SELinux attributes in Samba domain
Rowland penny
rpenny at samba.org
Tue Sep 15 15:01:51 UTC 2020
On 15/09/2020 15:52, Alexander Bokovoy wrote:
> On ti, 15 syys 2020, Rowland penny via samba-technical wrote:
>> On 15/09/2020 14:38, Mikhail Novosyolov wrote:
>>> 15 сентября 2020 г. 14:50:52 GMT+03:00, Rowland penny via samba-technical <samba-technical at lists.samba.org> пишет:
>>>> On 15/09/2020 12:08, Mikhail Novosyolov wrote:
>>>>> 15 сентября 2020 г. 10:10:32 GMT+03:00, Rowland penny via
>>>> samba-technical <samba-technical at lists.samba.org> пишет:
>>>>>> Your problem will come with sssd, it isn't supported by Samba
>>>> (because
>>>>>> we do not produce it and no little about it) and even Red-Hat no
>>>> longer
>>>>>> supports it use with Samba.
>>>>>>
>>>>> What is the problem to use sssd as a client to enroll into Samba AD
>>>> domain?
>>>>
>>>> Before Samba 4.8.0 , the smbd deamon could contact AD directly, this
>>>> meant you could use sssd with Samba, instead of using winbind. From
>>>> Samba 4.8.0, if 'security = ADS' is set in smb.conf, smbd must contact
>>>> winbind, it can no longer contact AD directly. You cannot install sssd
>>>> and winbind together, they both have their own versions of the winbind
>>>> libs.
>>> Yeah, I know that sssd has its own libwbclient.so.0, but did not study details. I still can't understand the initial problem. If sssd and wbclient conflict on the client side, samba's winbind may be turned off, right? What does prevent from using sssd as a client for samba domains?
>>>
>>>> If you want to extend the schema to store selinux data, then this
>>>> should
>>>> be possible (you just need the correct .ldif), but you would then need
>>>>
>>>> a tool to extract them from AD.
>>>>
>>> In case of using pam_winbind, will it be sth like making an ldap query (using ldspsearch? or which tool will be better?) in PAM stack after pam_winbind, authenticating via kerberos and making a query for the current user name?
>>>
>> From here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
>>
>> There is this:
>>
>> Important
>>
>> Red Hat only supports running Samba as a server with the |winbindd| service
>> to provide domain users and groups to the local system. Due to certain
>> limitations, such as missing Windows access control list (ACL) support and
>> NT LAN Manager (NTLM) fallback, SSSD is not supported.
>>
>> I do not care if anyone says you can use sssd, the Red-Hat documentation
>> says otherwise and they should know , they produce sssd.
>>
>> Do not think that you can use sssd on a Linux client, because as soon as you
>> add one share, it turns into a server as well, or should we just tell
>> everyone not to use Samba as a server ??
> It depends on a use case, as always. Running Samba server on a client
> enrolled into RHEL IdM (FreeIPA) is supported as a technology preview.
> This might give you some idea of a direction where supported
> configurations are moving.
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm
>
> Rowland, I think you are overly complicating the situation. There is a
> certain amount of work to do, sure, and we are discussing what is ought
> to be done to get that working. There is no need to critically
> force-reject anyone attempting to improve our options.
>
>
No, Alexander, what I am pointing out is that Samba doesn't really need
sssd, so why waste Samba development time on it. If Red-Hat wants to
make sssd work with Samba, then that would be a different thing. Mind
you, this is just my opinion.
Rowland
More information about the samba-technical
mailing list