SELinux attributes in Samba domain

Rowland penny rpenny at
Tue Sep 15 11:42:05 UTC 2020

On 15/09/2020 12:16, Mikhail Novosyolov wrote:
> On 15 September 2020 10:39:41 GMT+03:00, Andrew Bartlett via samba-technical <samba-technical at> wrote:
>> On Tue, 2020-09-15 at 08:10 +0100, Rowland penny via samba-technical
>> wrote:
>>> On 15/09/2020 01:42, Mikhail Novosyolov via samba-technical wrote:
>>>> Hello everyone!
>>>> I am thinking about storing SELinux attributes of domain users in
>>>> Samba AD domain.
>>>> The problem is that Samba AD copies Windows domain, but there is no
>>>> SELinux in Windows.
>>>> Currently FreeIPA can store this as a server in LDAP and sssd can
>>>> get and apply SELinux attributes from FreeIPA's LDAP:
>>>> $ grep -inHr ipaSELinux
>>>> src/providers/ipa/ipa_config.h:34:#define
>>>> src/providers/ipa/ipa_config.h:35:#define
>>>> src/providers/ipa/ipa_opts.c:271:    {
>>>> "ipa_selinux_usermap_object_class", "ipaselinuxusermap",
>>>> src/providers/ipa/ipa_opts.c:276:    {
>>>> "ipa_selinux_usermap_selinux_user", "ipaSELinuxUser",
>>>> In general it just gets a string and processes it, this email is
>>>> about storing that string inside the domain per user.
>>>> My question is: how can SELinux attributes be stored inside Samba?
>>>> I understand that it will not be a standardized name (but maybe we can
>>>> come up to upstreamizing something into sssd...?), but I am ready
>>>> to keep with something not upstream for now and to try to make SSSD
>>>> do the same for selinux in Samba as it does in FreeIPA.
>>>> I think I should extend Samba's scheme with custom attributes like
>>>> in the guide
>>>> And then try to make sssd read those values.
>>>> Does it sound like a not very bad approach?
>>>> Thanks!
>>> We have a wikipage about extending the AD schema:
>>> Your problem will come with sssd, it isn't supported by Samba (because
>>> we do not produce it and know little about it) and even Red-Hat no
>>> longer supports its use with Samba.
>> For managing pure Linux clients it would be really awesome if we could
>> make this work well.  I've long dreamed that Samba be the ideal posix
>> directory server, because there is no good reason why it can't do that
>> as well as be an AD DC - why should sites have to run both FreeIPA and
>> Samba (and have the complexity of trusts) just to get really good
>> management of their Linux clients.
> Yes! FreeIPA is a great thing, but a VERY complex and resource hungry one!
>> Rowland,
>> While the combination of Samba and sssd on the same host is a known
>> problem,
> Why may it be needed to run samba and sssd on the same host? Samba is a server, sssd is a client, but it probably does use smbd? Which problems are there?

There are a lot of people out there using sssd with Samba, which was 
okay before Samba 4.8.0, but isn't now. Samba is a server, but it is 
also a client and it can be both at the same time.

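As an added illustration of the schema-extension approach discussed above (not part of the thread, and not taken from the Samba wiki page Rowland refers to), the following LDIF sketches the two schema objects a per-user SELinux string would need in Samba AD, followed by the schema reload and a sample user modification. The attribute and class names, the OIDs under `1.3.6.1.4.1.99999` and the domain `DC=example,DC=com` are placeholders; replace the OIDs with ones from an OID arc your organisation controls before loading this into a real domain.

```ldif
# --- 1. A single-valued Unicode string attribute for the SELinux user ---
# Placeholder names/OIDs: sambaSELinuxUser, 1.3.6.1.4.1.99999.1.1
dn: CN=sambaSELinuxUser,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sambaSELinuxUser
lDAPDisplayName: sambaSELinuxUser
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
# searchFlags 1 = indexed, so sssd-style lookups by this value stay cheap
searchFlags: 1

# --- 2. An auxiliary class that may carry the attribute ---
# objectClassCategory 3 = auxiliary, so it can be attached to existing users
dn: CN=sambaSELinuxPerson,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: top
objectClass: classSchema
cn: sambaSELinuxPerson
lDAPDisplayName: sambaSELinuxPerson
governsID: 1.3.6.1.4.1.99999.2.1
objectClassCategory: 3
subClassOf: top
mayContain: sambaSELinuxUser

# --- 3. Ask the directory to reload the schema cache ---
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# --- 4. Attach the class and a constructed SELinux user string to one account ---
# "staff_u:s0-s0:c0.c1023" is a constructed sample value in the FreeIPA
# ipaSELinuxUser format (seuser:mls_range); adjust to the site's policy.
dn: CN=alice,CN=Users,DC=example,DC=com
changetype: modify
add: objectClass
objectClass: sambaSELinuxPerson
-
add: sambaSELinuxUser
sambaSELinuxUser: staff_u:s0-s0:c0.c1023
-
```

Steps 1 to 3 are applied once against sam.ldb on a DC (for example with `ldbmodify` over LDAP as a schema admin); step 4 is a normal per-user modify, and the client side (sssd reading the value and handing it to libsemanage) is the part the thread notes is not provided by Samba.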