Description of problem:
Setting up a Windows shared printer, LaserJet 6P. Select Windows sharing, get all info including smb// text box. No instructions, no documentation, no example, no man page. The only thing a user could put in there is the UNC as //computername/prtrsharename (I used computername/prtrsharename). It accepted it and created the printer. Test print got selinux audit on cupd.spool. I set cups sebool off; test print seems to go but goes nowhere. Set to default printer. Closed cups gui. Opened again, printer was there, test print started print queue gui. Documents were not printing. Checked ports, no ports involved. A later reboot, the printer definition was gone. Reverted back to FC6 devel symptoms.

Version-Release number of selected component (if applicable):
all of them.

How reproducible:
Every time I try it.

Steps to Reproduce:
1.
2.
3.

Actual results:
Unusable printing

Expected results:
Shared printing with Windows.

Additional info:
There is meant to be a list of machines for you to click and select a queue from. Is that not showing any machines?

> Test print got selinux audit on cupd.spool.

Please tell me exactly what it said. Thanks.
New attempt on devel with latest system-config-printer and SELinux-policy triggered all of these audit conditions.

audit]# tail -n 20 audit.log
type=SYSCALL msg=audit(1163451265.414:129): arch=40000003 syscall=195 success=no exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899 pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="smb" exe="/usr/bin/smbspool" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:129): path="/tmp/.X11-unix"
type=AVC msg=audit(1163451265.414:130): avc: denied { getattr } for pid=4401 comm="smb" name=".font-unix" dev=dm-0 ino=1671173 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xfs_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1163451265.414:130): arch=40000003 syscall=195 success=no exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899 pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="smb" exe="/usr/bin/smbspool" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:130): path="/tmp/.font-unix"
type=AVC msg=audit(1163451265.414:131): avc: denied { getattr } for pid=4401 comm="smb" name=".gdm819SIT" dev=dm-0 ino=1672624 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1163451265.414:131): arch=40000003 syscall=195 success=no exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899 pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="smb" exe="/usr/bin/smbspool" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:131): path="/tmp/.gdm819SIT"
type=AVC msg=audit(1163451265.414:132): avc: denied { getattr } for pid=4401 comm="smb" name=".gdm_socket" dev=dm-0 ino=1672302 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1163451265.414:132): arch=40000003 syscall=195 success=no exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899 pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="smb" exe="/usr/bin/smbspool" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:132): path="/tmp/.gdm_socket"
type=AVC msg=audit(1163451265.414:133): avc: denied { getattr } for pid=4401 comm="smb" name="sealert.log" dev=dm-0 ino=1671206 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1163451265.414:133): arch=40000003 syscall=195 success=no exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899 pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="smb" exe="/usr/bin/smbspool" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:133): path="/tmp/sealert.log"
type=AVC msg=audit(1163451265.415:134): avc: denied { getattr } for pid=4401 comm="smb" name=".X0-lock" dev=dm-0 ino=1672622 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1163451265.415:134): arch=40000003 syscall=195 success=no exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899 pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="smb" exe="/usr/bin/smbspool" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.415:134): path="/tmp/.X0-lock"
type=AVC msg=audit(1163451265.415:135): avc: denied { getattr } for pid=4401 comm="smb" name=".ICE-unix" dev=dm-0 ino=1671172 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ice_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1163451265.415:135): arch=40000003 syscall=195 success=no exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899 pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="smb" exe="/usr/bin/smbspool" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.415:135): path="/tmp/.ICE-unix"
[root@Tasha-19 audit]#

The print icon is showing with one doc queued but going nowhere. Still have trouble removing test print w/o close and re-open of printing. The WORKGROUP -------SERVER ---------PRINTERSHARE dropdowns show the wrong workgroup, only the SERVER, and no Printershares.

This is for FC6, FC7 devel
system-config-printer-0.7.36-1.fc7
selinux-policy-2.4.3-10
cups-1.2.6-5.fc7
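Records like the ones in the comment above are easier to triage once the AVC, SYSCALL and AVC_PATH lines that share an audit event id are joined. The following Python sketch is an added example, not part of the original comment or of any Fedora tool; `summarize` and `se_type` are hypothetical helper names and the sample lines are constructed, shortened from the kind of records quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: two denial events, SYSCALL records shortened.
SAMPLE = '''\
type=AVC msg=audit(1163451265.414:130): avc:  denied  { getattr } for  pid=4401 comm="smb" name=".font-unix" dev=dm-0 ino=1671173 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xfs_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1163451265.414:130): arch=40000003 syscall=195 success=no exit=-13 comm="smb" exe="/usr/bin/smbspool"
type=AVC_PATH msg=audit(1163451265.414:130):  path="/tmp/.font-unix"
type=AVC msg=audit(1163451265.414:131): avc:  denied  { getattr } for  pid=4401 comm="smb" name=".gdm819SIT" dev=dm-0 ino=1672624 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1163451265.414:131): arch=40000003 syscall=195 success=no exit=-13 comm="smb" exe="/usr/bin/smbspool"
type=AVC_PATH msg=audit(1163451265.414:131):  path="/tmp/.gdm819SIT"
'''

ID = r"msg=audit\((?P<id>[\d.]+:\d+)\):"
AVC = re.compile(r"type=AVC " + ID + r"\s+avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
                 r".*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")
PATH = re.compile(r"type=AVC_PATH " + ID + r'\s+path="(?P<path>[^"]*)"')
EXE = re.compile(r"type=SYSCALL " + ID + r'.*?\bexe="(?P<exe>[^"]*)"')


def se_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def summarize(lines):
    """Group denials by (source domain, executable, permissions)."""
    avcs, paths, exes = [], {}, {}
    for line in lines:
        if (m := AVC.search(line)):
            avcs.append(m)
        elif (m := PATH.search(line)):
            paths[m["id"]] = m["path"]
        elif (m := EXE.search(line)):
            exes[m["id"]] = m["exe"]
    groups = defaultdict(list)
    for m in avcs:
        # Join on the audit event id, e.g. 1163451265.414:130
        key = (se_type(m["src"]), exes.get(m["id"], "?"), m["perms"])
        groups[key].append((paths.get(m["id"], "?"), se_type(m["tgt"]), m["cls"]))
    return dict(groups)


if __name__ == "__main__":
    for key, targets in summarize(SAMPLE.splitlines()).items():
        print(key, targets)
```

Each key shows which confined domain and binary was denied which permission, and the value lists the objects and their target types, which is the information a policy maintainer needs to judge a denial.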
Also, eggcups crashes on FC6 shutdown, a popup about bugbuddy not available comes up but there is no logging at that time.

Darwin
The AVC messages in comment #2 are harmless and are not preventing SMB browsing so far as I can tell. Darwin, there are several different issues here. Please let's concentrate on one of them per bug report, or else it gets very confusing. For other bugs, please file separate bug reports. So, back to the problem with browsing for an SMB printer. What exactly is going wrong with the tree-view of domains, servers and shares? What domain are you expecting to see, and what do you actually see?
OK, first, I think the SELinux avc messages are blocking the printing. Second, I'm not browsing for SMB printers, I'm using the dropdown Printers gui selection list (to see what it offers.)

The program must differentiate between DOMAIN and WORKGROUP. Why? Because the Linux clients would have to be authorized to browse a network to see printers. One can not assume that the Windows printer is on a DOMAIN or a simple WORKGROUP like Win 98 or Win XP HOME which have no acl or acu (User rights and Authorized Users), because Win XP PRO can be reset to the classic Security model that Win2K server uses, and that is what I have. This means I can not use the dropdown menus to select the SMB windows share (because the gui program would not have authorization to get a list, nor would it know the WORKGROUP name needed (as there can be more than one WORKGROUP with a shared printer.))

So for a WORKGROUP the gui must ask for Windows Username and Password. It does at the bottom. The text box labeled //smb needs the correct string for //workgroupname/wincomputername/winprintshare. I did not know (and I'm sure many would not know) this format. I do now. //workgroupname/wincomputername/winprintshare along with the Username and password get changed into a more complex string. Something like //:Username:password:/workgroupname/computername/printsharename

Whatever that string is, it is the only one that will eventually allow the apply button response to say that it is good. When I click next it says it is building the printer. The printer is built and it is back to the original screen showing a local printer. I select that and:
1. The enable button is enabled.
2. The default button is enabled.
3. The test button is enabled.

I click on set default, and then test print. That triggers SEtroubleshoot. There may or may not be a printer icon showing the print queue and the document. But nothing ever prints and the network is never accessed.

A screenshot of the latest test I did for FC6 is on this link.
http://www.fedoraforum.org/gallery/showimage.php?i=2692

Darwin
> OK, first, I think the SELinux avc messages are blocking the printing.

I don't believe this is the case. I get the same avc messages for a successful print. I do believe there is a bug there, and it is in the SELinux policy for samba (or in samba). An easy test for whether printing is being blocked by the SELinux policy is to disable it and try a test print: 'setenforce 0'.

Can you please clarify what you mean by the "dropdown printers gui selection list"? Do you mean the list on the left of the 'select connection' page, containing 'Windows Printer via SAMBA'? Or the 'Share | Comment' list view on the right hand side of that page once you have selected 'Windows Printer via SAMBA'?

I am aware that it would be good to describe the URI on that page, and I will add a label to do that. But I would like to understand what needs to be fixed in the GUI to avoid people having to make up their own URIs.

Does the Places->Network Servers file browser, accessible from the main desktop menu, allow you to browse to the printer you want?
"Does the Places->Network Servers file browser, accessible from the main desktop menu, allow you to browse to the printer you want?"

NO! It is on a workgroup on NTFS Windows SP2 classic security model. There is no such thing as browsing a Secured NTFS Win XP SP2 system. It is addressed per share with smbclient.

"I am aware that it would be good to describe the URI on that page, and I will add a label to do that. But I would like to understand what needs to be fixed in the GUI to avoid people having to make up their own URIs."

There is only one string that is correct yet the gui accepts more than one as being accessible. The correct string would be MYWORKGROUPNAME/WINCOMPNAME/WINPRINTSHARENAME w or w/o leading / or // (the program should make it correct). The current strings accepted are:

WINCOMPNAME/WINPRINTSHARE (This ignores the workgroupname and Windows will deny access.)

WORKGROUP/WINCOMPNAME/WINPRINTSHARE Any workgroup name is accepted but you get this string in the Device URI: smb://.../localhost/WORKGROUP which is completely invalid. Also, this same string is used after a change to the Device URI.

Accepting the wrong WORKGROUP or no WORKGROUP will fail on NTFS access.

"Can you please clarify what you mean by the "dropdown printers gui selection list"? Do you mean the list on the left of the 'select connection' page, containing 'Windows Printer via SAMBA'? Or the 'Share | Comment' list view on the right hand side of that page once you have selected 'Windows Printer via SAMBA'?"

The right side. The arrow points to the text WORKGROUP. Click the arrow and I get WINCOMPNAME, click that arrow and I get nothing, which is correct.

"I don't believe this is the case. I get the same avc messages for a successful print. I do believe there is a bug there, and it is in the SELinux policy for samba (or in samba). An easy test for whether printing is being blocked by the SELinux policy is to disable it and try a test print: 'setenforce 0'."

This is confusing because even after setenforce 0, the sealert keeps popping up. Sealert needs to be tied into sestatus. But the messages are still occurring. I turned cupd boolean off for selinux. I then rebooted to make sure everything was off. This makes building the printer easy with WINCOMPNAME/PRINTSHARENAME (but it is missing myworkgroupname.)

The next problem I see is in the audit.log which is showing my password in plain view. Is not this supposed to be encrypted? Any admin could use someone's account. That's much different than looking at files, or changing the password or fixing something. Here is an audit message showing no workgroup and plain password (which I inked out.)

type=LABEL_LEVEL_CHANGE msg=audit(1164064257.467:43): user pid=2582 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 msg='printer=HPLaserJ.2 uri=smb://Darwin%20H.%20Webb:********/URANUS-37/HPLaserJ.2 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=Jade-38.WinProxy, addr=90.0.0.8, terminal=? res=success)'

Now back to CIFS. The print from my user name (not root or test print) using gedit txt file, queued up and the printer icon popped up. The document was shown as sending but it didn't go anywhere. But how can samba-3.023c work fine on FC5 (late), FC6 (early) before this new print system came down? (If it is CIFS.)

To conclude with a TO-Do list. If you'll check out the gui for proper //smb strings, proper passwords, proper workgroups that would reduce the setup problems.

I will try a http net install of FC7 devel and see if anything clears up about printing. May take a few days. :)

thanks,
Darwin
Darwin -- please stay on FC6 to help me with testing. There are no changes in FC7 that will help with this problem.
I've added the string to 0.7.39-1.fc6, shortly to appear in updates-testing. Actually I've now taken '[username:password@]' out of it, because the entry widgets at the bottom of that screen are used to fill in those parts of the URI afterwards. It should read: smb://[workgroup/]server[:port]/printer
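The URI form stated in the comment above, smb://[workgroup/]server[:port]/printer, can be checked and logged safely as follows. This is an added Python example, not system-config-printer or CUPS code and not part of the thread; `parse_smb_uri` and `redact_smb_uri` are hypothetical helper names, the optional username:password@ prefix is assumed to sit directly after smb:// as in the smbspool URI forms, and the sample values are constructed. The second helper rebuilds the URI with the password masked before it is written anywhere, which addresses the audit.log concern raised earlier.

```python
from urllib.parse import quote, unquote


def parse_smb_uri(uri):
    """Split smb://[user[:password]@][workgroup/]server[:port]/printer."""
    if not uri.lower().startswith("smb://"):
        raise ValueError("device URI must start with smb://")
    rest = uri[len("smb://"):]
    user = password = None
    if "@" in rest:
        # Credentials end at the last '@'; a raw '@' in a password stays with it.
        cred, rest = rest.rsplit("@", 1)
        user, sep, secret = cred.partition(":")
        user = unquote(user)
        password = unquote(secret) if sep else None
    parts = rest.split("/")
    if len(parts) == 2:
        workgroup, (hostport, printer) = None, parts
    elif len(parts) == 3:
        workgroup, hostport, printer = parts
    else:
        raise ValueError("expected [workgroup/]server[:port]/printer")
    server, sep, port = hostport.partition(":")
    if sep and not port.isdigit():
        raise ValueError("port must be numeric")
    if not server or not printer or workgroup == "":
        raise ValueError("empty workgroup, server or printer name")
    return {"user": user, "password": password, "workgroup": workgroup,
            "server": server, "port": int(port) if sep else None,
            "printer": printer}


def redact_smb_uri(uri):
    """Rebuild the URI for logging with the password masked, never echoed."""
    f = parse_smb_uri(uri)
    cred = ""
    if f["user"] is not None:
        cred = quote(f["user"], safe="")
        cred += ":********@" if f["password"] is not None else "@"
    host = f["server"] + (f":{f['port']}" if f["port"] is not None else "")
    group = f["workgroup"] + "/" if f["workgroup"] else ""
    return f"smb://{cred}{group}{host}/{f['printer']}"


# Constructed sample values, not taken from the thread.
if __name__ == "__main__":
    print(redact_smb_uri("smb://Example%20User:s3cret@MYGROUP/WINPC:445/LaserJet"))
```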
Tim, I tried the new packages from test. The gui still allows any workgroupname in verify access. If missed typing in //smb text box, the username: password is extracted and put in bottom boxes, and SMB text reverts to //.../localhost/WORKGROUP.

Anyway, I tried as many combos as I could. I would delete the printer and start over when the queue got messed up with jobs. But nothing would print. All indicate smb or NTFS denied. This is with SELinux on, Setroubleshoot did not trigger, and the only AVC messages were the usual /temp on smb and cups/spool.

Maybe you are correct about CIFS. I can not see any reason why it would not print? I'll try again when the packages change. Let me know.

P. S. As for FC7, I only meant to re-install as to make it as valid as possible without some broken script or conf or update error, to see if there was a difference. But Anaconda is broken so if you don't find something later, maybe I'll re-install FC6 and make sure that is valid.

TTYL,
Darwin
Darwin, please file separate bug reports. I'm taking this bug report to be that the label should be added, and will close it once the update is released. I have already filed a separate bug report for you for the audit log message: bug #216669. Please file other reports for the remaining problems, so they can be correctly tracked and fixed. Thanks.