Re: [Samba] NSS and group enumeration in CUPS...
- Date: Wed, 13 Jun 2018 10:11:28 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] NSS and group enumeration in CUPS...
What I did: I added 1 real Linux user to the unix group lpadmin.
With this user I configured the web interface and set Kerberos auth.
(I had already set up SSL and things like that for the web interface.)
Get this file.
This shows you all groups and privileges that are set up.
You should see almost everywhere.
And NTDOM\Domain Admins
Go to the TechNet link in that file, and check the Windows groups you need.
Ps. New link:
I'll update the file.
Set the seprivilege for the needed group ( BUILTIN\Print Operators )
My cups.conf, but it's almost untouched. I've set these in cupsd.conf and I did not touch any other CUPS file.
I've given the user winadmin a uid and gid and I've added winadmin to the unix lpadmin group.
And you should be done: set up Kerberos auth, and configure through the CUPS web interface.
Now, add yourself (as your Windows user gaio) to lpadmin; do note you must have a uid/gid to make this work.
(Don't forget to log out and log in again.)
Check it on Linux with: id username
That shows the user and groups with GIDs also. Like this:
uid=10002(someuser) gid=10000(domain users) groups=10000(domain users),4(adm),27(sudo),116(lpadmin),1951(sshgroup),10005(remote-webmail),10004(servers-ssh),10008(servers-www),2001(BUILTIN\users)
net rpc rights list privileges SePrintOperatorPrivilege -S $(hostname -f) -k
Shows me :
It's still possible that I missed a setting; try the above out, you know where to reach us. ;-)
That's about it. I use CUPS with a point and print setup.
So the short version of the above is...
Give an AD user a UID/GID
Map BUILTIN\Print Operators with SePrivileges
Add the user to lpadmin on the Linux server.
This was a Debian Jessie with Samba 4.4, and it was upgraded all the way to Debian Stretch with Samba 4.8.2 now.
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Marco Gaiarin via samba
> Sent: Wednesday 13 June 2018 9:33
> To: samba@xxxxxxxxxxxxxxx
> Subject: [Samba] NSS and group enumeration in CUPS...
> I was used (in SambaNT/OpenLDAP) to putting in the CUPS configuration the
> statement (/etc/cups/cups-files.conf):
> SystemGroup printops
> and adding to the 'printops' group some users that can manage CUPS.
> Now I'm in AD mode. I'm in the 'printops' group:
> root@vdmpp1:~# id gaio
> uid=10000(gaio) gid=10513(domain users)
> but still, if I access the CUPS web interface, I can log in but
> administration/management tasks are 'access denied'.
> Probably it all comes from:
> root@vdmpp1:~# getent group printops
> and I know that I can set 'winbind enum groups = yes', but with some
> performance penalty.
> Is there some ''workaround'', at least for a single group?
> dott. Marco Gaiarin GNUPG
> Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al
> Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711
> f +39-0434-842797
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
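An added example, not part of the original mails and not Samba or CUPS code: a shell helper for the "id username" check suggested above, which reads the groups= field and copes with AD group names that contain spaces or backslashes. The function names are hypothetical; the two sample lines are the `id` outputs quoted in this thread.

```shell
#!/bin/sh
# Added example: check `id` output for the group CUPS administration needs.
# Function names are hypothetical; sample lines are copied from this thread.

SAMPLE_OK='uid=10002(someuser) gid=10000(domain users) groups=10000(domain users),4(adm),27(sudo),116(lpadmin),1951(sshgroup),10005(remote-webmail),10004(servers-ssh),10008(servers-www),2001(BUILTIN\users)'
SAMPLE_MISSING='uid=10000(gaio) gid=10513(domain users)'

# Print one group name per line from the groups= field of an `id` line.
# Names are taken between "NNN(" and ")" so spaces and backslashes survive.
id_groups() {
    printf '%s\n' "$1" |
        sed -n 's/^.*[[:space:]]groups=//p' |
        grep -oE '[0-9]+\([^)]*\)' |
        sed -e 's/^[0-9]*(//' -e 's/)$//'
}

# Exit 0 only if group $2 appears as an exact, whole name in `id` line $1.
id_has_group() {
    id_groups "$1" | grep -Fxq -- "$2"
}

# Live check: does user $1 resolve to a uid/gid and list group $2
# (default lpadmin)? Returns 2 if the user cannot be resolved at all.
check_cups_admin() {
    user=$1
    group=${2:-lpadmin}
    line=$(id "$user" 2>/dev/null) || { echo "$user: no uid/gid"; return 2; }
    if id_has_group "$line" "$group"; then
        echo "$user: member of $group"
    else
        echo "$user: NOT in $group"
        return 1
    fi
}

# Demo on the two sample lines from the thread.
for s in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
    if id_has_group "$s" lpadmin; then
        echo "lpadmin listed:     ${s%% *}"
    else
        echo "lpadmin NOT listed: ${s%% *}"
    fi
done
```

On a real host, run `check_cups_admin gaio printops` after logging out and in again, since group changes only show up in a new session.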