Topic: Asking for help -- can't print anything from a domain login

[rgmhtt]

This is NOT an SME PDC, rather one I have kind of rolled myself, but at one time I was trying to get SME working for me and know that there are a number of VERY experienced Samba PDC and Win XP people here.

Anyway....

I have an XP pro workstation.  Nice new clean build up to date with patches.  I have a network attached HP 7310 printer.  I can print to this printer no problem from a local account.  I have gone through the process to get this workstation into the PDC and I have user based logon working, I get the shares assigned to a specific user.  But I cannot print to the "locally" defined printer.  I get an error.  I cannot connect to a printer share, I get a policy block.

I have added DOMAIN\USER into the permissions for the printer.  No help.

I have gone into the policy manager and added the policy object per recommendation over on the SAMBA mail list, but cannot find a policy that seems to be helpful.

So what might be blocking me from printing?  Why can't a domain user print to the local printer or connect to the PDC printer share.  Oh, a local user CAN connect to the printer share...

Thank you for any help you can give.

[cactus]

Moving to General Discussion where it is more appropriate.

[janet]

rgmhtt

Your query is way beyond the scope of this forum.

Apart from that, you have "rolled your own PDC system" about which you give no details.
How is anyone expected to give an answer when none of us know what you created and in technical detail how it is all setup.
There could be a thousand reasons why it doesn't work.
You are better off asking on the Samba, Windows & whatever other flavour of Linux you are using support forums.

[rgmhtt]

I know I gave probably too little information.  This seems to be an XP Pro policy problem, as a domain user is unable to print to the LOCAL printer, let alone connect to the server's printer.  The later gives a clear policy error, the former just an error.  So I ask a basic question on XP Pro clients to a Samba PDC where people run Samba PDCs, like here.  I HAVE asked on the samba@lists.samba.org list where I got it down to an XP policy problem and how to get into the group policy editor, but not what policy needs to be enabled.  I don't now about a Win list to go to, can you recommend one?

As for my Samba build.  I am using the Amahi.org distro.  We did the initial build by looking at smbldap-installer-3.1.1.tgz.  I am one of the testers, and we don't have everything right, I have put in a number of bug reports.

Here is my smb.conf, note all domain users have Linux user accounts.  I have found references on what to add to make password changes work, I have to add that in and test it.  But either there is some special smb.conf item that I missed or some instruction for XP policies, or something wrong with my XP build (it is a rebuilt with an OEM XP install with all patches).

[global]
   workgroup = Home
   server string = home.htt
   netbios name = hda
   printing = cups
   printcap name = cups
   load printers = yes
   cups options = raw
   log file = /var/log/samba/%m.log
   log level = 0
   max log size = 150
   socket options = TCP_NODELAY
   preferred master = yes
   os level = 65
   domain master = yes
   local master = yes
   domain logons = yes
   logon path = \\%L\profiles\%U
   logon drive = h:
   logon home = \\%N\%U
   time server = yes
   unix extensions = no
   wide links = yes
   veto files = /*.nws/riched20.dll/*.{*}/
   security = user
   username map script = /usr/share/hda-platform/hda-usermap
   large readwrite = yes
   encrypt passwords = yes
   dos charset = CP850
   unix charset = UTF8
   display charset =  LOCALE
   guest account = nobody
   map to guest = Bad User
   wins support = yes
   printer admin = root, @ntadmin, administrator
   admin user = me
   logon script = %U.bat
   # FIXME - is 99 (nobody) the right group?
   add machine script = /usr/sbin/useradd -d /dev/null -g 99 -s /bin/false -M %u
[netlogon]
   path = /var/hda/domain-settings/netlogon
   guest ok = yes
   writable = no
   share modes = no

[profiles]
   path = /var/hda/domain-settings/profiles
   writable = yes
   browseable = no
   read only = no
   create mode = 0777
   directory mode = 0777

[homes]
   comment = Home Directories
   read only = no
   writeable = yes
   browseable = yes
   create mask = 0640
   directory mask = 0750

[print$]
   path = /var/lib/samba/drivers
   read only = yes
   force group = root
   write list = @ntadmin root
   force group = root
   create mask = 0664
   directory mask = 0775
   guest ok = yes

[printers]
   path = /var/spool/samba
   writeable = yes
   browseable = yes
   printable = yes
   public = yes


Perhaps tomorrow I can put together an SME server and build an XP system to test with...

[janet]

rgmhtt

Perhaps tomorrow I can put together an SME server and build an XP system to test with...

Which should take about 2 hours, ie 30 minutes to install & setup SME, plus another 90 minutes to install & configure Win XP.
The good part is that it all works out of the box (XP needs a tweak or two).
On SME you can add network printers easily via the Hostnames and addresses panel and then the Printers panels.

[rgmhtt]

Getting XP installed and up to patch level takes a bit longer than 90 minutes      Well maybe not.   

Plus install the printer driver and set up the local printer which requires some network stuff.

But I will be doing this to find out how SME interacts with XP printing.

I already tried SME for my local service and found it not suited to my needs.  Perhaps if I ignored what it did for email and figured out how to run it in its own DNS sandbox, I might give it another go. I have tweeked the Amahi DNS and DHCP setups and have sent in feature patches.

Then there is the matter of pulling together the hardware.  I do think I got a couple boxes I can use...

[rgmhtt]

So I built an SME 7.5.1 server and set it up as a PDC on its own subnet; nobody there but it and a port on my firewall.  Yesterday I took delivery of a rebuilt HP SFF with XP Pro SP3 preloaded.  I did a little bit of customization (look and feel) and installed the latest HP 7310 software from HP.  During the printer software install, I had the workstation on the same subnet as the printer.  Once installed I moved the workstation to the SME's subnet and print testing (from printer properties) worked.  Now for the test.

I created a user joe on SME and the workstation.  I joined the workstation (named Test4) to my domain of sme-htt.  I rebooted the workstation and logged in as joe to the domain.  Windows Explorer Map Network Drive Browse for shows shares Joe and Primary.  I was able to access share Primary as drive Y and open Y:\html\index.htm in my browser, so I have share access.

I then opened Printers and Faxes and went to Properties for the HP 7310 printer.  I selected Print Test Page and the print failed.  It is waiting in my print spool showing an error.  This is the same behaviour I am getting on the other workstation joined to the Amahi PDC on a different subnet (I have LOTS of subnets here at home, 64 IPv4 addresses and I AM one of the authors of RFC 1918).

I have one pointer as to the problem from the Samba list:

Are any of the group policies in the following section set?  A previous email stated you were looking at templates under "Computer Configuration", so check under

User Configuration\Administrative Templates\Control Panel\Printers

Details here:
http://support.microsoft.com/kb/319939

This is about Point and Print Restrictions and the error it gives is EXACTLY the message when I tried to connect to the Amahi printer share (I have not set up the SME printer share, as I don't know how to set it up for HP raw port 9100 and the HP linux print driver, for Amahi I just used FC12 printer setup).

So now I have gone through the steps and found the same problem with SME, and it seems I need to use Security Policy Editor from the Win 2003 SP4 network install kit (which I have downloaded), but the KB only shows how to set a registry not how to build a template entry, and even then this is an educated hunch as to the problem.  Then I would have to put the .pol file on the netlogon share.  Sigh.

So has anyone here worked with SPE stuff and do you have sample .pol files.  I do have some starting URLs:

http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba

http://www.pcc-services.com/articles/create_custom_spe_templates.html

[Stefano]

In my experience, I first join the machine to the domain and then install printers as local administrator.. never had any kind of issue

HTH

[rgmhtt]

In my experience, I first join the machine to the domain and then install printers as local administrator.. never had any kind of issue

But a domain user does not have privileges to install a printer.  And now that I HAVE installed the printer, well we all know that you never really uninstall such stuff.  Something is always left behind.  Plus with the HP 7310 software install, it has a hard time installing if it is not on the same subnet as the printer.  I have fought this battle many times and just have take the easy way of first putting the workstation on the subnet with the printer then moving to where I want it.  The printer is on a subnet with some servers that do a lot of printing, and I have systems all over on lots of subnets that print, so moving the printer to the SME subnet for such a test is not so easy...

Oh and what sort of printers are you supporting?  Are any of them using HP raw port 9100?

[janet]

rgmhtt

Your setup is a little out of my league, but the following may help.

I then opened Printers and Faxes and went to Properties for the HP 7310 printer.  I selected Print Test Page and the print failed.

So the printer is now on a different subnet.
Generally you give access to other (local) networks via the  Local Networks panel of server manager.
See http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11

I have not set up the SME printer share, as I don't know how to set it up for HP raw port 9100 and the HP linux print driver

Add the printer details to the Hostnames and Addresses panel referring to it via LAN IP and/or mac address, then add the printer to the Printers panel as a network printer using the hostname created. No Linux driver is required as the SME passes raw through to the printer. The (Windows) driver on the workstation does the interfacing.
Usually you setup the printer on SME first and then add the network printer on the workstation, installing the software drivers at the same time.

[rgmhtt]

rgmhtt

Your setup is a little out of my league, but the following may help.

So the printer is now on a different subnet.
Generally you give access to other (local) networks via the  Local Networks panel of server manager.
See http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11


Add the printer details to the Hostnames and Addresses panel referring to it via LAN IP and/or mac address, then add the printer to the Printers panel as a network printer using the hostname created. No Linux driver is required as the SME passes raw through to the printer. The (Windows) driver on the workstation does the interfacing.
Usually you setup the printer on SME first and then add the network printer on the workstation, installing the software drivers at the same time.

How do you instruct SME to use port 9100 to connect to the remote printer?  I might suspect that either NetBios print or LPR is being used by default by SME, not HP's port 9100...

And this is only for the workstation to access the printer share, not for the workstation to directy print (which it can do when logged in with a local user).

More work to do.

[janet]

rgmhtt

SME passes the data straight through from the printer driver in the workstation to the printer. It uses raw.

I believe you can also configure a Hostname on SME which points at the printer connected to a workstation referencing via the IP or mac of the workstation. Then you can add that as a printer in SME, and the workstation printer is then accessible as a network share.

As I see it though, your printer is already a network device, so you do not really need to configure it in SME server as a printer, all workstations can access it directly via IP (or should be able to if everything is configured appropriately). If it is on a different subnet then you need to enable access in the Local Networks panel.

I think you should remove the printer from XP and then reinstall it as a user with Administrator privileges.

I'm not sure I understand your problem, so cannot offer anymore advice.

[rgmhtt]

rgmhtt

I think you should remove the printer from XP and then reinstall it as a user with Administrator privileges.

I DID install it with a user that had administrator privileges.  How do I have a domain user have admin privs so I can install the driver while logged into the domain?

[rgmhtt]

OK.  I've got it working on the SME setup.

I uninstalled the printer from the local admin user.  I then had to log in as the domain ADMIN user (took me a bit to get this through my head).  This gave me admin privs on the workstation so I could install the HP drivers.  Note that I could NOT login as a regular user and then run the driver install; I was never asked this by the HP installer.

Once I got the drivers installed I had some challenges connecting to the printer.   I don't know what ports HP uses, but it is NOT 80 or 9100 for discovering the printer.  Once I opened all ports between the networks, the install continued, then I shut the allowed ports back down (because of all the testing I do here, I have rather tight controls between internal networks).

Anyway, bottom line is FIRST you join the workstation to the domain.
THEN you log in with a domain admin user.
THEN you install your printer driver.
THEN you can use a regular domain user.

You might want to add something like this to your documentation.

Thank you for putting up with me; who knows I am stop back again!

[rgmhtt]

I guess I do have a question still.

What defines the user 'admin' as an administrator user for the domain?

I don't see any line for this in the smb.conf file.  When I go into the ssytem-manager web and looked at the User defs, there is nothing there to identify admin as and administrator, nor any way to make another user as an administrator.

I would have thought this is controlled by the smb.conf line of:

admin users = admin

But I don't see it....