Web lists-archives.com

Re: [Samba] NSS and group enumeration in CUPS...




Hai Marco, 

Ok thats strange, this works fine since Jessie and up. 
I did some extra checks and i'll show my outputs so you can compaire them. 

My "domain" admin shows : id winadmin
uid=10000(winadmin) gid=10000(domain users) groups=10000(domain users),116(lpadmin),10001(domain admins),2001(BUILTIN\users),2000(BUILTIN\administrators)

My group output: getent group lpadmin
lpadmin:x:116:winadmin,otherwinuser,a-linuxuser

This is my running /etc/nsswitch.conf.
passwd:         compat winbind
group:          compat winbind
( the other part is default ) 

Check if these are installed.
dpkg -l | egrep "libnss-winbind|libpam-krb5|libpam-winbind|samba|winbind"
( my output on stretch ) 
ii  libnss-winbind:amd64                  2:4.8.2+nmu-1                  amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64                     4.7-4                          amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64                  2:4.8.2+nmu-1                  amd64        Windows domain authentication integration plugin
ii  libwbclient0:amd64                    2:4.8.2+nmu-1                  amd64        Samba winbind client library
ii  python-samba                          2:4.8.2+nmu-1                  amd64        Python bindings for Samba
ii  samba                                 2:4.8.2+nmu-1                  amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.8.2+nmu-1                  all          common files used by both the Samba server and client
ii  samba-common-bin                      2:4.8.2+nmu-1                  amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64              2:4.8.2+nmu-1                  amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.8.2+nmu-1                  amd64        Samba core libraries
ii  samba-vfs-modules:amd64               2:4.8.2+nmu-1                  amd64        Samba Virtual FileSystem plugins
ii  winbind                               2:4.8.2+nmu-1                  amd64        service to resolve user and group information from Windows NT servers

And run pam-auth-update

The smb.conf is almost the same as my other member servers. 
Except the below part, thats only for a dedicated printserver.

##### PRINT SERVER PART #######
    # Source : https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server
    ## Enabling spoolssd
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    spoolss:architecture = Windows x64
    spoolssd:prefork_min_children = 5           # Minimum number of child processes
    spoolssd:prefork_max_children = 25          # Maximum number of child processes
    spoolssd:prefork_spawn_rate = 5             # Start (fork) x new childs if one connection comes in (up to prefork_max_children)
    spoolssd:prefork_max_allowed_clients = 100  # Number of clients, a child process should be responsible for
    spoolssd:prefork_child_min_life = 60        # Minimum lifetime of a child process (60 seconds
                                                # is the minimum, even a lower value has been configured)
    load printers = yes

    # samba prints and snmp..
    # Look here : https://wiki.samba.org/index.php/Configure_network_printer_ports

# Windows clients look for this share name as a source of downloadable printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   writable = yes
   guest ok = no
   write list = root, administrator, @"Domain Admins", @lpadmin, @"Print Operators"

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = yes
   printable = yes
   printing = CUPS


Last, thing you can check is the /etc/idmapd.conf
Default should be fine but you can try and set these
( just before [Mapping] 

Domain = your.dnsdomain.tld 
Local-Realm = YOUR.REALDOMAIN.TLD

Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Marco Gaiarin via samba
> Verzonden: woensdag 13 juni 2018 14:28
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] NSS and group enumeration in CUPS...
> 
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > So the short version of above is...
> > Give a AD user a UID/GID
> > Map BUILTIN\Print Operators with SePrivileges
> 
> Just done.
> 
> 
> > Add the user to lpadmin on the linux server.
> 
> Seems the only way.
> 
> I've also tried to use pam_group (eg, assign local group to a 
> user based
> on other infos), but also pam_group does not ''populate'' NSS group
> data, eg 'getent group lpadmin' return empty, so nothing changed.
> 
> I think this can also be fired up as bugs agains cups... probably cups
> enumerate users in admin group, then check against provided 
> user, while
> have to do the convers (enumerate the groups for the user, and check
> against admin group).
> 
> 
> Right?
> 
> -- 
> dott. Marco Gaiarin				        GNUPG 
> Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al 
> Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   
> f +39-0434-842797
> 
> 		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba