SELinux attributes in Samba domain
Mikhail Novosyolov
m.novosyolov at rosalinux.ru
Tue Sep 15 11:16:18 UTC 2020
15 September 2020, 10:39:41 GMT+03:00, Andrew Bartlett via samba-technical <samba-technical at lists.samba.org> writes:
>On Tue, 2020-09-15 at 08:10 +0100, Rowland penny via samba-technical
>wrote:
>> On 15/09/2020 01:42, Mikhail Novosyolov via samba-technical wrote:
>> > Hello everyone!
>> >
>> > I am thinking about storing SELinux attributes of domain users in
>> > Samba AD domain.
>> >
>> > The problem is that Samba AD copies Windows domain, but there is no
>> > SELinux in Windows.
>> >
>> > Currently FreeIPA can store this as a server in LDAP and sssd can
>> > get and apply SELinux attributes from FreeIPA's LDAP:
>> >
>> > $ grep -inHr ipaSELinux
>> > src/providers/ipa/ipa_config.h:34:#define
>> > IPA_CONFIG_SELINUX_DEFAULT_USER_CTX "ipaSELinuxUserMapDefault"
>> > src/providers/ipa/ipa_config.h:35:#define
>> > IPA_CONFIG_SELINUX_MAP_ORDER "ipaSELinuxUserMapOrder"
>> > src/providers/ipa/ipa_opts.c:271: {
>> > "ipa_selinux_usermap_object_class", "ipaselinuxusermap",
>> > SYSDB_SELINUX_USERMAP_CLASS, NULL},
>> > src/providers/ipa/ipa_opts.c:276: {
>> > "ipa_selinux_usermap_selinux_user", "ipaSELinuxUser",
>> > SYSDB_SELINUX_USER, NULL},
>> >
>> > In general it just gets a string and processes it, this email is
>> > about storing that string inside the domain per user.
>> >
>> > My question is: how can SELinux attributes be stored inside Samba?
>> > I understand that it will not be a standardized name (but maybe we can
>> > come up to upstreamizing something into sssd...?), but I am ready
>> > to keep with something not upstream for now and to try to make SSSD
>> > do the same for selinux in Samba as it does in FreeIPA.
>> >
>> > I think I should extend Samba's scheme with custom attributes like
>> > in the guide
>> >
>http://david-latham.blogspot.com/2012/12/extending-ad-schema-on-samba4.html
>> > And then try to make sssd read those values.
>> > Does it sound like a not very bad approach?
>> >
>> > Thanks!
>> >
>> >
>> We have a wikipage about extending the AD schema:
>> https://wiki.samba.org/index.php/Samba_AD_schema_extensions
>>
>> Your problem will come with sssd, it isn't supported by Samba
>> (because
>> we do not produce it and know little about it) and even Red-Hat no
>> longer
>> supports its use with Samba.
>
>For managing pure Linux clients it would be really awesome if we could
>make this work well. I've long dreamed that Samba be the ideal posix
>directory server, because there is no good reason why it can't do that
>as well as be an AD DC - why should sites have to run both FreeIPA and
>Samba (and have the complexity of trusts) just to get really good
>management of their Linux clients.
Yes! FreeIPA is a great thing, but a VERY complex and resource hungry one!
>
>Rowland,
>
>While the combination of Samba and sssd on the same host is a known
>problem,
Why may it be needed to run samba and sssd on the same host? Samba is a server, sssd is a client, but it probably does use smbd? Which problems are there?
>outside this case we should work hard to have sssd be a great
>domain member in Samba domains, just as much as we hope for good
>outcomes for MacOS or Windows clients.
--
Sorry for the brevity, sent from K-9 Mail.
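As an added illustration of the schema-extension approach discussed in this thread (not code from the original message, the Samba project, or the linked guides), the LDIF below sketches what storing a per-user SELinux context in Samba AD could look like: one custom string attribute, an auxiliary class that carries it, a schema cache refresh, and one user object updated. Every name here is hypothetical, the OID arc 1.3.6.1.4.1.99999 is a placeholder that must be replaced with an arc the site actually owns, and the base DN DC=example,DC=com is assumed. The only thing that gives such an attribute any security meaning is a client (sssd or otherwise) that reads it, validates it strictly against the local SELinux policy, and refuses to apply malformed or unknown contexts; the directory itself just stores a string.

```ldif
# Hypothetical schema extension for a per-user SELinux context in Samba AD.
# PLACEHOLDER OIDs: 1.3.6.1.4.1.99999.* is not a registered arc; use your own.
# Assumed base DN: DC=example,DC=com

# 1. The attribute: a single-valued, indexed Unicode string such as
#    "staff_u:s0-s0:c0.c1023" (SELinux user plus MLS/MCS range).
dn: CN=exampleSELinuxUser,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: exampleSELinuxUser
lDAPDisplayName: exampleSELinuxUser
adminDescription: SELinux user context to apply to this account on Linux clients (site extension)
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1

# 2. An auxiliary class so the attribute can be attached to existing users
#    without changing the user class itself.
dn: CN=exampleSELinuxUserInfo,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: top
objectClass: classSchema
cn: exampleSELinuxUserInfo
lDAPDisplayName: exampleSELinuxUserInfo
adminDescription: Auxiliary class carrying exampleSELinuxUser (site extension)
governsID: 1.3.6.1.4.1.99999.2.1
objectClassCategory: 3
subClassOf: top
rDNAttID: cn
mayContain: exampleSELinuxUser
defaultObjectCategory: CN=exampleSELinuxUserInfo,CN=Schema,CN=Configuration,DC=example,DC=com

# 3. Ask the DC to reload its schema cache so the new definitions are usable.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# 4. Attach the class and a value to one (assumed) user object.
dn: CN=Alice Example,CN=Users,DC=example,DC=com
changetype: modify
add: objectClass
objectClass: exampleSELinuxUserInfo
-
add: exampleSELinuxUser
exampleSELinuxUser: staff_u:s0-s0:c0.c1023
-
```

Schema changes are applied directly against sam.ldb on the DC with schema updates explicitly enabled (the Samba wiki page cited above describes the exact ldbmodify invocation); AD schema additions cannot be undone, so test the LDIF on a throwaway DC first. Because the value is free text in the directory, a client that consumes it should validate the SELinux user against the names that exist in the local policy (for example by comparing against `semanage user -l` output) before writing anything to the seusers mapping, and should treat a missing or unparseable attribute as "use the default context", not as an error that blocks login.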