[Samba] A working CUPS authentication now fails without changing anything...
Daniel Carrasco Marín
danielmadrid19 at gmail.com
Mon May 4 11:25:48 MDT 2015
2015-05-04 18:50 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
> Greetings, Daniel Carrasco Marín!
>
> >>> Just a moment ago I've sent a message to another user saying that I have a
> >>> working server with CUPS authentication using AD groups. Well, that
> >>> authentication is not working anymore and I've not changed anything...
> >>>
> >>> On Thursday I was configuring the server to allow the management of CUPS
> >>> with AD groups and it was working perfectly. After that I've added some
> >>> printer aliases to the Samba configuration and I've disabled the
> >>> "load printers" option to hide the real name.
> >>> Today I've tried to log in to CUPS to change the default paper size on
> >>> printers but it failed (local account works). I've not changed any
> >>> configuration in domain or member smb.cfg files (at least in general),
> >>> so I don't know where the problem is...
> >>>
> >>> My smb.conf looks:
> >>> [global]
> >>> workgroup = Domain
> >>> security = ADS
> >>> realm = DOMAIN.RED
> >>> dedicated keytab file = /etc/krb5.keytab
> >>> kerberos method = secrets and keytab
> >>> encrypt passwords = yes
> >>>
> >>> idmap config *:backend = tdb
> >>> idmap config *:range = 10000-20000000
> >>> idmap config DOMAIN:backend = ad
> >>> idmap config DOMAIN:schema_mode = rfc2307
> >>> idmap config DOMAIN:range = 10000-20000000
> >>>
> >>
> >> It might help if you didn't use the same range for '*' and 'DOMAIN'
>
> > Changed to:
> > idmap config *:backend = tdb
> > idmap config *:range = 40000-70000
> > idmap config ND:backend = ad
> > idmap config ND:schema_mode = rfc2307
> > idmap config ND:range = 10000-30000
>
> > Rebooted and same problem. Do I have to clear any cache or something?
>
> Check the actual syslog. And show CUPS configuration too.
> Maybe CUPS is blocked by apparmor and unable to read necessary files
> (i.e. KDC tickets).
>
>
> --
> With best regards,
> Andrey Repin
> Monday, May 4, 2015 19:49:20
>
> Sorry for my terrible English...
I don't have apparmor and on cups I've added the group to SystemGroup:
SystemGroup printadmin lpadmin
and the other settings in cupsd.conf:
LogLevel warn
MaxLogSize 0
# Allow remote access
Port 80
Listen /var/run/cups/cups.sock
# Share local printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseRemoteProtocols
BrowseAddress @LOCAL
BrowseLocalProtocols CUPS dnssd
DefaultAuthType Basic
WebInterface Yes
DefaultLanguage es
<Location />
# Allow shared printing...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin>
Order allow,deny
Allow From *
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
<Policy default>
JobPrivateAccess all
JobPrivateValues none
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM printersjobsmanagers
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy authenticated>
JobPrivateAccess all
JobPrivateValues none
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
and syslog doesn't have any new info:
May 4 18:47:12 print winbindd[2491]: [2015/05/04 18:47:12.659066, 0]
../lib/util/fault.c:72(fault_report)
May 4 18:47:12 print winbindd[2491]:
===============================================================
May 4 18:47:12 print winbindd[2491]: [2015/05/04 18:47:12.659695, 0]
../lib/util/fault.c:73(fault_report)
May 4 18:47:12 print winbindd[2491]: INTERNAL ERROR: Signal 11 in pid
2491 (4.1.17-Debian)
May 4 18:47:12 print winbindd[2491]: Please read the Trouble-Shooting
section of the Samba HOWTO
May 4 18:47:12 print winbindd[2491]: [2015/05/04 18:47:12.660320, 0]
../lib/util/fault.c:75(fault_report)
May 4 18:47:12 print winbindd[2491]:
===============================================================
May 4 18:47:12 print winbindd[2491]: [2015/05/04 18:47:12.660754, 0]
../source3/lib/util.c:785(smb_panic_s3)
May 4 18:47:12 print winbindd[2491]: PANIC (pid 2491): internal error
May 4 18:47:12 print winbindd[2491]: [2015/05/04 18:47:12.662065, 0]
../source3/lib/util.c:896(log_stack_trace)
May 4 18:47:12 print winbindd[2491]: BACKTRACE: 27 stack frames:
May 4 18:47:12 print winbindd[2491]: #0
/usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a)
[0x7f926398be1a]
May 4 18:47:12 print winbindd[2491]: #1
/usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20)
[0x7f926398bef0]
May 4 18:47:12 print winbindd[2491]: #2
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f)
[0x7f9267cc270f]
May 4 18:47:12 print winbindd[2491]: #3
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1e906) [0x7f9267cc2906]
May 4 18:47:12 print winbindd[2491]: #4
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf0a0) [0x7f92680ef0a0]
May 4 18:47:12 print winbindd[2491]: #5
/usr/lib/x86_64-linux-gnu/libkrb5.so.26(krb5_storage_free+0x1)
[0x7f92624cc9e1]
May 4 18:47:12 print winbindd[2491]: #6
/usr/lib/x86_64-linux-gnu/libkrb5.so.26(+0x482ad) [0x7f92624b22ad]
May 4 18:47:12 print winbindd[2491]: #7
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x97bf) [0x7f92645277bf]
May 4 18:47:12 print winbindd[2491]: #8
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x18b)
[0x7f9264527d8b]
May 4 18:47:12 print winbindd[2491]: #9
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0xbb48) [0x7f9264529b48]
May 4 18:47:12 print winbindd[2491]: #10
/usr/lib/x86_64-linux-gnu/libgensec.so.0(gensec_start_mech+0x42)
[0x7f92649ba7e2]
May 4 18:47:12 print winbindd[2491]: #11
/usr/lib/x86_64-linux-gnu/libgensec.so.0(gensec_start_mech_by_oid+0x2e)
[0x7f92649bab3e]
May 4 18:47:12 print winbindd[2491]: #12
/usr/sbin/winbindd(kerberos_return_pac+0x491) [0x7f9268546d61]
May 4 18:47:12 print winbindd[2491]: #13
/usr/sbin/winbindd(winbindd_dual_pam_auth+0xab8) [0x7f926856e558]
May 4 18:47:12 print winbindd[2491]: #14 /usr/sbin/winbindd(+0x663bc)
[0x7f92685843bc]
May 4 18:47:12 print winbindd[2491]: #15
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x986b) [0x7f92619ee86b]
May 4 18:47:12 print winbindd[2491]: #16
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x7d56) [0x7f92619ecd56]
May 4 18:47:12 print winbindd[2491]: #17
/usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d)
[0x7f92619e93ed]
May 4 18:47:12 print winbindd[2491]: #18 /usr/sbin/winbindd(+0x688c0)
[0x7f92685868c0]
May 4 18:47:12 print winbindd[2491]: #19 /usr/sbin/winbindd(+0x68fd5)
[0x7f9268586fd5]
May 4 18:47:12 print winbindd[2491]: #20
/usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xe2)
[0x7f92619e9ca2]
May 4 18:47:12 print winbindd[2491]: #21
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9601) [0x7f92619ee601]
May 4 18:47:12 print winbindd[2491]: #22
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x7d56) [0x7f92619ecd56]
May 4 18:47:12 print winbindd[2491]: #23
/usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d)
[0x7f92619e93ed]
May 4 18:47:12 print winbindd[2491]: #24 /usr/sbin/winbindd(main+0xaeb)
[0x7f926854604b]
May 4 18:47:12 print winbindd[2491]: #25
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f9261678ead]
May 4 18:47:12 print winbindd[2491]: #26 /usr/sbin/winbindd(+0x286bd)
[0x7f92685466bd]
May 4 18:47:12 print winbindd[2491]: [2015/05/04 18:47:12.667553, 0]
../source3/lib/dumpcore.c:312(dump_core)
May 4 18:47:12 print winbindd[2491]: unable to change to
/var/log/samba/cores/winbindd
May 4 18:47:12 print winbindd[2491]: refusing to dump core
Greetings!!
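
Added example (not part of the original message and not Samba project code): a Python triage of the winbindd panic quoted above. It rejoins the mail-wrapped syslog records and reports the signal, the Samba version and the first named frame below Samba's own fault handler; the names `unwrap`, `triage` and `SAMPLE` are made up for this illustration.

```python
import re

# Excerpt of the trace in the message above, kept with its mail line wrapping.
SAMPLE = """\
May 4 18:47:12 print winbindd[2491]: INTERNAL ERROR: Signal 11 in pid
2491 (4.1.17-Debian)
May 4 18:47:12 print winbindd[2491]: #0
/usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a)
[0x7f926398be1a]
May 4 18:47:12 print winbindd[2491]: #4
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf0a0) [0x7f92680ef0a0]
May 4 18:47:12 print winbindd[2491]: #5
/usr/lib/x86_64-linux-gnu/libkrb5.so.26(krb5_storage_free+0x1)
[0x7f92624cc9e1]
May 4 18:47:12 print winbindd[2491]: #8
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x18b)
[0x7f9264527d8b]
May 4 18:47:12 print winbindd[2491]: #13
/usr/sbin/winbindd(winbindd_dual_pam_auth+0xab8) [0x7f926856e558]
"""

PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ \w+\[\d+\]: ?")
SIGNAL = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid\s+(\d+) \(([^)]+)\)")
FRAME = re.compile(r"#(\d+)\s+(\S+?)\((\w*)\+0x[0-9a-f]+\)")
# Frames that belong to Samba's own fault reporting, not to the crash site.
HANDLER = {"log_stack_trace", "smb_panic_s3", "smb_panic"}

def unwrap(text):
    """Rejoin records: a line without a syslog prefix continues the previous one."""
    records = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            records.append(line[m.end():])
        elif records:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return signal, pid, version and the named frames below the fault handler."""
    report = {"signal": None, "pid": None, "version": None, "frames": []}
    for rec in unwrap(text):
        if s := SIGNAL.search(rec):
            report.update(signal=int(s[1]), pid=int(s[2]), version=s[3])
        f = FRAME.search(rec)
        if f and f[3] and f[3] not in HANDLER:  # skip unnamed and handler frames
            report["frames"].append((int(f[1]), f[2].rsplit("/", 1)[-1], f[3]))
    report["faulting"] = report["frames"][0] if report["frames"] else None
    return report
```

On this excerpt `triage(SAMPLE)["faulting"]` is frame #5, `krb5_storage_free` in libkrb5, reached from `gse_krb5_get_server_keytab` during `winbindd_dual_pam_auth`: the winbindd child segfaults while loading its server keytab for a PAM authentication.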