samba - Jun 2024 - SePrintOperatorPrivilege NT_STATUS_LOGON_FAILURE

Hi Rowland,

thanks again.

On Wed, Jun 5, 2024, at 17:10, Rowland Penny via samba wrote:
>> I tried both. First sudo, as I setup everything with sudo and out of
>> curiosity with root. No luck.
>> Was it wrong to setup as user with sudo privileges?
>
> No, it should work, perhaps you have a dns problem. Can you please post
> the contents of:
> /etc/resolv.conf
domain mydomain.work
search mydomain.work
nameserver 10.1.1.1
nameserver 10.1.1.3
> /etc/hostname
prnt01
> /etc/hosts
127.0.0.1       localhost
10.1.1.33       prnt01.mydomain.work    prnt01
> Can you also explain why there doesn't appear to be any 'idmap
config'
> lines in your smb.conf ?
Sorry, thought I'd only post what I thought is relevant.

Here's the complete smb.conf

# Global parameters
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.WORK
server role = member server
log file = /var/log/samba/%m.log
bind interfaces only = yes
# Please substitute your own physical cards here:
interfaces = lo ens18

# Enable Group Policy application in winbind,
apply group policies = yes

# winbind config:
winbind use default domain = yes

# The following options are only useful for testing. Comment out in production.
# winbind enum users = yes  
# winbind enum groups = yes

# Map Administrator to root
username map = /etc/samba/user.map
min domain uid = 0

# Kerberos
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

# Configure shares using extended access control lists (ACL)
# Needed for Linux, as it does not support NFS4 ACLs
vfs objects = acl_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes

# Veto Files (do not allow these files in the server)
veto files =
/Thumbs.db/.DS_Store/._.DS_Store/.com.apple*/.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network
Trash Folder/Temporary Items/TheVolumeSettingsFolder/. at __thumb/. at
__desc>
delete veto files = yes

# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# idmap config for the MYDOMAIN domain using the rid backend
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999

# Printing options in [global] section of smb.conf
      printing = CUPS
      spoolss: architecture = Windows x64
      load printers = yes

[printers]
     path = /var/tmp/
     printable = yes

[print$]
     path = /var/lib/samba/printer_drivers/
     read only = no


Thanks!

What?s the content of user.map ?

LP
On Jun 5, 2024 at 16:27 +0100, calm.job89448 at fastmail.com,
wrote:
>
> username map = /etc/samba/user.map

On Wed, 05 Jun 2024 17:25:52 +0200
calm.job89448 at fastmail.com wrote:
> Hi Rowland,
> 
> thanks again.
> 
> On Wed, Jun 5, 2024, at 17:10, Rowland Penny via samba wrote:
> 
> >> I tried both. First sudo, as I setup everything with sudo and out
> >> of curiosity with root. No luck.
> >> Was it wrong to setup as user with sudo privileges?
> >
> > No, it should work, perhaps you have a dns problem. Can you please
> > post the contents of:
> > /etc/resolv.conf
> domain mydomain.work
> search mydomain.work
'domain, and 'search' in resolv.conf were mutually exclusive and the
last one wins, but in the last resolv.conf code, 'domain' has been
removed.
> nameserver 10.1.1.1
> nameserver 10.1.1.3
I take it the nameservers are DCs.
> 
> > /etc/hostname
> prnt01
> 
> > /etc/hosts
> 127.0.0.1       localhost
> 10.1.1.33       prnt01.mydomain.work    prnt01
I take it this machine has a fixed IP.
> 
> > Can you also explain why there doesn't appear to be any 'idmap
> > config' lines in your smb.conf ?
> 
> Sorry, thought I'd only post what I thought is relevant.
Better to post the full current smb.conf than fragments ;-)
But there doesn't seem to be anything wrong with the smb.conf

Is there a firewall in use ?

Rowland