-02-20 23:59 UTC, Orion Poplawski
no flags Details
smb debug 10 log (34.92 KB, application/x-gzip)
2012-07-12 22:00 UTC, Orion Poplawski
no flags Details
Logs showing non-print-admins users trying to print (55.49 KB, text/plain)
2012-08-10 23:24 UTC, Joseph Tam
no flags Details
v3-6-test patch (877 bytes, patch)
2012-10-08 11:46 UTC, Andreas Schneider
ddiss: review+
jra: review+
v4-0-test patch (877 bytes, patch)
2012-10-08 11:47 UTC, Andreas Schneider
ddiss: review+
jra: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Orion Poplawski 2012-02-20 23:59:00 UTC
Created attachment 7334 [details]
debug 10 log

Just updated our Samba PDC to 3.6.3 from 3.5.10.  Now it appears that non-Domain Admins cannot print due to permission issues.

Some possibly relevant messages in the log:

[2012/02/20 14:52:42.375350,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 7000
  Primary group is 1001 and contains 1 supplementary groups
  Group[  0]: 1001
[2012/02/20 14:52:42.375605,  5] smbd/uid.c:317(change_to_user_internal)
  Impersonated user: uid=(0,7000), gid=(0,1001)
[2012/02/20 14:52:42.381455, 10] smbd/share_access.c:241(user_ok_token)
  user_ok_token: share miro is ok for unix user winguest
[2012/02/20 14:52:42.382989,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2012/02/20 14:52:42.383077,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/02/20 14:52:42.411867,  4] printing/nt_printing.c:1793(print_access_check)
  access check was FAILURE
[2012/02/20 14:52:42.413505,  3] rpc_server/spoolss/srv_spoolss_nt.c:1904(_spoolss_OpenPrinterEx
  access DENIED for printer open

root user in ldap is as follows:

dn: uid=root,ou=People,dc=nwra,dc=com
homeDirectory: /root
gidNumber: 0
uidNumber: 0
cn: root
sambaPwdLastSet: 1329756400
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
sambaNTPassword: XXX
uid: root
sambaSID: S-1-5-21-2426356435-4251213716-997332971-1000
displayName: root
sambaPwdCanChange: 1210023657
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account
objectClass: top
objectClass: posixAccount

# root, Groups, nwra.com
dn: cn=root,ou=Groups,dc=nwra,dc=com
sambaSID: S-1-5-21-2426356435-4251213716-997332971-1001
sambaGroupType: 2
gidNumber: 0
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: root

dn: cn=Domain Admins,ou=Groups,dc=nwra,dc=com
memberUid: orion
memberUid: winadmin
memberUid: root
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
objectClass: groupofuniquenames
cn: Domain Admins
gidNumber: 1008
sambaSID: S-1-5-21-2426356435-4251213716-997332971-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Unix group
uniqueMember: uid=winadmin,ou=People,dc=nwra,dc=com
sambaSIDList: S-1-5-21-2426356435-4251213716-997332971-15002
Comment 1 Joseph Tam 2012-04-19 02:09:32 UTC
I appears to have the same problem, but it exhibits itself in a more generally way since it happens when printing from all Windows clients I tested as well as with  the smbclient tool.

I've stripped down the smb.conf to the bare essentials, with smbpasswd holding one or two test users.

        workgroup = TEST
        server string = Test Samba Server
        netbios name = BLAH
        security = user
        # Will not work as a general-use printer without this workaround
        #printer admin = %U

        printable = yes
        # Dummy command to simulate printing
        print command = rm '%s'
        path = /var/samba/var/spool

You must promote client users to a printer administrator before thery are able to print.  Debug logs looks similar to Orion's, but can generate if that helps.
Comment 2 Joseph Tam 2012-04-19 09:38:22 UTC
Another workaround that won't bloat your logs with

    WARNING: The "printer admin" option is deprecated

is to use the net rpc interface instead

   net rpc rights grant Everyone SePrintOperatorPrivilege -S server -Uanyuser

I'm not sure if it's a another bug, but it appears that any authenticated samba user can grant/revoke this privilege to everybody else.
Comment 3 Andrew Bartlett 2012-04-20 02:05:52 UTC
I'm marking this bug private while we evaluate the suggestion of a security bug.
Comment 4 Vytautas Kasparavicius 2012-05-14 12:44:39 UTC
Same problem here. Upgraded from 3.5.11 to 3.6.5 on Fedora 16 x64
Printing from windows(xp and 7) working for both(domain admins and users). Printing from dos box to 'net use lpt1' mapped printers working only for domain admins. Problem solved assigning SePrintOperatorPrivilege to users.
Comment 5 Vytautas Kasparavicius 2012-05-15 05:11:56 UTC
Same problem here. Upgraded from 3.5.11 to 3.6.5 on Fedora 16 x64
Printing from windows(xp and 7) working for both(domain admins and users). Printing from dos box to 'net use lpt1' mapped printers working only for domain admins. Problem solved assigning SePrintOperatorPrivilege to users.
Comment 6 Björn Jacke 2012-07-12 15:02:16 UTC
commment #1 isn't mentioning that this is a "DOS box only" problem. comment #4 does says so but then this seems to be a different bug. So Vytautas, if you still see your DOS box issue in 3.6.6 please open a NEW bug report for that.

Orion: can you please test your printer problems with the latest 3.6 release and if it still fails attach more the level 10 log file with more context?
Comment 7 Orion Poplawski 2012-07-12 22:00:15 UTC
Created attachment 7698 [details]
smb debug 10 log

Here's an updated log with samba 3.6.6.  Hopefully it has enough context.
Comment 8 Joseph Tam 2012-08-10 23:24:16 UTC
Created attachment 7755 [details]
Logs showing non-print-admins users trying to print
Comment 9 Joseph Tam 2012-08-10 23:25:56 UTC
The latest samba 3.6.7 does not solve this problem.  These are my test
conditions, and full logs demonstrating the failure.

        ... all deleted ...

                workgroup = TESTGROUP
                netbios name = TESTSRV
                security = user

                log level = 10
                log file = /var/samba/test/log

                passdb backend = smbpasswd

                printable = yes
                # Dummy print command
                print command = rm '%s'
                path = /var/samba/var/spool
                # Printing works if user promoted to admin
                #printer admin = %U

                path = /tmp

Transcript of smbclient:

        # smbclient // -U tuser
        Enter tuser's password: 
        Domain=[TESTGROUP] OS=[Unix] Server=[Samba 3.6.7]
        smb: \> print Policy
        NT_STATUS_ACCESS_DENIED opening remote file Policy
        smb: \> quit

Logs excerpts of starting/ending before/after smbclient "print Policy"
        (attached in previous post)
Comment 10 crlb 2012-09-15 15:01:52 UTC
I think you should up the priority on this. It is affecting many more than 3 users. See the "High" priority bug on the Ubuntu bugs launch pad: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/967410
Comment 11 Andreas Schneider 2012-10-08 10:34:51 UTC
I think I fixed this. Is someone able to apply and test a patch?
Comment 12 Andreas Schneider 2012-10-08 10:37:31 UTC
Ok, the errors in the logs match mine.
Comment 13 Andreas Schneider 2012-10-08 10:40:33 UTC
Simple reproducer:

echo test-nr | smbclient //localhost/laserjet1018 -Ubob%secret -I -c 'print -'
Comment 14 Andreas Schneider 2012-10-08 11:46:16 UTC
Created attachment 8004 [details]
v3-6-test patch
Comment 15 Andreas Schneider 2012-10-08 11:47:16 UTC
Created attachment 8005 [details]
v4-0-test patch
Comment 16 Andreas Schneider 2012-10-08 12:38:20 UTC
Karolin, please add the patches to 3.6 and 4.0, thanks!
Comment 17 Orion Poplawski 2012-10-08 18:22:09 UTC
That does seem better now.  Can print using the supplied reproducer with a guest user.  The following messages go away:

[2012/10/08 10:57:30.648782,  1] printing/printer_list.c:94(printer_list_get_printer)
  Failed to fetch record!

But I am seeing:

[2012/10/08 11:46:41.951787,  1] smbd/service.c:1114(make_connection_snum)
  ares ( connect to service print$ initially as user frahm (uid=7002, gid=1001) (pid 20988)
[2012/10/08 11:46:44.034942,  0] rpc_server/spoolss/srv_spoolss_nt.c:1748(_spoolss_OpenPrinterEx)
  _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\earth
[2012/10/08 11:46:59.275371,  1] smbd/service.c:1378(close_cnum)
  ares ( closed connection to service print$

Perhaps a config issue?  \\earth isn't a printer, just the server.
Comment 18 Karolin Seeger 2012-10-09 07:28:52 UTC
Pushed patch to v3-6-test and autobuild-v4-0-test.

Re-assigning to Andreas to comment the other error message.
Comment 19 Andreas Schneider 2012-10-09 08:34:39 UTC
spoolss_OpenPrinter retrieves a handle for a printer, port, port monitor, print job, or print server.

See http://msdn.microsoft.com/en-us/library/cc244808%28prot.20%29.aspx

Orion: What's the error you're getting?
Comment 20 Orion Poplawski 2012-10-09 14:55:14 UTC
(In reply to comment #19)
> Orion: What's the error you're getting?

[2012/10/08 11:46:44.034942,  0]
  _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\earth

is what I'm wondering about.  But I also have other errors with that machine:

[2012/10/08 13:27:02.199343,  0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2012/10/08 13:27:02.637276,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client ARES machine account ARES$

[2012/10/08 17:00:47.155971,  1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

So I'm thinking it is in a bad state.
Comment 21 Andreas Schneider 2012-10-09 15:30:23 UTC

I don't get if you just see something in the log file or if you actually trying to print something and it doesn't work.

The information you provide are not enough in case something is wrong.


This is a small howto to help you to provide all information which are needed
to find out what's going on your machine. This is a general howto so maybe it
will cover more things you don't use.

Providing Samba log files

Post the output of 'rpm -qi samba' or 'rpm -qi samba-<subpackage>' if you're on
a RPM based system. It gives detailed information about the installed packages.
We need that information to reconstruct what happened and possibly to reproduce
the bug on our machines.

Provide all log files from '/var/log/samba/' directory and the tdb files from
'/var/lib/samba' and the configuration file '/etc/samba/smb.conf'.

If winbind for logging in is part of the problem please provide
'/etc/security/pam_winbind.conf' and if you have enabled debug in
'pam_winbind.conf' '/var/log/messages' or '/var/log/secure' is required too.

More detailed description about different Samba components can be found below
this section.

Providing backtraces

If you discover a crash in one of the Samba components, please make sure that
you have installed debuginfo packages. Often the backtrace can be found in the
log files. If you have installed debuginfo packages, you can find a short
backtrace in the log files and a few lines later the full backtrace. Make sure
you provide the full backtrace.

Testing daemons (winbind, smb, nmb)

1. Stop all running Samba processes (winbind, smb, nmb)

2. Remove all log files from /var/log/samba/

    With this approach we ensure to have the start date of the testing in the
    log files.

3. Edit /etc/samba/smb.conf and set the following variables in the in the
   [general] section of the config:

     debug level = 10
     debug pid = true
     max log size = 0

    Instead of setting a global debug level in smb.conf it's also visible to

     smbcontrol <damon_name> debug 10

    to increase the debug level of the Samba daemon in question to 10 at run

    If winbind is part of the scenario edit /etc/security/pam_winbind.conf
    and set:

     debug = yes

4. Start the processes again (winbind, smb, nmb)

5. Reproduce the error and note the time when you start any test. If a problem
   occurs while testing note the time (use date on the system you perform the
   tests on to get a time fitting to the log files).

Attach the log files from '/var/log/samba/' and the tdb files from
'/var/lib/samba/' to the bug. If possible, remove the tdb files and provide clean
files. Therefore it's best to bond them to one compressed tar archive. The
relevant parts of '/var/log/messages' could be interesting too.

Network traces

If possible create network traces with tcpdump or wireshark from the problem and
attach them too. Always make sure to capture only one problem per network trace
file. This makes it easier to understand the problem.

tcpdump -n -i eth0 -s 0 -w samba-problem-description.pcap

Network topology

If you have a special network setup especially with Active Domain controllers
please describe how you're network looks like and what the domain names are.

Tell us which version of Windows you're using and which functional level of AD.
Comment 22 Orion Poplawski 2012-10-09 16:27:18 UTC
Okay, sorry for the noise.  I'll file a new bug if there is a problem.  Printing does work now.
Comment 23 Andreas Schneider 2012-10-09 18:07:14 UTC
Closing cause the described bug is fixed. Please open a new bug if something still doesn't work.