[Samba] Printers permissions

Christian HAESSIG christian.haessig at ircad.u-strasbg.fr
Wed Apr 28 08:09:01 GMT 2004


Hi Jerry, Hi everybody,

Thanks for your answer.

Yes, I use winbindd.
I had a better look on what happens, and I found out this :

when I run net getlocalsid, the answer is : SID for domain PRINTSRV2 is:
<sid>
but the domain to which belongs this machine is not PRINTSRV2. Actuellay,
PRINTSRV2 is the netbios name of the samba server ( see conf files below ).

But the net ads join worked without any problem (the computer has been
created in AD), and the getent passwd and getent group returns all
users/groups of the AD domain to which belongs the samba server ; so winbind
seems to work.

Any idea ?
Do you need the log.smbd (in log level 10) ?

Below you will find my smb.conf global section and the krb5.conf file.

Christian


smb.conf :
   workgroup = D_IRCAD
   netbios name = PRINTSRV2
   client use spnego = yes
   unix charset = "UTF8"
   display charset = "UTF8"
   server string = %h server (Samba %v)
   wins support = no
   wins server = 192.168.0.1
   dns proxy = no
   log file = /var/log/samba/log.%m
   log level = 3
   winbind separator = +
   winbind enable local accounts = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   security = ads
   password server = IRCADSRV
   realm = IRCAD.FR
   encrypt passwords = true
   passdb backend = tdbsam guest
   invalid users = root


krb5.conf :
[logging]
  default = FILE:/var/log/krb5/libs.log
  kdc = FILE:/var/log/krb5/kdc.log
  admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
  ticket_lifetime = 24000
  default_realm = IRCAD.FR
  default_tgs_enctypes = des-cbc-crc des-cbc-md5
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  forwardable = true
  proxiable = true
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  IRCAD.FR = {
    kdc = ircadsrv.ircad.fr:88
    default_domain = ircad.fr
  }

 [domain_realm]
   .ircad.fr = IRCAD.FR
   ircad.fr = IRCAD.FR

 [kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf

 [pam]
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

> -----Message d'origine-----
> De : Gerald (Jerry) Carter [mailto:jerry at samba.org]
> Envoye : lundi 19 avril 2004 19:37
> A : Christian HAESSIG
> Cc : samba at lists.samba.org
> Objet : Re: [Samba] Printers permissions
>
>
> Christian HAESSIG wrote:
>
> > So, after check, I found out that the user SIDs seen on
>  > the samba server ARE NOT THE SAME as the ones on the AD domain
>  > controler ! Is this a samba bug ? The wbinfo command works fine,
>  > and returns me all users an groups from the AD domain ...
>
> Are you running winbindd ?
>
> > Another question : do I have to install the acl if I want
>  > to set specific permissions on the printers ? Or is
>  > acl only necessary for disk sharing ?
>
> smbd handles security descriptors for printers internally.
>
>
>
>
> cheers, jerry
>
> ----------------------------------------------------------------------
> Hewlett-Packard            ------------------------- http://www.hp.com
> SAMBA Team                 ---------------------- http://www.samba.org
> GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
> "...a hundred billion castaways looking for a home." ----------- Sting



More information about the samba mailing list