[SOLVED-ish] unable to grant print operator privileges + workaround

David Mansfield samba at dm.cobite.com
Wed Dec 24 07:41:09 MST 2014



On 12/23/2014 04:31 PM, David Mansfield wrote:
>
>
> On 12/23/2014 02:24 PM, David Mansfield wrote:
>> Hi All,
>>
>> I was trying to follow the wiki
>> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
>>
>> and the command there didn't (doesn't?) work.  My system is set up with
>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>> worked. (NT_STATUS_LOGON_FAILURE).
>>
>> The workaround which I eventually found, and which I suggest be
>> documented in said wiki page, was to set a local password for "root"
>> user with smbpasswd -a root, then temporarily switch to "security =
>> user", restart samba,  grant the privs., then switch back to "security =
>> ads".
>>
>> I'm not sure why the password is not accepted.  When I use my own creds.
>> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
>> the error message changes to NT_STATUS_ACCESS_DENIED.
>>
>> At least the archives will have this solution and hopefully it'll be
>> easier to find for the next guy/gal.
>>
>> Additional information:
>>
>> System is CentOS 7, Samba installed from distro packages (4.1.1-37).
>> Kerberos is set up and working (smbclient -k works). UNIX authentication
>> and nss is via sssd which is set up and working.
>>
>> My DCs are all Samba 4.1.12 compiled from source.
>>
>>
>>
>
> I agree something is wrong, but not SELinux! I already disabled it.
>

Well, I have it "working"... still something wrong but maybe you can 
help me now.  The command in the wiki is:

net rpc rights grant 'SAMDOM\Domain Admins' SePrintOperatorPrivilege -Uadministrator

But what ended up working for me was with "-Uroot".  It lets me set a 
password for 'Administrator' and 'root' as separate entities (samba-tool 
user setpassword) and authenticate ON THE DC with that user, but none of 
the member servers see the 'Administrator' user, and instead they only 
see 'root'.

My domain was a classicupgrade from a domain running from the Samba 1 
days that had been upgraded half a dozen times before going to Samba 4 AD.

Possibly something was strange in the migration that caused the 
'Administrator' user to be 'root' instead.

Now that I think back to the foggy days of the past, I remember that 
when adding Windows machines to the domain we had to use 'root' and root 
password even back then.  So this goes way back.

-- 
Thanks,
David Mansfield
Cobite, INC.
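
Added example, not part of the original message: after a grant like the one above, a check of which accounts actually hold the privilege, fed from `net rpc rights list accounts` on stdin. The block layout it parses (account line, then one privilege per line, blank line between blocks) and the sample data are assumptions constructed for illustration; `holders_of`, `unexpected_holders` and `sample_rights` are hypothetical helper names.

```shell
#!/bin/sh
# Audit helper for `net rpc rights list accounts` output (added example).
# Assumed layout: an account name on its own line, then one privilege per
# line, with a blank line separating account blocks.

# Print every account that holds privilege $1, reading the listing on stdin.
holders_of() {
    awk -v want="$1" '
        /^[[:space:]]*$/ { acct = ""; next }   # blank line closes a block
        acct == ""       { acct = $0; next }   # first line of a block: account
        $0 == want       { print acct }        # remaining lines: privileges
    '
}

# Print holders of privilege $1 that are NOT in the allow-list $2
# (one account per line). Prints nothing when only expected accounts hold it.
unexpected_holders() {
    holders_of "$1" | grep -Fvx -e "$2"
}

# Constructed sample listing, not captured from a real server.
sample_rights() {
    cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

SAMDOM\Domain Admins
SePrintOperatorPrivilege

BUILTIN\Administrators
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned
EOF
}

# Demonstration on the constructed sample; on a real member server, pipe
# the output of `net rpc rights list accounts` into holders_of instead.
sample_rights | holders_of SePrintOperatorPrivilege
```
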

