This article is heavily based on the official Samba Wiki.

• Add the following to `smb.conf`:

[print$]
   path = /var/lib/samba/printer_drivers/
   read only = no

• Create and configure the share directory. Let's assume `caponato` is a Domain Admin:

mkdir -p /var/lib/samba/printer_drivers/
chown -R caponato:"Domain Admins" /var/lib/samba/printer_drivers/
chmod -R 0775 /var/lib/samba/printer_drivers/

• Restart Samba:

systemctl restart smbd

By default, `BUILTIN\Administrators` (which includes “Domain Admins”) already has this privilege. You may not need to do anything. See: Granting Samba server privileges

Follow this guide to configure the share.

In step 5, assign:

• `Domain Admins`: Full Control
• `Domain Users`: Read & Execute, List Folder Contents, Read

Do not configure permissions on subfolders. All access is managed at the share level.

See this section for details.

• Use only version 3 printer drivers
• Use 64-bit drivers (as defined in `smb.conf`)
• Drivers must support installation on a print server
• Some drivers must be unpacked or installed locally before use (look in `%TEMP%`)

1. Ensure you have the driver folder (bare version-3 driver).
2. Log into Windows as a Domain Admin.
3. Launch Print Management.
4. Add your print server (`PS1`) under *Print Servers*.
5. Go to Drivers → Right-click → *Add Driver*. Follow the wizard and upload the files.

If the CUPS printer does not appear immediately, wait a few minutes for Samba to rescan, or reboot the server.

You can also trigger detection by browsing to `\\PS1` from Windows, double-clicking the printer (cancel any dialog), then returning to Print Manager.

1. In *Print Management*, expand the print server and go to *Printers*.
2. Right-click the printer → *Properties*. If asked to install a driver, click No.
3. Go to the *Advanced* tab → Select your driver from the dropdown.
4. Optionally rename the printer under the *Sharing* tab to control how it appears to clients.

1. Configure trays, duplexing, or finishers in the *Accessories* tab
2. Set user/group access in the *Security* tab

Note: With the `ad` idmap backend, groups must have a `gidNumber` or they won't be seen by Unix.

1. Set default print options under *Advanced* → *Printing Defaults*

Please note: Due to CVE-2021-34481 and related updates, installing printer drivers via Point and Print now requires local administrator rights. This cannot be bypassed with GPO alone. Preinstall drivers on client machines when possible.

See:

• Microsoft KB5005652
• PrintNightmare Article

Recommended GPO entries - warning due above CVE chances are these will not work. Install print drivers by an admin:

1. Computer Configuration → Policies → Windows Settings → Local Policies → Security Options
   1. *Devices: Prevent users from installing printer drivers*: Disabled

1. Computer Configuration → Policies → Administrative Templates → Printers
   1. *Limits print driver installation to Administrators*: Disabled
   2. *Package Point and Print - Approved servers*: Enabled
      1. Add the FQDNs of your print servers
   3. *Point and Print Restrictions*: Enabled
      1. Allow only connections to specified servers
      2. Add FQDNs separated by semicolons

1. Computer Configuration → Preferences → Windows Settings → Registry
   1. Path: `HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint`
   2. Value name: `RestrictDriverInstallationToAdministrators`
   3. Value type: `REG_DWORD`
   4. Value data: `0x0`

Note: This last registry setting overrides all GPOs and forces that only administrators can install print drivers, regardless of other policies.

Hopefully you now have a working print server with automatic driver download for Windows clients!

Caponato's Samba notebook. Start here or else Main menu