diff --git a/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml b/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml
index 3b9976e3f41..e0c3c7cd4db 100644
--- a/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml
+++ b/docs-xml/Samba3-ByExample/SBE-2000UserNetwork.xml
@@ -1093,7 +1093,6 @@ index default sub
ldap://massive.abmas.biz10000-2000010000-20000
-rootcups
diff --git a/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml b/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml
index 23704fe716d..45a09a8fb1d 100644
--- a/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml
+++ b/docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml
@@ -674,7 +674,6 @@ Join to 'MEGANET2' failed.
10000-2000010000-20000Yes
-rootcups
@@ -948,7 +947,6 @@ MEGANET2+PIOps:x:10005:
"Domain Users"/bin/bash+
-root192.168.2., 192.168.3., 127.cups
@@ -1041,7 +1039,6 @@ Joined domain MEGANET2.
wins bcast hostsCUPS192.168.2.1
-root192.168.2., 192.168.3., 127.cups
@@ -1723,7 +1720,6 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt-
NoNoYes
-"KPAK\Domain Admins"
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml b/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml
index bb05de4d112..d0258fb492e 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml
@@ -188,7 +188,6 @@ libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)
yesnoyes
- root, @ntadmins, @smbprintadm
@@ -232,7 +231,6 @@ libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)
yesnoyes
- root, @ntadmins, @smbprintadmA special printer with his own settings
@@ -243,7 +241,6 @@ libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)
nonoyes
- kurt0.0.0.0turbo_xp, 10.160.50.23, 10.160.51.60
@@ -251,9 +248,8 @@ libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)
This special share is only for testing purposes. It does not write the print job to a file. It just logs the job parameters
- known to Samba into the /tmp/smbprn.log file and deletes the job-file. Moreover, the
- of this share is kurt (not the @ntadmins group),
- guest access is not allowed, the share isn't published to the Network Neighborhood (so you need to know it is there), and it
+ known to Samba into the /tmp/smbprn.log file and deletes the job-file. Moreover, guest access is not
+ allowed, the share isn't published to the Network Neighborhood (so you need to know it is there), and it
allows access from only three hosts. To prevent CUPS from kicking in and taking over the print jobs for that share, we need to set
sysv and lpstat.
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-FastStart.xml b/docs-xml/Samba3-HOWTO/TOSHARG-FastStart.xml
index 517bb0f7c37..08f6e493b26 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-FastStart.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-FastStart.xml
@@ -495,7 +495,6 @@ Added user jackb.
All Printers/var/spool/samba
-root, maryo0600YesYes
@@ -729,7 +728,6 @@ smb: \> qAll Printers/var/spool/samba
-root, maryo0600YesYes
@@ -961,7 +959,6 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
All Printers/var/spool/samba
-root, maryo0600YesYes
@@ -971,7 +968,6 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
Printer Drivers Share/var/lib/samba/driversmaryo, root
-maryo, rootNeeded to support domain logons
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-IDMAP.xml b/docs-xml/Samba3-HOWTO/TOSHARG-IDMAP.xml
index f590334ebe6..89bdec7f6da 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-IDMAP.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-IDMAP.xml
@@ -595,7 +595,6 @@ Join to domain 'MEGANET2' is not valid
500-10000000YesYes
-"BUTTERNET\Domain Admins"
@@ -728,7 +727,6 @@ Join to domain is not valid
NoNoYes
-"Domain Admins"
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-Printing.xml b/docs-xml/Samba3-HOWTO/TOSHARG-Printing.xml
index fff317bed09..6d4624c86dd 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-Printing.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-Printing.xml
@@ -282,7 +282,6 @@ with settings shown in the example above:
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
- printer admin =
min print space = 0
max print jobs = 1000
printable = No
@@ -404,7 +403,6 @@ be if you used this minimalistic configuration. Here is what you can expect to f
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
- printer admin =
min print space = 0
max print jobs = 1000
printable = No
@@ -480,7 +478,6 @@ are set by default. You could use a much leaner &smb.conf; file, or you can use
yesyes/etc/printcap
-@ntadmin, root10020no
@@ -498,7 +495,6 @@ are set by default. You could use a much leaner &smb.conf; file, or you can use
Printer with Restricted Access/var/spool/samba_my_printer
-kurtyesyesno
@@ -624,21 +620,6 @@ globally set share settings and specify other values).
cupsd.conf file.
- @ntadmin
-
-add drivers
-/etc/group
-printer share
-set printer properties
- Members of the ntadmin group should be able to add drivers and set printer properties
- (ntadmin is only an example name; it needs to be a valid UNIX group name); root is
- implicitly always a . The @ sign precedes group names
- in the /etc/group. A printer admin can do anything to printers via the remote
- administration interfaces offered by MS-RPC (see Printing Developments Since
- Samba-2.2). In larger installations, the parameter is normally a
- per-share parameter. This permits different groups to administer each printer share.
-
-
20 lpq command
@@ -789,13 +770,6 @@ finds one, it will connect to this and will not connect to a printer with the sa
- kurt
-
- The printer admin definition is different for this explicitly defined printer share from the general
- share. It is not a requirement; we did it to show that it is possible.
-
-
-
yes
This makes the printer browseable so the clients may conveniently find it when browsing the
@@ -1256,9 +1230,6 @@ site). See [print\$] Example.
[print$] Example
-members of the ntadmin group should be able to add drivers and set
-printer properties. root is implicitly always a 'printer admin'.
-@ntadmin...
@@ -1358,9 +1329,7 @@ The following parameters are frequently needed in this share section:
write-access (as an exception to the general public's read-only access), which they need to
update files on the share. Normally, you will want to name only administrative-level user
account in this setting. Check the file system permissions to make sure these accounts
- can copy files to the share. If this is a non-root account, then the account should also
- be mentioned in the global
- parameter. See the &smb.conf; man page for more information on configuring file shares.
+ can copy files to the share.
@@ -1403,10 +1372,6 @@ to support like this:
The account used to connect to the Samba host must have a UID of 0 (i.e., a root account).
-
-
- The account used to connect to the Samba host must be named in the printer admin list.
-
@@ -1495,15 +1460,14 @@ assign a driver to a printer is open. You now have the choice of:
Once the APW is started, the procedure is exactly the same as the one you are familiar with in Windows (we
assume here that you are familiar with the printer driver installations procedure on Windows NT). Make sure
-your connection is, in fact, set up as a user with
-privileges (if in doubt, use smbstatus to check for this). If you wish to install
+your connection is, in fact, set up as a user with printer administrator privileges
+(if in doubt, use smbstatus to check for this). If you wish to install
printer drivers for client operating systems other than Windows NT x86,
you will need to use the Sharing tab of the printer properties dialog.
-Assuming you have connected with an administrative (or root) account (as named by the
- parameter), you will also be able to modify
+Assuming you have connected with an administrative (or root) account, you will also be able to modify
other printer properties such as ACLs and default device settings using this dialog. For the default
device settings, please consider the advice given further in Installing
Print Drivers Using rpcclient.
@@ -2104,7 +2068,7 @@ user nobody. In a DOS box type:
net use \\SAMBA-SERVER\print$ /user:root
-Replace root, if needed, by another valid user as given in
+Replace root, if needed, by another valid printer administrator user as given in
the definition. Should you already be connected as a different user, you will get an error message. There
is no easy way to get rid of that connection, because Windows does not seem to know a concept of logging
off from a share connection (do not confuse this with logging off from the local workstation; that is
@@ -2204,7 +2168,7 @@ in the following paragraphs.
-Be aware that a valid device mode can only be initiated by a or root
+Be aware that a valid device mode can only be initiated by a printer administrator or root
(the reason should be obvious). Device modes can be correctly set only by executing the printer driver program
itself. Since Samba cannot execute this Win32 platform driver code, it sets this field initially to NULL
(which is not a valid setting for clients to use). Fortunately, most drivers automatically generate the
@@ -2315,12 +2279,12 @@ command... field from the Start menu.
-Always Make First Client Connection as root or printer admin
+Always Make First Client Connection as root or printer administrator
After you installed the driver on the Samba server (in its share), you
should always make sure that your first client installation completes correctly. Make it a habit for yourself
-to build the very first connection from a client as . This is to make
+to build the very first connection from a client as a printer administrator"/>. This is to make
sure that:
@@ -2354,8 +2318,8 @@ To connect as root to a Samba printer, try this command from a Windows 200x/XP D
You will be prompted for root's Samba password; type it, wait a few seconds, click on
Printing Defaults, and proceed to set the job options that should be used as defaults
-by all clients. Alternatively, instead of root you can name one other member of the from the setting.
+by all clients. Alternatively, instead of root you can give one other member printer adminadministrator
+privileges.
@@ -2458,7 +2422,7 @@ is how I reproduce it in an XP Professional:
Do you see any difference in the two settings dialogs? I do not either. However, only the last one, which you
arrived at with steps C.1 through C.6 will permanently save any settings which will then become the defaults
for new users. If you want all clients to have the same defaults, you need to conduct these steps as
-administrator () before a client downloads the driver (the clients can
+administrator before a client downloads the driver (the clients can
later set their own per-user defaults by following procedures A or B above). Windows 200x/XP allow per-user
default settings and the ones the administrator gives them before they set up their own. The parents of the
identical-looking dialogs have a slight difference in their window names; one is called
@@ -2602,7 +2566,7 @@ folder. Also located in this folder is the Windows NT Add Printer Wizard icon. T
The connected user is able to successfully execute an OpenPrinterEx(\\server) with
- administrative privileges (i.e., root or ).
+ administrative privileges (i.e., root or a printer administrator).
Try this from a Windows 200x/XP DOS box command prompt:
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
index 07efc463ab4..dc6125e1d60 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
@@ -333,13 +333,9 @@ mailing lists.
global rightadministrative rightsprinters admin
- This privilege operates identically to the
- option in the &smb.conf; file (see section 5 man page for &smb.conf;)
- except that it is a global right (not on a per-printer basis).
- Eventually the smb.conf option will be deprecated and administrative
- rights to printers will be controlled exclusively by this right and
- the security descriptor associated with the printer object in the
- ntprinters.tdb file.
+ Administrative rights to printers are only controlled exclusively
+ by this right and the security descriptor associated with the
+ printer object in the registry.
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml b/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml
index 4c9a1f08505..dfd4e7b529d 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml
@@ -287,7 +287,6 @@ The contents of the &smb.conf; file is shown in the A
All Printers/var/spool/samba
-rootYesYesYes
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml b/docs-xml/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml
index 7ae6fd5bc2c..8ef0c705b33 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml
@@ -350,7 +350,6 @@ In alphabetical order, these are the parameters eliminated from Samba-2.2.x thro
min password lengthnt smb supportpost script
- printer adminprinter driverprinter driver fileprinter driver location
diff --git a/docs-xml/smbdotconf/printing/showaddprinterwizard.xml b/docs-xml/smbdotconf/printing/showaddprinterwizard.xml
index 293cf9d1aaa..c912554fbfa 100644
--- a/docs-xml/smbdotconf/printing/showaddprinterwizard.xml
+++ b/docs-xml/smbdotconf/printing/showaddprinterwizard.xml
@@ -14,8 +14,8 @@
Under normal circumstances, the Windows NT/2000 client will
open a handle on the printer server with OpenPrinterEx() asking for
Administrator privileges. If the user does not have administrative
- access on the print server (i.e is not root or a member of the
- printer admin group), the OpenPrinterEx()
+ access on the print server (i.e is not root or the priviledge
+ SePrintOperatorPrivilege, the OpenPrinterEx()
call fails and the client makes another open call with a request for
a lower privilege level. This should succeed, however the APW
icon will not be displayed.
@@ -30,7 +30,6 @@
addprinter commanddeleteprinter command
-printer adminyes
diff --git a/docs-xml/smbdotconf/security/printeradmin.xml b/docs-xml/smbdotconf/security/printeradmin.xml
deleted file mode 100644
index a0dd9929c05..00000000000
--- a/docs-xml/smbdotconf/security/printeradmin.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-
-
- This lists users who can do anything to printers
- via the remote administration interfaces offered
- by MS-RPC (usually using a NT workstation).
- This parameter can be set per-share or globally.
- Note: The root user always has admin rights. Use
- caution with use in the global stanza as this can
- cause side effects.
-
-
-
- This parameter has been marked deprecated in favor
- of using the SePrintOperatorPrivilege and individual
- print security descriptors. It will be removed in a future release.
-
-
-
-
-
-admin, @staff
-
diff --git a/examples/printing/VampireDriversFunctions b/examples/printing/VampireDriversFunctions
index 3d46411e91d..f245c31ed58 100644
--- a/examples/printing/VampireDriversFunctions
+++ b/examples/printing/VampireDriversFunctions
@@ -90,7 +90,7 @@ echo -e " \n\
# driver info and related files from a Windows NT print server.
# It then uploads and installs the drivers to a Samba server. (The
# Samba server needs to be prepared for this: a valid [print$]
-# share, with write access set for a \"printer admin\".)
+# share, with write access set for a user with SePrintOperatorPrivilege.)
#
# The main commands used are \"smbclient\" and \"rpcclient\" combined
# with \"grep\", \"sed\" and \"awk\". Probably a Perl or Python script
@@ -143,15 +143,15 @@ echo -e " \n\
# #################################################################
#
# ntprinteradmin=Administrator # any account on the NT host
-# # with \"printer admin\" privileges
-# ntadminpasswd=not4you # the \"printer admin\" password on
+# # with SePrintOperatorPrivilege privileges
+# ntadminpasswd=not4you # the printer admin password on
# # the NT print server
# nthost=windowsntprintserverbox # the netbios name of the NT print
# # server
#
# smbprinteradmin=knoppix # an account on the Samba server
-# # with \"printer admin\" privileges
-# smbadminpasswd=2secret4you # the \"printer admin\" password on
+# # with SePrintOperatorPrivilege privileges
+# smbadminpasswd=2secret4you # the printer admin password on
# # the Samba server
# smbhost=knoppix # the netbios name of the Samba
# # print server
diff --git a/packaging/SGI/smb.conf b/packaging/SGI/smb.conf
index 03f2a4c9f81..5a8f464c9b7 100644
--- a/packaging/SGI/smb.conf
+++ b/packaging/SGI/smb.conf
@@ -90,9 +90,6 @@
; Uncomment the following if you wish to sync unix and smbpasswd
; unix password sync = yes
-; Printer admin account to allow uploading printer drivers
- printer admin = lp
-
; Sample winbindd configuration parameters - uncomment and
; change if necessary for your desired configuration
; winbind uid = 50000-60000