Peter Koch
2024-Oct-07 20:46 UTC
[Samba] rpcclient setdriver fails with WERR_ACCESS_DENIED
Dear Samba-experts,
I'm trying to set up automatic printer download with our
samba 4.19.4 fileserver, which is a domain member of
our samba 4.18.2 AD.
Printer drivers have been installed on the fileserver:
root at serv00:# rpcclient -Uprtadmin%pass1 SERV00 -c enumdrivers
[Windows x64]
Printer Driver Info 1:
Driver Name: [Kyocera TASKalfa 5052ci NAEV]
CUPS-printers have been installed and are working when used
from our windows workstations with locally installed drivers.
root at serv00:# rpcclient -Uprtadmin%pass1 SERV00 -c enumprinters
flags:[0x800000]
name:[\\SERV00\]
description:[\\SERV00\,,Edv04K]
comment:[Edv04K]
But setting the driver fails:
root at serv00:# rpcclient -Uprtadmin%pass1 SERV00 -c 'setdriver Edv04K
"Kyocera TASKalfa 5052ci NAEV"'
result was WERR_ACCESS_DENIED
I assume this happens due to missing SePrintOperatorPrivilege for
user prtadmin.
But how do I properly grant SePrintOperatorPrivilege?
The following command is successful on the AD-machine:
root at ns1:# net -U 'administrator%pass2' rpc rights grant prtadmin
SePrintOperatorPrivilege
Successfully granted rights.
root at ns1:# net -U 'administrator%pass2' rpc rights list accounts
NAV\prtadmin
 SePrintOperatorPrivilege

BUILTIN\Print Operators
 SeLoadDriverPrivilege
 SeShutdownPrivilege
 SeInteractiveLogonRight

BUILTIN\Account Operators
 SeInteractiveLogonRight

BUILTIN\Backup Operators
 SeBackupPrivilege
 SeRestorePrivilege
 SeShutdownPrivilege
 SeInteractiveLogonRight

BUILTIN\Administrators
 SeSecurityPrivilege
 SeBackupPrivilege
 SeRestorePrivilege
 SeSystemtimePrivilege
 SeShutdownPrivilege
 SeRemoteShutdownPrivilege
 SeTakeOwnershipPrivilege
 SeDebugPrivilege
 SeSystemEnvironmentPrivilege
 SeSystemProfilePrivilege
 SeProfileSingleProcessPrivilege
 SeIncreaseBasePriorityPrivilege
 SeLoadDriverPrivilege
 SeCreatePagefilePrivilege
 SeIncreaseQuotaPrivilege
 SeChangeNotifyPrivilege
 SeUndockPrivilege
 SeManageVolumePrivilege
 SeImpersonatePrivilege
 SeCreateGlobalPrivilege
 SeEnableDelegationPrivilege
 SeInteractiveLogonRight
 SeNetworkLogonRight
 SeRemoteInteractiveLogonRight

BUILTIN\Server Operators
 SeBackupPrivilege
 SeSystemtimePrivilege
 SeRemoteShutdownPrivilege
 SeRestorePrivilege
 SeShutdownPrivilege
 SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access
 SeRemoteInteractiveLogonRight
 SeChangeNotifyPrivilege
The same commands fail on the fileserver:
root at serv00:# net -U 'administrator%pass2' rpc rights grant prtadmin
SePrintOperatorPrivilege
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
root at serv00:# net -U 'administrator%pass2' rpc rights list accounts
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
This is very strange, since I used -U 'administrator%pass2' to join
serv00 into the NAV-domain, namely:
root at serv00:# net -U 'administrator%pass2' ads join
Using short domain name -- NAV
Joined 'SERV00' to dns domain 'nav.naev.de'
So pass2 must be the correct password of NAV\administrator
The following command works:
root at serv00:# net -U 'prtadmin%pass1' rpc rights list accounts
BUILTIN\Print Operators
 No privileges assigned

BUILTIN\Account Operators
 No privileges assigned

BUILTIN\Backup Operators
 No privileges assigned

BUILTIN\Server Operators
 No privileges assigned

BUILTIN\Administrators
 SeMachineAccountPrivilege
 SeTakeOwnershipPrivilege
 SeBackupPrivilege
 SeRestorePrivilege
 SeRemoteShutdownPrivilege
 SePrintOperatorPrivilege
 SeAddUsersPrivilege
 SeDiskOperatorPrivilege
 SeSecurityPrivilege
 SeSystemtimePrivilege
 SeShutdownPrivilege
 SeDebugPrivilege
 SeSystemEnvironmentPrivilege
 SeSystemProfilePrivilege
 SeProfileSingleProcessPrivilege
 SeIncreaseBasePriorityPrivilege
 SeLoadDriverPrivilege
 SeCreatePagefilePrivilege
 SeIncreaseQuotaPrivilege
 SeChangeNotifyPrivilege
 SeUndockPrivilege
 SeManageVolumePrivilege
 SeImpersonatePrivilege
 SeCreateGlobalPrivilege
 SeEnableDelegationPrivilege

Everyone
 No privileges assigned
Since I granted SePrintOperatorPrivilege to the domain-user
NAV\prtadmin on the AD-machine I expected this grant
to be visible on the fileserver.
And I do not understand, why pass2 is the correct
password of the administrator account when used
to join the domain and why the same password
is incorrect with other commands.
Kind regards
Peter Koch
Rowland Penny
2024-Oct-08 09:11 UTC
[Samba] rpcclient setdriver fails with WERR_ACCESS_DENIED
On Mon, 7 Oct 2024 22:46:36 +0200 Peter Koch via samba <samba at lists.samba.org> wrote:
> The same commands fail on the fileserver:
>
> root at serv00:# net -U 'administrator%pass2' rpc rights grant prtadmin
> SePrintOperatorPrivilege
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
I think I know what is going on here, but I would need to see the 'global' part of your smb.conf to confirm it.

Have you tried the command with a member of Domain Admins instead of Administrator?

Rowland
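Added example, not code from the thread or from the Samba project. The thread's two `net rpc rights list accounts` listings differ because a Samba domain member keeps its own privilege database: the Samba wiki's print-server procedure runs `net rpc rights grant ... SePrintOperatorPrivilege` against the print server itself, not the DC. The helper below parses that listing (assumed format, matching what the thread shows: an account name on its own line, its privileges indented beneath it, blank line between accounts) so the grant can be verified on the server that will enforce it before `rpcclient setdriver` is attempted. The two sample listings are constructed from the thread's output; `grant_and_setdriver` and its argument names are hypothetical wrappers around the real `net` and `rpcclient` commands and are not exercised offline.

```shell
#!/bin/sh
# has_privilege ACCOUNT PRIVILEGE  (reads `net rpc rights list accounts` output on stdin)
# Exit status 0 if ACCOUNT lists PRIVILEGE, 1 otherwise.
has_privilege() {
    # Pass values through the environment: `awk -v` would process the
    # backslash in names such as NAV\prtadmin as an escape sequence.
    ACCT="$1" PRIV="$2" awk '
        /No privileges assigned/ { next }
        # Privilege/right names all start with "Se" + capital letter.
        /^[[:space:]]*Se[A-Z]/ {
            if (cur == ENVIRON["ACCT"] && $1 == ENVIRON["PRIV"]) found = 1
            next
        }
        /^[[:space:]]*$/ { cur = ""; next }          # blank line ends a group
        { sub(/^[[:space:]]+/, ""); cur = $0 }       # anything else is an account header
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: shape of the DC listing after the grant succeeded.
sample_dc_rights() {
    cat <<'EOF'
NAV\prtadmin
 SePrintOperatorPrivilege

BUILTIN\Print Operators
 SeLoadDriverPrivilege
 SeShutdownPrivilege
 SeInteractiveLogonRight
EOF
}

# Constructed sample: shape of the member-server listing (no prtadmin entry).
sample_member_rights() {
    cat <<'EOF'
BUILTIN\Print Operators
 No privileges assigned

BUILTIN\Administrators
 SeMachineAccountPrivilege
 SePrintOperatorPrivilege
 SeAddUsersPrivilege

Everyone
 No privileges assigned
EOF
}

# Hypothetical wrapper for a live run (not executed here):
#   grant_and_setdriver SERVER 'DOM\admin%pw' 'DOM\prtadmin%pw' 'DOM\prtadmin' PRINTER DRIVER
# Checks the privilege on SERVER, grants it there if missing, then assigns the driver.
grant_and_setdriver() {
    server=$1 admin=$2 prtcreds=$3 prtacct=$4 printer=$5 driver=$6
    if ! net rpc rights list accounts -S "$server" -U "$admin" \
            | has_privilege "$prtacct" SePrintOperatorPrivilege; then
        net rpc rights grant "$prtacct" SePrintOperatorPrivilege \
            -S "$server" -U "$admin" || return 1
    fi
    rpcclient -U "$prtcreds" "$server" -c "setdriver \"$printer\" \"$driver\""
}
```

Run the check against the member server with the account that will do the `setdriver`; if it reports the privilege missing there, the grant has to be issued against that server (with an account that can actually authenticate to it, which is what Rowland's question is probing).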