[Samba] access denied on printer driver upload

mourik jan heupink heupink at merit.unu.edu
Wed Jun 10 07:43:15 MDT 2015


And right after sending this message, I found the following link:

https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

where configuring a user.map is advised. I have done that, and was able 
to grant the SePrintOperatorPrivilege right.

I don't understand the solution, but it worked. :-)

On 6/10/2015 14:38, mourik jan heupink wrote:
> Hi,
>
> I'm trying to upload printer drivers to my jessie samba 4.1.17 print
> server, but I'm getting: "Failed to add driver. Access denied", and I
> don't understand why.
>
> The domain join is OK (verified with net ads testjoin) and on the DC I
> have given the SePrintOperatorPrivilege to the Domain Admins group, of
> which I am a member:
>
> root@DC2:~#  net rpc rights list accounts -Umy-username
> Enter my-username's password:
> BUILTIN\Print Operators
> SeLoadDriverPrivilege
> SeShutdownPrivilege
> SeInteractiveLogonRight
>
> BUILTIN\Account Operators
> SeInteractiveLogonRight
>
> OUR-WKGR\Domain Admins
> SePrintOperatorPrivilege
> SeDiskOperatorPrivilege
> ...
>
> However, on my print server only the BUILTIN groups are shown, no
> OUR-WKGR. Perhaps this is expected, but trying to grant
> SePrintOperatorPrivilege to the Domain Admins on the printserver does
> also not work:
>
>> root@printserver:/etc/cups# net rpc rights grant 'OUR-WKGR\domain admins' SePrintOperatorPrivilege -Umy-username
>> Enter my-username's password:
>> Failed to grant privileges for OUR-WKGR\domain admins (NT_STATUS_ACCESS_DENIED)
>> root@printserver:/etc/cups#
>
> The logs on printserver show:
>
>> [2015/06/10 14:30:12.840280,  5]
>> ../source3/auth/token_util.c:629(debug_unix_user_token)
>>   UNIX token of user 1014
>>   Primary group is 513 and contains 34 supplementary groups
>>   Group[  0]: 513
>>   Group[  1]: 1034
>>   Group[  2]: 43989
>>   Group[  3]: 26597
>>   Group[  4]: 62494
>>   Group[  5]: 23821
>>   Group[  6]: 17363
>>   Group[  7]: 512
>>   Group[  8]: 17373
>>   Group[  9]: 1074
>>   Group[ 10]: 17369
>>   Group[ 11]: 1047
>>   Group[ 12]: 1081
>> [2015/06/10 14:30:12.841903,  5]
>> ../source3/rpc_server/srv_pipe.c:1324(api_pipe_request)
>>   Requested \lsarpc rpc service
>> [2015/06/10 14:30:12.842008,  4]
>> ../source3/rpc_server/srv_pipe.c:1356(api_rpcTNP)
>>   api_rpcTNP: \lsarpc op 0x25 - api_rpcTNP: rpc command:
>> LSA_ADDACCOUNTRIGHTS
>> [2015/06/10 14:30:12.842121,  4]
>> ../source3/rpc_server/srv_access_check.c:105(access_check_object)
>>   _lsa_AddAccountRights: access DENIED (requested: 0x0000000b,
>> granted: 0x0000000a)
>> [2015/06/10 14:30:12.842219,  5]
>> ../source3/rpc_server/srv_pipe.c:1417(api_rpcTNP)
>>   api_rpcTNP: called \lsarpc successfully
>
> What am I missing? Am I doing something wrong?
>
> MJ
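
A small parser that picks the access-check denial out of a Samba debug log like the one quoted in the original message, and reports which requested access-mask bits were not granted. This is an added example, not part of the thread or of Samba; the sample input is rebuilt from the quoted log lines with the mail wrapping undone, and the function names are hypothetical.

```python
import re

# Constructed sample: log lines quoted in the post, mail wrapping undone.
SAMPLE_LOG = """\
[2015/06/10 14:30:12.842008,  4] ../source3/rpc_server/srv_pipe.c:1356(api_rpcTNP)
  api_rpcTNP: \\lsarpc op 0x25 - api_rpcTNP: rpc command: LSA_ADDACCOUNTRIGHTS
[2015/06/10 14:30:12.842121,  4] ../source3/rpc_server/srv_access_check.c:105(access_check_object)
  _lsa_AddAccountRights: access DENIED (requested: 0x0000000b, granted: 0x0000000a)
[2015/06/10 14:30:12.842219,  5] ../source3/rpc_server/srv_pipe.c:1417(api_rpcTNP)
  api_rpcTNP: called \\lsarpc successfully
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s*(?P<where>\S*)")
DENIED = re.compile(r"(?P<call>\w+): access DENIED "
                    r"\(requested: (?P<req>0x[0-9a-fA-F]+),\s*granted: (?P<got>0x[0-9a-fA-F]+)\)")
RPC_CMD = re.compile(r"rpc command:\s*(?P<cmd>\w+)")

def records(text):
    """Yield (timestamp, source location, message) for each log record."""
    head, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if head:
                yield head["ts"], head["where"], " ".join(body)
            head, body = m, []
        elif head and line.strip():
            body.append(line.strip())
    if head:
        yield head["ts"], head["where"], " ".join(body)

def find_denials(text):
    """Return one dict per denial, tagged with the RPC command seen just before it."""
    out, last_cmd = [], None
    for ts, where, msg in records(text):
        cmd = RPC_CMD.search(msg)
        if cmd:
            last_cmd = cmd["cmd"]
        d = DENIED.search(msg)
        if d:
            req, got = int(d["req"], 16), int(d["got"], 16)
            out.append({"time": ts, "rpc": last_cmd, "check": d["call"],
                        "where": where, "missing": req & ~got})
    return out

if __name__ == "__main__":
    for hit in find_denials(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["rpc"]} {hit["check"]} missing=0x{hit["missing"]:08x}')
```

Run against a level 4 or higher log, this turns each `access DENIED` record into a single line naming the RPC call and the missing bits.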

