[SOLVED-ish] unable to grant print operator privileges + workaround

David Mansfield samba at dm.cobite.com
Wed Dec 24 09:44:44 MST 2014


On 12/24/2014 10:45 AM, Richard Sharpe wrote:
> On Wed, Dec 24, 2014 at 6:41 AM, David Mansfield <samba at dm.cobite.com> wrote:
>>
>>
>> On 12/23/2014 04:31 PM, David Mansfield wrote:
>>>
>>>
>>>
>>> On 12/23/2014 02:24 PM, David Mansfield wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I was trying to follow the wiki
>>>>
>>>> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
>>>>
>>>> and the command there didn't (doesn't?) work.  My system is set up with
>>>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>>>> worked. (NT_STATUS_LOGON_FAILURE).
>>>>
>>>> The workaround which I eventually found, and which I suggest be
>>>> documented in said wiki page, was to set a local password for "root"
>>>> user with smbpasswd -a root, then temporarily switch to "security =
>>>> user", restart samba,  grant the privs., then switch back to "security =
>>>> ads".
>>>>
>>>> I'm not sure why the password is not accepted.  When I use my own creds.
>>>> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
>>>> the error message changes to NT_STATUS_ACCESS_DENIED.
>>>>
>>>> At least the archives will have this solution and hopefully it'll be
>>>> easier to find for the next guy/gal.
>>>>
>>>> Additional information:
>>>>
>>>> System is centos 7, samba installed from distro packages (4.1.1-37).
>>>> Kerberos is set up and working (smbclient -k works). UNIX authentication
>>>> and nss is via sssd which is set up and working.
>>>>
>>>> My DC are all samba 4.1.12 compiled from source.
>>>>
>>>>
>>>>
>>>
>>> I agree something is wrong, but not selinux! I already disabled it.
>>>
>>
>> Well, I have it "working"... still something wrong but maybe you can help me
>> now.  The command in the wiki is:
>>
>> net rpc rights grant 'SAMDOM\Domain Admins' SePrintOperatorPrivilege
>> -Uadministrator
>>
>> But what ended up working for me was with "-Uroot".  It lets me set password
>> for 'Administrator' and 'root' as separate entities (samba-tool user
>> setpassword) and authenticate ON THE DC with that user, but none of the
>> member servers see the 'Administrator' user, and instead they only see
>> 'root'.
>
> This sounds like you do not have an Administrator account on that
> machine or you do not know the password or there are logon
> restrictions of some sort.
>
> The log should show why the logon as Administrator failed. Sometimes
> it is because of a lack of a mapping from SIDs to UIDs/GIDs, etc.
>

How does a machine level Administrator account (MACHINE\Administrator)
get created for a member server?  There's a domain level administrator
(DOMAIN\Administrator), but it sounds like that's not the same thing.
Also, for "net rpc rights", how can UID/GID mapping come into play?
There are no UNIX creds here, it's pure "windows" level stuff, right?

I'm using security = ads, and there's no winbind because 'sssd' is being
used.

Thanks,
David
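The workaround quoted above (set a local smbpasswd for root, temporarily switch to "security = user", restart smbd, run "net rpc rights grant", switch back to "security = ads") is easy to get half-done by hand, leaving a member server running in user-level security with a live local root password. The script below is an added example, not something from this thread or from the Samba project: it wraps the same steps so the config change is reverted even when the grant fails and the throwaway root entry is removed afterwards. The smb.conf path, the service name "smb" (CentOS 7 naming) and the 'SAMDOM\Domain Admins' group are assumptions for illustration; the only prerequisite the thread names, "smbpasswd -a root", is left as a manual step because it prompts for a password.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): script the
# "temporarily switch to security = user" workaround so that the
# original setting is always restored and the local root entry
# created with "smbpasswd -a root" does not outlive the grant.

# Print the current value of "security =" from an smb.conf file.
get_smb_security() {
    sed -nE 's/^[[:space:]]*security[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p' "$1" | head -n1
}

# Rewrite "security =" in FILE to MODE (e.g. user or ads).  If no such
# line exists it is added directly under [global].  Prints the new value.
set_smb_security() {
    file="$1"; mode="$2"; tmp="${file}.tmp.$$"
    if grep -Eq '^[[:space:]]*security[[:space:]]*=' "$file"; then
        sed -E "s/^([[:space:]]*security[[:space:]]*=[[:space:]]*).*/\1${mode}/" "$file" > "$tmp"
    else
        awk -v m="$mode" '{ print } /^\[global\]/ { print "   security = " m }' "$file" > "$tmp"
    fi
    mv "$tmp" "$file"
    get_smb_security "$file"
}

# The workaround from the thread, run as one unit.  Assumes
# "smbpasswd -a root" has already been run by hand (it prompts).
#   $1 = path to smb.conf      (assumed: /etc/samba/smb.conf)
#   $2 = group to grant        (assumed: 'SAMDOM\Domain Admins')
grant_print_operator_workaround() {
    conf="$1"; group="$2"
    orig=$(get_smb_security "$conf")
    [ -n "$orig" ] || orig="ads"

    set_smb_security "$conf" user >/dev/null
    if ! systemctl restart smb; then
        set_smb_security "$conf" "$orig" >/dev/null
        return 1
    fi

    # "-Uroot" is what worked for the original poster once a local
    # smbpasswd entry for root existed.
    net rpc rights grant "$group" SePrintOperatorPrivilege -Uroot
    rc=$?

    # Always put the member server back into its normal mode and drop the
    # local root entry so user-level auth with a root password is not left
    # enabled on a domain member.
    set_smb_security "$conf" "$orig" >/dev/null
    systemctl restart smb
    smbpasswd -x root
    return $rc
}

# Usage (on the member server, as root):
#   grant_print_operator_workaround /etc/samba/smb.conf 'SAMDOM\Domain Admins'
```

Afterwards "net rpc rights list accounts -Uroot" would no longer work, since the local root entry is gone; list the privileges with a domain account instead. The two helper functions are also handy on their own for checking that a member server really is back in "security = ads" after any manual fiddling.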