Univention Bugzilla – Bug 41849
Point-and-print Windows driver upload fails as member of Printer-Admins
Last modified: 2019-06-11 21:49:22 CEST
Ticket#2016072221000163 reported with Windows printer driver upload:

A user (member of "Domain Admins") trying to upload a driver to the "Point-and-Print" print$ share received this error message:

"Ein Treiber EPSON Universal Print Driver Typ 3 – Benutzermodus, x64 konnte nicht installiert werden. Das Netzwerk ist ausgelastet."

On the print server (Samba/AD DC Master in this case) there are a couple of messages like this in log.smbd:

===============================================================
[2016/07/25 12:21:52.374761, 3, pid=13663] ../source3/smbd/open.c:881(open_file)
  Error opening file x64/SET64C8.tmp (NT_STATUS_NETWORK_BUSY) (local_flags=2048) (flags=2048)
===============================================================

Apparently two things were interfering with normal operations here:

a) Bug #41848
b) /var/lib/samba/drivers/x64/3 had fACLs that only granted "r-x" to the group Printer-Admins. It even had default fACLs for that. I guess the Windows client (or rather smbd) sets this during driver upload (although the VFS module acl_xattr is not loaded for that particular share).

This bug is intended to address point b):

We have a chgrp & chmod -R in the 96univention-samba4.inst joinscript, but that's not enough. We probably should do a setfacl -d -m g:Printer-Admins:rwx, at least to the x64 and W32X86 subdirectories.
also requested at Ticket#2016081221000519
univention-samba4
c17fbc45938572b460be99898e4fdef2b78333bc
7e5785bde1497ac668504f25e81ccfc4baa4ea9a

Added setfacl Printer-Admins to /var/lib/samba/drivers and the "known" sub directories. Looks like this now:

-> ls -lad /var/lib/samba/drivers
drwxrwsr-x+ 10 root Printer-Admins 4096 Sep 12 16:46 /var/lib/samba/drivers

-> getfacl /var/lib/samba/drivers
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/lib/samba/drivers
# owner: root
# group: Printer-Admins
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:Printer-Admins:rwx
default:mask::rwx
default:other::r-x

Also tried to add the Domain\ Admins group, but even after adding an ACL to /var/lib/samba/drivers, setting SePrintOperatorPrivilege for my "Domain\ Admins user", adding Domain\ Admins to the print$ share write list, the user had no rights to create files in the drivers directory.

=> We really have to fix Bug #41848 so that the Printer-Admins (Print Operators) group can be used to delegate print admin tasks.
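Added example, not taken from the bug report or from univention-samba4: a way to check whether the default ACL on the driver directories would actually give Printer-Admins rwx on newly uploaded files, taking the default mask into account. The function names and the sample getfacl text are made up for illustration; the setfacl invocation in the hint is the one proposed in the report.

```shell
#!/bin/sh
# Added example; not part of univention-samba4 or its joinscript.

# effective_default_perms GROUP
# Reads `getfacl` output on stdin and prints the permissions that new files
# would inherit for GROUP: the default group entry ANDed with the default
# mask. Prints "none" when there is no default entry for GROUP.
effective_default_perms() {
    awk -v grp="$1" '
        BEGIN { FS = ":"; entry = ""; mask = "rwx" }
        /^#/ || NF == 0 { next }
        $1 == "default" && $2 == "group" && $3 == grp { entry = substr($4, 1, 3) }
        $1 == "default" && $2 == "mask" { mask = substr($4, 1, 3) }
        END {
            if (entry == "") { print "none"; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1)
                out = out ((e != "-" && e == substr(mask, i, 1)) ? e : "-")
            }
            print out
        }'
}

# audit_driver_dirs BASE GROUP
# Checks BASE and its immediate subdirectories (x64, W32X86, ...) and lists
# those where GROUP would not inherit rwx. Returns 1 if any directory fails.
audit_driver_dirs() {
    rc=0
    for d in "$1" "$1"/*/; do
        [ -d "$d" ] || continue
        perms=$(getfacl -p "$d" | effective_default_perms "$2")
        [ "$perms" = "rwx" ] && continue
        echo "$d: $2 inherits '$perms'; fix: setfacl -d -m g:$2:rwx $d"
        rc=1
    done
    return $rc
}

# Constructed getfacl output modelled on the broken state in this report.
sample_broken() {
    printf '%s\n' '# file: var/lib/samba/drivers/x64/3' '# owner: root' \
        'user::rwx' 'group::rwx' 'other::r-x' 'default:user::rwx' \
        'default:group::rwx' 'default:group:Printer-Admins:r-x' \
        'default:mask::rwx' 'default:other::r-x'
}

sample_broken | effective_default_perms Printer-Admins   # prints r-x
```

On a print server the check would be run as: audit_driver_dirs /var/lib/samba/drivers Printer-Admins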
I think we should also fix it during package update by adding a version dependent if block to postinst.
OK done
Ok.
<http://errata.software-univention.de/ucs/4.2/164.html>
*** Bug 37864 has been marked as a duplicate of this bug. ***