SELinux attributes in Samba domain

Mikhail Novosyolov m.novosyolov at
Tue Sep 15 13:38:40 UTC 2020

On 15 September 2020 14:50:52 GMT+03:00, Rowland penny via samba-technical <samba-technical at> wrote:
>On 15/09/2020 12:08, Mikhail Novosyolov wrote:
>> On 15 September 2020 10:10:32 GMT+03:00, Rowland penny via samba-technical <samba-technical at> wrote:
>>> Your problem will come with sssd, it isn't supported by Samba
>>> we do not produce it and know little about it) and even Red-Hat no
>>> supports it use with Samba.
>> What is the problem to use sssd as a client to enroll into Samba AD
>Before Samba 4.8.0, the smbd daemon could contact AD directly, this
>meant you could use sssd with Samba, instead of using winbind. From 
>Samba 4.8.0, if 'security = ADS' is set in smb.conf, smbd must contact 
>winbind, it can no longer contact AD directly. You cannot install sssd 
>and winbind together, they both have their own versions of the winbind

Yeah, I know that sssd has its own, but did not study the details. I still can't understand the initial problem. If sssd and wbclient conflict on the client side, samba's winbind may be turned off, right? What prevents one from using sssd as a client for samba domains?

>If you want to extend the schema to store selinux data, then this
>be possible (you just need the correct .ldif), but you would then need 
>a tool to extract them from AD.
In case of using pam_winbind, will it be sth like making an ldap query (using ldapsearch? or which tool will be better?) in the PAM stack after pam_winbind, authenticating via kerberos and making a query for the current user name?
