I was used (in SambaNT/OpenLDAP) to putting in the CUPS configuration the
statement (/etc/cups/cups-files.conf):
	SystemGroup printops
and adding to the 'printops' group some users that can manage CUPS.
Now I'm in AD mode. I'm in the 'printops' group:
	root at vdmpp1:~# id gaio
	uid=10000(gaio) gid=10513(domain users) gruppi=10513(domain users),11001(sir),10999(unixadm),10998(printops),5001(BUILTIN\users),5000(BUILTIN\administrators)
but still, if I access the CUPS web interface, I can log in but
administration/management tasks are 'access denied'.
Probably it all comes from:
	root at vdmpp1:~# getent group printops
	printops:x:10998:
and I know that I can set 'winbind enum groups = yes', but with some
performance penalty.
Is there some ''workaround'', at least for a single group?
Thanks.
-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Hai Marco,

What I did: I added 1 real linux user in the unix group lpadmin.
With this user I configured the webinterface and set kerberos auth.
( I did already set up ssl and things like that for the webinterface. )

Get this file.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh
This shows you all groups and privileges that are set up.
You should see almost everywhere:
BUILTIN\Administrators
And
NTDOM\Domain Admins

Go to the technet link in that file, and check the windows groups you need.
Ps. New link:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255(v=ws.11)#print-operators
I'll update the file.

Set the seprivilege for the needed group ( BUILTIN\Print Operators )

My cups.conf, but it's almost untouched.
I've set these in cupsd.conf and I did not touch any other cups file.

Port 631
ServerName print1.internal.domain.tld
ServerAlias *
ServerTokens None
ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key
Browsing Off
BrowseLocalProtocols none
DefaultAuthType Negotiate
WebInterface Yes

The setup.
I've given the user winadmin an uid and gid and I've added winadmin to the unix lpadmin group.
And you should be done: set up kerberos auth, and configure through the cups webinterface.

Now, add yourself (your winuser gaio) to lpadmin; do note you must have a uid/gid to make this work.
( don't forget to logout and login again )

Check it on linux with : id username
That shows the user and groups with GIDs also. Like this.
uid=10002(someuser) gid=10000(domain users) groups=10000(domain users),4(adm),27(sudo),116(lpadmin),1951(sshgroup),10005(remote-webmail),10004(servers-ssh),10008(servers-www),2001(BUILTIN\users)

Running :
kinit Administrator
net rpc rights list privileges SePrintOperatorPrivilege -S $(hostname -f) -k

Shows me :
SePrintOperatorPrivilege:
 BUILTIN\Print Operators
 NTDOM\Domain Admins
 BUILTIN\Administrators

Still possible that I missed a setting; try the above out, you know where to reach us. ;-)
That's about it. I use cups with a point and print setup.

So the short version of the above is...
Give an AD user a UID/GID
Map BUILTIN\Print Operators with SePrivileges
Add the user to lpadmin on the linux server.

This was a debian jessie with samba 4.4, and it was all the way upgraded to debian stretch with samba 4.8.2 now.

Greetz,

Louis
Mandi! L.P.H. van Belle via samba
  On that day it was said...

> So the short version of the above is...
> Give an AD user a UID/GID
> Map BUILTIN\Print Operators with SePrivileges

Just done.

> Add the user to lpadmin on the linux server.

Seems the only way.

I've also tried to use pam_group (eg, assign a local group to a user based on other infos), but pam_group also does not ''populate'' the NSS group data, eg 'getent group lpadmin' returns empty, so nothing changed.

I think this can also be filed as a bug against cups... probably cups enumerates the users in the admin group, then checks against the provided user, while it has to do the converse (enumerate the groups for the user, and check against the admin group).

Right?
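The two lookup orders Marco contrasts, as an added example (not code from the thread, CUPS or Samba): check A resolves the group and scans its member list, which is what `getent group printops` shows and what winbind leaves empty unless `winbind enum groups = yes`; check B resolves the user and asks NSS for that user's group list, which is what `id gaio` shows. It assumes a Linux host whose nsswitch.conf includes winbind; the user and group names are taken from the command line, the defaults being the thread's own.

```python
import grp
import os
import pwd


def in_group_by_members(user, group):
    """Check A: getgrnam(group), then scan gr_mem (what 'getent group'
    prints). With 'winbind enum groups = no' winbind returns the group
    with an empty member list, so this is False even for a real member.
    None means the group is unknown to NSS."""
    try:
        gr = grp.getgrnam(group)
    except KeyError:
        return None
    return user in gr.gr_mem


def in_group_by_grouplist(user, group):
    """Check B: resolve the user, then ask NSS for the user's group
    list (what 'id' prints). winbind answers this from the user's
    token, so it needs no group enumeration. None means the user or
    the group is unknown to NSS."""
    try:
        pw = pwd.getpwnam(user)
        gr = grp.getgrnam(group)
    except KeyError:
        return None
    return gr.gr_gid in os.getgrouplist(user, pw.pw_gid)


def diagnose(user, group):
    """Run both checks and name the mismatch seen in the thread: the
    user is in the group by token, but the group's member list is
    empty, so a check that only scans gr_mem (the behaviour Marco
    suspects in CUPS) denies the user."""
    by_members = in_group_by_members(user, group)
    by_list = in_group_by_grouplist(user, group)
    if by_list is None:
        verdict = "user or group not resolvable through NSS"
    elif by_list and not by_members:
        verdict = "member by group list only: a gr_mem scan denies this user"
    elif by_list:
        verdict = "member by both checks"
    else:
        verdict = "not a member"
    return {"by_members": by_members, "by_grouplist": by_list,
            "verdict": verdict}


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "gaio"      # from the thread
    group = sys.argv[2] if len(sys.argv) > 2 else "printops"  # from the thread
    print(diagnose(user, group))
```

Run it on the member server as `python3 nsscheck.py gaio printops`; a "member by group list only" verdict is the situation described above, and it disappears once the member list is populated.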
Hai Marco, 
Ok, that's strange, this works fine since Jessie and up. 
I did some extra checks and I'll show my outputs so you can compare them. 
My "domain" admin shows : id winadmin
uid=10000(winadmin) gid=10000(domain users) groups=10000(domain users),116(lpadmin),10001(domain admins),2001(BUILTIN\users),2000(BUILTIN\administrators)
My group output: getent group lpadmin
lpadmin:x:116:winadmin,otherwinuser,a-linuxuser
This is my running /etc/nsswitch.conf.
passwd:         compat winbind
group:          compat winbind
( the other part is default ) 
Check if these are installed.
dpkg -l | egrep "libnss-winbind|libpam-krb5|libpam-winbind|samba|winbind"
( my output on stretch ) 
ii  libnss-winbind:amd64      2:4.8.2+nmu-1   amd64   Samba nameservice integration plugins
ii  libpam-krb5:amd64         4.7-4           amd64   PAM module for MIT Kerberos
ii  libpam-winbind:amd64      2:4.8.2+nmu-1   amd64   Windows domain authentication integration plugin
ii  libwbclient0:amd64        2:4.8.2+nmu-1   amd64   Samba winbind client library
ii  python-samba              2:4.8.2+nmu-1   amd64   Python bindings for Samba
ii  samba                     2:4.8.2+nmu-1   amd64   SMB/CIFS file, print, and login server for Unix
ii  samba-common              2:4.8.2+nmu-1   all     common files used by both the Samba server and client
ii  samba-common-bin          2:4.8.2+nmu-1   amd64   Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.8.2+nmu-1   amd64   Samba Directory Services Database
ii  samba-libs:amd64          2:4.8.2+nmu-1   amd64   Samba core libraries
ii  samba-vfs-modules:amd64   2:4.8.2+nmu-1   amd64   Samba Virtual FileSystem plugins
ii  winbind                   2:4.8.2+nmu-1   amd64   service to resolve user and group information from Windows NT servers
And run pam-auth-update
The smb.conf is almost the same as my other member servers. 
Except the below part, that's only for a dedicated printserver.
##### PRINT SERVER PART #######
    # Source :
    # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server
    ## Enabling spoolssd
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    spoolss:architecture = Windows x64
    # Minimum number of child processes
    spoolssd:prefork_min_children = 5
    # Maximum number of child processes
    spoolssd:prefork_max_children = 25
    # Start (fork) x new childs if one connection comes in (up to prefork_max_children)
    spoolssd:prefork_spawn_rate = 5
    # Number of clients a child process should be responsible for
    spoolssd:prefork_max_allowed_clients = 100
    # Minimum lifetime of a child process (60 seconds is the minimum,
    # even if a lower value has been configured)
    spoolssd:prefork_child_min_life = 60
    load printers = yes
    # samba prints and snmp..
    # Look here :
    # https://wiki.samba.org/index.php/Configure_network_printer_ports

# Windows clients look for this share name as a source of downloadable printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   writable = yes
   guest ok = no
   write list = root, administrator, @"Domain Admins", @lpadmin, @"Print Operators"

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = yes
   printable = yes
   printing = CUPS
Last thing you can check is the /etc/idmapd.conf
Default should be fine, but you can try and set these
( just before [Mapping] )
Domain = your.dnsdomain.tld 
Local-Realm = YOUR.REALDOMAIN.TLD
Greetz, 
Louis