[SOLVED-ish] unable to grant print operator privileges + workaround
David Mansfield
samba at dm.cobite.com
Wed Dec 24 07:41:09 MST 2014
On 12/23/2014 04:31 PM, David Mansfield wrote:
>
>
> On 12/23/2014 02:24 PM, David Mansfield wrote:
>> Hi All,
>>
>> I was trying to follow the wiki
>> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
>>
>> and the command there didn't (doesn't?) work. My system is set up with
>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>> worked. (NT_STATUS_LOGON_FAILURE).
>>
>> The workaround which I eventually found, and which I suggest be
>> documented in said wiki page, was to set a local password for "root"
>> user with smbpasswd -a root, then temporarily switch to "security =
>> user", restart samba, grant the privs., then switch back to "security =
>> ads".
>>
>> I'm not sure why the password is not accepted. When I use my own creds.
>> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
>> the error message changes to NT_STATUS_ACCESS_DENIED.
>>
>> At least the archives will have this solution and hopefully it'll be
>> easier to find for the next guy/gal.
>>
>> Additional information:
>>
>> System is CentOS 7, Samba installed from distro packages (4.1.1-37).
>> Kerberos is set up and working (smbclient -k works). UNIX authentication
>> and nss is via sssd which is set up and working.
>>
>> My DCs are all Samba 4.1.12 compiled from source.
>>
>>
>>
>
> I agree something is wrong, but not SELinux! I already disabled it.
>
Well, I have it "working"... still something wrong but maybe you can
help me now. The command in the wiki is:
    net rpc rights grant 'SAMDOM\Domain Admins' SePrintOperatorPrivilege -Uadministrator
But what ended up working for me was with "-Uroot". It lets me set
password for 'Administrator' and 'root' as separate entities (samba-tool
user setpassword) and authenticate ON THE DC with that user, but none of
the member servers see the 'Administrator' user, and instead they only
see 'root'.
My domain was a classicupgrade from a domain running from the Samba 1
days that had been upgraded half a dozen times before going to Samba 4 AD.
Possibly something was strange in the migration that caused the
'Administrator' user to be 'root' instead.
Now that I think back to the foggy days of the past, I remember that
when adding Windows machines to the domain we had to use 'root' and root
password even back then. So this goes way back.
--
Thanks,
David Mansfield
Cobite, INC.
More information about the samba-technical mailing list