Samba 3.6 Printer Sharing from Linux Server to Windows 7 64-bit Client

For years, I have had Samba share the printer connected to my Debian Linux machine to various clients, Windows XP and 7 in particular. For Windows XP, Samba provided printer drivers to attaching clients. When it was time to attach Windows 7 (64-bit) computers, it did not work, as Windows 7 would search (forever) for printer drivers via Windows Update and so on. I tried to add drivers for Samba to hand out and failed, and by searching the web I found the suggestion to "add local printer" and then "create new port" and for the port use "\\my_linux_hostname\printer_name", which worked well. At least until recently.

Suddenly, the Windows 7 machine would not print. I did not know if it was due to some Debian updates or to some Windows 7 updates. For sure, no configurations were changed. I did a lot of searching on the web, and found a lot of recommendations on registry settings for DomainCompatibilityMode, DNSNameResolutionRequired and such (http://wiki.samba.org/index.php/Windows7), but that did not change anything.

When I tried to create a new local printer (on the Windows 7 machine), it gave me access denied. With loglevel 3 in Samba, I could see this in the logs:

  checking name: printer_name
[2012/01/18 10:20:48.667088, 3] rpc_server/spoolss/srv_spoolss_nt.c:520(set_printer_hnd_printertype)
  Setting printer type=printer_name
[2012/01/18 10:20:48.667339, 3] lib/access.c:338(allow_access)
  Allowed connection from 192.168.3.4 (192.168.3.4)
[2012/01/18 10:20:48.667382, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
  string_to_sid: SID root is not in a valid format
[2012/01/18 10:20:48.667450, 3] passdb/lookup_sid.c:1737(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for root
[2012/01/18 10:20:48.667796, 3] rpc_server/rpc_handles.c:281(close_policy_hnd)
  Closed policy
[2012/01/18 10:20:48.667831, 3] rpc_server/rpc_handles.c:281(close_policy_hnd)
  Closed policy
[2012/01/18 10:20:48.667878, 3] rpc_server/spoolss/srv_spoolss_nt.c:1903(_spoolss_OpenPrinterEx)
  access DENIED for printer open

[2012/01/18 10:20:48.667899, 3] rpc_server/rpc_handles.c:281(close_policy_hnd)
  Closed policy
[2012/01/18 10:20:58.749883, 3] smbd/service.c:1291(close_cnum)
  windowsclient (192.168.3.4) closed connection to service IPC$
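
To find this failure in a long level 3 log without reading it by eye, the following added example (not part of the original post) groups each Samba log header with its message lines and reports every denied OpenPrinterEx call together with the client address and printer name logged before it. The function names and the embedded sample, which is constructed from the excerpt above, are assumptions of this example.

```python
import re

# Header of a Samba debug entry: [date time, level] source_file:line(function)
HEADER = re.compile(
    r"^\s*\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():  # message line, indented or not
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def printer_open_denials(text):
    """One record per denied OpenPrinterEx, with the client and printer seen before it."""
    client = printer = "unknown"
    denials = []
    for e in parse_entries(text):
        if e["func"] == "allow_access":
            m = re.search(r"Allowed connection from (\S+)", e["msg"])
            client = m.group(1) if m else client
        elif e["func"] == "set_printer_hnd_printertype":
            m = re.search(r"Setting printer type=(\S+)", e["msg"])
            printer = m.group(1) if m else printer
        elif e["func"] == "_spoolss_OpenPrinterEx" and "access DENIED" in e["msg"]:
            denials.append({"time": e["ts"], "client": client, "printer": printer})
    return denials

# Constructed sample in the same layout as the log excerpt above.
SAMPLE = """\
[2012/01/18 10:20:48.667088, 3] rpc_server/spoolss/srv_spoolss_nt.c:520(set_printer_hnd_printertype)
  Setting printer type=printer_name
[2012/01/18 10:20:48.667339, 3] lib/access.c:338(allow_access)
  Allowed connection from 192.168.3.4 (192.168.3.4)
[2012/01/18 10:20:48.667796, 3] rpc_server/rpc_handles.c:281(close_policy_hnd)
Closed policy
[2012/01/18 10:20:48.667878, 3] rpc_server/spoolss/srv_spoolss_nt.c:1903(_spoolss_OpenPrinterEx)
  access DENIED for printer open
"""

if __name__ == "__main__":
    for denial in printer_open_denials(SAMPLE):
        print(denial)
```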

There is a reason _spoolss_OpenPrinterEx returns access DENIED:

"Because the client considers the printer to be local, it attempts to issue the OpenPrinterEx() call requesting access rights associated with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call fails. The result is that the client now displays an “Access Denied; Unable to connect” message in the printer queue window (even though jobs may be printed successfully)."

This is found in the description of the parameter use client driver (alt. disable spoolss) in the Samba documentation (http://www.samba.org/samba/docs/man/Samba-Guide/simple.html#id2555247). Reading on, I realized that using this parameter would disable the "Point'n'Print Client Drivers on Samba Servers" functionality, but since I was not using it for Windows 7 anyway, it would be no sacrifice... Lo and behold, with that parameter set it all worked again!

Snippet from my smb.conf with the printer settings:

[printers]
  comment = All Printers
  path = /var/spool/samba
  guest ok = Yes
  printable = Yes
  print ok = Yes
  use client driver = Yes
  browseable = No

[print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  write list = root, @lpadmin

I realize it should of course be possible to make it work with the drivers provided by the Samba server even for Windows 7, and it should be possible to get the access rights set up correctly. But it seems hard to find any info on the web on how to achieve this. I have seen many threads (without solutions) from people having problems with the same symptoms as I had, though. The lack of solutions, together with me having one (perhaps not the best one, but still one), is the reason I made this page. If you have any tips and tricks to share with me on how to improve my configuration, please do not hesitate to e-mail me (address is found below).