unable to grant print operator privileges + workaround

Richard Sharpe realrichardsharpe at gmail.com
Tue Dec 23 14:44:35 MST 2014


On Tue, Dec 23, 2014 at 1:31 PM, David Mansfield <samba at dm.cobite.com> wrote:
>
>
> On 12/23/2014 02:24 PM, David Mansfield wrote:
>>
>> Hi All,
>>
>> I was trying to follow the wiki
>>
>> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
>> and the command there didn't (doesn't?) work.  My system is set up with
>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>> worked. (NT_STATUS_LOGON_FAILURE).
>>
>> The workaround which I eventually found, and which I suggest be
>> documented in said wiki page, was to set a local password for "root"
>> user with smbpasswd -a root, then temporarily switch to "security =
>> user", restart samba,  grant the privs., then switch back to "security =
>> ads".
>>
>> I'm not sure why the password is not accepted.  When I use my own creds.
>> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
>> the error message changes to NT_STATUS_ACCESS_DENIED.
>>
>> At least the archives will have this solution and hopefully it'll be
>> easier to find for the next guy/gal.
>>
>> Additional information:
>>
>> System is centos 7, samba installed from distro packages (4.1.1-37).
>> Kerberos is set up and working (smbclient -k works). UNIX authentication
>> and nss is via sssd which is set up and working.
>>
>> My DC are all samba 4.1.12 compiled from source.
>>
>>
>>
>
> I agree something is wrong, but not selinux! I already disabled it.
>
> Another odd thing.  If I put the WRONG password in, I see:
>
> auth_check_password_recv: sam_ignoredomain authentication for user
> [COBITE\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
>
> In the server log, but if I put the right password in, that doesn't appear,
> but in both cases NT_STATUS_LOGON_FAILURE on the client.
>
> On a different member server (centos 6, samba-3.5.10-125.el6.x86_64) , I
> also cannot use 'administrator' (or DOMAIN\administrator) with the exact
> same symptoms, but when I use myself it says 'Successfully granted rights'.
> (I should be an administrator, I can join machines to domain etc. using my
> own account).
>
> Here's the server log for the failed auth (with the right password):
>
> 2014/12/23 15:53:17.749887,  3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2014/12/23 15:53:17.750137,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> [2014/12/23 15:53:18.316385,  3]
> ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
>   schannel_store_session_key_tdb: stored schannel info with key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.324654,  3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2014/12/23 15:53:18.325216,  3]
> ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
>   schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.329397,  3]
> ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
>   schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.329813,  3]
> ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
>   schannel_store_session_key_tdb: stored schannel info with key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.333683,  3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2014/12/23 15:53:18.333971,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> [2014/12/23 15:53:18.337922,  3]
> ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
>   schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.338340,  3]
> ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
>   schannel_store_session_key_tdb: stored schannel info with key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.338496,  3]
> ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user
> [COBITE]\[administrator]@[\\PRINTSERVER]
>   auth_check_password_send: mapped user is:
> [COBITE]\[administrator]@[\\PRINTSERVER]
> [2014/12/23 15:53:18.360187,  3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2014/12/23 15:53:18.360414,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

Somewhere in the log you should see NT_STATUS_LOGON_FAILURE.

The logs around there might tell you what is going wrong.

-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. --Cao Cao)
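
Added example, not part of the original message and not Samba project code: one way to follow the advice above is to group the log into records (a header line plus its indented message lines) and pull out the records surrounding each NT_STATUS_LOGON_FAILURE. The sample log is constructed on the pattern of the quoted excerpt, with each header on one line as assumed for the on-disk log; the `example_auth_result` record and its message are hypothetical.

```python
import re

# Header of a Samba debug record: "[timestamp, level] file:line(function)".
# Extra fields inside the brackets (if any) are tolerated and ignored.
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+)[^\]]*\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>[^)]*)\)"
)

# Constructed sample; the third record is hypothetical.
SAMPLE = r"""[2014/12/23 15:53:18.338340,  3] ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.338496,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [COBITE]\[administrator]@[\\PRINTSERVER]
  auth_check_password_send: mapped user is: [COBITE]\[administrator]@[\\PRINTSERVER]
[2014/12/23 15:53:18.350000,  2] constructed/example.c:1(example_auth_result)
  constructed line: authentication returned NT_STATUS_LOGON_FAILURE
[2014/12/23 15:53:18.360187,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
"""

def parse_records(text):
    """Group header lines with the message lines that follow them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "msg": []})
        elif records and line.strip():
            records[-1]["msg"].append(line.strip())
    return records

def around_status(records, status="NT_STATUS_LOGON_FAILURE", context=2):
    """Return one window of records (hit plus neighbours) per matching record."""
    windows = []
    for i, rec in enumerate(records):
        if any(status in m for m in rec["msg"]):
            windows.append(records[max(0, i - context): i + context + 1])
    return windows

if __name__ == "__main__":
    for window in around_status(parse_records(SAMPLE), context=1):
        for rec in window:
            print(rec["ts"], rec["level"], rec["func"])
            for m in rec["msg"]:
                print("   ", m)
```
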

