[Samba] samba, ADS and privileges management

Guillaume Rousse Guillaume.Rousse at inria.fr
Tue Jan 27 16:35:17 GMT 2009


Hello list.

I once had a samba server acting as a PDC, a mapping between my NT 
'Domain admins' and Unix 'admins' groups, and everything worked perfectly.

Now I have a shiny new samba server acting as a print server only, member 
of an AD domain, and I can't have the members of the 'Domain admins' group 
manage printing drivers on the server, whereas the Administrator account 
can.

Here is my smb.conf:
[global]
    workgroup = MSR-INRIA
    realm = MSR-INRIA.IDF
    security = ads
    printcap name = cups
    load printers = yes
    printing = cups
...

[printers]
     comment = All Printers
     path = /var/spool/samba
     browseable = no
     guest ok = yes
     writable = no
     printable = yes
     create mode = 0700
     print command = lpr-cups -P %p -o raw %s -r
     use client driver = yes

[print$]
    comment = Windows print drivers
    path = /var/lib/samba/printers
    browseable = yes
    write list = root, @admins
    guest ok = yes
    inherit permissions = yes


AD membership is fine:
- 'net ads testjoin' is OK
[root at etoile samba]# net ads testjoin
Join is OK

- I can get a tgt for the administrator account:
[root at etoile samba]# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: Administrateur at MSR-INRIA.IDF

   Issued           Expires          Principal
Jan 27 16:07:12  Jan 28 02:07:12  krbtgt/MSR-INRIA.IDF at MSR-INRIA.IDF
Jan 27 16:15:11  Jan 28 02:07:12  concorde$@MSR-INRIA.IDF

- I can get ADS groups and users list
[root at etoile samba]# net ads group
HelpServicesGroup
TelnetClients
IIS_WPG
Administrateurs
Utilisateurs
...

So basically, AD membership seems to be OK.

I'm using this file for mapping Unix and Windows users[2]:
!root = MSR-INRIA.IDF\Administrateur MSR-INRIA\Administrateur
!rousse = MSR-INRIA.INRIA.FR\rousse MSR-INRIA.IDF\rousse MSR-INRIA\rousse

By construction, every 'MSR-INRIA.IDF\foo' windows user exists as 'foo' 
unix user, as we sync the AD ldap tree from our Unix tree, so I may as 
well use a script, but I guess that's just another way to achieve the 
same result.

When connecting to my printing share, samba seems to recognize I'm 
member of the special domain admins group (rid 512), from my kerberos 
ticket:
[2009/01/27 16:53:11, 3] smbd/process.c:switch_message(927)
   switch message SMBtconX (pid 15236) conn 0x0
[2009/01/27 16:53:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/01/27 16:53:11, 5] auth/auth_util.c:debug_nt_user_token(448)
   NT user token: (NULL)
[2009/01/27 16:53:11, 5] auth/auth_util.c:debug_unix_user_token(474)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2009/01/27 16:53:11, 5] smbd/uid.c:change_to_root_user(288)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2009/01/27 16:53:11, 4] smbd/reply.c:reply_tcon_and_X(506)
   Client requested device type [?????] for share [IPC$]
[2009/01/27 16:53:11, 5] smbd/service.c:make_connection(1205)
   making a connection to 'normal' service ipc$
[2009/01/27 16:53:11, 5] lib/username.c:Get_Pwnam_alloc(131)
   Finding user rousse
[2009/01/27 16:53:11, 5] lib/username.c:Get_Pwnam_internals(75)
   Trying _Get_Pwnam(), username as lowercase is rousse
[2009/01/27 16:53:11, 5] lib/username.c:Get_Pwnam_internals(108)
   Get_Pwnam_internals did find user [rousse]!
[2009/01/27 16:53:11, 3] smbd/service.c:make_connection_snum(806)
   Connect path is '/var/tmp' for service [IPC$]
[2009/01/27 16:53:11, 4] lib/sharesec.c:get_share_security(132)
   get_share_security: using default secdesc for IPC$
[2009/01/27 16:53:11, 3] lib/util_seaccess.c:se_access_check(250)
[2009/01/27 16:53:11, 3] lib/util_seaccess.c:se_access_check(251)
   se_access_check: user sid is S-1-22-1-5012
   se_access_check: also S-1-5-21-911279556-1797085143-1335962226-512
   se_access_check: also S-1-1-0
   se_access_check: also S-1-5-2
   se_access_check: also S-1-5-11
   se_access_check: also S-1-22-2-5005
   se_access_check: also S-1-22-2-5000

However, the buttons allowing drivers to be changed are greyed out, both 
in the global print server properties window and in the individual 
printer 'advanced' settings.

I tried to add explicit group mappings, as explained at 
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html#id2572028:
[root at etoile ~]# net groupmap list
Domain Admins (S-1-5-21-911279556-1797085143-1335962226-512) -> admins
Domain Guests (S-1-5-21-911279556-1797085143-1335962226-514) -> guests
Domain Users (S-1-5-21-911279556-1797085143-1335962226-513) -> users

However, the same documentation says 'Group mappings are essential only 
if the Samba server is running as a PDC/BDC', which is not my case, so 
I assume it's useless. Also, I wonder if I'm supposed to use the localized 
group name 'Admins du domaine' rather than the English one 'Domain admins' 
for the mapping, or if the use of the rid is enough.

I also tried to set explicit privileges, without success:
[root at etoile samba]# net -w MSR-INRIA.IDF -U Administrateur rpc rights 
grant 'MSR-INRIA.IDF\rousse' SePrintOperatorPrivilege
Password:
Failed to grant privileges for MSR-INRIA.IDF\rousse 
(NT_STATUS_ACCESS_DENIED)

Enumerating existing privileges seems to imply my domain admins group 
only has SeMachineAccountPrivilege currently:
[root at etoile samba]# net -w MSR-INRIA.IDF -U Administrateur rpc rights 
list accounts
Password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

S-1-5-21-2709371413-4020681702-788637496-5012
SeMachineAccountPrivilege

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

Any help appreciated here to understand what I'm doing wrong. BTW, I'm 
using samba-3.0.28a on a Linux platform. I may eventually consider 
upgrading if needed.

[1] I'm using a localized Win 2003 AD server, hence the french names
[2] I'm authenticating Windows users using a Heimdal server, hence the 
presence of both MSR-INRIA.INRIA.FR\rousse and MSR-INRIA.IDF\rousse entries.
-- 
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Ile de France
Tel: 01 69 35 69 62
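An added diagnostic, not from the post and not part of Samba, that cross-references the two outputs quoted above: it pulls the SIDs smbd listed for the session token out of the `se_access_check` debug lines, parses the `net rpc rights list accounts` listing into account-to-privilege sets, and reports which token SIDs directly hold a given privilege and which name-keyed accounts (BUILTIN\...) hold it. The sample inputs are constructed, abbreviated copies of the post's own output; the log format, SIDs and privilege names come from the post.

```python
import re

# Constructed sample inputs, abbreviated from the smbd debug log and the
# `net rpc rights list accounts` output quoted in the post above.
SMBD_LOG = """\
   se_access_check: user sid is S-1-22-1-5012
   se_access_check: also S-1-5-21-911279556-1797085143-1335962226-512
   se_access_check: also S-1-1-0
   se_access_check: also S-1-5-11
   se_access_check: also S-1-22-2-5005
"""

RIGHTS_OUTPUT = """\
BUILTIN\\Print Operators
No privileges assigned

S-1-5-21-2709371413-4020681702-788637496-5012
SeMachineAccountPrivilege

BUILTIN\\Administrators
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
"""

SID_RE = re.compile(r"se_access_check: (?:user sid is|also) (S-[\d-]+)")

def token_sids(log):
    """Every SID smbd listed for the session's NT token, in log order."""
    return SID_RE.findall(log)

def parse_rights(text):
    """Map each account (name or SID) to the set of privileges it holds.
    Blocks are separated by blank lines; the first line names the account."""
    rights = {}
    for block in text.strip().split("\n\n"):
        lines = [l.strip() for l in block.strip().splitlines()]
        privs = lines[1:]
        rights[lines[0]] = set() if privs == ["No privileges assigned"] else set(privs)
    return rights

def holders_in_token(log, text, privilege):
    """Return (token SIDs directly assigned `privilege`, name-keyed accounts
    assigned it). Name-keyed entries cannot be matched against the token here."""
    sids = set(token_sids(log))
    rights = parse_rights(text)
    direct = sorted(s for s in sids if privilege in rights.get(s, set()))
    by_name = sorted(a for a, p in rights.items()
                     if privilege in p and not a.startswith("S-"))
    return direct, by_name
```

Run against the real `log level = 5` output and the full rights listing, an empty first list for SePrintOperatorPrivilege means none of the SIDs in the session token is directly granted that privilege.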