unable to grant print operator privileges + workaround

David Mansfield samba at dm.cobite.com
Tue Dec 23 14:31:14 MST 2014



On 12/23/2014 02:24 PM, David Mansfield wrote:
> Hi All,
>
> I was trying to follow the wiki
> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
> and the command there didn't (doesn't?) work.  My system is set up with
> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
> worked. (NT_STATUS_LOGON_FAILURE).
>
> The workaround which I eventually found, and which I suggest be
> documented in said wiki page, was to set a local password for "root"
> user with smbpasswd -a root, then temporarily switch to "security =
> user", restart samba, grant the privs., then switch back to "security =
> ads".
>
> I'm not sure why the password is not accepted.  When I use my own creds.
> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
> the error message changes to NT_STATUS_ACCESS_DENIED.
>
> At least the archives will have this solution and hopefully it'll be
> easier to find for the next guy/gal.
>
> Additional information:
>
> System is CentOS 7, samba installed from distro packages (4.1.1-37).
> Kerberos is set up and working (smbclient -k works). UNIX authentication
> and nss is via sssd which is set up and working.
>
> My DCs are all samba 4.1.12 compiled from source.
>
>
>

I agree something is wrong, but not SELinux! I already disabled it.

Another odd thing.  If I put the WRONG password in, I see:

auth_check_password_recv: sam_ignoredomain authentication for user 
[COBITE\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD

in the server log, but if I put the right password in, that doesn't 
appear, but in both cases I get NT_STATUS_LOGON_FAILURE on the client.

On a different member server (CentOS 6, samba-3.5.10-125.el6.x86_64), I 
also cannot use 'administrator' (or DOMAIN\administrator) with the exact 
same symptoms, but when I use myself it says 'Successfully granted 
rights'.  (I should be an administrator, I can join machines to domain 
etc. using my own account).

Here's the server log for the failed auth (with the right password):

[2014/12/23 15:53:17.749887,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2014/12/23 15:53:17.750137,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2014/12/23 15:53:18.316385,  3] 
../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
   schannel_store_session_key_tdb: stored schannel info with key 
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.324654,  3] 
../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2014/12/23 15:53:18.325216,  3] 
../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
   schannel_fetch_session_key_tdb: restored schannel info key 
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.329397,  3] 
../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
   schannel_fetch_session_key_tdb: restored schannel info key 
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.329813,  3] 
../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
   schannel_store_session_key_tdb: stored schannel info with key 
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.333683,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2014/12/23 15:53:18.333971,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2014/12/23 15:53:18.337922,  3] 
../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
   schannel_fetch_session_key_tdb: restored schannel info key 
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.338340,  3] 
../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
   schannel_store_session_key_tdb: stored schannel info with key 
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.338496,  3] 
../source4/auth/ntlm/auth.c:270(auth_check_password_send)
   auth_check_password_send: Checking password for unmapped user 
[COBITE]\[administrator]@[\\PRINTSERVER]
   auth_check_password_send: mapped user is: 
[COBITE]\[administrator]@[\\PRINTSERVER]
[2014/12/23 15:53:18.360187,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2014/12/23 15:53:18.360414,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

--
Thanks,
David Mansfield
Cobite, INC.
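
An added example, not part of the original post and not Samba code: a small parser that rejoins the mail-wrapped log records in the layout shown above and reports, for each password check, either the logged failure status or that the connection closed with no FAILED record, which is the symptom described. The header of the wrong-password record in the sample (timestamp, level, source line) is constructed, as are the names `records`, `auth_outcomes` and `NO_FAILURE_LOGGED`.

```python
import re

# Record header "[date time, level]"; "[" is optional so a header that lost it in a paste still parses.
HEADER = re.compile(r"^\[?(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\]\s*(.*)$")
SEND = re.compile(r"auth_check_password_send: Checking password for unmapped "
                  r"user \[([^\]]*)\]\\\[([^\]]*)\]")
FAILED = re.compile(r"auth_check_password_recv: \S+ authentication for user "
                    r"\[([^\]\\]*)\\([^\]]*)\] FAILED with error (NT_STATUS_\w+)")

def records(text):
    """Join each header with its mail-wrapped continuation lines."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append([m.group(1), m.group(2).strip()])
        elif out and line.strip():
            out[-1][1] = (out[-1][1] + " " + line.strip()).strip()
    return out

def auth_outcomes(text):
    """Return (time, account, outcome) for each password check."""
    results, pending = [], None
    for ts, body in records(text):
        sent, failed = SEND.search(body), FAILED.search(body)
        if sent:
            pending = (ts, sent.group(1) + "\\" + sent.group(2))
        elif failed:
            results.append((ts, failed.group(1) + "\\" + failed.group(2), failed.group(3)))
            pending = None
        elif pending and "stream_terminate_connection" in body:
            results.append((*pending, "NO_FAILURE_LOGGED"))
            pending = None
    return results

# Constructed sample; the header of the first record (time, level, ":0") is made up.
SAMPLE = r"""
[2014/12/23 15:50:00.000000,  2]
../source4/auth/ntlm/auth.c:0(auth_check_password_recv)
   auth_check_password_recv: sam_ignoredomain authentication for user
[COBITE\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
[2014/12/23 15:53:18.338496,  3]
../source4/auth/ntlm/auth.c:270(auth_check_password_send)
   auth_check_password_send: Checking password for unmapped user
[COBITE]\[administrator]@[\\PRINTSERVER]
[2014/12/23 15:53:18.360187,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
"""
```

`NO_FAILURE_LOGGED` only means no FAILED record appeared before the connection was torn down at this log level; it does not by itself show that the check succeeded.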

