[Samba] Samba4 as AD member & local rights problem...

Thomas Besser thomas.besser at kit.edu
Fri Sep 20 01:11:15 MDT 2013

Hi Marc,

Am 19.09.2013 21:07, schrieb Marc Muehlfeld:
> Am 19.09.2013 16:27, schrieb Thomas Besser:
>> have a samba4 server as AD member (security =ADS). I have no account
>> with "Domain Admin" rights, only a normal account with delegated
>> privilege to managing GPO and for domain join.
>> I can not manage the printserver resp. upload the win drivers. The
>> smb.conf option 'printer admin' is gone with v4.
> Have a look at the print server HowTo, I wrote:
> http://wiki.samba.org/index.php/Samba_as_a_print_server

I know that.

But "net rpc rights list accounts -Uadministrator" let me estimate, that 
there samba4 is running as AD PDC!?

So in my environment samba4 is running as "AD member", a so called user 
'Administrator' is not there.

I have a 'root' accont on linux, but this user is not known in AD 
(Windows 2008 R2).

>> Also I tried to grant the SePrintOperatorPrivilege to a normal domain
>> user. Got also stuck.
> What went wrong?
> http://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges

net rpc rights grant "DOM\admin" SePrintOperatorPrivilege -U myaccount
Enter myaccount's password:
Failed to grant privileges for DOM\admin (NT_STATUS_ACCESS_DENIED)

'myaccount' has no "Domain Admin" privileges, so the error is logically.

I also tried that command with the help of a "Domain Admin", but same 
error message.

>> Every time the net command wants the 'root' password, but root is
>> unknown in the AD environment:
>> net rpc group addmem "SAMBASERVER\Administrators"
>> Enter root's password:
>> Could not connect to server
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
> .... -Uadministrator ?

That account does IMO not exist, because of AD member! The same with 'root'.


More information about the samba mailing list