
[Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED


Ryan Suarez, Sep 5, 2009, 2:30:10 AM
RE: "net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1"
Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

samba_source_3.3.7 on redhat 5 64bit. I have root on the samba server
but I don't have admin access to active directory (hence the auth using
testpc1).

Does the user granting access need some sort of admin privilege in
Active Directory? How do I grant this privilege on this samba host (for
which I have root) since I don't have admin access in Active Directory?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Ryan Suarez, Sep 6, 2009, 10:50:05 PM
Can someone please help me troubleshoot this?

Adam Nielsen, Sep 6, 2009, 11:40:05 PM
>>> RE: "net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1"
>>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
>>>
>>> samba_source_3.3.7 on redhat 5 64bit. I have root on the samba
>>> server but I don't have admin access to active directory (hence the
>>> auth using testpc1).

So you have full access to Samba, but - I'm guessing - read only access
to AD?

>>> Does the user granting access need some sort of admin privilege in
>>> Active Directory? How do I grant this privilege on this samba host
>>> (for which I have root) since I don't have admin access in Active
>>> Directory?

Yes, if you want to change an object in Active Directory you will need
access to do so. Unless your Samba host *is* the AD server, nothing
gets granted on the PC itself, all the permissions are maintained within AD.

You could either get the testpc1 account more access, or ask whoever
maintains your AD installation for delegated access so you can grant and
revoke permissions from objects you maintain (using -U your_username
instead.)

Cheers,
Adam.

Ryan Suarez, Sep 7, 2009, 11:00:10 PM
Thanks for the response.

Adam Nielsen wrote:
>>>> RE: "net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1"
>>>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
>>>>
>>>> samba_source_3.3.7 on redhat 5 64bit. I have root on the samba
>>>> server but I don't have admin access to active directory (hence the
>>>> auth using testpc1).
>>>>
>
> So you have full access to Samba, but - I'm guessing - read only access
> to AD?
>

Where in the Active Directory user object are these permissions?
Specifically, I'm looking for SePrintOperatorPrivilege.

thanks,
Ryan

Ryan Suarez, Sep 7, 2009, 11:20:06 PM

>>>> Does the user granting access need some sort of admin privilege in
>>>> Active Directory? How do I grant this privilege on this samba host
>>>> (for which I have root) since I don't have admin access in Active
>>>> Directory?
>>>>
>
> Yes, if you want to change an object in Active Directory you will need
> access to do so. Unless your Samba host *is* the AD server, nothing
> gets granted on the PC itself, all the permissions are maintained within AD.
>

hmm, the best option for me is to ask the AD administrator to grant the
samba SePrintOperatorPrivilege directly to the user object in Active
Directory. Where is this added in AD and what is this privilege called?

thanks,
Ryan

Gerald Carter, Sep 7, 2009, 11:40:05 PM
Ryan,

> hmm, the best option for me is to ask the AD administrator to grant the
> samba SePrintOperatorPrivilege directly to the user object in Active
> Directory. Where is this added in AD and what is this privilege called?

The user rights database is maintained in Samba's passdb. If
you are getting ACCESS_DENIED from smbd when you run 'net rpc
rights grant', it is because the account you are connecting as
does not have admin privileges on the Samba box.

cheers, jerry


Ryan Suarez, Sep 8, 2009, 12:40:04 AM
Thanks for the response.

The samba host is a domain member server (security=ADS) with winbind for
user accounts. Where is this user rights database stored and what is
the tool to assign admin privileges?

# /usr/local/samba/bin/wbinfo -i testpc1
testpc1:*:10726:10005:testpc1 papercut test:/home/REALM/testpc1:/usr/bin/tcsh

# groups testpc1
testpc1 : root

# /usr/local/samba/bin/net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1
Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

smb.conf:
http://pastebin.ca/1554626

-Ryan

Adam Nielsen, Sep 8, 2009, 1:10:05 AM
> The samba host is a domain member server (security=ADS) with winbind for
> user accounts. Where is this user rights database stored and what is
> the tool to assign admin privileges?

I'm sure the privilege is stored in AD, which means you will need an AD
account with write access to the testpc1 object.

> # /usr/local/samba/bin/net rpc rights grant testpc1
> SePrintOperatorPrivilege -U testpc1
> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

This means you're connecting as the user "testpc1" which doesn't have
access. Machine accounts normally don't have much access at all.
You'll need to use an account that has been delegated admin access to
testpc1 instead.

Cheers,
Adam.

Gerald Carter, Sep 8, 2009, 8:40:09 AM
Hey Ryan,

> The samba host is a domain member server (security=ADS)
> with winbind for user accounts. Where is this user rights
> database stored and what is the tool to assign admin privileges?

Use 'net sam' to add the user in question to the BUILTIN\Administrators
group on your Samba host. The user rights assignments are stored
in account_pol.tdb IIRC (but that may have changed). It's been
several years since I looked at that code and I remember Michael Adam
making some interface changes. But I think the storage location on
smbpasswd and tdbsam installations is the same.

> # /usr/local/samba/bin/wbinfo -i testpc1
> testpc1:*:10726:10005:testpc1 papercut
> test:/home/REALM/testpc1:/usr/bin/tcsh
>
> # groups testpc1
> testpc1 : root
>
> # /usr/local/samba/bin/net rpc rights grant testpc1
> SePrintOperatorPrivilege -U testpc1
> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

cheers, jerry
--
=====================================================================
http://www.plainjoe.org/
"What man is a man who does not make the world better?" --Balian


Ryan Suarez, Sep 8, 2009, 11:00:13 AM
Gerald Carter wrote:
> Hey Ryan,
>
>> The samba host is a domain member server (security=ADS)
>> with winbind for user accounts. Where is this user rights
>> database stored and what is the tool to assign admin privileges?
>>
>
> Use 'net sam' to add the user in question to the BUILTIN\Administrators
> group on your Samba host. The user rights assignments are stored
> in account_pol.tdb IIRC (but that may have changed). It's been
> several years since I look at that code and I remember Michael Adam
> making some interface changes. But I think the storage location on
> smbpasswd and tdbsam installations is the same.
>
Thanks, it worked for me! Looks like the local BUILTIN\Administrators
has all those rpc rights granted by default.

much appreciated,

Gerald Carter, Sep 8, 2009, 11:10:09 AM
Ryan Suarez wrote:

> Thanks, it worked for me! Looks like the local BUILTIN\Administrators
> has all those rpc rights granted by default.

Correct. Glad things are working now.

cheers, jerry


Adam Nielsen, Sep 8, 2009, 6:30:17 PM
> Use 'net sam' to add the user in question to the BUILTIN\Administrators
> group on your Samba host.
>>
>> # /usr/local/samba/bin/net rpc rights grant testpc1
>> SePrintOperatorPrivilege -U testpc1
>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

Oh, so does 'net rpc' in this case connect to the local machine? i.e.
it has nothing to do with Active Directory?

I was under the impression that it modified the permissions on the
Active Directory object, not what the local Samba instance would allow
or deny - my apologies!

Cheers,
Adam.

Gerald Carter, Sep 8, 2009, 6:40:05 PM
Hey Adam,

>> Use 'net sam' to add the user in question to the BUILTIN\Administrators
>> group on your Samba host.
>>> # /usr/local/samba/bin/net rpc rights grant testpc1
>>> SePrintOperatorPrivilege -U testpc1
>>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
>
> Oh, so does 'net rpc' in this case connect to the local machine? i.e.
> it has nothing to do with Active Directory?

Correct. It connects over RPC to the Samba host. I think there
is a 'net sam rights' which will do the same operation without
using RPC, i.e. just operate on the account policy db.


Ryan Suarez, Sep 8, 2009, 7:10:10 PM
Adam Nielsen wrote:
>> Use 'net sam' to add the user in question to the BUILTIN\Administrators
>> group on your Samba host.
>>
>>> # /usr/local/samba/bin/net rpc rights grant testpc1
>>> SePrintOperatorPrivilege -U testpc1
>>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
>>>
>
> Oh, so does 'net rpc' in this case connect to the local machine? i.e.
> it has nothing to do with Active Directory?
>
> I was under the impression that it modified the permissions on the
> Active Directory object, not what the local Samba instance would allow
> or deny - my apologies!
>

Well, I wasn't actually able to run the net rpc rights grant. I was
still getting the access denied errors. Instead, I just added testpc1
as a member of the local Builtin/Administrators group which has all the
rpc rights by default.

So it's still a valid question. Does net rpc rights grant for the user
edit the Active Directory object?

Adam Nielsen, Sep 8, 2009, 7:50:07 PM
> Well, I wasn't actually able to run the net rpc rights grant. I was
> still getting the access denied errors. Instead, I just added testpc1
> as a member of the local Builtin/Administrators group which has all the
> rpc rights by default.

Well, now that testpc1 is an admin, you should be able to run the command
again and it should work. Since you're not actually using Active Directory
you could presumably also use "-U machine_name/root" or whatever the
name is of the local Samba root/admin account, instead of the testpc1 user.

> So it's still a valid question. Does net rpc rights grant for the user
> edit the Active Directory object?

I think the permission you're trying to access is set at the local
machine level - think of it like a firewall. When the request comes
through Samba decides whether to allow or deny it based on the privilege
you're trying to set. So it will apply whether or not you're using
Active Directory. That's my understanding of it anyway!

Cheers,
Adam.
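Worked example, added by the editor and not code from this thread or from the Samba project: an audit script that parses the output of `net rpc rights list accounts` (in the layout the Samba HOWTO shows: account name, then one privilege per line or "No privileges assigned", blank line between accounts) and of `net sam listmem` (layout assumed: a "<group> has N members" header followed by one member per line), then reports which privileges an account such as testpc1 effectively holds, directly or through BUILTIN\Administrators membership. It illustrates the trade-off behind Jerry's suggestion and Ryan's result: membership in BUILTIN\Administrators hands testpc1 every privilege on the Samba host, whereas a direct `net rpc rights grant` of SePrintOperatorPrivilege (run as an account that already has admin rights on the Samba box, which is what the ACCESS_DENIED was about) is the least-privilege path. The sample listings, the `REALM` domain prefix on the member names, the `root` admin account in the suggested commands, and the listmem layout are constructed or assumed for illustration.

```python
import re

# Constructed sample of `net rpc rights list accounts` output, in the layout the
# Samba HOWTO shows: an account name, then one privilege per line (or the text
# "No privileges assigned"), with blank lines between accounts.
RIGHTS_LISTING = """\
BUILTIN\\Print Operators
No privileges assigned

BUILTIN\\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned
"""

# Constructed `net sam listmem BUILTIN\Administrators` output. The layout
# (a "<group> has N members" header, one member per line) is an assumption.
ADMINS_LISTMEM = """\
BUILTIN\\Administrators has 2 members
 REALM\\Domain Admins
 REALM\\testpc1
"""

# The same two listings after the least-privilege fix: testpc1 is no longer in
# BUILTIN\Administrators and holds SePrintOperatorPrivilege directly.
RIGHTS_LISTING_FIXED = RIGHTS_LISTING + "\nREALM\\testpc1\nSePrintOperatorPrivilege\n"
ADMINS_LISTMEM_FIXED = "BUILTIN\\Administrators has 1 members\n REALM\\Domain Admins\n"

PRIV_RE = re.compile(r"^Se[A-Za-z]+Privilege$")


def parse_rights_listing(text):
    """Map each account in `net rpc rights list accounts` output to its privileges."""
    rights, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the current account block
        elif current is None:
            current = line          # first line of a block is the account name
            rights.setdefault(current, set())
        elif PRIV_RE.match(line):
            rights[current].add(line)
        # anything else ("No privileges assigned") contributes nothing
    return rights


def parse_listmem(text):
    """Return (group, set_of_members) from `net sam listmem <group>` output."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    group = lines[0].split(" has ", 1)[0]
    return group, set(lines[1:])


def effective_privileges(account, rights, memberships):
    """Privileges the account holds, tagged 'direct' or 'via <group>'."""
    held = {p: "direct" for p in rights.get(account, ())}
    for group, members in memberships.items():
        if account in members:
            for p in rights.get(group, ()):
                held.setdefault(p, "via " + group)
    return held


def audit(account, needed, rights_text, listmem_text):
    """Compare what the account holds against the privilege set it actually needs."""
    rights = parse_rights_listing(rights_text)
    group, members = parse_listmem(listmem_text)
    held = effective_privileges(account, rights, {group: members})
    return {
        "held": held,
        "excess": sorted(p for p in held if p not in needed),
        "missing": sorted(p for p in needed if p not in held),
    }


def remediation_commands(account, needed, group="BUILTIN\\Administrators", admin="root"):
    """net(8) invocations that swap blanket admin membership for direct grants.

    `admin` must already hold admin rights on the Samba host (the thread's
    ACCESS_DENIED came from connecting as an account that did not); 'root' is
    an assumed placeholder, not a value from the thread.
    """
    cmds = ["net sam delmem '%s' '%s'" % (group, account)]
    for priv in sorted(needed):
        cmds.append("net rpc rights grant '%s' %s -U %s" % (account, priv, admin))
    return cmds


if __name__ == "__main__":
    needed = {"SePrintOperatorPrivilege"}
    before = audit("REALM\\testpc1", needed, RIGHTS_LISTING, ADMINS_LISTMEM)
    print("excess privileges via group membership:", before["excess"])
    after = audit("REALM\\testpc1", needed, RIGHTS_LISTING_FIXED, ADMINS_LISTMEM_FIXED)
    print("after direct grant: excess=%s missing=%s" % (after["excess"], after["missing"]))
    for cmd in remediation_commands("REALM\\testpc1", needed):
        print(cmd)
```

Run against real output by piping `net rpc rights list accounts -U <admin>` and `net sam listmem 'BUILTIN\Administrators'` into the two parsers; the audit flags the seven privileges testpc1 picks up through the group that a print-operator account has no use for, and reports a clean result once the account is removed from the group and granted SePrintOperatorPrivilege directly.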
