G'day
I need to configure Centos 6.5 desktop systems to bind to an AD domain, so I can setup the clients to be able to print using windows / SMB style printer queues.

I can configure kerberos authentication, with ldap using SSSD, and this works fine. But does not allow users to print to a windows print queue, as in CUPS doesn't see the account as being part of a domain, and print requests are denied.

Question is: What is the best way to configure Centos 6.5 system to bind to an AD domain, (get all the account/password aging/locket etc...) so users can print to printer resources that are authenticated via AD domain accounts.

Is Winbind the way to go, with an smblclient? I can print using this, but its a command line solution, and user has to authenticate every time he/she wants to print.

This type of setup is new to me. Don't know if I need to shut sssd down, as winbind / sssd don't play well. Usernames / passwords in a clear text file are not permitted btw

I hope I have made this clear? fwiw, I have to do the same with ubuntu 14.04.1 too, but I'll leave that until later on.

Thanks all

Wow... didn't think this was so uncommon. I have found something that I believe might do the trick. I don't have time today or tomorrow to work on it. But will try it later this week. In lieu of winbind, I can use adcli, which I believe is a type of "realmd". This will work in conjuction with sssd. My kerberos setup will be the same. Its just a matter of seeing if a user logs into the "domain", will he or her get access to the printers?

So the new question is, to all those out there who have used adcli, does this give you direct access to windows print queue's?

Thanks

Ok, since no one else seems to have done this, I will throw in some of my findings.

Using adcli and sssd, I can bind to the domain, but not under the corporate OU structure, but another less restrictive OU. Which is odd, but something I'm still trying to figure out. So I can create the computer account and password on the domain controller. In addition to that, I can authenticate user accounts and see all of the group memberships, print queues. Authentication is fast, but displaying group credentials is slow as hell, 30 second delay.

I configure sssd to authenticate, basic config:

# authconfig --enablesssd --enablesssdauth --update

Under the [DOMAIN] section in my sssd.conf, I configure the following providers:

id_provider = ad
auth_provider = ad

get that all setup and looking pretty. Run adcli join whatever.com to my bogus CN=xxxx OU=xxx and authenticate as the Administrator of that OU.


This does the trick once I configure the kerberos portion. A user can now ssh into the host and login using his/her windows passwords. The user CANNOT login via X, gdm. I don't know what's wrong with my PAM config. So if someone could point me to or suggest how to enable kerberos authentication via gdm, I'd really appreciate it.

I don't believe that this is a clean solution. In addition to all this fun, the windows clowns created all the corporate print queues with spaces in the names. CUPS hates that, and will now make my life more complicated.

</end of rant>