From: Ryan Suarez on 8 Sep 2009 00:40

Thanks for the response.

Gerald Carter wrote:
> Ryan,
>
>> hmm, the best option for me is to ask the AD administrator to grant the
>> samba SePrintOperatorPrivilege directly to the user object in Active
>> Directory. Where is this added in AD and what is this privilege called?
>>
>
> The user rights database is maintained in Samba's passdb. If
> you are getting ACCESS_DENIED from smbd when you run 'net rpc
> rights grant', it is because the account you are connecting as
> does not have admin privileges as the Samba box.
>

The samba host is a domain member server (security=ADS) with winbind for
user accounts. Where is this user rights database stored and what is
the tool to assign admin privileges?

# /usr/local/samba/bin/wbinfo -i testpc1
testpc1:*:10726:10005:testpc1 papercut test:/home/REALM/testpc1:/usr/bin/tcsh

# groups testpc1
testpc1 : root

# /usr/local/samba/bin/net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1
Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

smb.conf: http://pastebin.ca/1554626

-Ryan

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: Adam Nielsen on 8 Sep 2009 01:10

> The samba host is a domain member server (security=ADS) with winbind for
> user accounts. Where is this user rights database stored and what is
> the tool to assign admin privileges?

I'm sure the privilege is stored in AD, which means you will need an AD
account with write access to the testpc1 object.

> # /usr/local/samba/bin/net rpc rights grant testpc1
> SePrintOperatorPrivilege -U testpc1
> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

This means you're connecting as the user "testpc1" which doesn't have
access. Machine accounts normally don't have much access at all. You'll
need to use an account that has been delegated admin access to testpc1
instead.

Cheers,
Adam.

From: Gerald Carter on 8 Sep 2009 08:40

Hey Ryan,

> The samba host is a domain member server (security=ADS)
> with winbind for user accounts. Where is this user rights
> database stored and what is the tool to assign admin privileges?

Use 'net sam' to add the user in question to the BUILTIN\Administrators
group on your Samba host. The user rights assignments are stored
in account_pol.tdb IIRC (but that may have changed). It's been
several years since I looked at that code and I remember Michael Adam
making some interface changes. But I think the storage location on
smbpasswd and tdbsam installations is the same.

> # /usr/local/samba/bin/wbinfo -i testpc1
> testpc1:*:10726:10005:testpc1 papercut
> test:/home/REALM/testpc1:/usr/bin/tcsh
>
> # groups testpc1
> testpc1 : root
>
> # /usr/local/samba/bin/net rpc rights grant testpc1
> SePrintOperatorPrivilege -U testpc1
> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

cheers, jerry
--
http://www.plainjoe.org/
"What man is a man who does not make the world better?" --Balian

From: Ryan Suarez on 8 Sep 2009 11:00

Gerald Carter wrote:
> Hey Ryan,
>
>> The samba host is a domain member server (security=ADS)
>> with winbind for user accounts. Where is this user rights
>> database stored and what is the tool to assign admin privileges?
>>
>
> Use 'net sam' to add the user in question to the BUILTIN\Administrators
> group on your Samba host. The user rights assignments are stored
> in account_pol.tdb IIRC (but that may have changed). It's been
> several years since I looked at that code and I remember Michael Adam
> making some interface changes. But I think the storage location on
> smbpasswd and tdbsam installations is the same.
>

Thanks, it worked for me! Looks like the local BUILTIN\Administrators
has all those rpc rights granted by default.

much appreciated,
Ryan

From: Gerald Carter on 8 Sep 2009 11:10

Ryan Suarez wrote:
> Thanks, it worked for me! Looks like the local BUILTIN\Administrators
> has all those rpc rights granted by default.

Correct. Glad things are working now.

cheers, jerry
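
An added example, not part of any message in this thread: a shell audit of which accounts hold a given right, useful after the BUILTIN\Administrators change above to see who holds SePrintOperatorPrivilege and what else an account carries. The sample listing is constructed, and the record layout of `net rpc rights list accounts` output (account line, one right per line, blank line between records) is an assumption.

```shell
#!/bin/sh
# Added example: audit rights from `net rpc rights list accounts` output.
# Assumed layout: account name, then one right per line (or the text
# "No privileges assigned"), with a blank line between records.

# Constructed sample listing (not captured from the server in the thread).
sample_listing() {
cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

REALM\testpc1
SePrintOperatorPrivilege

Everyone
No privileges assigned
EOF
}

# accounts_with_right RIGHT: read a listing on stdin, print holders of RIGHT.
accounts_with_right() {
    WANT="$1" awk '
        BEGIN { RS = ""; FS = "\n" }
        { for (i = 2; i <= NF; i++) if ($i == ENVIRON["WANT"]) { print $1; break } }
    '
}

# rights_of ACCOUNT: print every right ACCOUNT holds, one per line.
# ENVIRON is used instead of -v so the backslash in DOMAIN\user stays literal.
rights_of() {
    ACCT="$1" awk '
        BEGIN { RS = ""; FS = "\n" }
        $1 == ENVIRON["ACCT"] { for (i = 2; i <= NF; i++) if ($i ~ /^Se[A-Za-z]+Privilege$/) print $i }
    '
}

# Against a live host, pipe `net rpc rights list accounts -U <admin>` in instead.
sample_listing | accounts_with_right SePrintOperatorPrivilege
```

An account that shows more rights in `rights_of` than its job needs is a candidate for a direct, single-right grant instead.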