Created attachment 7334 [details]
debug 10 log

Just updated our Samba PDC to 3.6.3 from 3.5.10. Now it appears that non-Domain Admins cannot print due to permission issues. Some possibly relevant messages in the log:

[2012/02/20 14:52:42.375350, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 7000
  Primary group is 1001 and contains 1 supplementary groups
  Group[ 0]: 1001
[2012/02/20 14:52:42.375605, 5] smbd/uid.c:317(change_to_user_internal)
  Impersonated user: uid=(0,7000), gid=(0,1001)
[2012/02/20 14:52:42.381455, 10] smbd/share_access.c:241(user_ok_token)
  user_ok_token: share miro is ok for unix user winguest
[2012/02/20 14:52:42.382989, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2012/02/20 14:52:42.383077, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/02/20 14:52:42.411867, 4] printing/nt_printing.c:1793(print_access_check)
  access check was FAILURE
[2012/02/20 14:52:42.413505, 3] rpc_server/spoolss/srv_spoolss_nt.c:1904(_spoolss_OpenPrinterEx )
  access DENIED for printer open

root user in ldap is as follows:

dn: uid=root,ou=People,dc=nwra,dc=com
homeDirectory: /root
gidNumber: 0
uidNumber: 0
cn: root
sambaPwdLastSet: 1329756400
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaNTPassword: XXX
uid: root
sambaSID: S-1-5-21-2426356435-4251213716-997332971-1000
displayName: root
sambaPwdCanChange: 1210023657
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
objectClass: top
objectClass: posixAccount

# root, Groups, nwra.com
dn: cn=root,ou=Groups,dc=nwra,dc=com
sambaSID: S-1-5-21-2426356435-4251213716-997332971-1001
sambaGroupType: 2
gidNumber: 0
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: root

dn: cn=Domain Admins,ou=Groups,dc=nwra,dc=com
memberUid: orion
memberUid: winadmin
memberUid: root
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
objectClass: groupofuniquenames
cn: Domain Admins
gidNumber: 1008
sambaSID: S-1-5-21-2426356435-4251213716-997332971-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Unix group
uniqueMember: uid=winadmin,ou=People,dc=nwra,dc=com
sambaSIDList: S-1-5-21-2426356435-4251213716-997332971-15002
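
Added example (not part of the original report and not Samba code): a small Python triage script for level 10 smbd logs like the excerpt above, which pairs each printer access denial with the effective uid from the most recent "Impersonated user" record. The sample log is constructed from the lines quoted in this comment, and correlating by the most recent impersonation assumes the log comes from a single smbd process.

```python
import re

# Constructed sample in Samba's log layout: header line, then indented message.
# The first three records mirror this report's excerpts; the last two are invented.
SAMPLE_LOG = """\
[2012/02/20 14:52:42.375605,  5] smbd/uid.c:317(change_to_user_internal)
  Impersonated user: uid=(0,7000), gid=(0,1001)
[2012/02/20 14:52:42.411867,  4] printing/nt_printing.c:1793(print_access_check)
  access check was FAILURE
[2012/02/20 14:52:42.413505,  3] rpc_server/spoolss/srv_spoolss_nt.c:1904(_spoolss_OpenPrinterEx)
  access DENIED for printer open
[2012/02/20 14:53:01.000001,  5] smbd/uid.c:317(change_to_user_internal)
  Impersonated user: uid=(0,0), gid=(0,0)
[2012/02/20 14:53:01.000200,  4] printing/nt_printing.c:1793(print_access_check)
  access check was SUCCESS
"""

HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)[^\]]*\]\s+\S+?:\d+\((?P<func>\w+)\s*\)")
# change_to_user_internal logs uid=(real,effective); capture the effective uid.
IMPERSONATED = re.compile(r"Impersonated user: uid=\(\d+,(\d+)\)")


def parse_records(text):
    """Yield (timestamp, level, function, message) for each log record."""
    record = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if record:
                yield (*record[:3], " ".join(record[3]))
            record = (m["ts"], int(m["level"]), m["func"], [])
        elif record and raw.strip():
            record[3].append(raw.strip())
    if record:
        yield (*record[:3], " ".join(record[3]))


def find_print_denials(text):
    """Return (timestamp, effective_uid, function) for each denied printer check."""
    uid, hits = None, []
    for ts, _level, func, msg in parse_records(text):
        m = IMPERSONATED.search(msg)
        if m:
            uid = int(m.group(1))
        elif (func == "print_access_check" and "FAILURE" in msg) or (
                func == "_spoolss_OpenPrinterEx" and "access DENIED" in msg):
            hits.append((ts, uid, func))
    return hits
```

The header pattern also accepts the extra fields that "debug pid = true" adds inside the square brackets.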
I appear to have the same problem, but it exhibits itself in a more general way since it happens when printing from all Windows clients I tested as well as with the smbclient tool. I've stripped down the smb.conf to the bare essentials, with smbpasswd holding one or two test users.

[global]
    workgroup = TEST
    server string = Test Samba Server
    netbios name = BLAH
    security = user
    # Will not work as a general-use printer without this workaround
    #printer admin = %U

[test]
    printable = yes
    # Dummy command to simulate printing
    print command = rm '%s'
    path = /var/samba/var/spool

You must promote client users to a printer administrator before they are able to print. Debug logs look similar to Orion's, but can generate if that helps.
Another workaround that won't bloat your logs with

    WARNING: The "printer admin" option is deprecated

is to use the net rpc interface instead

    net rpc rights grant Everyone SePrintOperatorPrivilege -S server -Uanyuser

I'm not sure if it's another bug, but it appears that any authenticated samba user can grant/revoke this privilege to everybody else.
I'm marking this bug private while we evaluate the suggestion of a security bug.
Same problem here. Upgraded from 3.5.11 to 3.6.5 on Fedora 16 x64. Printing from Windows (XP and 7) is working for both (domain admins and users). Printing from DOS box to 'net use lpt1' mapped printers is working only for domain admins. Problem solved by assigning SePrintOperatorPrivilege to users.
Comment #1 isn't mentioning that this is a "DOS box only" problem. Comment #4 does say so, but then this seems to be a different bug. So Vytautas, if you still see your DOS box issue in 3.6.6, please open a NEW bug report for that. Orion: can you please test your printer problems with the latest 3.6 release and, if it still fails, attach the level 10 log file with more context?
Created attachment 7698 [details] smb debug 10 log Here's an updated log with samba 3.6.6. Hopefully it has enough context.
Created attachment 7755 [details] Logs showing non-print-admins users trying to print
The latest samba 3.6.7 does not solve this problem. These are my test conditions, and full logs demonstrating the failure.

TDBs:
... all deleted ...

smb.conf:

[global]
    workgroup = TESTGROUP
    netbios name = TESTSRV
    security = user
    log level = 10
    log file = /var/samba/test/log
    passdb backend = smbpasswd

[tprint]
    printable = yes
    # Dummy print command
    print command = rm '%s'
    path = /var/samba/var/spool
    # Printing works if user promoted to admin
    #printer admin = %U

[tshare]
    path = /tmp

Transcript of smbclient:

# smbclient //127.0.0.1/tprint -U tuser
Enter tuser's password:
Domain=[TESTGROUP] OS=[Unix] Server=[Samba 3.6.7]
smb: \> print Policy
NT_STATUS_ACCESS_DENIED opening remote file Policy
smb: \> quit

Log excerpts of starting/ending before/after smbclient "print Policy" (attached in previous post)
I think you should up the priority on this. It is affecting many more than 3 users. See the "High" priority bug on the Ubuntu bugs launch pad: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/967410
I think I fixed this. Is someone able to apply and test a patch?
Ok, the errors in the logs match mine.
Simple reproducer:

    echo test-nr | smbclient //localhost/laserjet1018 -Ubob%secret -I 127.0.0.1 -c 'print -'
Created attachment 8004 [details] v3-6-test patch
Created attachment 8005 [details] v4-0-test patch
Karolin, please add the patches to 3.6 and 4.0, thanks!
That does seem better now. Can print using the supplied reproducer with a guest user. The following messages go away:

[2012/10/08 10:57:30.648782, 1] printing/printer_list.c:94(printer_list_get_printer)
  Failed to fetch record!

But I am seeing:

[2012/10/08 11:46:41.951787, 1] smbd/service.c:1114(make_connection_snum)
  ares (10.10.20.204) connect to service print$ initially as user frahm (uid=7002, gid=1001) (pid 20988)
[2012/10/08 11:46:44.034942, 0] rpc_server/spoolss/srv_spoolss_nt.c:1748(_spoolss_OpenPrinterEx)
  _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\earth
[2012/10/08 11:46:59.275371, 1] smbd/service.c:1378(close_cnum)
  ares (10.10.20.204) closed connection to service print$

Perhaps a config issue? \\earth isn't a printer, just the server.
Pushed patch to v3-6-test and autobuild-v4-0-test. Re-assigning to Andreas to comment on the other error message.
spoolss_OpenPrinter retrieves a handle for a printer, port, port monitor, print job, or print server. See http://msdn.microsoft.com/en-us/library/cc244808%28prot.20%29.aspx Orion: What's the error you're getting?
(In reply to comment #19)
> Orion: What's the error you're getting?

[2012/10/08 11:46:44.034942, 0] rpc_server/spoolss/srv_spoolss_nt.c:1748(_spoolss_OpenPrinterEx)
  _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\earth

is what I'm wondering about. But I also have other errors with that machine:

[2012/10/08 13:27:02.199343, 0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2012/10/08 13:27:02.637276, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client ARES machine account ARES$
[2012/10/08 17:00:47.155971, 1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

So I'm thinking it is in a bad state.
Orion: I don't get if you just see something in the log file or if you are actually trying to print something and it doesn't work. The information you provide is not enough in case something is wrong.

SAMBA BUG REPORTING
++++++++++++++++++++

This is a small howto to help you to provide all information which is needed to find out what's going on on your machine. This is a general howto so maybe it will cover more things you don't use.

Providing Samba log files
==========================

Post the output of 'rpm -qi samba' or 'rpm -qi samba-<subpackage>' if you're on an RPM based system. It gives detailed information about the installed packages. We need that information to reconstruct what happened and possibly to reproduce the bug on our machines.

Provide all log files from the '/var/log/samba/' directory and the tdb files from '/var/lib/samba' and the configuration file '/etc/samba/smb.conf'.

If winbind for logging in is part of the problem please provide '/etc/security/pam_winbind.conf' and if you have enabled debug in 'pam_winbind.conf', '/var/log/messages' or '/var/log/secure' is required too.

More detailed description about different Samba components can be found below this section.

Providing backtraces
=====================

If you discover a crash in one of the Samba components, please make sure that you have installed debuginfo packages. Often the backtrace can be found in the log files. If you have installed debuginfo packages, you can find a short backtrace in the log files and a few lines later the full backtrace. Make sure you provide the full backtrace.

Testing daemons (winbind, smb, nmb)
====================================

1. Stop all running Samba processes (winbind, smb, nmb)

2. Remove all log files from /var/log/samba/

   With this approach we ensure to have the start date of the testing in the log files.

3. Edit /etc/samba/smb.conf and set the following variables in the [general] section of the config:

       debug level = 10
       debug pid = true
       max log size = 0

   Instead of setting a global debug level in smb.conf it's also possible to use

       smbcontrol <daemon_name> debug 10

   to increase the debug level of the Samba daemon in question to 10 at run time.

   If winbind is part of the scenario edit /etc/security/pam_winbind.conf and set:

       debug = yes

4. Start the processes again (winbind, smb, nmb)

5. Reproduce the error and note the time when you start any test. If a problem occurs while testing note the time (use date on the system you perform the tests on to get a time fitting to the log files).

Attach the log files from '/var/log/samba/' and the tdb files from '/var/lib/samba/' to the bug. If possible, remove the tdb files and provide clean files. Therefore it's best to bundle them into one compressed tar archive.

The relevant parts of '/var/log/messages' could be interesting too.

Network traces
===============

If possible create network traces with tcpdump or wireshark from the problem and attach them too. Always make sure to capture only one problem per network trace file. This makes it easier to understand the problem.

    tcpdump -n -i eth0 -s 0 -w samba-problem-description.pcap

Network topology
=================

If you have a special network setup especially with Active Domain controllers please describe what your network looks like and what the domain names are. Tell us which version of Windows you're using and which functional level of AD.
Okay, sorry for the noise. I'll file a new bug if there is a problem. Printing does work now.
Closing cause the described bug is fixed. Please open a new bug if something still doesn't work.