SELinux attributes in Samba domain

Rowland penny rpenny at
Tue Sep 15 08:04:29 UTC 2020

On 15/09/2020 08:39, Andrew Bartlett wrote:
> On Tue, 2020-09-15 at 08:10 +0100, Rowland penny via samba-technical
> wrote:
>> On 15/09/2020 01:42, Mikhail Novosyolov via samba-technical wrote:
>>> Hello everyone!
>>> I am thinking about storing SELinux attributes of domain users in
>>> Samba AD domain.
>>> The problem is that Samba AD copies Windows domain, but there is no
>>> SELinux in Windows.
>>> Currently FreeIPA can store this as a server in LDAP and sssd can
>>> get and apply SELinux attributes from FreeIPA's LDAP:
>>> $ grep -inHr ipaSELinux
>>> src/providers/ipa/ipa_config.h:34:#define
>>> src/providers/ipa/ipa_config.h:35:#define
>>> src/providers/ipa/ipa_opts.c:271:    {
>>> "ipa_selinux_usermap_object_class", "ipaselinuxusermap",
>>> src/providers/ipa/ipa_opts.c:276:    {
>>> "ipa_selinux_usermap_selinux_user", "ipaSELinuxUser",
>>> In general it just gets a string and processes it, this email is
>>> about storing that string inside the domain per user.
>>> My question is: how can SELinux attributes be stored inside Samba?
>>> I understand that it will not a standartized name (but maybe we can
>>> come up to upstreamizing something into sssd...?), but I am ready
>>> to keep with something not upstream for now and to try to make SSSD
>>> to the same for selinux in Samba as it does in FreeIPA.
>>> I think I should extend Samba's scheme with custom attributes like
>>> in the guide
>>> And then try to make sssd read those values.
>>> Does it sound like a not very bad approach?
>>> Thanks!
>> We have a wikipage about extending  the AD schema:
>> Your problem will come with sssd, it isn't supported by Samba
>> (because
>> we do not produce it and no little about it) and even Red-Hat no
>> longer
>> supports it use with Samba.
> For managing pure Linux clients it would be really awesome if we could
> make this work well.  I've long dreamed that Samba be the ideal posix
> directory server, because there is no good reason why it can't do that
> as well as be an AD DC - why should sites have to run both FreeIPA and
> Samba (and have the complexity of trusts) just to get really good
> management of their Linux clients.
Totally agree with this, it would be great if Samba could do for Linux 
what AD did for Windows.
> Rowland,
> While the combination of Samba and sssd on the same host is a known
> problem, outside this case we should work hard to have sssd be a great
> domain member in Samba domains, just as much as we hope for good
> outcomes for MacOS or Windows clients.
> Andrew Bartlett
Nope, we should make Samba work so well that nobody needs sssd. Lets be 
honest, there is very little that sssd does that Samba doesn't, 
especially when David's GPO tools come on line.

It shouldn't be down to Samba to make sssd work in a Samba domain, it 
should be down to Red-Hat to do this. There are more important things 
that need fixing first, Sysvol for one.


More information about the samba-technical mailing list