'Re: [Samba] Point-and-Print driver installation asks for confirmation on current Windows'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       samba
Subject:    Re: [Samba] Point-and-Print driver installation asks for confirmation on current Windows
From:       "=?windows-1252?Q?L.P.H._van_Belle?= via samba" <samba () lists ! samba ! org>
Date:       2016-08-29 15:02:09
Message-ID: vmime.57c44e71.39fa.2343bf1734b67f01 () ms249-lin-003 ! rotterdam ! bazuin ! nl
[Download RAW message or body]

Hai, 

One thing. 
> Another point I observed during testing: Windows 10 1607 supports
> (shared) driver isolation for this driver while Samba does not seem to
> allow for this.
You really cant compare a windows PC config to a Server config. 
If you want to test "correct" setup a virtual windows 2008R2. 
https://www.microsoft.com/en-us/download/details.aspx?id=11093 
a 180 trail..  and you wil see, if you setup the GPO wrong it errors. 
I also have a win 2003 for print testing, that have the same problem when the GPO is \
wrongly configured. 

Check these GPO setttings
Computer Configuration\Policies\Administrative Templates\Printers\Execute Print \
Drivers In Isolated Processes This policy setting determines whether the print \
spooler will execute printer drivers in an isolated or separate process. If you \
enable or do not configure this policy setting, the print spooler will attempt to \
execute printer drivers in an isolated process.

Computer Configuration\Policies\Administrative Templates\Printers\Override Print \
Driver Compatibility Execution Setting Reported By Print Driver This policy setting \
determines whether the print spooler will override the driver isolation compatibility \
reported by the printer driver via the DriverIsolation entry in its .inf file

That said..  this works for me, all info i know/have set below is below. 
OS running debian Jessie, samba 4.4.5 (debian package), cups.  ( all debian packages \
no source packages used )  Works for me with : for win7sp1 Win10 1511/1607  (all \
64bit)

https://wiki.samba.org/index.php/Defining_printer_driver_sources_trusts 
is incomplete imo. 

Enable: User can only point and print to these servers. 
You MUST also define the fully qualified servers, due to the MS patches. 
At least i did.   !! again very important in FQDN !! 

My setup..  
Setup 1 ) 
https://wiki.samba.org/index.php/Setup_a_Samba_print_server

I do use spoolssd: 
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork 

added : 
spoolss: architecture = Windows x64 
I have mostly 64 bits here so preffered to 64bit arch. 

The "CUPS" part i used : socket://ip:port 

And i  implemented : 
https://wiki.samba.org/index.php/Configure_network_printer_ports

Setup a small script : 
#/bin/bash
# you dont want to loose your old port, this makes swithing more easy.
echo "Samba Printer Port"
# Default local domain. ( internal.domain.tld )
IPRANGE=$(hostname -i | cut -d"." -f1,2,3)
DOMAIN=$(hostname -d)
# my printer are in the default range as the server starting from ip .10 to 40. 
for ip in {10..40}
do
 echo "${IPRANGE}.${ip}"
 echo "ptr-ip-0${ip}.${DOMAIN}"
done


setup 2)
https://wiki.samba.org/index.php/Configuring_Point%27n%27Print_automatic_printer_driver_deployment \
 here : 
net rpc rights grant 'Domain Admins' SePrintOperatorPrivilege \
-U'SAMDOM\administrator'  I also added the default windows printer groups with the \
needed rights, these : 

BUILTIN\Print Operators
SePrintOperatorPrivilege

BUILTIN\Administrators
SePrintOperatorPrivilege

NTDOMAIN\Domain Admins 
SePrintOperatorPrivilege

And NTDOMAIN\Domain Admin,  should not be needed since its by default added in the \
BUILTIN\Administrators. There were some problems here, which has to do with sid/xid \
mappings, cant recall it, but i added it also. 

And im using for a better ACL matchin on the print shares 
acl_xattr:ignore system acl = yes 
after setting this you MUST set the right from within windows and DONT change \
anything from linux cli anymore. I added a local linux user to lpadmin and normal \
windows users was also added to lpadmin to control my cups. 

Handy links : 
https://msdn.microsoft.com/en-us/library/windows/hardware/ff560836(v=vs.85).aspx
https://support.microsoft.com/en-us/kb/2793718
https://technet.microsoft.com/en-us/library/cc732946.aspx 
https://technet.microsoft.com/en-us/library/cc753269(v=ws.11).aspx  
http://sourcedaddy.com/windows-7/understanding-printer-driver-isolation.html 


Tested  (
HP Universal PCL6  6.0.0  No driver isolation support  ( works fine for me ) 
HP Universal PCL6  6.2.1  With driver isolation support. ( works also fine for me ) 
Original Windows Kyocera drivers 
Toshiba Universal printer 2 driver.  PCL6, latest ( from juli 2016 ) 
A Kyocera Beta ( unrelease to public, expected release end september/begin october, \
is waiting now for ms signing. )  This one is optimized for samba installs. 

And best is setup a new OU, put a computer and users in there. 
And now configure the printer GPO deployment there. 


Greetz, 

Louis


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic