[Samba] Samba4 as AD member & local rights problem...

Thomas Besser thomas.besser at kit.edu
Wed Sep 25 01:37:19 MDT 2013 

Hi Marc,

Am 24.09.2013 23:46, schrieb Marc Muehlfeld:
> Am 24.09.2013 09:13, schrieb Thomas Besser:
>   > Like described here
>   > (http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-
>   > from-cups/)
>   > I enabled 'root' for short and granted the 'SePrintOperator' right
>   > to a normal account and switched back to security = ads
>
> I'm not sure if I understand this. Did you took the server out of the
> domain and temporary downgrade it to a standalone server for granting
> the privilege?

Yes.

> Can you make sure, that the privilege was granted to a _domain account_?
> # net rpc rights list accounts -Uadministrator

Okay, yes and no ;-)

It's a little bit difficult to describe...

We have a special setup in our large institution: we have an ldap and AD 
filled from an identity management with all employees separated by OU's. 
Thats the reason why I don't have an 'Domain Admin' account, because I 
administrate only a small part of it. For our OU my personal account is 
getting delegated rights (domain join, GPO, creating AD accounts).

Our samba4 server uses AD for authentication (User & Password exists), 
the underlaying linux (NSS & PAM) uses LDAP. Found this here: 
https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP

The privileged account 'Admin' is only known in AD (created manually), 
not in LDAP. Therefore I created it locally in /etc/passwd on the samba4 
server.

That should be the reason, why the process of privileging in standalone 
mode worked!?

>   > Now the next problem arises:
>   >
>   > I can now upload the win drivers as described in your howto section
>   > "Uploading printer drivers for Point'n'Print driver installation"
>   > successfully. I can also see the files in the samba drivers share.
>   >
>   > But I can not associate it with a printer! The dropdown on
>   > https://wiki.samba.org/index.php/File:Choose_driver.png is empty!
>
> I haven't had this case yet. Just some questions that may help us to
> find the cause of your problem:
>
> - Do you connect to to the server as the user you granted the
> SePrintOperator permissions to?

Yes

> - Is the user you granted the permission to is a domain account?

Yes (and locally created too on linux server). In samba it is shown like 
this:

net rpc rights list accounts -U Admin

[...]
Unix User\Admin
SePrintOperatorPrivilege
[...]

> - The account you use to associate the driver with a printer is the same
> than the one you used for uploading the drivers?

Yes

> - Did the driver upload wizzard runs fine? Or any errors or untypical
> messages?

Yes, no errors. After that I can see it over 'server properties'. I can 
also delete it. Only if I switch to the 'printer properties' the 
dropdown is empty. So I can not associate over windows.

> - Can you associate the driver on *nix side by using 'rpcclient'? (see
> https://wiki.samba.org/index.php/Samba_as_a_print_server#Associating_a_shared_printer_with_a_driver_and_preconfiguring)

Yes.

rpcclient localhost -U Admin -c 'setdriver "printername" "name of
printer driver"'

After that I can see also in windows that the dropdown is not empty any 
more.

I uploaded a second driver to test, if I can then switch to the second 
one. Result: no, I only see the orginally associated driver.

With 'rpcclient localhost -U Admin -c "enumdrivers" I see both drivers.

> - Is the combobox still empty, if you use a domain admin account (grant
> the privilege to first)?

I don't have a domain admin account (see our special environment above)

Regards
Thomas

More information about the samba mailing list