SELinux attributes in Samba domain

Andrew Bartlett abartlet at samba.org
Tue Sep 15 07:39:41 UTC 2020


On Tue, 2020-09-15 at 08:10 +0100, Rowland penny via samba-technical
wrote:
> On 15/09/2020 01:42, Mikhail Novosyolov via samba-technical wrote:
> > Hello everyone!
> > 
> > I am thinking about storing SELinux attributes of domain users in
> > Samba AD domain.
> > 
> > The problem is that Samba AD copies Windows domain, but there is no
> > SELinux in Windows.
> > 
> > Currently FreeIPA can store this as a server in LDAP and sssd can
> > get and apply SELinux attributes from FreeIPA's LDAP:
> > 
> > $ grep -inHr ipaSELinux
> > src/providers/ipa/ipa_config.h:34:#define IPA_CONFIG_SELINUX_DEFAULT_USER_CTX "ipaSELinuxUserMapDefault"
> > src/providers/ipa/ipa_config.h:35:#define IPA_CONFIG_SELINUX_MAP_ORDER "ipaSELinuxUserMapOrder"
> > src/providers/ipa/ipa_opts.c:271:    { "ipa_selinux_usermap_object_class", "ipaselinuxusermap", SYSDB_SELINUX_USERMAP_CLASS, NULL},
> > src/providers/ipa/ipa_opts.c:276:    { "ipa_selinux_usermap_selinux_user", "ipaSELinuxUser", SYSDB_SELINUX_USER, NULL},
> > 
> > In general it just gets a string and processes it, this email is
> > about storing that string inside the domain per user.
> > 
> > My question is: how can SELinux attributes be stored inside Samba?
> > I understand that it will not be a standardized name (but maybe we
> > can come up with upstreaming something into sssd...?), but I am
> > ready to keep with something not upstream for now and to try to make
> > SSSD do the same for selinux in Samba as it does in FreeIPA.
> > 
> > I think I should extend Samba's scheme with custom attributes like
> > in the guide 
> > http://david-latham.blogspot.com/2012/12/extending-ad-schema-on-samba4.html
> > And then try to make sssd read those values.
> > Does it sound like a not very bad approach?
> > 
> > Thanks!
> > 
> > 
> We have a wikipage about extending the AD schema:
> https://wiki.samba.org/index.php/Samba_AD_schema_extensions
> 
> Your problem will come with sssd, it isn't supported by Samba (because
> we do not produce it and know little about it) and even Red-Hat no
> longer supports its use with Samba.

For managing pure Linux clients it would be really awesome if we could
make this work well.  I've long dreamed that Samba be the ideal posix
directory server, because there is no good reason why it can't do that
as well as be an AD DC - why should sites have to run both FreeIPA and
Samba (and have the complexity of trusts) just to get really good
management of their Linux clients.

Rowland,

While the combination of Samba and sssd on the same host is a known
problem, outside this case we should work hard to have sssd be a great
domain member in Samba domains, just as much as we hope for good
outcomes for MacOS or Windows clients. 

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba
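As an added illustration of the custom-attribute approach Mikhail describes above (this is example LDIF written for this page, not code from the thread, from Samba or from sssd): one single-valued string attribute holding a per-user SELinux context is added to the Samba AD schema, the User class is allowed to carry it, and a user object is populated. The attribute name sambaSELinuxUser, the OID arc 1.3.6.1.4.1.PLACEHOLDER, the schemaIDGUID value, the domain DN DC=samdom,DC=example,DC=com and the user CN=alice are all assumptions or placeholders; a real deployment uses an OID arc it controls and a freshly generated GUID.

```ldif
# Added example (not from the thread). Placeholders to replace before use:
#   1.3.6.1.4.1.PLACEHOLDER.1.1  -> an OID from an arc you control
#   schemaIDGUID                 -> a freshly generated GUID (e.g. from uuidgen)
#   DC=samdom,DC=example,DC=com  -> your domain
#
# 1. Define the attribute: a Unicode string (attributeSyntax 2.5.5.12 /
#    oMSyntax 64), single-valued, indexed (searchFlags 1).
dn: CN=sambaSELinuxUser,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sambaSELinuxUser
lDAPDisplayName: sambaSELinuxUser
adminDisplayName: sambaSELinuxUser
adminDescription: SELinux user and MLS range applied by Linux clients, e.g. staff_u:s0-s0:c0.c1023
attributeID: 1.3.6.1.4.1.PLACEHOLDER.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
systemOnly: FALSE
schemaIDGUID: 11111111-2222-3333-4444-555555555555

# 2. Let user objects carry it (optional attribute on the User class).
dn: CN=User,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
changetype: modify
add: mayContain
mayContain: sambaSELinuxUser

# 3. Populate it for one (assumed) user; the value is in the
#    user:lowlevel-highlevel form FreeIPA uses for ipaSELinuxUser.
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
replace: sambaSELinuxUser
sambaSELinuxUser: staff_u:s0-s0:c0.c1023
```

Steps 1 and 2 are schema changes, so on a Samba DC they must be loaded with schema updates explicitly allowed, e.g. `ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true schema.ldif` (the sam.ldb path depends on how Samba was installed); step 3 is an ordinary modify that can be applied over LDAP with normal administrative credentials. Because the client will translate this string directly into the confinement a login session receives, the attribute should stay writable only by administrators: a new attribute is not part of any property set that users may write on their own object by default, but verify the effective ACL on user objects after the extension (recent Samba versions provide `samba-tool dsacl get --objectdn=...` for this) rather than assuming it.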
