[SOLVED-ish] unable to grant print operator privileges + workaround

Rowland Penny repenny241155 at gmail.com
Wed Dec 24 11:13:02 MST 2014


On 24/12/14 16:58, Richard Sharpe wrote:
> On Wed, Dec 24, 2014 at 8:44 AM, David Mansfield <samba at dm.cobite.com> wrote:
>> On 12/24/2014 10:45 AM, Richard Sharpe wrote:
>>> On Wed, Dec 24, 2014 at 6:41 AM, David Mansfield <samba at dm.cobite.com>
>>> wrote:
>>>>
>>>>
>>>> On 12/23/2014 04:31 PM, David Mansfield wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 12/23/2014 02:24 PM, David Mansfield wrote:
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I was trying to follow the wiki
>>>>>>
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
>>>>>>
>>>>>> and the command there didn't (doesn't?) work.  My system is set up with
>>>>>> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
>>>>>> worked (NT_STATUS_LOGON_FAILURE).
>>>>>>
>>>>>> The workaround which I eventually found, and which I suggest be
>>>>>> documented in said wiki page, was to set a local password for the "root"
>>>>>> user with smbpasswd -a root, then temporarily switch to "security = user",
>>>>>> restart samba, grant the privs., then switch back to "security = ads".
>>>>>>
>>>>>> I'm not sure why the password is not accepted.  When I use my own creds.
>>>>>> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
>>>>>> the error message changes to NT_STATUS_ACCESS_DENIED.
>>>>>>
>>>>>> At least the archives will have this solution and hopefully it'll be
>>>>>> easier to find for the next guy/gal.
>>>>>>
>>>>>> Additional information:
>>>>>>
>>>>>> System is CentOS 7, Samba installed from distro packages (4.1.1-37).
>>>>>> Kerberos is set up and working (smbclient -k works). UNIX authentication
>>>>>> and NSS is via sssd, which is set up and working.
>>>>>>
>>>>>> My DCs are all Samba 4.1.12 compiled from source.
>>>>>>
>>>>>>
>>>>>>
>>>>> I agree something is wrong, but not SELinux! I already disabled it.
>>>>>
>>>> Well, I have it "working"... still something wrong but maybe you can help
>>>> me now.  The command in the wiki is:
>>>>
>>>> net rpc rights grant 'SAMDOM\Domain Admins' SePrintOperatorPrivilege
>>>> -Uadministrator
>>>>
>>>> But what ended up working for me was with "-Uroot".  It lets me set
>>>> passwords for 'Administrator' and 'root' as separate entities (samba-tool
>>>> user setpassword) and authenticate ON THE DC with that user, but none of
>>>> the member servers see the 'Administrator' user, and instead they only see
>>>> 'root'.
>>>
>>> This sounds like you do not have an Administrator account on that
>>> machine or you do not know the password or there are logon
>>> restrictions of some sort.
>>>
>>> The log should show why the logon as Administrator failed. Sometimes
>>> it is because of a lack of a mapping from SIDs to UIDs/GIDs, etc.
>>>
>> How does a machine level Administrator account (MACHINE\Administrator) get
>> created for a member server?  There's a domain level administrator
>> (DOMAIN\Administrator), but it sounds like that's not the same thing. Also,
>> for "net rpc rights", how can UID/GID mapping come into play? There are no
>> UNIX creds here, it's pure "windows" level stuff, right?
>>
>> I'm using security = ads, and there's no winbind because 'sssd' is being
>> used.
> There are still local accounts, and Administrator would be one of
> those. root definitely is. You might have to manually create it if the
> standard stuff does not provision a local Administrator account.
>
> The mapping is needed because during the SessionSetup (logon) Samba
> needs UNIX account info, including a UID and GID to complete the
> session setup. If it cannot get them it will fail the logon.
>
> The log file will contain the details. Find the
> NT_STATUS_LOGON_FAILURE in the log file and work backwards (towards
> the top of the file.) You should be able to find out where things
> first went off the rails and that should give you a clue.
>
> It might not be the mapping issue, that is just one of the things I
> routinely run into in member servers, often because I forgot to update
> /etc/nsswitch.conf.
>
> smbpasswd is one way to add local users.
>

You could always do what everybody else does on the member server, map 
Administrator to root.

Add a line to smb.conf:

username map = /etc/samba/smbmap

then create the file that it refers to:

!root = EXAMPLE\Administrator Administrator administrator

Restart samba

and there you go, Administrator will be mapped to root without any fancy 
tricks.

Rowland
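Added example, not code from this thread or from Samba itself: the matching rules that smb.conf(5) documents for "username map" (comment lines starting with # or ;, a leading ! that stops processing once that line matches, the * wildcard, @group entries, double-quoted names containing spaces, and case-insensitive comparison of Windows names), worked through in Python so you can see what a given login resolves to before you restart smbd. The map text, the UNIX group table and the names printops, printadmin, Joe Bloggs, alice, bob and carol are all constructed for the demonstration. Two caveats from the same man page are worth keeping in mind with Rowland's line: with security = user the map is applied before the credentials are validated, so the password that is checked is root's local smbpasswd entry; on a domain member (security = domain or ads) the map is applied after the DC has authenticated the user and requires fully qualified entries, so only the EXAMPLE\Administrator form does anything there.

```python
"""Resolve a Windows login name through a Samba-style 'username map' file.

Added example, not Samba's own code: it implements the matching rules that
smb.conf(5) documents for 'username map' (comment lines, '!' stop-on-match,
'*' wildcard, '@group' entries, double-quoted names containing spaces, and
case-insensitive comparison). The map text and the group table below are
constructed for this demonstration.
"""
import re

# Constructed map file. The first rule is the one from the thread; the other
# rules exist only to show how '!' interacts with a later wildcard rule.
SMBMAP = r"""
# Domain administrator becomes root; '!' stops processing once this line hits
!root = EXAMPLE\Administrator Administrator administrator
; members of the UNIX group 'printops' and "Joe Bloggs" become 'printadmin'
!printadmin = @printops "Joe Bloggs"
# catch-all for everything that reached this line unmapped
nobody = *
"""

# Constructed stand-in for the NSS group database (getgrnam / getgrouplist).
GROUPS = {"printops": {"alice", "bob"}}

# A right-hand side is a whitespace-separated list of names; a name that
# contains spaces is written in double quotes.
_NAME_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_map(text):
    """Return [(stop, unix_name, [windows_names]), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip():
            raise ValueError(f"malformed username map line: {raw!r}")
        names = [quoted or bare for quoted, bare in _NAME_RE.findall(rhs)]
        rules.append((stop, unix_name.strip(), names))
    return rules


def _in_group(user, group):
    members = GROUPS.get(group, set())
    return user.lower() in {m.lower() for m in members}


def _matches(user, name):
    if name == "*":
        return True
    if name.startswith("@"):
        return _in_group(user, name[1:])
    return name.lower() == user.lower()


def map_username(user, rules):
    """Walk the rules top to bottom; a hit rewrites 'user' for later rules."""
    for stop, unix_name, names in rules:
        if any(_matches(user, n) for n in names):
            user = unix_name
            if stop:
                break
    return user


if __name__ == "__main__":
    rules = parse_map(SMBMAP)
    for login in (r"EXAMPLE\Administrator", "ADMINISTRATOR", "Joe Bloggs",
                  "alice", "carol"):
        print(f"{login!r:28} -> {map_username(login, rules)!r}")
```

Run it as a script to see each constructed login resolved. The point of the leading ! is visible if you drop it from the root line: Administrator is first rewritten to root, root then falls through to the catch-all and ends up as nobody, which is exactly the "wildcard mapping line later in the file" case the man page warns about.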