Hai Marco,
OK, that's strange; this works fine since Jessie and up.
I did some extra checks and I'll show my outputs so you can compare them.
My "domain" admin shows: id winadmin
uid=10000(winadmin) gid=10000(domain users) groups=10000(domain users),116(lpadmin),10001(domain admins),2001(BUILTIN\users),2000(BUILTIN\administrators)
My group output: getent group lpadmin
lpadmin:x:116:winadmin,otherwinuser,a-linuxuser
This is my running /etc/nsswitch.conf.
passwd: compat winbind
group: compat winbind
( the other part is default )
Check if these are installed.
dpkg -l | egrep "libnss-winbind|libpam-krb5|libpam-winbind|samba|winbind"
( my output on stretch )
ii libnss-winbind:amd64 2:4.8.2+nmu-1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.7-4 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.8.2+nmu-1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.8.2+nmu-1 amd64 Samba winbind client library
ii python-samba 2:4.8.2+nmu-1 amd64 Python bindings for Samba
ii samba 2:4.8.2+nmu-1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.8.2+nmu-1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.8.2+nmu-1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.8.2+nmu-1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.8.2+nmu-1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.8.2+nmu-1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.8.2+nmu-1 amd64 service to resolve user and group information from Windows NT servers
And run pam-auth-update
The smb.conf is almost the same as my other member servers.
Except the below part, that's only for a dedicated print server.
##### PRINT SERVER PART #######
# Source: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server
## Enabling spoolssd
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss:architecture = Windows x64
# Minimum number of child processes
spoolssd:prefork_min_children = 5
# Maximum number of child processes
spoolssd:prefork_max_children = 25
# Start (fork) x new children if one connection comes in (up to prefork_max_children)
spoolssd:prefork_spawn_rate = 5
# Number of clients a child process should be responsible for
spoolssd:prefork_max_allowed_clients = 100
# Minimum lifetime of a child process (60 seconds is the minimum, even if a lower value has been configured)
spoolssd:prefork_child_min_life = 60
load printers = yes
# samba prints and snmp..
# Look here: https://wiki.samba.org/index.php/Configure_network_printer_ports
# Windows clients look for this share name as a source of downloadable printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
writable = yes
guest ok = no
write list = root, administrator, @"Domain Admins", @lpadmin, @"Print Operators"
[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
printable = yes
printing = CUPS
The last thing you can check is /etc/idmapd.conf.
Default should be fine but you can try and set these
( just before [Mapping] )
Domain = your.dnsdomain.tld
Local-Realms = YOUR.REALDOMAIN.TLD
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Wednesday 13 June 2018 14:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] NSS and group enumeration in CUPS...
>
> Hello! L.P.H. van Belle via samba
> On that day it was said...
>
> > So the short version of above is...
> > Give an AD user a UID/GID
> > Map BUILTIN\Print Operators with SePrivileges
>
> Just done.
>
>
> > Add the user to lpadmin on the linux server.
>
> Seems the only way.
>
> I've also tried to use pam_group (eg, assign local group to a user based
> on other infos), but also pam_group does not ''populate'' NSS group
> data, eg 'getent group lpadmin' returns empty, so nothing changed.
>
> I think this can also be fired up as bugs against cups... probably cups
> enumerates users in admin group, then checks against provided user, while
> it has to do the converse (enumerate the groups for the user, and check
> against admin group).
>
>
> Right?
>
> --
> dott. Marco Gaiarin GNUPG
> Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà , 7 - 33078 - San Vito al
> Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711
> f +39-0434-842797
>
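Added example, not part of the original mail and not code from CUPS or Samba: a small diagnostic that asks the group-membership question in both directions discussed in this thread (search the group's member list for the user, or search the user's group list for the group) and returns both answers so a disagreement shows up. The function names and the sample lookup table are hypothetical; the UIDs/GIDs come from the `id winadmin` output above, and the empty member lists are constructed.

```python
import grp
import os
import pwd
from collections import namedtuple


def in_group_by_member_list(user, group, getgrnam=grp.getgrnam):
    """Direction 1: look the group up, then search its member list for the user."""
    try:
        return user in getgrnam(group).gr_mem
    except KeyError:  # group not known to NSS
        return False


def in_group_by_user_groups(user, group, getgrnam=grp.getgrnam,
                            getpwnam=pwd.getpwnam, getgrouplist=os.getgrouplist):
    """Direction 2: look the user's groups up, then search them for the group's GID."""
    try:
        gid, primary = getgrnam(group).gr_gid, getpwnam(user).pw_gid
    except KeyError:  # user or group not known to NSS
        return False
    return gid in getgrouplist(user, primary)


def compare(user, group, **lookups):
    """Return (member_list_answer, user_groups_answer); a mismatch is the finding."""
    by_members = in_group_by_member_list(user, group, lookups.get("getgrnam", grp.getgrnam))
    return by_members, in_group_by_user_groups(user, group, **lookups)


# Constructed stand-in for NSS so the comparison runs offline. UIDs/GIDs are
# taken from the `id winadmin` output in the mail; the empty lpadmin member
# list is a constructed case, not output from either poster's host.
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
User = namedtuple("User", "pw_name pw_gid")
SAMPLE_GROUPS = {"lpadmin": Group("lpadmin", 116, []),
                 "domain users": Group("domain users", 10000, []),
                 "domain admins": Group("domain admins", 10001, ["winadmin"])}
SAMPLE_LOOKUPS = {
    "getgrnam": lambda name: SAMPLE_GROUPS[name],
    "getpwnam": lambda name: {"winadmin": User("winadmin", 10000)}[name],
    "getgrouplist": lambda user, gid: [gid, 116, 10001],
}

if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        print(group, compare("winadmin", group, **SAMPLE_LOOKUPS))
```

Called without the sample lookups, e.g. compare("winadmin", "lpadmin"), it queries the host's real NSS configuration, so it can be run on a domain member to see which direction fails there.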