Web lists-archives.com

Re: [Samba] NSS and group enumeration in CUPS...




Hai Marco, 

What i did, i added 1 real linux user in the group unix group lpadmin. 
With this user i configured the webinterface and set kerberos auth. 
( i did already setup ssl things like that for the webinterface. ) 

Get this file.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh 
This shows you all groups and privileges that are setup. 
You should see almost everywhere.
  BUILTIN\Administrators
And   NTDOM\Domain Admins 


Goto the technet link in that file, and check the windows groups you need.
Ps. New link:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)#print-operators 
I'll update the file. 
Set the seprivilege for the needed group ( BUILTIN\Print Operators )
My cups.conf but its almost untouched. I've set these in cupsd.conf and i did not touch any other cups file. 

Port 631
ServerName print1.internal.domain.tld
ServerAlias *
ServerTokens None
ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key
Browsing Off
BrowseLocalProtocols none
DefaultAuthType Negotiate
WebInterface Yes


The setup. 
I've given the user winadmin an uid and gid and ive added winadmin to the unix lpadmin group. 
And you should be done, setup kerberos auth, and configure through the cups webinterface.

Now, add yourself as (your winuser gaio) to lpadmin, do note you must have a uid/gid to make this work. 
( dont forget to logout and login again )
Check it on linux with : id username
That show the user and groups with GIDS also. Like this. 
uid=10002(someuser) gid=10000(domain users) groups=10000(domain users),4(adm),27(sudo),116(lpadmin),1951(sshgroup),10005(remote-webmail),10004(servers-ssh),10008(servers-www),2001(BUILTIN\users)


Running : 
kinit Administrator 
net rpc rights list privileges SePrintOperatorPrivilege -S $(hostname -f) -k 

Shows me : 
SePrintOperatorPrivilege:
  BUILTIN\Print Operators
  NTDOM\Domain Admins
  BUILTIN\Administrators

Still possible that i missed a setting, try above out, you know where to reach us. ;-) 

Thats about it. I use cups with point and print setup. 

So the short version of above is...
Give a AD user a UID/GID
Map BUILTIN\Print Operators with SePrivileges
Add the user to lpadmin on the linux server.

This was a debian jessie with samba 4.4, and it was al the way upgraded to debian stretch with samba 4.8.2 now. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Marco Gaiarin via samba
> Verzonden: woensdag 13 juni 2018 9:33
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: [Samba] NSS and group enumeration in CUPS...
> 
> 
> I was used (in SambaNT/OpenLDAP) to put on CUPS configuration the
> statement (/etc/cups/cups-files.conf):
> 
> 	SystemGroup printops
> 
> and add to 'printops' group some users that can manage cups.
> 
> 
> Now i'm in AD mode. I'm in 'printops' group:
> 
> 	root@vdmpp1:~# id gaio
> 	uid=10000(gaio) gid=10513(domain users) 
> gruppi=10513(domain 
> users),11001(sir),10999(unixadm),10998(printops),5001(BUILTIN\
> users),5000(BUILTIN\administrators)
> 
> but still if i access the cups web interface, i can login but
> administration/management tasks are 'access denied'.
> 
> Probably all came from:
> 
> 	root@vdmpp1:~# getent group printops
> 	printops:x:10998:
> 
> and i know that i can set 'winbind enum groups = yes', but with some
> performance penalty.
> 
> 
> There's some ''workaround'' at least for a single group?
> 
> 
> Thanks.
> 
> -- 
> dott. Marco Gaiarin				        GNUPG 
> Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al 
> Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   
> f +39-0434-842797
> 
> 		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba