Univention Bugzilla – Bug 41849
Point-and-print Windows driver upload fails as member of Printer-Admins
Last modified: 2017-09-13 16:35:05 CEST
Ticket#2016072221000163 reported with Windows printer driver upload:
A user (member of "Domain Admins") trying to upload a driver to the "Point-and-Print" print$ share received this error message:
"Ein Treiber EPSON Universal Print Driver Typ 3 – Benutzermodus, x64 konnte nicht installiert werden. Das Netzwerk ist ausgelastet."
On the print server (Samba/AD DC Master in this case) there are a couple of messages like this in log.smbd:
[2016/07/25 12:21:52.374761, 3, pid=13663] ../source3/smbd/open.c:881(open_file)
Error opening file x64/SET64C8.tmp (NT_STATUS_NETWORK_BUSY) (local_flags=2048) (flags=2048)
Apparently two things were interfering with normal operations here:
a) Bug #41848
b) /var/lib/samba/drivers/x64/3 had fACLs that only granted "r-x" to the group Printer-Admins. It even had default fACLs for that. I guess the Windows-Client (or rather smbd) sets this during driver upload (although the VFS module acl_xattr is not loaded for that particular share).
This bug is intended to address point b): We have a chgrp & chmod -R in the 96univention-samba4.inst joinscript, but that's not enough. We probably should do a setfacl -d -m g:Printer-Admins:rwx, at least to the x64 and W32X86 subdirectories.
Also requested at Ticket#2016081221000519
Added setfacl Printer-Admins to /var/lib/samba/drivers and the "known" sub directories.
Looks like this now:
-> ls -lad /var/lib/samba/drivers
drwxrwsr-x+ 10 root Printer-Admins 4096 Sep 12 16:46 /var/lib/samba/drivers
-> getfacl /var/lib/samba/drivers
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/lib/samba/drivers
# owner: root
# group: Printer-Admins
# flags: -s-
Also tried to add Domain\ Admins group, but even after adding an ACL to /var/lib/samba/drivers, setting SePrintOperatorPrivilege for my "Domain\ Admins user", and adding Domain\ Admins to the print$ share write list, the user had no rights to create files in the drivers directory.
=> We really have to fix Bug #41848 so that the Printer-Admins (Print Operators) group can be used to delegate print admin tasks.
I think we should also fix it during package update by adding a version-dependent if block to postinst.
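A check for the condition described under point b), added here as an example and not taken from the Univention packages: it reads getfacl output and reports directories where a group lacks effective rwx in the access or default ACL, taking the ACL mask and owning-group entries into account. The function names audit_group_acl and sample_getfacl are hypothetical, and the sample getfacl output is constructed.

```shell
#!/bin/sh
# audit_group_acl GROUP: read getfacl output for directories on stdin, e.g.
#   find /var/lib/samba/drivers -type d -exec getfacl {} + | audit_group_acl Printer-Admins
# Prints each directory where GROUP lacks effective rwx; returns 1 if any was found.
audit_group_acl() {
    awk -v grp="$1" '
    function band(p, m,   i, o) {   # apply the ACL mask to a permission string
        if (m == "") return p
        for (i = 1; i <= 3; i++) o = o ((substr(m, i, 1) == "-") ? "-" : substr(p, i, 1))
        return o
    }
    function bor(p, q,   i, o) {    # union of two matching group entries
        if (p == "") return q
        for (i = 1; i <= 3; i++) o = o ((substr(p, i, 1) != "-") ? substr(p, i, 1) : substr(q, i, 1))
        return o
    }
    function report(   a, d) {      # evaluate the directory collected so far
        if (file == "") return
        a = (perm["a"] == "") ? "none" : band(perm["a"], mask["a"])
        d = (perm["d"] == "") ? "none" : band(perm["d"], mask["d"])
        if (a != "rwx" || d != "rwx") { print file ": access=" a " default=" d; bad = 1 }
        perm["a"] = perm["d"] = mask["a"] = mask["d"] = owner = ""
    }
    /^# file: /  { report(); file = substr($0, 9); next }
    /^# group: / { owner = substr($0, 10); next }
    /^#/ || /^$/ { next }
    {
        sub(/[ \t]*#.*/, "")        # drop "#effective:" annotations
        n = split($0, f, ":")
        off = (f[1] == "default") ? 1 : 0
        k = off ? "d" : "a"         # "d" = default ACL, "a" = access ACL
        if (f[1 + off] == "mask") mask[k] = f[n]
        else if (f[1 + off] == "group" && (f[2 + off] == grp || (f[2 + off] == "" && owner == grp)))
            perm[k] = bor(perm[k], f[n])
    }
    END { report(); exit bad + 0 }'
}
# Constructed sample: the r-x state this bug describes for x64/3.
sample_getfacl() { cat <<'EOF'
# file: var/lib/samba/drivers/x64/3
# group: root
group::r-x
group:Printer-Admins:r-x
mask::r-x
default:group:Printer-Admins:r-x
default:mask::r-x
EOF
}
sample_getfacl | audit_group_acl Printer-Admins || true
```

Feed it directories only, since regular files carry no default ACL and would always be reported with default=none.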