SELinux attributes in Samba domain

Tue Sep 15 14:52:47 UTC 2020

On ti, 15 syys 2020, Rowland penny via samba-technical wrote:
> On 15/09/2020 14:38, Mikhail Novosyolov wrote:
> > 
> > 15 сентября 2020 г. 14:50:52 GMT+03:00, Rowland penny via samba-technical <samba-technical at lists.samba.org> пишет:
> > > On 15/09/2020 12:08, Mikhail Novosyolov wrote:
> > > > 15 сентября 2020 г. 10:10:32 GMT+03:00, Rowland penny via
> > > samba-technical <samba-technical at lists.samba.org> пишет:
> > > > > Your problem will come with sssd, it isn't supported by Samba
> > > (because
> > > > > we do not produce it and no little about it) and even Red-Hat no
> > > longer
> > > > > supports it use with Samba.
> > > > > 
> > > > What is the problem to use sssd as a client to enroll into Samba AD
> > > domain?
> > > 
> > > Before Samba 4.8.0 , the smbd deamon could contact AD directly, this
> > > meant you could use sssd with Samba, instead of using winbind. From
> > > Samba 4.8.0, if 'security = ADS' is set in smb.conf, smbd must contact
> > > winbind, it can no longer contact AD directly. You cannot install sssd
> > > and winbind together, they both have their own versions of the winbind
> > > libs.
> > Yeah, I know that sssd has its own libwbclient.so.0, but did not study details. I still can't understand the initial problem. If sssd and wbclient conflict on the client side, samba's winbind may be turned off, right? What does prevent from using sssd as a client for samba domains?
> > 
> > > If you want to extend the schema to store selinux data, then this
> > > should
> > > be possible (you just need the correct .ldif), but you would then need
> > > 
> > > a tool to extract them from AD.
> > > 
> > In case of using pam_winbind, will it be sth like making an ldap query (using ldspsearch? or which tool will be better?) in PAM stack after pam_winbind, authenticating via kerberos and making a query for the current user name?
> > 
> From here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
> 
> There is this:
> 
> Important
> 
> Red Hat only supports running Samba as a server with the |winbindd| service
> to provide domain users and groups to the local system. Due to certain
> limitations, such as missing Windows access control list (ACL) support and
> NT LAN Manager (NTLM) fallback, SSSD is not supported.
> 
> I do not care if anyone says you can use sssd, the Red-Hat documentation
> says otherwise and they should know , they produce sssd.
> 
> Do not think that you can use sssd on a Linux client, because as soon as you
> add one share, it turns into a server as well, or should we just tell
> everyone not to use Samba as a server ??

It depends on a use case, as always. Running Samba server on a client
enrolled into RHEL IdM (FreeIPA) is supported as a technology preview.
This might give you some idea of a direction where supported
configurations are moving.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm

Rowland, I think you are overly complicating the situation.  There is a
certain amount of work to do, sure, and we are discussing what is ought
to be done to get that working. There is no need to critically
force-reject anyone attempting to improve our options.

-- 
/ Alexander Bokovoy