[Samba] access denied on printer driver upload

mourik jan heupink heupink at merit.unu.edu
Wed Jun 10 06:38:02 MDT 2015 

Hi,

I'm trying to upload printer drivers to my jessie samba 4.1.17 print 
server, but I'm getting: "Failed to add driver. Access denied", and I 
don't understand why.

The domain join is OK (verified with net ads testjoin) and on the DC I 
have given the SePrintOperatorPrivilege to the Domain Admins group, of 
which I am a member:

root at DC2:~#  net rpc rights list accounts -Umy-username
Enter my-username's password:
BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Account Operators
SeInteractiveLogonRight

OUR-WKGR\Domain Admins
SePrintOperatorPrivilege
SeDiskOperatorPrivilege
...

However, on my print server only the BUILTIN groups are shown, no 
OUR-WKGR. Perhaps this is expected, but trying to grand 
SePrintOperatorPrivilege to the Domain Admins on the printserver does 
also not work:

> root at printserver:/etc/cups# net rpc rights grant 'OUR-WKGR\domain admins' SePrintOperatorPrivilege -Umy-username
> Enter my-username's password:
> Failed to grant privileges for OUR-WKGR\domain admins (NT_STATUS_ACCESS_DENIED)
> root at printserver:/etc/cups#

The logs on printserver show:

> [2015/06/10 14:30:12.840280,  5] ../source3/auth/token_util.c:629(debug_unix_user_token)
>   UNIX token of user 1014
>   Primary group is 513 and contains 34 supplementary groups
>   Group[  0]: 513
>   Group[  1]: 1034
>   Group[  2]: 43989
>   Group[  3]: 26597
>   Group[  4]: 62494
>   Group[  5]: 23821
>   Group[  6]: 17363
>   Group[  7]: 512
>   Group[  8]: 17373
>   Group[  9]: 1074
>   Group[ 10]: 17369
>   Group[ 11]: 1047
>   Group[ 12]: 1081
> [2015/06/10 14:30:12.841903,  5] ../source3/rpc_server/srv_pipe.c:1324(api_pipe_request)
>   Requested \lsarpc rpc service
> [2015/06/10 14:30:12.842008,  4] ../source3/rpc_server/srv_pipe.c:1356(api_rpcTNP)
>   api_rpcTNP: \lsarpc op 0x25 - api_rpcTNP: rpc command: LSA_ADDACCOUNTRIGHTS
> [2015/06/10 14:30:12.842121,  4] ../source3/rpc_server/srv_access_check.c:105(access_check_object)
>   _lsa_AddAccountRights: access DENIED (requested: 0x0000000b, granted: 0x0000000a)
> [2015/06/10 14:30:12.842219,  5] ../source3/rpc_server/srv_pipe.c:1417(api_rpcTNP)
>   api_rpcTNP: called \lsarpc successfully

What am I missing? Am I doing something wrong?

MJ

More information about the samba mailing list