SELinux attributes in Samba domain

Rowland penny rpenny at
Tue Sep 15 07:10:32 UTC 2020

On 15/09/2020 01:42, Mikhail Novosyolov via samba-technical wrote:
> Hello everyone!
> I am thinking about storing SELinux attributes of domain users in Samba AD domain.
> The problem is that Samba AD copies Windows domain, but there is no SELinux in Windows.
> Currently FreeIPA can store this as a server in LDAP and sssd can get and apply SELinux attributes from FreeIPA's LDAP:
> $ grep -inHr ipaSELinux
> src/providers/ipa/ipa_config.h:34:#define IPA_CONFIG_SELINUX_DEFAULT_USER_CTX "ipaSELinuxUserMapDefault"
> src/providers/ipa/ipa_config.h:35:#define IPA_CONFIG_SELINUX_MAP_ORDER "ipaSELinuxUserMapOrder"
> src/providers/ipa/ipa_opts.c:271:    { "ipa_selinux_usermap_object_class", "ipaselinuxusermap", SYSDB_SELINUX_USERMAP_CLASS, NULL},
> src/providers/ipa/ipa_opts.c:276:    { "ipa_selinux_usermap_selinux_user", "ipaSELinuxUser", SYSDB_SELINUX_USER, NULL},
> In general it just gets a string and processes it, this email is about storing that string inside the domain per user.
> My question is: how can SELinux attributes be stored inside Samba?
> I understand that it will not be a standardized name (but maybe we can come up with upstreaming something into sssd...?), but I am ready to keep with something not upstream for now and to try to make SSSD do the same for SELinux in Samba as it does in FreeIPA.
> I think I should extend Samba's scheme with custom attributes like in the guide
> And then try to make sssd read those values.
> Does it sound like a not very bad approach?
> Thanks!
We have a wikipage about extending the AD schema:

Your problem will come with sssd, it isn't supported by Samba (because 
we do not produce it and know little about it) and even Red-Hat no longer 
supports its use with Samba.
