SELinux attributes in Samba domain

Rowland penny rpenny at samba.org
Tue Sep 15 07:10:32 UTC 2020


On 15/09/2020 01:42, Mikhail Novosyolov via samba-technical wrote:
> Hello everyone!
>
> I am thinking about storing SELinux attributes of domain users in Samba AD domain.
>
> The problem is that Samba AD copies Windows domain, but there is no SELinux in Windows.
>
> Currently FreeIPA can store this as a server in LDAP and sssd can get and apply SELinux attributes from FreeIPA's LDAP:
>
> $ grep -inHr ipaSELinux
> src/providers/ipa/ipa_config.h:34:#define IPA_CONFIG_SELINUX_DEFAULT_USER_CTX "ipaSELinuxUserMapDefault"
> src/providers/ipa/ipa_config.h:35:#define IPA_CONFIG_SELINUX_MAP_ORDER "ipaSELinuxUserMapOrder"
> src/providers/ipa/ipa_opts.c:271:    { "ipa_selinux_usermap_object_class", "ipaselinuxusermap", SYSDB_SELINUX_USERMAP_CLASS, NULL},
> src/providers/ipa/ipa_opts.c:276:    { "ipa_selinux_usermap_selinux_user", "ipaSELinuxUser", SYSDB_SELINUX_USER, NULL},
>
> In general it just gets a string and processes it, this email is about storing that string inside the domain per user.
>
> My question is: how can SELinux attributes be stored inside Samba?
> I understand that it will not be a standardized name (but maybe we can come up with upstreamizing something into sssd...?), but I am ready to keep with something not upstream for now and to try to make SSSD do the same for selinux in Samba as it does in FreeIPA.
>
> I think I should extend Samba's scheme with custom attributes like in the guide http://david-latham.blogspot.com/2012/12/extending-ad-schema-on-samba4.html
> And then try to make sssd read those values.
> Does it sound like a not very bad approach?
>
> Thanks!
>
>
We have a wikipage about extending the AD schema:
https://wiki.samba.org/index.php/Samba_AD_schema_extensions

Your problem will come with sssd, it isn't supported by Samba (because
we do not produce it and know little about it) and even Red-Hat no longer
supports its use with Samba.

Rowland
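The thread describes the consumer side of such a schema extension: a client reads one string per user from the directory and applies it as the SELinux login mapping. The block below is an added example, not code from the thread, from Samba or from sssd; it assumes a hypothetical attribute name `sambaSELinuxUser` and parses constructed ldbsearch-style output, rejecting any value that is not a well-formed `seuser:mls_range` so that a malformed directory value never reaches the host's login mapping.

```python
import re

# Constructed sample of what an LDIF dump of extended user objects could look
# like. The attribute name "sambaSELinuxUser" and every value are assumptions
# for this example; "mallory" carries a deliberately malformed value.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
sambaSELinuxUser: staff_u:s0-s0:c0.c1023

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
sambaSELinuxUser: user_u:s0

dn: CN=mallory,CN=Users,DC=example,DC=com
sAMAccountName: mallory
sambaSELinuxUser: unconfined_u:s0 extra-token
"""

# SELinux user identifiers and MLS/MCS levels have a narrow syntax; anything
# outside it is treated as untrusted directory data and dropped.
SEUSER_RE = re.compile(r"^[a-z_][a-z0-9_]*$")
LEVEL_RE = re.compile(r"^s\d+(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?$")


def parse_selinux_mapping(value):
    """Split 'seuser:low[-high]' and return (seuser, mls_range), or None if malformed."""
    seuser, sep, mls = value.partition(":")
    if not sep or not SEUSER_RE.match(seuser):
        return None
    low, _, high = mls.partition("-")
    if not LEVEL_RE.match(low) or (high and not LEVEL_RE.match(high)):
        return None
    return seuser, mls


def mappings_from_ldif(ldif_text, attr="sambaSELinuxUser"):
    """Return {sAMAccountName: (seuser, mls_range)} for entries with a valid attr."""
    result = {}
    for entry in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        name = attrs.get("sAMAccountName", [None])[0]
        raw = attrs.get(attr, [None])[0]
        if name is None or raw is None:
            continue
        parsed = parse_selinux_mapping(raw)
        if parsed is not None:   # malformed values are skipped, never applied
            result[name] = parsed
    return result
```

The same validation applies whatever attribute name you settle on; only the `attr` argument changes.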