SELinux attributes in Samba domain

Mikhail Novosyolov m.novosyolov at rosalinux.ru
Tue Sep 15 00:42:49 UTC 2020


Hello everyone!

I am thinking about storing SELinux attributes of domain users in Samba AD domain.

The problem is that Samba AD copies Windows domain, but there is no SELinux in Windows.

Currently FreeIPA can store this as a server in LDAP and sssd can get and apply SELinux attributes from FreeIPA's LDAP:

$ grep -inHr ipaSELinux
src/providers/ipa/ipa_config.h:34:#define IPA_CONFIG_SELINUX_DEFAULT_USER_CTX "ipaSELinuxUserMapDefault"
src/providers/ipa/ipa_config.h:35:#define IPA_CONFIG_SELINUX_MAP_ORDER "ipaSELinuxUserMapOrder"
src/providers/ipa/ipa_opts.c:271:    { "ipa_selinux_usermap_object_class", "ipaselinuxusermap", SYSDB_SELINUX_USERMAP_CLASS, NULL},
src/providers/ipa/ipa_opts.c:276:    { "ipa_selinux_usermap_selinux_user", "ipaSELinuxUser", SYSDB_SELINUX_USER, NULL},

In general it just gets a string and processes it; this email is about storing that string inside the domain per user.

My question is: how can SELinux attributes be stored inside Samba?
I understand that it will not be a standardized name (but maybe we can come up with upstreaming something into sssd...?), but I am ready to stick with something not upstream for now and to try to make SSSD do the same for SELinux in Samba as it does in FreeIPA.

I think I should extend Samba's schema with custom attributes like in the guide http://david-latham.blogspot.com/2012/12/extending-ad-schema-on-samba4.html
And then try to make sssd read those values.
Does it sound like a not very bad approach?

Thanks!