[SOLVED-ish] unable to grant print operator privileges + workaround
samba at dm.cobite.com
Wed Dec 24 07:41:09 MST 2014
On 12/23/2014 04:31 PM, David Mansfield wrote:
> On 12/23/2014 02:24 PM, David Mansfield wrote:
>> Hi All,
>> I was trying to follow the wiki
>> and the command there didn't (doesn't?) work. My system is set up with
>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>> worked. (NT_STATUS_LOGON_FAILURE).
>> The workaround which I eventually found, and which I suggest be
>> documented in said wiki page, was to set a local password for "root"
>> user with smbpasswd -a root, then temporarily switch to "security =
>> user", restart samba, grant the privs., then switch back to "security =
>> I'm not sure why the password is not accepted. When I use my own creds.
>> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
>> the error message changes to NT_STATUS_ACCESS_DENIED.
>> At least the archives will have this solution and hopefully it'll be
>> easier to find for the next guy/gal.
>> Additional information:
>> System is CentOS 7, samba installed from distro packages (4.1.1-37).
>> Kerberos is set up and working (smbclient -k works). UNIX authentication
>> and nss is via sssd which is set up and working.
>> My DCs are all samba 4.1.12 compiled from source.
> I agree something is wrong, but not SELinux! I already disabled it.
Well, I have it "working"... still something wrong but maybe you can
help me now. The command in the wiki is:
net rpc rights grant 'SAMDOM\Domain Admins' SePrintOperatorPrivilege
But what ended up working for me was with "-Uroot". It lets me set
password for 'Administrator' and 'root' as separate entities (samba-tool
user setpassword) and authenticate ON THE DC with that user, but none of
the member servers see the 'Administrator' user, and instead they only
My domain was a classicupgrade from a domain running from the samba 1
days that had been upgraded half a dozen times before going to samba 4 AD.
Possibly something was strange in the migration that caused the
'Administrator' user to be 'root' instead.
Now that I think back to the foggy days of the past, I remember that
when adding Windows machines to the domain we had to use 'root' and root
password even back then. So this goes way back.
More information about the samba-technical