From: Ryan Suarez on
my smb.conf:
http://pastebin.ca/1554626

Ryan Suarez wrote:
> RE: "net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1"
> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
>
> samba_source_3.3.7 on redhat 5 64bit. I have root on the samba server
> but I don't have admin access to active directory (hence the auth
> using testpc1).
>
> Does the user granting access need some sort of admin privilege in
> Active Directory? How do I grant this privilege on this samba host
> (for which I have root) since I don't have admin access in Active
> Directory?

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Adam Nielsen on
>>> RE: "net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1"
>>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
>>>
>>> samba_source_3.3.7 on redhat 5 64bit. I have root on the samba
>>> server but I don't have admin access to active directory (hence the
>>> auth using testpc1).

So you have full access to Samba, but - I'm guessing - read only access
to AD?

>>> Does the user granting access need some sort of admin privilege in
>>> Active Directory? How do I grant this privilege on this samba host
>>> (for which I have root) since I don't have admin access in Active
>>> Directory?

Yes, if you want to change an object in Active Directory you will need
access to do so. Unless your Samba host *is* the AD server, nothing
gets granted on the PC itself, all the permissions are maintained within AD.

You could either get the testpc1 account more access, or ask whoever
maintains your AD installation for delegated access so you can grant and
revoke permissions from objects you maintain (using -U your_username
instead.)

Cheers,
Adam.
From: Ryan Suarez on
Thanks for the response.

Adam Nielsen wrote:
>>>> RE: "net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1"
>>>> Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
>>>>
>>>> samba_source_3.3.7 on redhat 5 64bit. I have root on the samba
>>>> server but I don't have admin access to active directory (hence the
>>>> auth using testpc1).
>>>>
>
> So you have full access to Samba, but - I'm guessing - read only access
> to AD?
>

Where in the Active Directory user object are these permissions?
Specifically, I'm looking for SePrintOperatorPrivilege.

thanks,
Ryan

From: Ryan Suarez on

>>>> Does the user granting access need some sort of admin privilege in
>>>> Active Directory? How do I grant this privilege on this samba host
>>>> (for which I have root) since I don't have admin access in Active
>>>> Directory?
>>>>
>
> Yes, if you want to change an object in Active Directory you will need
> access to do so. Unless your Samba host *is* the AD server, nothing
> gets granted on the PC itself, all the permissions are maintained within AD.
>

hmm, the best option for me is to ask the AD administrator to grant the
samba SePrintOperatorPrivilege directly to the user object in Active
Directory. Where is this added in AD and what is this privilege called?

thanks,
Ryan
From: Gerald Carter on
Ryan,

> hmm, the best option for me is to ask the AD administrator to grant the
> samba SePrintOperatorPrivilege directly to the user object in Active
> Directory. Where is this added in AD and what is this privilege called?

The user rights database is maintained in Samba's passdb. If
you are getting ACCESS_DENIED from smbd when you run 'net rpc
rights grant', it is because the account you are connecting as
does not have admin privileges on the Samba box.

cheers, jerry