[SOLVED-ish] unable to grant print operator privileges + workaround

David Mansfield samba at dm.cobite.com
Wed Dec 24 07:41:09 MST 2014

On 12/23/2014 04:31 PM, David Mansfield wrote:
> On 12/23/2014 02:24 PM, David Mansfield wrote:
>> Hi All,
>>
>> I was trying to follow the wiki
>> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
>> and the command there didn't (doesn't?) work.  My system is set up with
>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>> The workaround which I eventually found, and which I suggest be
>> documented in said wiki page, was to set a local password for "root"
>> user with smbpasswd -a root, then temporarily switch to "security =
>> user", restart Samba, grant the privs., then switch back to "security =
>> ads".
>>
>> I'm not sure why the password is not accepted.  When I use my own creds.
>> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
>> the error message changes to NT_STATUS_ACCESS_DENIED.
>>
>> At least the archives will have this solution and hopefully it'll be
>> easier to find for the next guy/gal.
>>
>> Additional information:
>>
>> System is CentOS 7, Samba installed from distro packages (4.1.1-37).
>> Kerberos is set up and working (smbclient -k works). UNIX authentication
>> and nss is via sssd which is set up and working.
>>
>> My DCs are all Samba 4.1.12 compiled from source.
> I agree something is wrong, but not SELinux! I already disabled it.

Well, I have it "working"... still something wrong but maybe you can 
help me now.  The command in the wiki is:

net rpc rights grant 'SAMDOM\Domain Admins' SePrintOperatorPrivilege 

But what ended up working for me was with "-Uroot".  It lets me set a
password for 'Administrator' and 'root' as separate entities (samba-tool
user setpassword) and authenticate ON THE DC with that user, but none of
the member servers see the 'Administrator' user, and instead they only
see 'root'.

My domain was a classicupgrade from a domain running from the Samba 1
days that had been upgraded half a dozen times before going to Samba 4 AD.

Possibly something was strange in the migration that caused the 
'Administrator' user to be 'root' instead.

Now that I think back to the foggy days of the past, I remember that
when adding Windows machines to the domain we had to use 'root' and root
password even back then.  So this goes way back.

David Mansfield
Cobite, INC.
