[Samba] Samba4 as AD member & local rights problem...
thomas.besser at kit.edu
Wed Sep 25 01:37:19 MDT 2013
On 24.09.2013 23:46, Marc Muehlfeld wrote:
> On 24.09.2013 09:13, Thomas Besser wrote:
> > Like described here
> > (http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-from-cups/)
> > I enabled 'root' for short and granted the 'SePrintOperator' right
> > to a normal account and switched back to security = ads
> I'm not sure if I understand this. Did you take the server out of the
> domain and temporarily downgrade it to a standalone server for granting
> the privilege?
> Can you make sure, that the privilege was granted to a _domain account_?
> # net rpc rights list accounts -Uadministrator
Okay, yes and no ;-)
It's a little bit difficult to describe...
We have a special setup in our large institution: we have an ldap and AD
filled from an identity management with all employees separated by OUs.
That's the reason why I don't have a 'Domain Admin' account, because I
administrate only a small part of it. For our OU my personal account is
getting delegated rights (domain join, GPO, creating AD accounts).
Our samba4 server uses AD for authentication (User & Password exists),
the underlying Linux (NSS & PAM) uses LDAP. Found this here:
The privileged account 'Admin' is only known in AD (created manually),
not in LDAP. Therefore I created it locally in /etc/passwd on the samba4
That should be the reason, why the process of privileging in standalone
> > Now the next problem arises:
> > I can now upload the win drivers as described in your howto section
> > "Uploading printer drivers for Point'n'Print driver installation"
> > successfully. I can also see the files in the samba drivers share.
> > But I can not associate it with a printer! The dropdown on
> > https://wiki.samba.org/index.php/File:Choose_driver.png is empty!
> I haven't had this case yet. Just some questions that may help us to
> find the cause of your problem:
> - Do you connect to the server as the user you granted the
> SePrintOperator permissions to?
> - Is the user you granted the permission to a domain account?
Yes (and locally created too on linux server). In samba it is shown like
net rpc rights list accounts -U Admin
> - The account you use to associate the driver with a printer is the same
> as the one you used for uploading the drivers?
> - Did the driver upload wizard run fine? Or any errors or untypical
Yes, no errors. After that I can see it over 'server properties'. I can
also delete it. Only if I switch to the 'printer properties' the
dropdown is empty. So I can not associate over windows.
> - Can you associate the driver on *nix side by using 'rpcclient'? (see
rpcclient localhost -U Admin -c 'setdriver "printername" "name of
After that I can see also in windows that the dropdown is not empty any
I uploaded a second driver to test, if I can then switch to the second
one. Result: no, I only see the originally associated driver.
With 'rpcclient localhost -U Admin -c "enumdrivers"' I see both drivers.
> - Is the combobox still empty, if you use a domain admin account (grant
> the privilege to first)?
I don't have a domain admin account (see our special environment above)