I have Samba 4.2.10 and CUPS 1.7.5 running on Debian 8. The server is domain member. In CUPS I have several printers, and I shared them with Samba. Printing test page from CUPS works fine, printing from Windows client via IPP and Samba works fine. I would like to set Point'n'Print - having Windows drivers shared in print$ share so Windows client can pick them up automagically when connecting to the printer.

I have stored the CUPS and Windows PS drivers to /usr/share/samba/drivers as stated in every tutorial I found and tried to export them by:

cupsaddsmb -U root -a -v

The command creates folders W32X86 and x64 within share print$, copies the driver files and then tries to associate the driver with printer using command:

rpcclient localhost -N -A /tmp/0141f574d8313 -c 'setdriver PV PV'

And that ends up with this error:

resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20> resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20> resolve_wins: WINS server resolution selected and no WINS servers listed. resolve_hosts: Attempting host lookup for name localhost<0x20> Connecting to ::1 at port 445 Doing spnego session setup (blob length=96) got OID=1.2.840.48018.1.2.2 got OID=1.2.840.113554.1.2.2 got OID=1.3.6.1.4.1.311.2.2.10 got principal=not_defined_in_RFC4178@please_ignore GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Got challenge flags: Got NTLMSSP neg_flags=0x62898215 NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 SetPrinter call failed! result was WERR_ACCESS_DENIED

As mentioned here, the user under which this command is executed should have the SePrintOperatorPrivilege. Since I'm running this as root, I added the user to samba:

smbpasswd -a root

and add the desired privilege:

net rpc rights grant root SePrintOperatorPrivilege

And I checked the settings:

# net rpc rights list root SeMachineAccountPrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege

Everything seems to be just fine. So lets associate the driver and printer once again, manually:

# rpcclient localhost -c 'setdriver PV PV' Registered MSG_REQ_POOL_USAGE Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED Enter root's password: Connecting to ::1 at port 445 Doing spnego session setup (blob length=96) got OID=1.2.840.48018.1.2.2 got OID=1.2.840.113554.1.2.2 got OID=1.3.6.1.4.1.311.2.2.10 got principal=not_defined_in_RFC4178@please_ignore GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Got challenge flags: Got NTLMSSP neg_flags=0x62898215 NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 SetPrinter call failed! result was WERR_ACCESS_DENIED

Same problem and I'm running out of ideas. I can see the driver files in print$ share and I can see them via printmanagement.msc console on Windows client. In that management console I cannot do the association either. Upon saving the dialog I get "Printer settings could not be saved. Access denied.". Probably the same problem as above. But in this case I'm accessing this as domain user which doesn't have the SePrintOperatorPrivilege, so no blaming here:)