[SOLVED-ish] unable to grant print operator privileges + workaround

Richard Sharpe realrichardsharpe at gmail.com
Wed Dec 24 09:58:11 MST 2014


On Wed, Dec 24, 2014 at 8:44 AM, David Mansfield <samba at dm.cobite.com> wrote:
> On 12/24/2014 10:45 AM, Richard Sharpe wrote:
>>
>> On Wed, Dec 24, 2014 at 6:41 AM, David Mansfield <samba at dm.cobite.com>
>> wrote:
>>>
>>> On 12/23/2014 04:31 PM, David Mansfield wrote:
>>>>
>>>> On 12/23/2014 02:24 PM, David Mansfield wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I was trying to follow the wiki
>>>>>
>>>>> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
>>>>>
>>>>> and the command there didn't (doesn't?) work.  My system is set up with
>>>>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>>>>> worked. (NT_STATUS_LOGON_FAILURE).
>>>>>
>>>>> The workaround which I eventually found, and which I suggest be
>>>>> documented in said wiki page, was to set a local password for "root"
>>>>> user with smbpasswd -a root, then temporarily switch to "security =
>>>>> user", restart samba, grant the privs., then switch back to
>>>>> "security = ads".
>>>>>
>>>>> I'm not sure why the password is not accepted.  When I use my own
>>>>> creds. (instead of -Uadministrator, I use -Ume) it accepts the
>>>>> credentials but the error message changes to NT_STATUS_ACCESS_DENIED.
>>>>>
>>>>> At least the archives will have this solution and hopefully it'll be
>>>>> easier to find for the next guy/gal.
>>>>>
>>>>> Additional information:
>>>>>
>>>>> System is CentOS 7, samba installed from distro packages (4.1.1-37).
>>>>> Kerberos is set up and working (smbclient -k works). UNIX
>>>>> authentication and nss is via sssd which is set up and working.
>>>>>
>>>>> My DCs are all samba 4.1.12 compiled from source.
>>>>>
>>>>
>>>> I agree something is wrong, but not SELinux! I already disabled it.
>>>>
>>>
>>> Well, I have it "working"... still something wrong but maybe you can help
>>> me now.  The command in the wiki is:
>>>
>>> net rpc rights grant 'SAMDOM\Domain Admins' SePrintOperatorPrivilege
>>> -Uadministrator
>>>
>>> But what ended up working for me was with "-Uroot".  It lets me set
>>> password for 'Administrator' and 'root' as separate entities (samba-tool
>>> user setpassword) and authenticate ON THE DC with that user, but none of
>>> the member servers see the 'Administrator' user, and instead they only
>>> see 'root'.
>>
>> This sounds like you do not have an Administrator account on that
>> machine or you do not know the password or there are logon
>> restrictions of some sort.
>>
>> The log should show why the logon as Administrator failed. Sometimes
>> it is because of a lack of a mapping from SIDs to UIDs/GIDs, etc.
>>
>
> How does a machine level Administrator account (MACHINE\Administrator) get
> created for a member server?  There's a domain level administrator
> (DOMAIN\Administrator), but it sounds like that's not the same thing. Also,
> for "net rpc rights", how can UID/GID mapping come into play? There are no
> UNIX creds here, it's pure "windows" level stuff, right?
>
> I'm using security = ads, and there's no winbind because 'sssd' is being
> used.

There are still local accounts, and Administrator would be one of
those. root definitely is. You might have to manually create it if the
standard stuff does not provision a local Administrator account.

The mapping is needed because during the SessionSetup (logon) Samba
needs UNIX account info, including a UID and GID to complete the
session setup. If it cannot get them it will fail the logon.

The log file will contain the details. Find the
NT_STATUS_LOGON_FAILURE in the log file and work backwards (towards
the top of the file.) You should be able to find out where things
first went off the rails and that should give you a clue.

It might not be the mapping issue, that is just one of the things I
routinely run into in member servers, often because I forgot to update
/etc/nsswitch.conf.

smbpasswd is one way to add local users.

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
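The workaround David describes in the quoted messages (local root password, temporarily "security = user", grant, switch back), scripted so the original security mode is always restored. This is an added example, not code from the thread or from the Samba project; it assumes smb.conf lives at /etc/samba/smb.conf (override with $SMB_CONF) and that the CentOS 7 samba package's systemd unit is named "smb".

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: the workaround the
# quoted messages describe, scripted so that the original security mode is put
# back even if a step fails (the server should not sit in security = user any
# longer than the grant takes).
# Assumptions: smb.conf at $SMB_CONF (default below) and a systemd unit named
# "smb" for the CentOS 7 samba package; both are this example's guesses.

SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
ORIG_MODE=""

# Print the current "security =" value (first match, i.e. the [global] one).
get_security_mode() {
    awk 'tolower($0) ~ /^[ \t]*security[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Print the config with the first "security =" line rewritten to the given
# mode; pure text transform, every other line passes through unchanged.
set_security_mode() {
    awk -v mode="$2" '
        !done && tolower($0) ~ /^[ \t]*security[ \t]*=/ {
            print "\tsecurity = " mode; done = 1; next }
        { print }' "$1"
}

# Rewrite the file in place via a temp copy, so a failed awk never truncates it.
write_security_mode() {
    set_security_mode "$1" "$2" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

restore_security_mode() {
    [ -n "$ORIG_MODE" ] || return 0
    write_security_mode "$SMB_CONF" "$ORIG_MODE" && systemctl restart smb
}

# Grant SePrintOperatorPrivilege to a group such as 'SAMDOM\Domain Admins'
# using the local root account while the server is briefly in security = user.
grant_print_operator() {
    ORIG_MODE="$(get_security_mode "$SMB_CONF")"
    trap restore_security_mode EXIT
    smbpasswd -a root                   # local password for root, as in the thread
    write_security_mode "$SMB_CONF" user && systemctl restart smb
    net rpc rights grant "$1" SePrintOperatorPrivilege -Uroot
}

if [ "${1:-}" = "--grant" ]; then
    grant_print_operator "$2"   # e.g. ./grant-print-op.sh --grant 'SAMDOM\Domain Admins'
fi
```

The EXIT trap is the point: whatever happens after the switch, smb.conf goes back to its previous mode and samba is restarted, so the member server is not left accepting local-password logons.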

