SELinux attributes in Samba domain

Rowland penny rpenny at samba.org
Tue Sep 15 14:41:28 UTC 2020


On 15/09/2020 14:38, Mikhail Novosyolov wrote:
>
> On 15 September 2020 at 14:50:52 GMT+03:00, Rowland penny via samba-technical <samba-technical at lists.samba.org> writes:
>> On 15/09/2020 12:08, Mikhail Novosyolov wrote:
>>> On 15 September 2020 at 10:10:32 GMT+03:00, Rowland penny via samba-technical <samba-technical at lists.samba.org> writes:
>>>> Your problem will come with sssd, it isn't supported by Samba (because
>>>> we do not produce it and know little about it) and even Red-Hat no longer
>>>> supports its use with Samba.
>>>>
>>> What is the problem to use sssd as a client to enroll into Samba AD domain?
>>
>> Before Samba 4.8.0, the smbd daemon could contact AD directly, this
>> meant you could use sssd with Samba, instead of using winbind. From
>> Samba 4.8.0, if 'security = ADS' is set in smb.conf, smbd must contact
>> winbind, it can no longer contact AD directly. You cannot install sssd
>> and winbind together, they both have their own versions of the winbind
>> libs.
> Yeah, I know that sssd has its own libwbclient.so.0, but did not study details. I still can't understand the initial problem. If sssd and wbclient conflict on the client side, samba's winbind may be turned off, right? What does prevent from using sssd as a client for samba domains?
>
>> If you want to extend the schema to store selinux data, then this should
>> be possible (you just need the correct .ldif), but you would then need
>> a tool to extract them from AD.
>>
> In case of using pam_winbind, will it be something like making an ldap query (using ldapsearch? or which tool will be better?) in PAM stack after pam_winbind, authenticating via kerberos and making a query for the current user name?
>
From here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers

There is this:

Important

Red Hat only supports running Samba as a server with the winbindd 
service to provide domain users and groups to the local system. Due to 
certain limitations, such as missing Windows access control list (ACL) 
support and NT LAN Manager (NTLM) fallback, SSSD is not supported.

I do not care if anyone says you can use sssd, the Red-Hat documentation 
says otherwise and they should know, they produce sssd.

Do not think that you can use sssd on a Linux client, because as soon as 
you add one share, it turns into a server as well, or should we just 
tell everyone not to use Samba as a server?

Rowland
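As an added illustration of the schema-extension route mentioned above (example material, not code from this thread or from the Samba project), the LDIF below defines one hypothetical attribute, selinuxUser, attaches it to the User class so it can be set on domain accounts, and tells the DC to reload its schema cache; the comments carry the commands a DC and a client would use to apply it and read it back. The attribute name, its description, the domain DC=example,DC=com and the OID under 1.3.6.1.4.1.99999 are all placeholders: a real extension needs an OID from your own registered arc and should be tested on a lab domain first, since schema additions cannot be removed.

```ldif
# Added example: hypothetical Samba AD schema extension for an SELinux user
# mapping attribute. All names, the domain and the OID are placeholders.
#
# Apply on a DC against the local sam.ldb (schema updates are refused over
# LDAP unless this option is set):
#   ldbmodify -H /var/lib/samba/private/sam.ldb \
#       --option="dsdb:schema update allowed"=true selinux-schema.ldif
dn: CN=selinuxUser,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: selinuxUser
lDAPDisplayName: selinuxUser
adminDescription: SELinux user mapping for a domain account (example)
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1

# Make the new attribute optional on user objects.
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: modify
add: mayContain
mayContain: selinuxUser

# Ask the DC to reload its schema cache so the attribute is usable at once.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1

# Reading the value back from a domain member with a Kerberos ticket, which
# is the "tool to extract them from AD" part of the discussion; the query
# below is an ldbsearch invocation, not something pam_winbind does itself:
#   kinit alice
#   ldbsearch -H ldap://dc1.example.com -k yes \
#       '(sAMAccountName=alice)' selinuxUser
```

Whatever consumes the value on the client (a PAM module, a login script, an SSSD-free wrapper around ldbsearch) has to run after authentication, because the lookup above depends on a valid Kerberos ticket; the attribute is only readable by accounts allowed to read the user object, so the DC's ACLs decide who can see it.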
