[Samba] access denied on printer driver upload
mourik jan heupink
heupink at merit.unu.edu
Wed Jun 10 06:38:02 MDT 2015
Hi,
I'm trying to upload printer drivers to my jessie samba 4.1.17 print
server, but I'm getting: "Failed to add driver. Access denied", and I
don't understand why.
The domain join is OK (verified with net ads testjoin) and on the DC I
have given the SePrintOperatorPrivilege to the Domain Admins group, of
which I am a member:
root at DC2:~# net rpc rights list accounts -Umy-username
Enter my-username's password:
BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight
BUILTIN\Account Operators
SeInteractiveLogonRight
OUR-WKGR\Domain Admins
SePrintOperatorPrivilege
SeDiskOperatorPrivilege
...
However, on my print server only the BUILTIN groups are shown, no
OUR-WKGR. Perhaps this is expected, but trying to grand
SePrintOperatorPrivilege to the Domain Admins on the printserver does
also not work:
> root at printserver:/etc/cups# net rpc rights grant 'OUR-WKGR\domain admins' SePrintOperatorPrivilege -Umy-username
> Enter my-username's password:
> Failed to grant privileges for OUR-WKGR\domain admins (NT_STATUS_ACCESS_DENIED)
> root at printserver:/etc/cups#
The logs on printserver show:
> [2015/06/10 14:30:12.840280, 5] ../source3/auth/token_util.c:629(debug_unix_user_token)
> UNIX token of user 1014
> Primary group is 513 and contains 34 supplementary groups
> Group[ 0]: 513
> Group[ 1]: 1034
> Group[ 2]: 43989
> Group[ 3]: 26597
> Group[ 4]: 62494
> Group[ 5]: 23821
> Group[ 6]: 17363
> Group[ 7]: 512
> Group[ 8]: 17373
> Group[ 9]: 1074
> Group[ 10]: 17369
> Group[ 11]: 1047
> Group[ 12]: 1081
> [2015/06/10 14:30:12.841903, 5] ../source3/rpc_server/srv_pipe.c:1324(api_pipe_request)
> Requested \lsarpc rpc service
> [2015/06/10 14:30:12.842008, 4] ../source3/rpc_server/srv_pipe.c:1356(api_rpcTNP)
> api_rpcTNP: \lsarpc op 0x25 - api_rpcTNP: rpc command: LSA_ADDACCOUNTRIGHTS
> [2015/06/10 14:30:12.842121, 4] ../source3/rpc_server/srv_access_check.c:105(access_check_object)
> _lsa_AddAccountRights: access DENIED (requested: 0x0000000b, granted: 0x0000000a)
> [2015/06/10 14:30:12.842219, 5] ../source3/rpc_server/srv_pipe.c:1417(api_rpcTNP)
> api_rpcTNP: called \lsarpc successfully
What am I missing? Am I doing something wrong?
MJ
More information about the samba
mailing list