And right after sending this message, I found the following link:
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
where configuring a user.map is advised. I have done that, and was able
to grant the SePrintOperatorPrivilege right.
I don't understand the solution, but it worked. :-)
On 6/10/2015 14:38, mourik jan heupink wrote:
> Hi,
>
> I'm trying to upload printer drivers to my jessie samba 4.1.17 print
> server, but I'm getting: "Failed to add driver. Access denied", and I
> don't understand why.
>
> The domain join is OK (verified with net ads testjoin) and on the DC I
> have given the SePrintOperatorPrivilege to the Domain Admins group, of
> which I am a member:
>
> root@DC2:~# net rpc rights list accounts -Umy-username
> Enter my-username's password:
> BUILTIN\Print Operators
> SeLoadDriverPrivilege
> SeShutdownPrivilege
> SeInteractiveLogonRight
>
> BUILTIN\Account Operators
> SeInteractiveLogonRight
>
> OUR-WKGR\Domain Admins
> SePrintOperatorPrivilege
> SeDiskOperatorPrivilege
> ...
>
> However, on my print server only the BUILTIN groups are shown, no
> OUR-WKGR. Perhaps this is expected, but trying to grant
> SePrintOperatorPrivilege to the Domain Admins on the printserver does
> also not work:
>
>> root@printserver:/etc/cups# net rpc rights grant 'OUR-WKGR\domain admins' SePrintOperatorPrivilege -Umy-username
>> Enter my-username's password:
>> Failed to grant privileges for OUR-WKGR\domain admins (NT_STATUS_ACCESS_DENIED)
>> root@printserver:/etc/cups#
>
> The logs on printserver show:
>
>> [2015/06/10 14:30:12.840280, 5]
>> ../source3/auth/token_util.c:629(debug_unix_user_token)
>> UNIX token of user 1014
>> Primary group is 513 and contains 34 supplementary groups
>> Group[ 0]: 513
>> Group[ 1]: 1034
>> Group[ 2]: 43989
>> Group[ 3]: 26597
>> Group[ 4]: 62494
>> Group[ 5]: 23821
>> Group[ 6]: 17363
>> Group[ 7]: 512
>> Group[ 8]: 17373
>> Group[ 9]: 1074
>> Group[ 10]: 17369
>> Group[ 11]: 1047
>> Group[ 12]: 1081
>> [2015/06/10 14:30:12.841903, 5]
>> ../source3/rpc_server/srv_pipe.c:1324(api_pipe_request)
>> Requested \lsarpc rpc service
>> [2015/06/10 14:30:12.842008, 4]
>> ../source3/rpc_server/srv_pipe.c:1356(api_rpcTNP)
>> api_rpcTNP: \lsarpc op 0x25 - api_rpcTNP: rpc command:
>> LSA_ADDACCOUNTRIGHTS
>> [2015/06/10 14:30:12.842121, 4]
>> ../source3/rpc_server/srv_access_check.c:105(access_check_object)
>> _lsa_AddAccountRights: access DENIED (requested: 0x0000000b,
>> granted: 0x0000000a)
>> [2015/06/10 14:30:12.842219, 5]
>> ../source3/rpc_server/srv_pipe.c:1417(api_rpcTNP)
>> api_rpcTNP: called \lsarpc successfully
>
> What am I missing? Am I doing something wrong?
>
> MJ
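
Added example (not part of the original messages and not Samba code): a small Python parser for smbd debug logs like the one quoted above. It reports each "access DENIED" record together with the UNIX uid and RPC command logged just before it, and the access-mask bits that were requested but not granted. The function names and the sample layout are assumptions made for this illustration; the sample records are copied from the quoted log.

```python
import re

# A Samba debug record starts with "[date time, level]"; the source location
# and message follow on the same or later lines (mail clients re-wrap them).
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*\d+\]\s*(.*)$")
DENIED = re.compile(r"(\w+): access DENIED \(requested: (0x[0-9a-fA-F]+),\s*"
                    r"granted: (0x[0-9a-fA-F]+)\)")
UID = re.compile(r"UNIX token of user (\d+)")
RPC = re.compile(r"rpc command:\s*(\w+)")

def records(log_text):
    """Return [timestamp, message] pairs, joining continuation lines."""
    recs = []
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()       # tolerate e-mail quote markers
        m = HEADER.match(line)
        if m:
            recs.append([m.group(1), m.group(2)])
        elif recs and line:
            recs[-1][1] = (recs[-1][1] + " " + line).strip()
    return recs

def find_denials(log_text):
    """Return access-check denials with the uid and RPC call seen just before."""
    uid = rpc = None
    out = []
    for ts, msg in records(log_text):
        if m := UID.search(msg):
            uid = int(m.group(1))
        if m := RPC.search(msg):
            rpc = m.group(1)
        if m := DENIED.search(msg):
            req, got = int(m.group(2), 16), int(m.group(3), 16)
            out.append({"time": ts, "uid": uid, "rpc": rpc, "check": m.group(1),
                        "requested": req, "granted": got, "missing": req & ~got})
    return out

# Constructed sample: three records taken from the log quoted in the message,
# two in smbd's on-disk layout and one as re-wrapped and quoted by the mailer.
SAMPLE = r"""
[2015/06/10 14:30:12.840280,  5] ../source3/auth/token_util.c:629(debug_unix_user_token)
  UNIX token of user 1014
[2015/06/10 14:30:12.842008,  4] ../source3/rpc_server/srv_pipe.c:1356(api_rpcTNP)
  api_rpcTNP: \lsarpc op 0x25 - api_rpcTNP: rpc command: LSA_ADDACCOUNTRIGHTS
>> [2015/06/10 14:30:12.842121, 4]
>> ../source3/rpc_server/srv_access_check.c:105(access_check_object)
>> _lsa_AddAccountRights: access DENIED (requested: 0x0000000b,
>> granted: 0x0000000a)
"""
print(find_denials(SAMPLE))
```

For the quoted log this yields one denial for uid 1014 on LSA_ADDACCOUNTRIGHTS with a missing mask of 0x1, the single bit that differs between the requested and granted values.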