On Wed, 13 Jun 2018 17:07:39 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! L.P.H. van Belle via samba
>   On that day it was said...
>
> > Ok that's strange, this works fine since Jessie and up.
>
> Ahem, probably I'm not explaining myself well. I don't have 'windows'
> troubles, I have troubles accessing the CUPS web interface, because I can
> log in, but my status of 'SystemGroup' is not granted, even if I'm
> a member of 'systemgroup'.
>
> > My group output: getent group lpadmin
> > lpadmin:x:116:winadmin,otherwinuser,a-linuxuser
>
> ...but you have added 'locally' (eg, in /etc/group and /etc/shadow)
> the user 'winadmin', 'otherwinuser' and 'a-linuxuser'?!
>
> If so, clearly works, also for me! But it is rather ''unoptimal'',
> because I have to set up users for every single server I have...

It surprises me that nobody has mentioned 'kerberos' yet.

Rowland

Hello! Rowland Penny via samba
  On that day it was said...

> > ...but you have added 'locally' (eg, in /etc/group and /etc/shadow)
> > the user 'winadmin', 'otherwinuser' and 'a-linuxuser'?!

Ahem, I meant '/etc/group' and '/etc/gshadow', sorry.

> It surprises me that nobody has mentioned 'kerberos' yet.

?! Kerberos can also handle membership information?

--
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

On Wed, 13 Jun 2018 17:40:35 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
>
> > > ...but you have added 'locally' (eg, in /etc/group
> > > and /etc/shadow) the user 'winadmin', 'otherwinuser' and
> > > 'a-linuxuser'?!
>
> Ahem, I meant '/etc/group' and '/etc/gshadow', sorry.
>
> > It surprises me that nobody has mentioned 'kerberos' yet.
>
> ?! Kerberos can also handle membership information?

No, but AD can, try reading this:

https://roughlea.wordpress.com/linux-administration/configuring-cups-for-kerberos-authentication/

mentally replace all mentions of LDAP with AD ;-)

Never tried it, but it should work.

Rowland

Hi,

@Rowland.
Yes, the link is what I have set up, but in fewer steps, without sssd.
For the kerberos part, you only need to add the HTTP/UPN.
After a join with winbind you have the host/UPN.

I must say that the CUPS setup is working great.
Only 1 or 2 problems in almost 2 years.

@Marco,

> ...but you have added 'locally' (eg, in /etc/group
> and /etc/shadow) the user 'winadmin', 'otherwinuser' and 'a-linuxuser'?!

Yes, I did add my AD admin user to a local group, but only once.
And it's only for the lpadmin group. Everything else can be done through Windows groups.
And yes, you can replace the lpadmin group with a Windows group, but that's more work imo.

Greetz,

Louis

On Thu, 14 Jun 2018 15:40:32 +0200
Marco Gaiarin <gaio at sv.lnf.it> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
>
> > https://roughlea.wordpress.com/linux-administration/configuring-cups-for-kerberos-authentication/
>
> This does not solve my question but... interesting, thanks. ;-)

It should, it describes how to set up AD and kerberos to admin cups
(okay, it is written for ldap and a standalone KDC, but this is basically
what AD is), so if it doesn't work, then it is a CUPS problem.

Rowland