Web lists-archives.com

[Samba] RSAT Print Management won't show shared printers under the "Printers" section




Hello,

currently I am trying to setup a Samba environment (Samba AD DC, Samba Fileserver, Samba Printserver) using Samba version 4.5.8-Debian and CUPS version 2.2.1-8 on Debian 9 "Stretch". I am trying to setup "Point'n'Print" atm.
While my Active Directory domain and the fileserver work well with my Windows 7 clients, I am having some issues with the printserver. Config files will be down below.

What I have so far in this setup and a quick rundown of what I've done already:
1.) Samba is configured for an AD membership and both the "printers" as well as the "print$" share are configured. Permissions seem OK.
2.) The printserver is properly joined to the domain ("net ads testjoin" and some other tests are OK)
3.) CUPS is installed and configure to accept global connections for administration
4.) A printer is configured in CUPS and is also listed using either smbclient or the "enumpriners" command
5.) I have RSAT tools installed on a domain joined Windows 7 client and I am logged in as such a Domain Admin
6.) The Domain Admins group (which my admin user is in) has the "SePrintOperator" privilege, the "Print Operator" group is shown using "Active Directory Users and Computers" in the "Member Of" tab in the "Domain Admins" group.
7.) The printer is listed in the Explorer when I browse to \\printserver and I can connect to it and also print with the printer if I set it up manually
8.) I can open up the Print Management tool and upload drivers just fine, they get listed (both in Windows and using the "enumdrivers" command)
9.) Under "Ports" I can see the "Samba Printer Port" that also has my configured printer under "Printer Name"
10.) Under "Printers", it's just empty, so I can never link up the driver with the printer or preconfigure the driver like I want to in Windows. However, if I do connect the driver from the shell on the printserver (using the "setdriver" command) itself, the command gets completed successfully and the driver gets installed on connection on a Windows client.
11.) Samba on log level 3 doesn't list any errors trying to access the "Printers" option in the Print Management tool. 
12.) I get the same problem using Debian 8 "Jessie" with Samba 4.2.14-Debian and CUPS 1.0.61-5+deb8u3 in the same domain

Here are screenshots from the Print Management tool on Windows 7 using a Domain Admin member account: https://imgur.com/a/iwtAh
You will see that the printer is listed in "Ports" but not in "Printers".

Screenshots of the "Domain Admins" group using "Active Directory Users and Computers", currently logged in user is "Administrator": https://imgur.com/a/fp9Ad
You can see that everything seems to be alright.

The articles I followed were from the German book "Samba 4 - Das Praxisbuch für Administratoren" (pp. 403 - 417) and the Samba Wiki and in both texts they get their printers listed.

I honestly have no idea what to do next. No one on the net seems to have the same issue I am facing because either it work correctly or it doesn't work at all for most people. Are there any more places to look for errors or more places to check where I went wrong? Is an issue on the DC the main issue and is it only showing that way?

Thanks for any suggestions.

--
Best regards
Thomas

Additional information:

smb.conf (on the printserver)
----------- 8< ------------
[global]
security = ADS
workgroup = EXAMPLE
realm = AD.EXAMPLE.COM

log file = /var/log/samba/%m.log
log level = 3

idmap config * : backend = tdb
idmap config * : range = 10000 - 19999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 1000000 - 1999999

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes

template homedir = /home/%D/%U
template shell = /bin/bash

client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2

domain master = no
local master = no
preferred master = no

os level = 0

rpc_server:spoolss = external
rpc_daemon:spoolssd = fork

[printers]
comment = All printers
path = /var/spool/samba
browseable = yes
printable = yes
create mask = 0700
guest ok = no
read only = no

[print$]
comment = Print drivers
path = /var/lib/samba/drivers
create mask = 0775
inherit permissions = yes
guest ok = no
read only = no
------------ >8 ------------

krb5.conf (on the printserver)
----------- 8< ------------
[libdefaults]
   default_realm = AD.EXAMPLE.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true
------------ >8 ------------

cupsd.conf (on the printserver, the parts not shown here are left as is in the original distribution)
----------- 8< ------------
[...]
Listen 192.168.0.251:631
[...]
# Restrict access to the server...
<Location />
 Order allow,deny
 Allow from 192.168.0.*
</Location>

# Restrict access to the admin pages...
<Location /admin>
 Order allow,deny
 Allow from 192.168.0.*
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
 AuthType Default
 Require user @SYSTEM
 Order allow,deny
 Allow from 192.168.0.*
</Location>

# Restrict access to log files...
<Location /admin/log>
 AuthType Default
 Require user @SYSTEM
 Order allow,deny
 Allow from 192.168.0.*
</Location>
[...]
------------ >8 ------------

Checking permissions of the shares
----------- 8< ------------
root@printserver:~# ls -ld /var/spool/samba/
drwxrwxrwt 2 root domain admins 4096 Okt  7 23:18 /var/spool/samba

root@printserver:~# ls -ld /var/lib/samba/drivers/
drwsrwsr-x 9 root domain admins 4096 Okt  7 19:33 /var/lib/samba/drivers/
------------ >8 ------------

"smbclient -L printserver -U Administrator"
----------- 8< -------------
Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Print drivers
	IPC$            IPC       IPC Service (Samba 4.5.8-Debian)
	Brother_HL-3040CN_series_MANUAL Printer   Brother HL-3040CN manuell hinzugefuegt
[...]
------------ >8 ------------

"rpcclient printserver -U Administrator -c enumprinters"
----------- 8< -------------
[...]
	flags:[0x800000]
	name:[\\PRINTSERVER\Brother_HL-3040CN_series_MANUAL]
	description:[\\PRINTSERVER\Brother_HL-3040CN_series_MANUAL,Brother HL-3040CN series,Brother HL-3040CN manuell hinzugefuegt]
	comment:[Brother HL-3040CN manuell hinzugefuegt]
[...]
------------ >8 ------------

"rpcclient printserver -U Administrator -c enumdrivers"
----------- 8< ------------
[Windows NT x86]
Printer Driver Info 1:
	Driver Name: [Brother HL-3040CN series]


[Windows x64]
Printer Driver Info 1:
	Driver Name: [Brother HL-3040CN series
------------ >8 -----------

"net rpc rights list accounts -U Administrator -S printserver"
----------- 8< ------------
EXAMPLE\Domain Admins
SePrintOperatorPrivilege
------------ >8 -----------

How the samba domain was provisioned (on the DC)
----------- 8< ------------
samba-tool domain provision \
                   --use-rfc2307 \
                   --server-role=dc \
                   --dns-backend=BIND9_DLZ \
                   --realm="ad.example.com" \
                   --domain="example" \
                   --adminpass="Test1234"
------------ >8 -----------
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba