unable to grant print operator privileges + workaround
Richard Sharpe
realrichardsharpe at gmail.com
Tue Dec 23 14:44:35 MST 2014
On Tue, Dec 23, 2014 at 1:31 PM, David Mansfield <samba at dm.cobite.com> wrote:
>
>
> On 12/23/2014 02:24 PM, David Mansfield wrote:
>>
>> Hi All,
>>
>> I was trying to follow the wiki
>>
>> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
>> and the command there didn't (doesn't?) work. My system is set up with
>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>> worked. (NT_STATUS_LOGON_FAILURE).
>>
>> The workaround which I eventually found, and which I suggest be
>> documented in said wiki page, was to set a local password for "root"
>> user with smbpasswd -a root, then temporarily switch to "security =
>> user", restart samba, grant the privs., then switch back to "security =
>> ads".
>>
>> I'm not sure why the password is not accepted. When I use my own creds.
>> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
>> the error message changes to NT_STATUS_ACCESS_DENIED.
>>
>> At least the archives will have this solution and hopefully it'll be
>> easier to find for the next guy/gal.
>>
>> Additional information:
>>
>> System is centos 7, samba installed from distro packages (4.1.1-37).
>> Kerberos is set up and working (smbclient -k works). UNIX authentication
>> and nss is via sssd which is set up and working.
>>
>> My DCs are all samba 4.1.12 compiled from source.
>>
>>
>>
>
> I agree something is wrong, but not selinux! I already disabled it.
>
> Another odd thing. If I put the WRONG password in, I see:
>
> auth_check_password_recv: sam_ignoredomain authentication for user
> [COBITE\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
>
> In the server log, but if I put the right password in, that doesn't appear,
> but in both cases NT_STATUS_LOGON_FAILURE on the client.
>
> On a different member server (centos 6, samba-3.5.10-125.el6.x86_64), I
> also cannot use 'administrator' (or DOMAIN\administrator) with the exact
> same symptoms, but when I use myself it says 'Successfully granted rights'.
> (I should be an administrator, I can join machines to domain etc. using my
> own account).
>
> Here's the server log for the failed auth (with the right password):
>
> 2014/12/23 15:53:17.749887, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2014/12/23 15:53:17.750137, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> [2014/12/23 15:53:18.316385, 3]
> ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
> schannel_store_session_key_tdb: stored schannel info with key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.324654, 3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2014/12/23 15:53:18.325216, 3]
> ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
> schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.329397, 3]
> ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
> schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.329813, 3]
> ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
> schannel_store_session_key_tdb: stored schannel info with key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.333683, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2014/12/23 15:53:18.333971, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> [2014/12/23 15:53:18.337922, 3]
> ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
> schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.338340, 3]
> ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
> schannel_store_session_key_tdb: stored schannel info with key
> SECRETS/SCHANNEL/PRINTSERVER
> [2014/12/23 15:53:18.338496, 3]
> ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
> auth_check_password_send: Checking password for unmapped user
> [COBITE]\[administrator]@[\\PRINTSERVER]
> auth_check_password_send: mapped user is:
> [COBITE]\[administrator]@[\\PRINTSERVER]
> [2014/12/23 15:53:18.360187, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2014/12/23 15:53:18.360414, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
Somewhere in the log you should see NT_STATUS_LOGON_FAILURE.
The logs around there might tell you what is going wrong.
--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
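Reading the log entries around an authentication failure, as the reply suggests, can be scripted. The following is an added example, not part of the original thread or of Samba's code: it groups Samba debug-log entries (one header line plus its indented message lines) and returns each authentication failure together with the entries that precede it. The sample log is constructed: the EXAMPLE domain, and the debug level, source line and timestamp of the failing entry, are assumptions.

```python
import re
from collections import deque

# Header of one Samba debug entry: "[timestamp, level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*(?P<level>\d+)\]"
    r"\s+(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)"
)
# Status codes mentioned in the thread that indicate a failed auth or denied call.
STATUS = re.compile(r"NT_STATUS_(?:LOGON_FAILURE|WRONG_PASSWORD|ACCESS_DENIED)")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": []})
        elif entries and raw.strip():
            entries[-1]["msg"].append(raw.strip())
    return entries

def failures_with_context(entries, before=2):
    """Return (status, failing entry, preceding entries) for each failure."""
    window = deque(maxlen=before)
    hits = []
    for e in entries:
        m = STATUS.search(" ".join(e["msg"]))
        if m:
            hits.append((m.group(0), e, list(window)))
        window.append(e)
    return hits

# Constructed sample in the log format quoted in the thread (not real output).
SAMPLE = r"""[2014/12/23 15:53:18.338340,  3] ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.338496,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[administrator]@[\\PRINTSERVER]
  auth_check_password_send: mapped user is: [EXAMPLE]\[administrator]@[\\PRINTSERVER]
[2014/12/23 15:53:18.350000,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [EXAMPLE\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
[2014/12/23 15:53:18.360187,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
"""

if __name__ == "__main__":
    for status, entry, ctx in failures_with_context(parse_entries(SAMPLE)):
        print(entry["ts"], status, "in", entry["func"], f"({entry['src']}:{entry['line']})")
        print("  preceded by:", [c["func"] for c in ctx])
```
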