diff --git a/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml b/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml index 3b9976e3f41..e0c3c7cd4db 100644 --- a/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml +++ b/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml @@ -1093,7 +1093,6 @@ index default sub ldap://massive.abmas.biz 10000-20000 10000-20000 -root cups diff --git a/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml b/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml index 23704fe716d..45a09a8fb1d 100644 --- a/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml +++ b/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml @@ -674,7 +674,6 @@ Join to 'MEGANET2' failed. 10000-20000 10000-20000 Yes -root cups @@ -948,7 +947,6 @@ MEGANET2+PIOps:x:10005: "Domain Users" /bin/bash + -root 192.168.2., 192.168.3., 127. cups @@ -1041,7 +1039,6 @@ Joined domain MEGANET2. wins bcast hosts CUPS 192.168.2.1 -root 192.168.2., 192.168.3., 127. cups @@ -1723,7 +1720,6 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt- No No Yes -"KPAK\Domain Admins" diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml b/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml index bb05de4d112..d0258fb492e 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml @@ -188,7 +188,6 @@ libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) yes no yes - root, @ntadmins, @smbprintadm @@ -232,7 +231,6 @@ libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) yes no yes - root, @ntadmins, @smbprintadm A special printer with his own settings @@ -243,7 +241,6 @@ libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) no no yes - kurt 0.0.0.0 turbo_xp, 10.160.50.23, 10.160.51.60 @@ -251,9 +248,8 @@ libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) This special share is only for testing purposes. It does not write the print job to a file. It just logs the job parameters - known to Samba into the /tmp/smbprn.log file and deletes the job-file. Moreover, the - of this share is kurt (not the @ntadmins group), - guest access is not allowed, the share isn't published to the Network Neighborhood (so you need to know it is there), and it + known to Samba into the /tmp/smbprn.log file and deletes the job-file. Moreover, guest access is not + allowed, the share isn't published to the Network Neighborhood (so you need to know it is there), and it allows access from only three hosts. To prevent CUPS from kicking in and taking over the print jobs for that share, we need to set sysv and lpstat. diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-FastStart.xml b/docs-xml/Samba3-HOWTO/TOSHARG-FastStart.xml index 517bb0f7c37..08f6e493b26 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-FastStart.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-FastStart.xml @@ -495,7 +495,6 @@ Added user jackb. All Printers /var/spool/samba -root, maryo 0600 Yes Yes @@ -729,7 +728,6 @@ smb: \> q All Printers /var/spool/samba -root, maryo 0600 Yes Yes @@ -961,7 +959,6 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false All Printers /var/spool/samba -root, maryo 0600 Yes Yes @@ -971,7 +968,6 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false Printer Drivers Share /var/lib/samba/drivers maryo, root -maryo, root Needed to support domain logons diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-IDMAP.xml b/docs-xml/Samba3-HOWTO/TOSHARG-IDMAP.xml index f590334ebe6..89bdec7f6da 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-IDMAP.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-IDMAP.xml @@ -595,7 +595,6 @@ Join to domain 'MEGANET2' is not valid 500-10000000 Yes Yes -"BUTTERNET\Domain Admins" @@ -728,7 +727,6 @@ Join to domain is not valid No No Yes -"Domain Admins" diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-Printing.xml b/docs-xml/Samba3-HOWTO/TOSHARG-Printing.xml index fff317bed09..6d4624c86dd 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-Printing.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-Printing.xml @@ -282,7 +282,6 @@ with settings shown in the example above: deleteprinter command = show add printer wizard = Yes os2 driver map = - printer admin = min print space = 0 max print jobs = 1000 printable = No @@ -404,7 +403,6 @@ be if you used this minimalistic configuration. Here is what you can expect to f deleteprinter command = show add printer wizard = Yes os2 driver map = - printer admin = min print space = 0 max print jobs = 1000 printable = No @@ -480,7 +478,6 @@ are set by default. You could use a much leaner &smb.conf; file, or you can use yes yes /etc/printcap -@ntadmin, root 100 20 no @@ -498,7 +495,6 @@ are set by default. You could use a much leaner &smb.conf; file, or you can use Printer with Restricted Access /var/spool/samba_my_printer -kurt yes yes no @@ -624,21 +620,6 @@ globally set share settings and specify other values). cupsd.conf file. - @ntadmin - -add drivers -/etc/group -printer share -set printer properties - Members of the ntadmin group should be able to add drivers and set printer properties - (ntadmin is only an example name; it needs to be a valid UNIX group name); root is - implicitly always a . The @ sign precedes group names - in the /etc/group. A printer admin can do anything to printers via the remote - administration interfaces offered by MS-RPC (see Printing Developments Since - Samba-2.2). In larger installations, the parameter is normally a - per-share parameter. This permits different groups to administer each printer share. - - 20 lpq command @@ -789,13 +770,6 @@ finds one, it will connect to this and will not connect to a printer with the sa - kurt - - The printer admin definition is different for this explicitly defined printer share from the general - share. It is not a requirement; we did it to show that it is possible. - - - yes This makes the printer browseable so the clients may conveniently find it when browsing the @@ -1256,9 +1230,6 @@ site). See [print\$] Example. [print$] Example -members of the ntadmin group should be able to add drivers and set -printer properties. root is implicitly always a 'printer admin'. -@ntadmin ... @@ -1358,9 +1329,7 @@ The following parameters are frequently needed in this share section: write-access (as an exception to the general public's read-only access), which they need to update files on the share. Normally, you will want to name only administrative-level user account in this setting. Check the file system permissions to make sure these accounts - can copy files to the share. If this is a non-root account, then the account should also - be mentioned in the global - parameter. See the &smb.conf; man page for more information on configuring file shares. + can copy files to the share. @@ -1403,10 +1372,6 @@ to support like this: The account used to connect to the Samba host must have a UID of 0 (i.e., a root account). - - - The account used to connect to the Samba host must be named in the printer admin list. - @@ -1495,15 +1460,14 @@ assign a driver to a printer is open. You now have the choice of: Once the APW is started, the procedure is exactly the same as the one you are familiar with in Windows (we assume here that you are familiar with the printer driver installations procedure on Windows NT). Make sure -your connection is, in fact, set up as a user with -privileges (if in doubt, use smbstatus to check for this). If you wish to install +your connection is, in fact, set up as a user with printer administrator privileges +(if in doubt, use smbstatus to check for this). If you wish to install printer drivers for client operating systems other than Windows NT x86, you will need to use the Sharing tab of the printer properties dialog. -Assuming you have connected with an administrative (or root) account (as named by the - parameter), you will also be able to modify +Assuming you have connected with an administrative (or root) account, you will also be able to modify other printer properties such as ACLs and default device settings using this dialog. For the default device settings, please consider the advice given further in Installing Print Drivers Using rpcclient. @@ -2104,7 +2068,7 @@ user nobody. In a DOS box type: net use \\SAMBA-SERVER\print$ /user:root -Replace root, if needed, by another valid user as given in +Replace root, if needed, by another valid printer administrator user as given in the definition. Should you already be connected as a different user, you will get an error message. There is no easy way to get rid of that connection, because Windows does not seem to know a concept of logging off from a share connection (do not confuse this with logging off from the local workstation; that is @@ -2204,7 +2168,7 @@ in the following paragraphs. -Be aware that a valid device mode can only be initiated by a or root +Be aware that a valid device mode can only be initiated by a printer administrator or root (the reason should be obvious). Device modes can be correctly set only by executing the printer driver program itself. Since Samba cannot execute this Win32 platform driver code, it sets this field initially to NULL (which is not a valid setting for clients to use). Fortunately, most drivers automatically generate the @@ -2315,12 +2279,12 @@ command... field from the Start menu. -Always Make First Client Connection as root or <quote>printer admin</quote> +Always Make First Client Connection as root or printer administrator After you installed the driver on the Samba server (in its share), you should always make sure that your first client installation completes correctly. Make it a habit for yourself -to build the very first connection from a client as . This is to make +to build the very first connection from a client as a printer administrator"/>. This is to make sure that: @@ -2354,8 +2318,8 @@ To connect as root to a Samba printer, try this command from a Windows 200x/XP D You will be prompted for root's Samba password; type it, wait a few seconds, click on Printing Defaults, and proceed to set the job options that should be used as defaults -by all clients. Alternatively, instead of root you can name one other member of the from the setting. +by all clients. Alternatively, instead of root you can give one other member printer adminadministrator +privileges. @@ -2458,7 +2422,7 @@ is how I reproduce it in an XP Professional: Do you see any difference in the two settings dialogs? I do not either. However, only the last one, which you arrived at with steps C.1 through C.6 will permanently save any settings which will then become the defaults for new users. If you want all clients to have the same defaults, you need to conduct these steps as -administrator () before a client downloads the driver (the clients can +administrator before a client downloads the driver (the clients can later set their own per-user defaults by following procedures A or B above). Windows 200x/XP allow per-user default settings and the ones the administrator gives them before they set up their own. The parents of the identical-looking dialogs have a slight difference in their window names; one is called @@ -2602,7 +2566,7 @@ folder. Also located in this folder is the Windows NT Add Printer Wizard icon. T The connected user is able to successfully execute an OpenPrinterEx(\\server) with - administrative privileges (i.e., root or ). + administrative privileges (i.e., root or a printer administrator). Try this from a Windows 200x/XP DOS box command prompt: diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml index 07efc463ab4..dc6125e1d60 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml @@ -333,13 +333,9 @@ mailing lists. global right administrative rights printers admin - This privilege operates identically to the - option in the &smb.conf; file (see section 5 man page for &smb.conf;) - except that it is a global right (not on a per-printer basis). - Eventually the smb.conf option will be deprecated and administrative - rights to printers will be controlled exclusively by this right and - the security descriptor associated with the printer object in the - ntprinters.tdb file. + Administrative rights to printers are only controlled exclusively + by this right and the security descriptor associated with the + printer object in the registry. diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml b/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml index 4c9a1f08505..dfd4e7b529d 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml @@ -287,7 +287,6 @@ The contents of the &smb.conf; file is shown in the A All Printers /var/spool/samba -root Yes Yes Yes diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml b/docs-xml/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml index 7ae6fd5bc2c..8ef0c705b33 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml @@ -350,7 +350,6 @@ In alphabetical order, these are the parameters eliminated from Samba-2.2.x thro min password length nt smb support post script - printer admin printer driver printer driver file printer driver location diff --git a/docs-xml/smbdotconf/printing/showaddprinterwizard.xml b/docs-xml/smbdotconf/printing/showaddprinterwizard.xml index 293cf9d1aaa..c912554fbfa 100644 --- a/docs-xml/smbdotconf/printing/showaddprinterwizard.xml +++ b/docs-xml/smbdotconf/printing/showaddprinterwizard.xml @@ -14,8 +14,8 @@ Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges. If the user does not have administrative - access on the print server (i.e is not root or a member of the - printer admin group), the OpenPrinterEx() + access on the print server (i.e is not root or the priviledge + SePrintOperatorPrivilege, the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level. This should succeed, however the APW icon will not be displayed. @@ -30,7 +30,6 @@ addprinter command deleteprinter command -printer admin yes diff --git a/docs-xml/smbdotconf/security/printeradmin.xml b/docs-xml/smbdotconf/security/printeradmin.xml deleted file mode 100644 index a0dd9929c05..00000000000 --- a/docs-xml/smbdotconf/security/printeradmin.xml +++ /dev/null @@ -1,27 +0,0 @@ - - - - This lists users who can do anything to printers - via the remote administration interfaces offered - by MS-RPC (usually using a NT workstation). - This parameter can be set per-share or globally. - Note: The root user always has admin rights. Use - caution with use in the global stanza as this can - cause side effects. - - - - This parameter has been marked deprecated in favor - of using the SePrintOperatorPrivilege and individual - print security descriptors. It will be removed in a future release. - - - - - -admin, @staff - diff --git a/examples/printing/VampireDriversFunctions b/examples/printing/VampireDriversFunctions index 3d46411e91d..f245c31ed58 100644 --- a/examples/printing/VampireDriversFunctions +++ b/examples/printing/VampireDriversFunctions @@ -90,7 +90,7 @@ echo -e " \n\ # driver info and related files from a Windows NT print server. # It then uploads and installs the drivers to a Samba server. (The # Samba server needs to be prepared for this: a valid [print$] -# share, with write access set for a \"printer admin\".) +# share, with write access set for a user with SePrintOperatorPrivilege.) # # The main commands used are \"smbclient\" and \"rpcclient\" combined # with \"grep\", \"sed\" and \"awk\". Probably a Perl or Python script @@ -143,15 +143,15 @@ echo -e " \n\ # ################################################################# # # ntprinteradmin=Administrator # any account on the NT host -# # with \"printer admin\" privileges -# ntadminpasswd=not4you # the \"printer admin\" password on +# # with SePrintOperatorPrivilege privileges +# ntadminpasswd=not4you # the printer admin password on # # the NT print server # nthost=windowsntprintserverbox # the netbios name of the NT print # # server # # smbprinteradmin=knoppix # an account on the Samba server -# # with \"printer admin\" privileges -# smbadminpasswd=2secret4you # the \"printer admin\" password on +# # with SePrintOperatorPrivilege privileges +# smbadminpasswd=2secret4you # the printer admin password on # # the Samba server # smbhost=knoppix # the netbios name of the Samba # # print server diff --git a/packaging/SGI/smb.conf b/packaging/SGI/smb.conf index 03f2a4c9f81..5a8f464c9b7 100644 --- a/packaging/SGI/smb.conf +++ b/packaging/SGI/smb.conf @@ -90,9 +90,6 @@ ; Uncomment the following if you wish to sync unix and smbpasswd ; unix password sync = yes -; Printer admin account to allow uploading printer drivers - printer admin = lp - ; Sample winbindd configuration parameters - uncomment and ; change if necessary for your desired configuration ; winbind uid = 50000-60000