[Samba] SePrintOperatorPrivilege NT_STATUS_LOGON_FAILURE

calm.job89448 at fastmail.com calm.job89448 at fastmail.com
Wed Jun 5 15:25:52 UTC 2024 

Hi Rowland,

thanks again.

On Wed, Jun 5, 2024, at 17:10, Rowland Penny via samba wrote:

>> I tried both. First sudo, as I setup everything with sudo and out of
>> curiosity with root. No luck.
>> Was it wrong to setup as user with sudo privileges?
>
> No, it should work, perhaps you have a dns problem. Can you please post
> the contents of:
> /etc/resolv.conf
domain mydomain.work
search mydomain.work
nameserver 10.1.1.1
nameserver 10.1.1.3

> /etc/hostname
prnt01

> /etc/hosts
127.0.0.1       localhost
10.1.1.33       prnt01.mydomain.work    prnt01

> Can you also explain why there doesn't appear to be any 'idmap config'
> lines in your smb.conf ?

Sorry, thought I'd only post what I thought is relevant.

Here's the complete smb.conf

# Global parameters
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.WORK
server role = member server
log file = /var/log/samba/%m.log
bind interfaces only = yes
# Please substitute your own physical cards here:
interfaces = lo ens18

# Enable Group Policy application in winbind,
apply group policies = yes

# winbind config:
winbind use default domain = yes

# The following options are only useful for testing. Comment out in production.    
# winbind enum users = yes  
# winbind enum groups = yes

# Map Administrator to root
username map = /etc/samba/user.map
min domain uid = 0

# Kerberos
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

# Configure shares using extended access control lists (ACL)
# Needed for Linux, as it does not support NFS4 ACLs
vfs objects = acl_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes

# Veto Files (do not allow these files in the server)
veto files = /Thumbs.db/.DS_Store/._.DS_Store/.com.apple*/.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/. at __thumb/. at __desc>
delete veto files = yes

# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# idmap config for the MYDOMAIN domain using the rid backend
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999

# Printing options in [global] section of smb.conf
      printing = CUPS
      spoolss: architecture = Windows x64
      load printers = yes

[printers]
     path = /var/tmp/
     printable = yes

[print$]
     path = /var/lib/samba/printer_drivers/
     read only = no


Thanks!

More information about the samba mailing list