Hai,

@Rowland.
Yes, the link is what I have set up, but in fewer steps without sssd.
For the kerberos part, you only need to add the HTTP/UPN.
After a join with winbind you have the host/UPN.

I must say that the CUPS setup is working great. Only 1 or 2 problems in almost 2 years.

@Marco,
> ...but you have added 'locally' (eg, in /etc/group
> and /etc/shadow) the user 'winadmin', 'otherwinuser' and 'a-linuxuser'?!

Yes, I did add my AD admin user to a local group but only once.
And it's only for the lpadmin group. Everything else can be done through windows groups.
And yes, you can replace the lpadmin group for a windows group but that's more work imo.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 13 June 2018 17:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] NSS and group enumeration in CUPS...
>
> On Wed, 13 Jun 2018 17:40:35 +0200
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > Hi! Rowland Penny via samba
> > On that day, it was said...
> >
> > > > ...but you have added 'locally' (eg, in /etc/group
> > > > and /etc/shadow) the user 'winadmin', 'otherwinuser' and
> > > > 'a-linuxuser'?!
> >
> > Ahem i meant '/etc/group' and '/etc/gshadow', sorry.
> >
> >
> > > It surprises me that nobody has mentioned 'kerberos' yet.
> >
> > ?! Kerberos can also handle membership information?
> >
>
> No, but AD can, try reading this:
>
> https://roughlea.wordpress.com/linux-administration/configuring-cups-for-kerberos-authentication/
>
> mentally replace all mentions of LDAP with AD ;-)
>
> Never tried it, but it should work.
>
> Rowland
Hi! L.P.H. van Belle via samba
On that day, it was said...

> Yes, I did add my AD admin user to a local group but only once.

Ah, ok. In this way it clearly works, but it is all but optimal, you have
to manage local membership on every server...

> And yes, you can replace the lpadmin group for a windows group but that's more work imo.

Seems to me that, apart from setting 'winbind enum groups = yes', there's no
solution...

I've fired up a debian bug, but probably it is better upstream...

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901529

--
dott. Marco Gaiarin   GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''   http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)

Hai Marco,

Imo, it's not a bug, at least not in cups.
You don't need the winbind enum groups = yes.

It works fine, but can you post your samba version? Are you running this one on a
jessie or stretch server?

I "think" you run this server with samba backend set to RID not AD. (
note, that should not matter )

I run my print server with backend AD, on stretch samba 4.8.2
You Debian Jessie, samba 4.5.12 with backend RID. Correct?

If that's the case, I really suggest you upgrade to samba 4.6.15 or up.
And set these on the print server.

idmap config NTDOM : unix_primary_group = yes
idmap config NTDOM : unix_nss_info = yes

The winbind fixes between 4.5.12 and 4.6 and up can help a lot here to resolve
this.
I do understand the use of 4.5.12, that's a choice, but it's just not a good
version.

# my repo settings for jessie with 4.6.15
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "deb http://apt.van-belle.nl/debian jessie-backports main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian jessie main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian unstable main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
apt-get update
apt-get dist-upgrade    # you need the dist upgrade because you get a few extra packages

Run: net cache flush
And I prefer a server reboot also, but that's up 2 you.

Then run id username again and getent group username
See if you get the needed output.

But again, I strongly suggest you upgrade your server to stretch and use samba
4.7+ or better 4.8.2

Note, Jessie is entering LTS mode, so no fixes will go in samba unless it's a
security fix.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Friday 15 June 2018 10:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] NSS and group enumeration in CUPS...
>
> Hi! L.P.H. van Belle via samba
> On that day, it was said...
>
> > Yes, I did add my AD admin user to a local group but only once.
>
> Ah, ok. In this way it clearly works, but it is all but optimal, you have
> to manage local membership on every server...
>
>
> > And yes, you can replace the lpadmin group for a windows
> > group but that's more work imo.
>
> Seems to me that, apart from setting 'winbind enum groups = yes',
> there's no solution...
>
> I've fired up a debian bug, but probably it is better upstream...
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901529
>

Hi! L.P.H. van Belle via samba
On that day, it was said...

> Imo, it's not a bug, at least not in cups.

Sure, but I think that apps and services have to take into account that some
NSS backends do not ''enumerate'' groups by default.

> You Debian Jessie, samba 4.5.12 with backend RID. Correct?

Near. AD backend.

> If that's the case, I really suggest you upgrade to samba 4.6.15 or up.
> And set these on the print server.
> idmap config NTDOM : unix_primary_group = yes
> idmap config NTDOM : unix_nss_info = yes

It is on my plan. ;-)

--
dott. Marco Gaiarin   GNUPG Key ID: 240A3D66
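
Added example (not part of the thread, and not code from any poster, Samba or CUPS): a shell check for the distinction the thread turns on, whether a group such as lpadmin resolves by name but is absent from NSS enumeration, as happens with winbind groups while 'winbind enum groups' is left at its default of no. The function names and result strings are made up for this example.

```shell
#!/bin/sh
# Added example: classify how a group is visible through NSS.
#   by-name lookup -> getgrnam(3), what `getent group NAME` does
#   enumeration    -> getgrent(3), what `getent group` with no key does

# Prints one of: lookup+enum | lookup-only | missing
group_visibility() {
    grp=$1
    entry=$(getent group "$grp") || { echo missing; return 0; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    # Compare on GID: a backend may return the name in another form or case.
    if getent group | cut -d: -f3 | grep -qx "$gid"; then
        echo lookup+enum
    else
        echo lookup-only
    fi
}

# Returns 0 if USER is a member of GROUP, 1 if not, 2 if either is unknown.
# `id -G` asks NSS for the user's group list, so no enumeration is needed.
user_in_group() {
    user=$1 grp=$2
    entry=$(getent group "$grp") || return 2
    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gids=$(id -G "$user" 2>/dev/null) || return 2
    for g in $gids; do
        [ "$g" = "$gid" ] && return 0
    done
    return 1
}

# Usage: script USER GROUP   (does nothing when sourced without arguments)
if [ "$#" -eq 2 ]; then
    echo "$2: $(group_visibility "$2")"
    if user_in_group "$1" "$2"; then
        echo "$1 is a member of $2"
    else
        echo "$1 is not a member of $2 (or one of them is unknown)"
    fi
fi
```

A result of lookup-only for a domain group means software that walks the group list will not see it, while software that looks the group up by name or asks for the user's group list will.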