Setting up Automatic Printer Driver Downloads for Windows Clients
Introduction
If you are running a Samba print server for Windows clients, you can upload drivers and preconfigure printers. If a user connects to a printer on the Samba server, Windows automatically downloads the driver and installs it locally. The user does not require local administrator permissions for the installation. Additionally, Windows applies preconfigured driver settings, such as paper sizes and the number of trays.
 | Before you can set up automatic printer driver download, configure Samba as a print server and share a printer. For details, see Setting up Samba as a Print Server. |
Supported Printer Drivers
General Information
Many driver are provided in a way that enables you to upload them to your Samba print server:
- If the driver is provided in a compressed format, unpack the archive.
- Some drivers are require to start a setup application that installs the driver locally on a Windows host. In certain cases, the installer extracts the individual files into the operating system's temporary folder during the setup. To use the driver files for uploading them to a Samba print Server, start the installer, copy the files from the temporary folder to a new location, and cancel the installation.
Ask your printer vendor, if the driver supports uploading to a print server for automatic download by Windows operating systems.
Supported Windows Printer Drivers
Samba only supports the printer driver model version 3 that is supported in Windows 2000 to 10 and Windows Server 2000 to 2016.
To use package-aware drivers:
- Run Samba 4.7 and later
- Enable the
spoolssdservice. For details, see Enabling the spoolssd Service.
The driver model version 4, introduced in Windows 8 and Windows Server 2012, is not supported in Samba. Use version 3 drivers instead.
32-bit and 64-bit Drivers
Printer drivers for the 64-bit Windows architecture, you can only upload from a Windows 64-bit operating system. 32-bit drivers you can upload from both 32-bit and 64-bit Windows operating systems.
To provide driver for both architectures, you must upload 32-bit and 64-bit drivers that uses exactly the same name for both architectures. For example, if you are uploading the 32-bit HP Universal Printing PS driver and the 64-bit HP Universal Printing PS (v5.5.0) driver for Windows, the driver names are different and cannot be used and preconfigured for the same printer.
Uploading Only 64-bit Drivers to a Samba Print Server
Using the default setting, Samba reports itself as Windows NT x86 architecture. Thus, 64-bit drivers stored on this print server can only be assigned to a printer if additionally a 32-bit driver with exactly the same name is uploaded. Otherwise, Windows does not display the driver in the list displayed in the printer's properties when assigning the driver.
To provide only 64-bit driver on the Samba print server:
- Add the following setting to the
[global]section in yoursmb.conffile:
spoolss: architecture = Windows x64
- Reload Samba:
# smbcontrol all reload-config
Granting the SePrintOperatorPrivilege Privilege
Only users and groups having the SePrintOperatorPrivilege privilege granted can upload and preconfigure printer drivers. You can grant this privilege to any user or group.
For example, to grant the privilege to the Domain Admins group, enter:
# net rpc rights grant "SAMDOM\Domain Admins" SePrintOperatorPrivilege -U "SAMDOM\administrator" Enter SAMDOM\administrator's password: Successfully granted rights.
| It is recommended to grant the privilege to a group instead of individual accounts. This enables you to add and revoke the privilege by updating the group membership. |
If you get the following error:
Could not connect to server 127.0.0.1 The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE
- Create in /etc/samba the file "user.map"
- Edit /etc/samba/user.map and add line:
!root = SAMDOM\administrator SAMDOM\Administrator
- Add in smb.conf to the [Global] section:
username map = /etc/samba/user.map
- Reload Samba:
# smbcontrol all reload-config
If you get the following error:
Could not connect to server 127.0.0.1 Connection failed: NT_STATUS_INVALID_TOKEN
- Add in smb.conf to the [Global] section:
min domain uid = 0
- Reload Samba:
# smbcontrol all reload-config
To list all users and groups having the SePrintOperatorPrivilege privilege granted, enter:
# net rpc rights list privileges SePrintOperatorPrivilege -U "SAMDOM\administrator" SePrintOperatorPrivilege: BUILTIN\Administrators SAMDOM\Domain Admins
Windows downloads printer drivers from the print$ share of a print server. This share name is hard-coded in Windows and cannot be changed.
To share the /srv/samba/printer_drivers/ folder using the print$ share name:
- Add the following section to your
smb.conffile:
[print$]
path = /srv/samba/printer_drivers/
read only = no
- Reload Samba:
# smbcontrol all reload-config
- Create the directory:
# mkdir -p /srv/samba/printer_drivers/
- Set the permissions on the share. Users or groups having the
SePrintOperatorPrivilegeprivilege granted must be able to to write to the share. For example, to set write access for theDomain Adminsgroup and read permissions for other users to be able to download the drivers:
- Using POSIX access control lists (ACL):
# chgrp -R "SAMDOM\Domain Admins" /srv/samba/printer_drivers/ # chmod -R 2775 /srv/samba/printer_drivers/
When setting up a Samba print server on an Active Directory (AD) domain controller (DC), you cannot use POSIX access control lists (ACL). Use the Windows utilities to set extended ACLs. For details, see Enable Extended ACL Support in the smb.conf File.
- Using Windows ACLs:
- Set the following permissions using the Windows utilities:
Principal Access Apply to Creator Owner Full control Subfolders and files only Authenticated Users Read & execute, List folder contents, Read This folder, subfolders and files Domain Admins Full control This folder, subfolders and files
- For details, see Setting Share Permissions and ACLs.
Samba automatically creates the architecture subdirectories on the print$ share when uploading a driver.
Creating a GPO for Trusting the Print Server
 | In July 2016, Microsoft released an update to fix security issues in the Windows print spooler. This update changes the behaviour and limited support for non-package-aware printer drivers. In October 2016, Microsoft published an update to mitigate these problems in an Active Directory (AD). For further details, see MS16-087. This section describes the procedure to work around the problems in an AD. |
To avoid installing malicious drivers from untrusted sources, Windows asks you if you trust the print server when you preconfigure a printer or when a user installs a printer. Create a group policy object (GPO) to trust the Samba print server and work around the known issues introduced by the Windows print spooler security update:
- Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain
Administratoraccount.
- Open the
Group Policy Management Console. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Right-click to your AD domain and select
Create a GPO in this domain, and Link it here.
- Enter a name for the GPO, such as
Legacy Printer Driver Policy. The new GPO is shown below the domain entry.
- Right-click to the newly-created GPO and select
Editto open theGroup Policy Management Editor.
- Navigate to the
Computer Configuration→Policies→Administrative Templates→Printersentry.
- Double-click to the
Point and Print Restrictionpolicy to edit the policy:
- Enable the policy and set the following options:
- Enable
Users can only point and print to these serversand enter the fully-qualified domain name (FQDN) to the field. - Select
Do not show warning or elevation promptin both theWhen installing drivers for a new connectionandWhen updating drivers for an existing connectionlist.
- Enable
- Click
OK.
- Click
- Double-click to the
Package Point and Print - Approved serverspolicy to edit the policy:
- Enable the policy and click the
Showbutton.
- Enter the print server's FQDN. For example:
- Enable the policy and click the
- Close both the content and policy properties by clicking
OK.
- Close both the content and policy properties by clicking
- Close the
Group Policy Management Editor. The GPOs are automatically saved on theSysvolshare on the domain controller (DC).
- Close the
Group Policy Management Console.
Wait until the Windows domain members applied the group policy automatically. To apply the policy manually:
- Reboot the domain member.
- Run the following command using an account having local administrator permissions:
> gpupdate /force /target:computer
Creating a GPO for RPC connection updates for print in Windows 11
| Windows 11, version 22H2 (October 2022) introduces changes to print components that modify how Windows machines communicate with each other during printing or print related operations. For example, the changes come into effect when you print to a printer shared out by a print server or another computer on the network. These changes were made to further improve the overall security of printing in Windows. The default configuration of the RPC connection settings enforces newer and more secure communication methods. Home users and enterprise administrators can also customize the settings for their environment. |
- Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain
Administratoraccount.
- Open the
Group Policy Management Console. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Navigate to the
Computer Configuration→Policies→Administrative Templates→Configure RPC Connection settingsentry.
- Double-click to the
Configure RPC Connection settingspolicy to edit the policy:
- Enable the policy and set the following options:
- Enable
RPC over named pipes.
- Enable
- Close both the content and policy properties by clicking
OK.
- Close both the content and policy properties by clicking
- Close the
Group Policy Management Editor. The GPOs are automatically saved on theSysvolshare on the domain controller (DC).
- Close the
Group Policy Management Console.
Wait until the Windows domain members applied the group policy automatically. To apply the policy manually:
- Reboot the domain member.
- Run the following command using an account having local administrator permissions:
> gpupdate /force /target:computer
Connecting to the Print Server Using the Print Management Console
To connect to the Samba print server:
- Log on to a Windows host using an account that has the
SeDiskOperatorPrivilegeprivilege granted and write permissions on theprint$share.
- Click
Start, enterPrint Management, and start the application.
- Right-click to the
Print Serversentry and selectAdd/Remove Servers.
- Enter the name of the Samba print server in the
Add serversfield, and clickAdd to List.
- Click
OK.
When you are connected to the print server, you can perform certain tasks, such as uploading drivers and preconfiguring printers.
Uploading a Printer Driver to a Samba Print Server
To upload a printer driver:
- Connect to the print server. See Connecting to the Print Server Using the Print Management Console
- Navigate to the
Print Serversentry, double-click your print server, and right-click to theDriversentry.
- Select
Add Driver.
- In upcoming wizard, select the architecture you want to upload a driver for, and select
Next.
- Click
Have Diskand navigate to the folder containing the printer driver for the selected architecture.
- Select the driver to upload from the list.
When you upload 32-bit and 64-bit drivers for the same printer, both drivers must have exactly the same driver name. For details, see 32-bit and 64-bit Drivers.
- Click
Finishto start uploading the driver to theprint$share.
- After uploading, the driver is shown in the
Driversmenu.
Optionally, upload drivers for additional architectures.
Assigning a Driver to a Printer
Using the Print Management Console
To assign a driver to a printer using the Windows Print Management console:
- Connect to the print server. See Connecting to the Print Server Using the Print Management Console
- Navigate to the
Print Serversentry, double-click your print server, and select thePrintersentry.
- Right-click to the printer and select
Properties.
- When no driver is associated with the printer, the following warning is shown:
- Click
No. The driver is selected in a later step from the list of uploaded drivers.
- Navigate to the
Advancedtab and select the driver from the list. For example:
- If you uploaded only a 64-bit driver and the driver is not displayed in the list, see Uploading Only 64-bit Drivers to a Samba Print Server.
- Click
OKto set the driver for the printer.
- If a warning is displayed, cancel the operation and set up a group policy to trust drivers provided by this print server. For details, see Creating a GPO for Trusting the Print Server.
- After the driver is assigned to the printer, Windows automatically renames the printer to the name of the printer driver. It is recommended, to manually reset the name to the printer name set in the
smb.conffile:
- Right-click to the printer and select
Rename. - Reset the printer name to the name set in the
smb.conffile, and pressEnter. - If the printer list is not refreshed automatically, press the
[F5]key.
- Right-click to the printer and select
Using the Samba rpcclient Utility
To assign a driver to a printer locally on a Samba print server using the rpcclient utility:
- List all drivers available on the
print$share:
# rpcclient localhost -U "SAMDOM\administrator" -c "enumdrivers"
- Assign the driver to the printer. For example, to assign the
HP Universal Printing PSdriver to theDemoPrinterprinter, enter:
# rpcclient localhost -U "SAMDOM\administrator" -c 'setdriver "DemoPrinter" "HP Universal Printing PS"'
- To verify the result:
# rpcclient localhost -U "SAMDOM\administrator" -c "enumprinters"
Preconfiguring a Printer
If the administrator preconfigured the driver on the print server, users connecting to the printer getting automatically the settings applied as default. Preconfigured settings are applied automatically to all driver platforms for the printer, if drivers for multiple architectures are installed on the server. For details, see 32-bit and 64-bit Drivers.
To preconfigure a printer:
- Connect to the print server. See Connecting to the Print Server Using the Print Management Console.
- Navigate to the
Print Serversentry, double-click your print server, and select thePrintersentry.
- Right-click to the printer and select
Properties.
- Depending on the driver, a tab, such as
Device Settings, is provided that enables you to set general settings, such as installed paper trays.
- To preconfigure further settings, navigate to the
Advancedtab and clickPrinting Defaults.
- Update all settings you want to preconfigure. For example, paper sizes and the default paper source.
- Save the advanced settings and the printer properties by clicking
OK.