[SOLVED-ish] unable to grant print operator privileges + workaround

Richard Sharpe realrichardsharpe at gmail.com
Wed Dec 24 08:45:41 MST 2014


On Wed, Dec 24, 2014 at 6:41 AM, David Mansfield <samba at dm.cobite.com> wrote:
>
>
> On 12/23/2014 04:31 PM, David Mansfield wrote:
>>
>>
>>
>> On 12/23/2014 02:24 PM, David Mansfield wrote:
>>>
>>> Hi All,
>>>
>>> I was trying to follow the wiki
>>>
>>> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
>>>
>>> and the command there didn't (doesn't?) work.  My system is set up with
>>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>>> worked. (NT_STATUS_LOGON_FAILURE).
>>>
>>> The workaround which I eventually found, and which I suggest be
>>> documented in said wiki page, was to set a local password for "root"
>>> user with smbpasswd -a root, then temporarily switch to "security =
>>> user", restart samba,  grant the privs., then switch back to "security =
>>> ads".
>>>
>>> I'm not sure why the password is not accepted.  When I use my own creds.
>>> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
>>> the error message changes to NT_STATUS_ACCESS_DENIED.
>>>
>>> At least the archives will have this solution and hopefully it'll be
>>> easier to find for the next guy/gal.
>>>
>>> Additional information:
>>>
>>> System is centos 7, samba installed from distro packages (4.1.1-37).
>>> Kerberos is set up and working (smbclient -k works). UNIX authentication
>>> and nss is via sssd which is set up and working.
>>>
>>> My DC are all samba 4.1.12 compiled from source.
>>>
>>>
>>>
>>
>> I agree something is wrong, but not selinux! I already disabled it.
>>
>
> Well, I have it "working"... still something wrong but maybe you can help me
> now.  The command in the wiki is:
>
> net rpc rights grant 'SAMDOM\Domain Admins' SePrintOperatorPrivilege
> -Uadministrator
>
> But what ended up working for me was with "-Uroot".  It lets me set password
> for 'Administrator' and 'root' as separate entities (samba-tool user
> setpassword) and authenticate ON THE DC with that user, but none of the
> member servers see the 'Administrator' user, and instead they only see
> 'root'.

This sounds like you do not have an Administrator account on that
machine or you do not know the password or there are logon
restrictions of some sort.

The log should show why the logon as Administrator failed. Sometimes
it is because of a lack of a mapping from SIDs to UIDs/GIDs, etc.

> My domain was a classicupgrade from a domain running from the samba 1 days
> that had been upgraded half a dozen times before going to samba 4 AD.
>
> Possibly something was strange in the migration that caused the
> 'Administrator' user to be 'root' instead.
>
> Now that I think back to the foggy days of the past, I remember that when
> adding windows machines to the domain we had to use 'root' and root password
> even back then.  So this goes way back.
>
>
> --
> Thanks,
> David Mansfield
> Cobite, INC.



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)


More information about the samba-technical mailing list