Bug 41849 - Point-and-print Windows driver upload fails as member of Printer-Admins
Point-and-print Windows driver upload fails as member of Printer-Admins
Product: UCS
Classification: Unclassified
Component: Samba
UCS 4.1
Other Linux
: P3 normal (vote)
: UCS 4.2-2-errata
Assigned To: Felix Botner
Arvid Requate
Depends on: 28517
Blocks: 41852
  Show dependency treegraph
Reported: 2016-07-25 14:14 CEST by Arvid Requate
Modified: 2017-09-13 16:35 CEST (History)
6 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2016072221000163, 2016081221000519
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-07-25 14:14:12 CEST
Ticket#2016072221000163 reported with Windows printer driver upload:

A user (member of "Domain Admins") trying to upload a driver to the "Point-and-Print" print$ share received this error message:

"Ein Treiber EPSON Universal Print Driver Typ 3 – Benutzermodus, x64 konnte nicht installiert werden. Das Netzwerk ist ausgelastet."

On the print server (Samba/AD DC Master in this case) there are a couple of messages like this in log.smbd:
[2016/07/25 12:21:52.374761,  3, pid=13663] ../source3/smbd/open.c:881(open_file)
  Error opening file x64/SET64C8.tmp (NT_STATUS_NETWORK_BUSY) (local_flags=2048) (flags=2048)

Apparently two things where interfering normal operations here:

a) Bug #41848

b) /var/lib/samba/drivers/x64/3 had fACLs that only granted "r-x" to the group Printer-Admins. It even had default fACLs for that. I guess the Windows-Client (or rather smbd) sets this during driver upload (although the VFS module acl_xattr is not loaded for that particular share).

This bug is intended to address point b): We have a chrp & chomod -R in the 96univention-samba4.inst joinscript, but that's not enough. We probably should do a  setfacl -d -m g:Printer-Admins:rwx, at least to the x64 and W32X86 subdirectories.
Comment 1 Nico Stöckigt univentionstaff 2016-08-12 16:54:25 CEST
also requested at Ticket#2016081221000519
Comment 2 Felix Botner univentionstaff 2017-09-12 16:59:47 CEST

Added setfacl Printer-Admins to /var/lib/samba/drivers and the "known" sub directories.

Looks like this now:

-> ls -lad /var/lib/samba/drivers
drwxrwsr-x+ 10 root Printer-Admins 4096 Sep 12 16:46 /var/lib/samba/drivers
-> getfacl /var/lib/samba/drivers
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/lib/samba/drivers
# owner: root
# group: Printer-Admins
# flags: -s-

Also tried to add Domain\ Admins group, but even after adding a acl to /var/lib/samba/drivers, setting SePrintOperatorPrivilege for my "Domain\ Admins user", adding Domain\ Admins to the print$ share write list, the user had not rights to create files in the drivers directory.
=> We really have to fix Bug #41848 so that the Printer-Admins (Print Operators) group can be used to delegate print admin tasks.
Comment 3 Arvid Requate univentionstaff 2017-09-13 12:05:06 CEST
I think we should also fix it during package update by adding a version dependent if block to postinst.
Comment 4 Felix Botner univentionstaff 2017-09-13 13:21:46 CEST
OK done
Comment 5 Arvid Requate univentionstaff 2017-09-13 13:35:21 CEST
Comment 6 Arvid Requate univentionstaff 2017-09-13 16:35:05 CEST