
Automatic Printer Driver Downloads for Windows Clients

This article is heavily based on the official Samba wiki.

Let's create a share on the print server to hold the print drivers.

  • Add printer driver's share to smb.conf.
  [print$]
     path = /var/lib/samba/printer_drivers/
     read only = no
     
  • Create and configure the print driver share (substitute "Domain Admins" with "Unix Admins" if using the 'ad' idmap backend)
mkdir -p /var/lib/samba/printer_drivers/
# In the next line use "Unix Admins" if you are using the 'ad' idmap backend
chown -R root:"Domain Admins" /var/lib/samba/printer_drivers/
chmod -R 2775 /var/lib/samba/printer_drivers/
  • Restart Samba
systemctl restart smbd
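
Windows clients download and install whatever sits in this directory, so it is worth checking that only the admin group can write to it. The following audit script is an added example, not part of the original page or the Samba wiki; the function names and the smb.conf location in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit the directory behind [print$].

# Print the "path" value of the [print$] section of an smb.conf-style file ($1).
print_share_path() {
    awk '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[print\$\]/); next }
        insec && tolower($0) ~ /^[ \t]*path[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Audit driver directory $1 against admin group $2.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if missing.
audit_driver_dir() {
    dir=$1; want_group=$2
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    findings=$(
        # Entries outside the admin group the page chowns the tree to.
        find "$dir" ! -group "$want_group" -exec echo GROUP {} \;
        # Directories without setgid: uploads there stop inheriting the group.
        find "$dir" -type d ! -perm -2000 -exec echo NO-SETGID {} \;
        # Writable by "other": any local account could replace a driver file.
        find "$dir" ! -type l -perm -0002 -exec echo WORLD-WRITABLE {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (smb.conf location is an assumption, adjust to your system):
#   sh audit-print-share.sh /etc/samba/smb.conf "Domain Admins"
if [ "$#" -eq 2 ]; then
    audit_driver_dir "$(print_share_path "$1")" "$2"
fi
```

Run it again after uploading drivers from Windows, since files created through the share are the ones most likely to drift from the intended group and mode.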

Grant SeDiskOperatorPrivilege

This is needed to properly set up the printer drivers share.

See granting privileges

Configure permissions and Security of the 'print$' share in Windows

Please follow this article to configure the share:

In step 5, give “Domain Admins” (“Unix Admins” if you are using the 'ad' idmap backend) full control of the share, and configure “Domain Users” to have only Read and execute, List Folder contents, and Read permissions in the security tab.

Note there is no security to configure in folders within this share, so we will only assign permissions and security at share level.

About Windows Drivers

See this for a better explanation.

  1. Your driver must be “uploadable” to a print server. If in doubt, ask your printer manufacturer.
  2. Only driver version 3 is supported in Samba.
  3. Save yourself trouble and use only 64-bit drivers. (already defined in smb.conf)
  4. Sometimes your drivers must be decompressed to be installed.
  5. Sometimes you need to start a local installation for the driver package to decompress the actual driver. (Search for the driver in the temp directory on your local Windows machine)

Configure the Printer with Printer Management tool in Windows

  • Upload drivers to your print server

You have a folder with the bare version-3 Windows driver for your printer. Then, on your Windows machine:

  1. Log in as Administrator
  2. Launch “Printer Management”
  3. Right click “Print Servers”, Add/Remove servers, and add your print server. In our example, PS1, add to list, and ok.
  4. Expand your newly added print server, right click on “Drivers”, Add Driver. Follow the wizard and have the files uploaded.
  • Link the printer and the corresponding driver:
  1. In Printer Management, expand your newly added print server, click on printers. You should see a list of printers you have added in CUPS before.
  2. Right click the printer you want to link the driver with, properties. If no driver was previously attached to the printer, you may get an error asking “Would you like to install a driver?”, click no.
  3. Select the Advanced tab. Choose the driver from the pull down menu, and click OK.
  4. Sometimes after adding the driver, the name of the shared printer is updated with the name in the driver. Right click again on the printer, properties, select the Sharing tab, and rename the printer to your liking. This is the name Windows clients will see when browsing your print server.
  • Other configurations:
  1. If you have a complex printer with finishing accessories, this is where you need to configure them, in the Accessories tab of the printer properties pane.
  2. In the security tab of the printer you can configure access to users and groups (remember, if using the 'ad' idmap backend, you must assign a gidNumber to groups or they will be invisible to Unix). If you don't, then 'Everyone' can print.
  3. You can configure the default settings for this printer in the Advanced tab, select printing default, configure to your liking.

Create a GPO to allow Windows Clients to trust the print server, and allow driver download (Point and Print)

You need to create this GPO, otherwise your domain users will not be able to install drivers without an Admin account. (An error will be shown asking whether the print server is trusted, and an Admin password will be requested.) Assign this GPO to the domain, or to an OU.

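The last entry in the GPO is a consequence of CVE-2021-34481. When RestrictDriverInstallationToAdministrators is set to 1, this registry key overrides all Point and Print Restrictions Group Policy settings and ensures that only administrators can install printer drivers from a print server using Point and Print. There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1. The GPO below sets it to 0 so that domain users can install drivers without an Admin account, which leaves entries 3 and 4 (the approved server lists) as the controls that limit where drivers can come from, so list only your own print servers there.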

  1. Computer Configuration / Policies / Windows Settings / Local Policies-Security Options / Devices / Policy : Devices: Prevent users from installing printer drivers : Disable
  2. Computer Configuration / Policies / Administrative Templates / Printers / Policy: Limits print driver installation to Administrators : Disable
  3. Computer Configuration / Policies / Administrative Templates / Printers / Policy: Package Point and print - Approved servers : Enable, and declare the FQDN of all your print servers
  4. Computer Configuration / Policies / Administrative Templates / Printers / Policy: Point and Print Restrictions : Enable and also, Users can only point and print to these servers: Enable, and Enter FQDN server names separated by semicolons.
  5. Computer Configuration / Preferences / Windows Settings / Registry / RestrictDriverInstallationToAdministrators: Value type : REG_DWORD, and Value Data: 0x0

Hopefully you now have a working print server with automatic driver download!



samba/automatic-drivers.txt · Last modified: 2024/05/17 09:35 by caponato