Rowland Penny
2024-Jun-05 15:10 UTC
[Samba] SePrintOperatorPrivilege NT_STATUS_LOGON_FAILURE
On Wed, 05 Jun 2024 16:31:01 +0200 calm.job89448 at fastmail.com wrote:> Hi Rowland, > thank you for your reply! > > On Wed, Jun 5, 2024, at 15:54, Rowland Penny via samba wrote: > > On Wed, 05 Jun 2024 12:46:11 +0200 > > Khalid via samba <samba at lists.samba.org> wrote: > > > >> Hi everyone, > >> > >> I seem to have come to a dead end, so here I am, turning to you, > >> asking for your expertise. :) > >> > >> Whenever I try > >> > >> net rpc rights grant 'MYDOMAIN\grp_it_members' > >> SePrintOperatorPrivilege -U'MYDOMAIN\admin' > >> > >> I get this error: > >> > >> Password for [MYDOMAIN\admin]: > >> Could not connect to server 127.0.0.1 > >> The username or password was not correct. > >> Connection failed: NT_STATUS_LOGON_FAILURE > > > > Are you doing this as 'root' or with sudo ? > > > > Rowland > > > > I tried both. First sudo, as I setup everything with sudo and out of > curiosity with root. No luck. > Was it wrong to setup as user with sudo privileges?No, it should work, perhaps you have a dns problem. Can you please post the contents of: /etc/resolv.conf /etc/hostname /etc/hosts Can you also explain why there doesn't appear to be any 'idmap config' lines in your smb.conf ? Rowland
calm.job89448 at fastmail.com
2024-Jun-05 15:25 UTC
[Samba] SePrintOperatorPrivilege NT_STATUS_LOGON_FAILURE
Hi Rowland, thanks again. On Wed, Jun 5, 2024, at 17:10, Rowland Penny via samba wrote:>> I tried both. First sudo, as I setup everything with sudo and out of >> curiosity with root. No luck. >> Was it wrong to setup as user with sudo privileges? > > No, it should work, perhaps you have a dns problem. Can you please post > the contents of: > /etc/resolv.confdomain mydomain.work search mydomain.work nameserver 10.1.1.1 nameserver 10.1.1.3> /etc/hostnameprnt01> /etc/hosts127.0.0.1 localhost 10.1.1.33 prnt01.mydomain.work prnt01> Can you also explain why there doesn't appear to be any 'idmap config' > lines in your smb.conf ?Sorry, thought I'd only post what I thought is relevant. Here's the complete smb.conf # Global parameters [global] security = ADS workgroup = MYDOMAIN realm = MYDOMAIN.WORK server role = member server log file = /var/log/samba/%m.log bind interfaces only = yes # Please substitute your own physical cards here: interfaces = lo ens18 # Enable Group Policy application in winbind, apply group policies = yes # winbind config: winbind use default domain = yes # The following options are only useful for testing. Comment out in production. # winbind enum users = yes # winbind enum groups = yes # Map Administrator to root username map = /etc/samba/user.map min domain uid = 0 # Kerberos winbind refresh tickets = Yes dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab # Configure shares using extended access control lists (ACL) # Needed for Linux, as it does not support NFS4 ACLs vfs objects = acl_xattr map acl inherit = yes acl_xattr:ignore system acls = yes # Veto Files (do not allow these files in the server) veto files = /Thumbs.db/.DS_Store/._.DS_Store/.com.apple*/.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/. at __thumb/. at __desc> delete veto files = yes # Default ID mapping configuration for local BUILTIN accounts idmap config * : backend = tdb idmap config * : range = 3000-7999 # idmap config for the MYDOMAIN domain using the rid backend idmap config MYDOMAIN : backend = rid idmap config MYDOMAIN : range = 10000-999999 # Printing options in [global] section of smb.conf printing = CUPS spoolss: architecture = Windows x64 load printers = yes [printers] path = /var/tmp/ printable = yes [print$] path = /var/lib/samba/printer_drivers/ read only = no Thanks!