Univention Bugzilla – Bug 50776
Deleting a printdriver as non Administrator is not possible
Last modified: 2020-02-04 15:51:08 CET
In a school environment a customer complains that it is not possible to delete an already uploaded driver. Scenario: A school slave with printservicer installed. A user which is added to the Printer-Admins group A driver was uploaded via Windows and is not linked to the printer. I reproduced this issue: rpcclient -Ucscheini -c 'enumdrivers' localhost Enter SCHEIN\cscheini's password: [Windows x64] Printer Driver Info 1: Driver Name: [Epson ESC/P Standard 5 V4 Class Driver] --------------------------------------------------------------------------------------------------------------------------------------- root@slave-sun:/var/lib/samba/drivers# rpcclient -Ucscheini -c 'deldriver "Epson ESC/P Standard 5 V4 Class Driver"' localhost Enter SCHEIN\cscheini's password: Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows 4.0] - error WERR_ACCESS_DENIED! Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT x86] - error WERR_ACCESS_DENIED! Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT x86] - error WERR_ACCESS_DENIED! Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT R4000] - error WERR_ACCESS_DENIED! Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT Alpha_AXP] - error WERR_ACCESS_DENIED! Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT PowerPC] - error WERR_ACCESS_DENIED! Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows IA64] - error WERR_ACCESS_DENIED! Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows x64] - error WERR_ACCESS_DENIED! result was WERR_ACCESS_DENIED root@slave-sun:/var/lib/samba/drivers# rpcclient -UAdministrator -c 'deldriver "Epson ESC/P Standard 5 V4 Class Driver"' localhost Enter SCHEIN\Administrator's password: Driver Epson ESC/P Standard 5 V4 Class Driver removed for arch [Windows x64]. --------------------------------------------------------------------------------------------------------------------------------------- root@slave-sun:/var/lib/samba/drivers# getfacl x64 # file: x64 # owner: root # group: Printer-Admins # flags: -s- user::rwx group::rwx other::r-x default:user::rwx default:group::rwx default:group:Printer-Admins:rwx default:mask::rwx default:other::r-x --------------------------------------------------------------------------------------------------------------------------------------- univention-ldapsearch cn=Printer-Admins sambaSID # Printer-Admins, groups, schein.me dn: cn=Printer-Admins,cn=groups,dc=schein,dc=me sambaSID: S-1-5-32-550 --------------------------------------------------------------------------------------------------------------------------------------- univention-s4search cn=printer-admins → is not a group in samba --------------------------------------------------------------------------------------------------------------------------------------- samba-tool ntacl get x64 |less security_descriptor: struct security_descriptor revision : SECURITY_DESCRIPTOR_REVISION_1 (1) type : 0x8004 (32772) 0: SEC_DESC_OWNER_DEFAULTED 0: SEC_DESC_GROUP_DEFAULTED 1: SEC_DESC_DACL_PRESENT 0: SEC_DESC_DACL_DEFAULTED 0: SEC_DESC_SACL_PRESENT 0: SEC_DESC_SACL_DEFAULTED 0: SEC_DESC_DACL_TRUSTED 0: SEC_DESC_SERVER_SECURITY 0: SEC_DESC_DACL_AUTO_INHERIT_REQ 0: SEC_DESC_SACL_AUTO_INHERIT_REQ 0: SEC_DESC_DACL_AUTO_INHERITED 0: SEC_DESC_SACL_AUTO_INHERITED 0: SEC_DESC_DACL_PROTECTED 0: SEC_DESC_SACL_PROTECTED 0: SEC_DESC_RM_CONTROL_VALID 1: SEC_DESC_SELF_RELATIVE owner_sid : * owner_sid : S-1-22-1-0 group_sid : * group_sid : S-1-5-32-550 sacl : NULL dacl : * [...] --------------------------------------------------------------------------------------------------------------------------------------- # id cscheini uid=2040(cscheini) gid=5023(Domain Users sun) Gruppen=5023(Domain Users sun),5016(Printer-Admins),5020(schueler-sun),5031(schueler-moon),5034(Domain Users moon),5100(sun-1a) --------------------------------------------------------------------------------------------------------------------------------------- I could not find any hints in the samba logfiles.