SELinux attributes in Samba domain
Mikhail Novosyolov
m.novosyolov at rosalinux.ru
Tue Sep 15 13:38:40 UTC 2020
15 сентября 2020 г. 14:50:52 GMT+03:00, Rowland penny via samba-technical <samba-technical at lists.samba.org> пишет:
>On 15/09/2020 12:08, Mikhail Novosyolov wrote:
>>
>> 15 сентября 2020 г. 10:10:32 GMT+03:00, Rowland penny via
>samba-technical <samba-technical at lists.samba.org> пишет:
>>> Your problem will come with sssd, it isn't supported by Samba
>(because
>>> we do not produce it and no little about it) and even Red-Hat no
>longer
>>> supports it use with Samba.
>>>
>> What is the problem to use sssd as a client to enroll into Samba AD
>domain?
>
>Before Samba 4.8.0 , the smbd deamon could contact AD directly, this
>meant you could use sssd with Samba, instead of using winbind. From
>Samba 4.8.0, if 'security = ADS' is set in smb.conf, smbd must contact
>winbind, it can no longer contact AD directly. You cannot install sssd
>and winbind together, they both have their own versions of the winbind
>libs.
Yeah, I know that sssd has its own libwbclient.so.0, but did not study details. I still can't understand the initial problem. If sssd and wbclient conflict on the client side, samba's winbind may be turned off, right? What does prevent from using sssd as a client for samba domains?
>
>If you want to extend the schema to store selinux data, then this
>should
>be possible (you just need the correct .ldif), but you would then need
>
>a tool to extract them from AD.
>
In case of using pam_winbind, will it be sth like making an ldap query (using ldspsearch? or which tool will be better?) in PAM stack after pam_winbind, authenticating via kerberos and making a query for the current user name?
More information about the samba-technical
mailing list