unable to grant print operator privileges + workaround
David Mansfield
samba at dm.cobite.com
Tue Dec 23 14:31:14 MST 2014
On 12/23/2014 02:24 PM, David Mansfield wrote:
> Hi All,
>
> I was trying to follow the wiki
> https://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges
> and the command there didn't (doesn't?) work. My system is set up with
> security = ads, but neither -Uadministrator nor -U'DOMAIN\administrator'
> worked. (NT_STATUS_LOGON_FAILURE).
>
> The workaround which I eventually found, and which I suggest be
> documented in said wiki page, was to set a local password for "root"
> user with smbpasswd -a root, then temporarily switch to "security =
> user", restart samba, grant the privs., then switch back to "security =
> ads".
>
> I'm not sure why the password is not accepted. When I use my own creds.
> (instead of -Uadministrator, I use -Ume) it accepts the credentials but
> the error message changes to NT_STATUS_ACCESS_DENIED.
>
> At least the archives will have this solution and hopefully it'll be
> easier to find for the next guy/gal.
>
> Additional information:
>
> System is centos 7, samba installed from distro packages (4.1.1-37).
> Kerberos is set up and working (smbclient -k works). UNIX authentication
> and nss is via sssd which is set up and working.
>
> My DC are all samba 4.1.12 compiled from source.
>
>
>
I agree something is wrong, but not SELinux! I already disabled it.

Another odd thing. If I put the WRONG password in, I see:

auth_check_password_recv: sam_ignoredomain authentication for user
[COBITE\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD

in the server log, but if I put the right password in, that doesn't
appear, but in both cases NT_STATUS_LOGON_FAILURE on the client.

On a different member server (centos 6, samba-3.5.10-125.el6.x86_64), I
also cannot use 'administrator' (or DOMAIN\administrator) with the exact
same symptoms, but when I use myself it says 'Successfully granted
rights'. (I should be an administrator, I can join machines to domain
etc. using my own account).

Here's the server log for the failed auth (with the right password):

[2014/12/23 15:53:17.749887, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2014/12/23 15:53:17.750137, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2014/12/23 15:53:18.316385, 3]
../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
schannel_store_session_key_tdb: stored schannel info with key
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.324654, 3]
../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2014/12/23 15:53:18.325216, 3]
../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
schannel_fetch_session_key_tdb: restored schannel info key
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.329397, 3]
../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
schannel_fetch_session_key_tdb: restored schannel info key
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.329813, 3]
../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
schannel_store_session_key_tdb: stored schannel info with key
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.333683, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2014/12/23 15:53:18.333971, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2014/12/23 15:53:18.337922, 3]
../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
schannel_fetch_session_key_tdb: restored schannel info key
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.338340, 3]
../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
schannel_store_session_key_tdb: stored schannel info with key
SECRETS/SCHANNEL/PRINTSERVER
[2014/12/23 15:53:18.338496, 3]
../source4/auth/ntlm/auth.c:270(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user
[COBITE]\[administrator]@[\\PRINTSERVER]
auth_check_password_send: mapped user is:
[COBITE]\[administrator]@[\\PRINTSERVER]
[2014/12/23 15:53:18.360187, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2014/12/23 15:53:18.360414, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
--
Thanks,
David Mansfield
Cobite, INC.
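
Added example, not part of the original post and not Samba code: a small Python triage script for the symptom described above, where a rejected password produces an auth_check_password_recv ... FAILED line while the other failing attempt logs nothing after auth_check_password_send. The sample log is constructed (the domain EXAMPLE, the host MEMBER1 and the timestamps are made up), and the function names are this example's own.

```python
import re

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]\s*(.*)$")
SEND = re.compile(r"Checking password for unmapped user\s+\[([^\]]*)\]\\\[([^\]]*)\]")
RECV = re.compile(r"authentication for user \[([^\]]+)\] FAILED with error (\S+)")
PENDING = "no outcome logged"

# Constructed sample in the line layout of the log above; names and times are made up.
SAMPLE = r"""
[2014/01/01 10:00:00.000100, 3]
../source4/auth/ntlm/auth.c:270(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user
[EXAMPLE]\[administrator]@[\\MEMBER1]
[2014/01/01 10:00:00.000900, 2]
auth_check_password_recv: sam_ignoredomain authentication for user
[EXAMPLE\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
[2014/01/01 10:05:00.000100, 3]
auth_check_password_send: Checking password for unmapped user
[EXAMPLE]\[administrator]@[\\MEMBER1]
[2014/01/01 10:05:00.020000, 3]
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
"""

def records(text):
    """Yield (timestamp, message); the message is every line after the header, joined."""
    stamp, body = None, []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(body)
            stamp, body = m.group(1), [m.group(2)]
        elif stamp and line:
            body.append(line)
    if stamp:
        yield stamp, " ".join(body)

def auth_outcomes(text):
    """Return [(timestamp, 'DOMAIN\\user', outcome)], one entry per password check."""
    attempts, pending = [], {}
    for stamp, msg in records(text):
        s, r = SEND.search(msg), RECV.search(msg)
        if s:
            user = s.group(1) + "\\" + s.group(2)
            pending[user.lower()] = len(attempts)
            attempts.append([stamp, user, PENDING])
        if r and r.group(1).lower() in pending:
            attempts[pending.pop(r.group(1).lower())][2] = r.group(2)
    return [tuple(a) for a in attempts]
```

Calling auth_outcomes() on the text of a server log lists every password check with either the NT_STATUS code logged for it or "no outcome logged", which separates plain bad-password rejections from attempts that fail without any recorded verdict.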