Rowland Penny
2024-Oct-08 09:11 UTC
[Samba] rpcclient setdriver fails with WERR_ACCESS_DENIED
On Mon, 7 Oct 2024 22:46:36 +0200 Peter Koch via samba <samba at lists.samba.org> wrote:

> Dear Samba-experts,
>
> I'm trying to set up automatic printer download with our
> samba 4.19.4 fileserver which is a domain member of
> our samba 4.18.2 AD.
>
> Printer drivers have been installed on the fileserver:
>
> root@serv00:# rpcclient -Uprtadmin%pass1 SERV00 -c enumdrivers
> [Windows x64]
> Printer Driver Info 1:
> Driver Name: [Kyocera TASKalfa 5052ci NAEV]
>
> CUPS printers have been installed and are working when used
> from our Windows workstations with locally installed drivers.
>
> root@serv00:# rpcclient -Uprtadmin%pass1 SERV00 -c enumprinters
> flags:[0x800000]
> name:[\\SERV00\]
> description:[\\SERV00\,,Edv04K]
> comment:[Edv04K]
>
> But setting the driver fails:
>
> root@serv00:# rpcclient -Uprtadmin%pass1 SERV00 -c 'setdriver Edv04K "Kyocera TASKalfa 5052ci NAEV"'
> result was WERR_ACCESS_DENIED
>
> I assume this happens due to missing SePrintOperatorPrivilege for
> user prtadmin.
>
> But how do I properly grant SePrintOperatorPrivilege?
>
> The following command is successful on the AD machine:
>
> root@ns1:# net -U 'administrator%pass2' rpc rights grant prtadmin SePrintOperatorPrivilege
> Successfully granted rights.
>
> root@ns1:# net -U 'administrator%pass2' rpc rights list accounts
> NAV\prtadmin
> SePrintOperatorPrivilege
>
> BUILTIN\Print Operators
> SeLoadDriverPrivilege
> SeShutdownPrivilege
> SeInteractiveLogonRight
>
> BUILTIN\Account Operators
> SeInteractiveLogonRight
>
> BUILTIN\Backup Operators
> SeBackupPrivilege
> SeRestorePrivilege
> SeShutdownPrivilege
> SeInteractiveLogonRight
>
> BUILTIN\Administrators
> SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeRemoteShutdownPrivilege
> SeTakeOwnershipPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeManageVolumePrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
> SeInteractiveLogonRight
> SeNetworkLogonRight
> SeRemoteInteractiveLogonRight
>
> BUILTIN\Server Operators
> SeBackupPrivilege
> SeSystemtimePrivilege
> SeRemoteShutdownPrivilege
> SeRestorePrivilege
> SeShutdownPrivilege
> SeInteractiveLogonRight
>
> BUILTIN\Pre-Windows 2000 Compatible Access
> SeRemoteInteractiveLogonRight
> SeChangeNotifyPrivilege
>
> The same commands fail on the fileserver:
>
> root@serv00:# net -U 'administrator%pass2' rpc rights grant prtadmin SePrintOperatorPrivilege
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE

I think I know what is going on here, but I would need to see the 'global' part of your smb.conf to confirm it.

Have you tried the command with a member of Domain Admins instead of Administrator?

Rowland
Peter Koch
2024-Oct-08 12:58 UTC
[Samba] rpcclient setdriver fails with WERR_ACCESS_DENIED
Hi Rowland,

Thanks very much for your quick response.

> Have you tried the command with a member of Domain Admins instead of
> Administrator?

I just did, and I now feel that something is wrong with our Administrator account.

Granting the SePrintOperatorPrivilege to user NAV\prtadmin with user NAV\Administrator fails on our fileserver (INVALID PASSWORD).

Granting the SePrintOperatorPrivilege to user NAV\prtadmin with user NAV\Administrator succeeds on our AD, but has no effect on the fileserver.

Setting the printer driver on our fileserver with user NAV\Administrator does not work either (INVALID PASSWORD).

But your idea to use a member of Domain Admins led me to try the following:

Adding NAV\prtadmin to the Domain Admins group on our AD with user NAV\administrator. This worked, and NAV\prtadmin became a member of Domain Admins on both our AD and fileserver.

I then granted the SePrintOperatorPrivilege to user NAV\prtadmin on our fileserver with user NAV\prtadmin.

And finally I was able to set the driver of our printers with user NAV\prtadmin.

I'm pretty sure you can explain to me what's wrong with our Administrator account.
Kind regards
Peter

Here's the [global] part of our fileserver's smb.conf file:

[global]
netbios name = SERV00
workgroup = NAV
realm = NAV.NAEV.DE
security = ADS
server role = member server
interfaces = lo net0
bind interfaces only = Yes
dos charset = cp1252
idmap cache time = 86400
idmap negative cache time = 30
printcap name = cups
unix charset = ISO8859-1
winbind cache time = 60
winbind use default domain = Yes
spoolss:architecture = Windows x64
rpcd_spoolss:num_workers = 10
rpcd_spoolss:idle_seconds = 300
idmap config nav : unix_primary_group = Yes
idmap config nav : unix_nss_info = Yes
idmap config nav : schema_mode = rfc2307
idmap config nav : range = 10000 - 19999
idmap config nav : backend = ad
idmap config * : range = 2000 - 9999
idmap config * : backend = tdb
acl allow execute always = Yes
username map = /var/samba/user.map
min domain uid = 0
printing = cups
# log level = 3

Therefore I was not able to provide fails on our fileserver (INVALID PASSWORD).
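The thread shows that a right granted on the AD DC had no effect on the member server, so the listing worth checking before a setdriver call is the one produced by the member server itself. The script below is an added example, not code from the thread or from Samba: it parses the listing format of `net rpc rights list accounts` quoted above and reports whether an account holds a given privilege; the embedded listing is constructed, and the credentials in the commented live usage are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Parses the listing
# format of `net rpc rights list accounts` (account line, one privilege per
# line, blank line between accounts) and reports whether ACCOUNT holds
# PRIVILEGE on the server that produced the listing.

# has_privilege ACCOUNT PRIVILEGE: reads a listing on stdin, exits 0 if the
# account holds the privilege, 1 otherwise. Values go through ENVIRON rather
# than awk -v so the backslash in NAV\prtadmin is not treated as an escape.
has_privilege() {
    ACCT="$1" PRIV="$2" awk '
        BEGIN { state = 0; found = 0 }        # 0: next line names an account
        { sub(/[[:space:]]+$/, "") }          # drop trailing whitespace
        /^$/ { state = 0; next }              # blank line closes a block
        state == 0 {                          # first line of a block = account
            state = ($0 == ENVIRON["ACCT"]) ? 1 : 2
            next
        }
        state == 1 && $0 == ENVIRON["PRIV"] { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed listing, modelled on the output quoted in the thread.
SAMPLE_LISTING='NAV\prtadmin
SePrintOperatorPrivilege

BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight'

# check_sample ACCOUNT PRIVILEGE: runs has_privilege over the constructed
# listing and prints yes or no.
check_sample() {
    if printf '%s\n' "$SAMPLE_LISTING" | has_privilege "$1" "$2"; then
        echo yes
    else
        echo no
    fi
}

# Live use (hypothetical credentials): query the member server, not the DC,
# and only attempt setdriver when the right is present there.
#   net -U 'prtadmin%pass1' -S SERV00 rpc rights list accounts \
#     | has_privilege 'NAV\prtadmin' SePrintOperatorPrivilege \
#     && rpcclient -Uprtadmin%pass1 SERV00 -c 'setdriver Edv04K "Kyocera TASKalfa 5052ci NAEV"'

check_sample 'NAV\prtadmin' SePrintOperatorPrivilege   # yes
check_sample 'NAV\prtadmin' SeLoadDriverPrivilege      # no
```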