Hello list.
I once had a samba server acting as a PDC, a mapping between my NT
'Domain admins' and Unix 'admins' groups, and everything worked
perfectly.
Now I got a new shiny samba server acting as a print server only, member
of an AD domain, and I can't have the members of the 'Domain admins'
group manage printing drivers on the server, whereas the Administrator
account can.
Here is my smb.conf:
[global]
workgroup = MSR-INRIA
realm = MSR-INRIA.IDF
security = ads
printcap name = cups
load printers = yes
printing = cups
...
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
create mode = 0700
print command = lpr-cups -P %p -o raw %s -r
use client driver = yes
[print$]
comment = Windows print drivers
path = /var/lib/samba/printers
browseable = yes
write list = root, @admins
guest ok = yes
inherit permissions = yes
AD membership is fine:
- 'net ads testjoin' is OK
[root@etoile samba]# net ads testjoin
Join is OK
- I can get a tgt for the administrator account:
[root@etoile samba]# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: Administrateur@MSR-INRIA.IDF
Issued Expires Principal
Jan 27 16:07:12 Jan 28 02:07:12 krbtgt/MSR-INRIA.IDF@MSR-INRIA.IDF
Jan 27 16:15:11 Jan 28 02:07:12 concorde$@MSR-INRIA.IDF
- I can get ADS groups and users list
[root@etoile samba]# net ads group
HelpServicesGroup
TelnetClients
IIS_WPG
Administrateurs
Utilisateurs
...
So basically, AD membership seems to be OK.
I'm using this file for mapping Unix and Windows users[2]:
!root = MSR-INRIA.IDF\Administrateur MSR-INRIA\Administrateur
!rousse = MSR-INRIA.INRIA.FR\rousse MSR-INRIA.IDF\rousse MSR-INRIA\rousse
By construction, every 'MSR-INRIA.IDF\foo' Windows user exists as a
'foo' Unix user, as we sync the AD ldap tree from our Unix tree, so I
may as well use a script, but I guess that's just another way to
achieve the same result.
When connecting to my printing share, samba seems to recognize I'm
member of the special domain admins group (rid 512), from my kerberos
ticket:
[2009/01/27 16:53:11, 3] smbd/process.c:switch_message(927)
switch message SMBtconX (pid 15236) conn 0x0
[2009/01/27 16:53:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/01/27 16:53:11, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/01/27 16:53:11, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/01/27 16:53:11, 5] smbd/uid.c:change_to_root_user(288)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2009/01/27 16:53:11, 4] smbd/reply.c:reply_tcon_and_X(506)
Client requested device type [?????] for share [IPC$]
[2009/01/27 16:53:11, 5] smbd/service.c:make_connection(1205)
making a connection to 'normal' service ipc$
[2009/01/27 16:53:11, 5] lib/username.c:Get_Pwnam_alloc(131)
Finding user rousse
[2009/01/27 16:53:11, 5] lib/username.c:Get_Pwnam_internals(75)
Trying _Get_Pwnam(), username as lowercase is rousse
[2009/01/27 16:53:11, 5] lib/username.c:Get_Pwnam_internals(108)
Get_Pwnam_internals did find user [rousse]!
[2009/01/27 16:53:11, 3] smbd/service.c:make_connection_snum(806)
Connect path is '/var/tmp' for service [IPC$]
[2009/01/27 16:53:11, 4] lib/sharesec.c:get_share_security(132)
get_share_security: using default secdesc for IPC$
[2009/01/27 16:53:11, 3] lib/util_seaccess.c:se_access_check(250)
[2009/01/27 16:53:11, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-5012
se_access_check: also S-1-5-21-911279556-1797085143-1335962226-512
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-22-2-5005
se_access_check: also S-1-22-2-5000
However, the buttons for changing drivers are greyed out, whether in
the global print server properties window or in an individual
printer's 'advanced' settings.
I tried to add explicit group mappings, as explained at
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html#id2572028:
[root@etoile ~]# net groupmap list
Domain Admins (S-1-5-21-911279556-1797085143-1335962226-512) -> admins
Domain Guests (S-1-5-21-911279556-1797085143-1335962226-514) -> guests
Domain Users (S-1-5-21-911279556-1797085143-1335962226-513) -> users
However, the same documentation says 'Group mappings are essential only
if the Samba server is running as a PDC/BDC', which is not my case, so
I assume it's useless. Also, I wonder if I'm supposed to use the
localized group name 'Admins du domaine' rather than the English
'Domain admins' for the mapping, or if the use of the rid is enough.
I also tried to set explicit privileges, without success:
[root@etoile samba]# net -w MSR-INRIA.IDF -U Administrateur rpc rights
grant 'MSR-INRIA.IDF\rousse' SePrintOperatorPrivilege
Password:
Failed to grant privileges for MSR-INRIA.IDF\rousse
(NT_STATUS_ACCESS_DENIED)
Enumerating existing privileges seems to imply my domain admins group
only has SeMachineAccountPrivilege currently:
[root@etoile samba]# net -w MSR-INRIA.IDF -U Administrateur rpc rights
list accounts
Password:
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
S-1-5-21-2709371413-4020681702-788637496-5012
SeMachineAccountPrivilege
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
Everyone
No privileges assigned
Any help appreciated here to understand what I'm doing wrong. BTW, I'm
using samba-3.0.28a on a Linux platform. I may eventually consider
upgrading if needed.
[1] I'm using a localized Win 2003 AD server, hence the French names
[2] I'm authenticating Windows users using a Heimdal server, hence the
presence of both MSR-INRIA.INRIA.FR\rousse and MSR-INRIA.IDF\rousse entries.
--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Ile de France
Tel: 01 69 35 69 62
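An added example, not part of the post above and not Samba's own code: a small Python script that takes the `se_access_check` debug lines and the `net groupmap list` output quoted in the post (embedded here as constructed sample input) and decodes the NT token that smbd built for the session. It labels the well-known SIDs (Everyone, NETWORK, Authenticated Users), Samba's Unix uid/gid SIDs (S-1-22-1-N and S-1-22-2-N), and any SID that has a group mapping, and it reports which mapped groups the token actually carries. It also compares the domain prefix of two S-1-5-21 SIDs, which is the quick way to tell whether a SID printed by `net rpc rights list accounts` belongs to the AD domain or to the server's own local SID. The function names are this example's own.

```python
import re

# Constructed sample input, copied from the debug log and 'net groupmap list'
# output quoted in the post above.
TOKEN_LOG = """\
[2009/01/27 16:53:11, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-5012
se_access_check: also S-1-5-21-911279556-1797085143-1335962226-512
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-22-2-5005
se_access_check: also S-1-22-2-5000
"""

GROUPMAP = """\
Domain Admins (S-1-5-21-911279556-1797085143-1335962226-512) -> admins
Domain Guests (S-1-5-21-911279556-1797085143-1335962226-514) -> guests
Domain Users (S-1-5-21-911279556-1797085143-1335962226-513) -> users
"""

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Well-known SIDs that show up in smbd tokens. S-1-22-1-N and S-1-22-2-N are
# Samba's own prefixes for Unix uid N and gid N.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
}


def split_sid(sid):
    """Split a SID into (domain prefix, RID)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def parse_token(log):
    """Return (user SID, [group SIDs]) from se_access_check debug lines."""
    user, groups = None, []
    for line in log.splitlines():
        if not line.startswith("se_access_check:"):
            continue
        m = SID_RE.search(line)
        if not m:
            continue
        if "user sid is" in line:
            user = m.group(0)
        else:
            groups.append(m.group(0))
    return user, groups


def parse_groupmap(text):
    """Return {SID: (NT group name, Unix group)} from 'net groupmap list' output."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r"(.+?) \((S-1-[\d-]+)\) -> (\S+)$", line)
        if m:
            mapping[m.group(2)] = (m.group(1), m.group(3))
    return mapping


def describe_sid(sid, groupmap):
    """Human-readable label for one SID found in the token."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid in groupmap:
        nt_name, unix_group = groupmap[sid]
        return f"{nt_name} -> Unix group {unix_group}"
    prefix, rid = split_sid(sid)
    if prefix == "S-1-22-1":
        return f"Unix uid {rid}"
    if prefix == "S-1-22-2":
        return f"Unix gid {rid}"
    if prefix.startswith("S-1-5-21-"):
        return f"domain SID, RID {rid}"
    return "unknown"


def mapped_groups_in_token(groups, groupmap):
    """Groupmap entries the token actually carries, as [(NT name, Unix group)]."""
    return [groupmap[g] for g in groups if g in groupmap]


def same_domain(sid_a, sid_b):
    """True if two SIDs share the same domain prefix (everything before the RID)."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


if __name__ == "__main__":
    user, groups = parse_token(TOKEN_LOG)
    gm = parse_groupmap(GROUPMAP)
    print("user :", user, "=", describe_sid(user, gm))
    for g in groups:
        print("group:", g, "=", describe_sid(g, gm))
    print("mapped groups present:", mapped_groups_in_token(groups, gm))
```

Run it as-is to see the token decoded; to use it on another server, paste that server's `se_access_check` lines (log level 3 or higher) and its `net groupmap list` output into the two strings. Checking `same_domain()` between a token group SID and a SID from the privilege listing tells you whether `net rpc rights` is reporting against the same domain the token came from.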