Dmitry Dobryshin, 2018-02-10 19:20:00
Debian

Samba 4.5 Debian. How to assign printoperator or root rights to a domain group?

Hello!
Background:
A Windows multi-machine domain running Windows 2012R2 is named DOMAIN.LOCAL
Debian 9 prn-02 print server, joined to domain, cups print service deployed
Printers are added and drivers assigned locally from the print server.
It is required, using the Windows "Print Manager" snap-in, to add new printers, delete them, and manage the print queue from administrative domain accounts.
In Samba 3.0-3.5, such actions were assigned in the /etc/samba/smbusers file or /etc/samba/smbusers.conf
with the following line:
root = @DOMAIN\admins
Unfortunately, in 4.5 nothing is taken from this file.
The computer is added to the domain, domain users are successfully authorized on the server. It remains only to assign privileges for different domain groups.
I can provide configuration files for samba, cups, pam. But the information from them is of little help in my task.
Here is the startup log from trying to add a new printer from the Windows Print Manager snap-in.

Add new printer log from the Windows snap-in
smbd -i --debuglevel=3
smbd version 4.5.12-Debian started.
Copyright Andrew Tridgell and the Samba Team 1992-2016
uid=0 gid=0 euid=0 egid=0
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[print$]"
adding IPC service
added interface eth0 ip=10.0.94.51 bcast=10.0.95.255 netmask=255.255.254.0
loaded services
INFO: Profiling support unavailable in this build.
Initialise the svcctl registry keys if needed.
Initialise the eventlog registry keys if needed.
get_dc_list: preferred server list: "DC-01.domain.local, *"
Successfully contacted LDAP server 192.168.0.10
get_dc_list: preferred server list: "DC-01.domain.local, *"
get_dc_list: preferred server list: "DC-01.domain.local, *"
Successfully contacted LDAP server 192.168.0.10
Connected to LDAP server DC-01.domain.local
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
winreg_get_printer: Could not open key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\printers: WERR_BADFILE
reloading printcap cache
reload status: ok
reloading printcap cache
cups_pcap_load_async: already waiting for a refresh event
reload status: error
waiting for connections
adding printer service PRN-341
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x55c7c99c33d0] mpx_fde[(nil)] fd[27] - disabling
Could not find child 52209 -- ignoring
Allowed connection from 192.168.0.14 (192.168.0.14)
init_oplocks: initializing messages.
Transaction 0 of length 178 (0 toread)
Selected protocol SMB3_11
Found account name from PAC: admin [Domain admin]
Kerberos ticket principal name is 
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[print$]"
adding IPC service
Adding homes service for user 'DOMAIN\admin' using home directory: '/home/DOMAIN/admin'
adding home's share [admin] for user 'DOMAIN\admin' at '/home/DOMAIN/admin'
Allowed connection from 192.168.0.14 (192.168.0.14)
Connect path is '/tmp' for service [IPC$]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
192.168.0.14 (ipv4:192.168.0.14:19131) connect to service IPC$ initially as user DOMAIN\admin (uid=10000, gid=10000) (pid 52203)
api_pipe_bind_req: spoolss -> spoolss rpc service
check_bind_req for spoolss context_id=0
check_bind_req: spoolss -> spoolss rpc service
api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
checking name: \\PRN-02
Setting printer type=\\PRN-02
access DENIED as user is not root, has no printoperator privilege, not a member of the printoperator builtin group and is not in printer admin list
api_pipe_bind_req: spoolss -> spoolss rpc service
check_bind_req for spoolss context_id=0
check_bind_req: spoolss -> spoolss rpc service
api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
checking name: \\PRN-02
Setting printer type=\\PRN-02

Here it can be seen that access is denied because the account, which is a domain administrator, lacks the privilege.
Yet the user admin is a member of the DOMAIN\admins group.
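The denial line in the log above names the routes smbd accepts for administrative spoolss access: root, the print operator privilege, membership in the BUILTIN\Print Operators group, or the printer admin list. The following is an added example, not the poster's configuration or Samba project code, that takes the privilege route: it recognises the denial in an smbd log, and shows how SePrintOperatorPrivilege would be granted to a domain group with `net rpc rights` and verified by parsing `net rpc rights list accounts`. The group name DOMAIN\admins is taken from the post; the admin account name and both sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose the spoolss denial seen in
# the smbd log and grant SePrintOperatorPrivilege to a domain group with
# `net rpc rights`, then verify the grant by parsing `net rpc rights list accounts`.
# Assumptions: the group name DOMAIN\admins comes from the post; the admin
# account name and both sample outputs below are constructed for this example.

GROUP='DOMAIN\admins'   # domain group that should manage printers on the member server
ADMIN_USER='admin'      # domain account used to authenticate to the local Samba server

# Constructed excerpt of an smbd -d3 log, shaped like the one in the post.
SAMPLE_LOG='api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
checking name: \\PRN-02
access DENIED as user is not root, has no printoperator privilege, not a member of the printoperator builtin group and is not in printer admin list'

# Constructed output in the shape of `net rpc rights list accounts`: the account
# name on its own line, one privilege per following line, entries separated by
# a blank line.
SAMPLE_LIST='BUILTIN\Print Operators
SePrintOperatorPrivilege

DOMAIN\admins
SePrintOperatorPrivilege
SeDiskOperatorPrivilege
'

# Return 0 if the log shows spoolss refusing administrative access for lack of
# the print operator privilege (the message smbd emits in the post).
log_shows_missing_privilege() {
    printf '%s\n' "$1" | grep -q 'access DENIED as user is not root, has no printoperator privilege'
}

# has_privilege ACCOUNT PRIVILEGE LISTING: return 0 if ACCOUNT holds PRIVILEGE.
# Account and privilege names are passed through the environment rather than
# `awk -v`, because -v would turn the backslash in DOMAIN\admins into an escape.
has_privilege() {
    printf '%s\n' "$3" | ACCT="$1" PRIV="$2" awk '
        BEGIN { acct = ENVIRON["ACCT"]; priv = ENVIRON["PRIV"]; cur = ""; found = 0 }
        /^[ \t]*$/ { cur = ""; next }              # blank line ends the current entry
        cur == ""  { cur = $0; next }              # first line of an entry is the account
        cur == acct && $1 == priv { found = 1 }    # privilege line under the wanted account
        END { exit (found ? 0 : 1) }'
}

# Offline walkthrough on the constructed samples.
if log_shows_missing_privilege "$SAMPLE_LOG"; then
    printf '%s\n' "smbd log: spoolss denied administrative access; SePrintOperatorPrivilege is missing"
fi
if has_privilege "$GROUP" SePrintOperatorPrivilege "$SAMPLE_LIST"; then
    printf '%s holds SePrintOperatorPrivilege in the sample listing\n' "$GROUP"
fi

# Real run, only when asked for explicitly: grant the privilege on this server
# and print the resulting assignments, which has_privilege can then check.
if [ "${1:-}" = "--apply" ]; then
    net rpc rights grant "$GROUP" SePrintOperatorPrivilege -U "$ADMIN_USER"
    net rpc rights list accounts -U "$ADMIN_USER"
fi
```

Run without arguments to exercise the parser on the constructed samples; run with `--apply` on the print server itself to perform the grant, authenticating as an account that is already allowed to assign rights on that server. The privilege is stored by the member server, not in Active Directory, so it has to be granted on each Samba print server, and the group must be resolvable there (it appears in the log as a PAC group of the connecting user).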
