SELinux attributes in Samba domain

Rowland penny rpenny at
Tue Sep 15 15:01:51 UTC 2020

On 15/09/2020 15:52, Alexander Bokovoy wrote:
> On ti, 15 syys 2020, Rowland penny via samba-technical wrote:
>> On 15/09/2020 14:38, Mikhail Novosyolov wrote:
>>> 15 сентября 2020 г. 14:50:52 GMT+03:00, Rowland penny via samba-technical <samba-technical at> пишет:
>>>> On 15/09/2020 12:08, Mikhail Novosyolov wrote:
>>>>> 15 сентября 2020 г. 10:10:32 GMT+03:00, Rowland penny via
>>>> samba-technical <samba-technical at> пишет:
>>>>>> Your problem will come with sssd, it isn't supported by Samba
>>>> (because
>>>>>> we do not produce it and no little about it) and even Red-Hat no
>>>> longer
>>>>>> supports it use with Samba.
>>>>> What is the problem to use sssd as a client to enroll into Samba AD
>>>> domain?
>>>> Before Samba 4.8.0 , the smbd deamon could contact AD directly, this
>>>> meant you could use sssd with Samba, instead of using winbind. From
>>>> Samba 4.8.0, if 'security = ADS' is set in smb.conf, smbd must contact
>>>> winbind, it can no longer contact AD directly. You cannot install sssd
>>>> and winbind together, they both have their own versions of the winbind
>>>> libs.
>>> Yeah, I know that sssd has its own, but did not study details. I still can't understand the initial problem. If sssd and wbclient conflict on the client side, samba's winbind may be turned off, right? What does prevent from using sssd as a client for samba domains?
>>>> If you want to extend the schema to store selinux data, then this
>>>> should
>>>> be possible (you just need the correct .ldif), but you would then need
>>>> a tool to extract them from AD.
>>> In case of using pam_winbind, will it be sth like making an ldap query (using ldspsearch? or which tool will be better?) in PAM stack after pam_winbind, authenticating via kerberos and making a query for the current user name?
>>  From here:
>> There is this:
>> Important
>> Red Hat only supports running Samba as a server with the |winbindd| service
>> to provide domain users and groups to the local system. Due to certain
>> limitations, such as missing Windows access control list (ACL) support and
>> NT LAN Manager (NTLM) fallback, SSSD is not supported.
>> I do not care if anyone says you can use sssd, the Red-Hat documentation
>> says otherwise and they should know , they produce sssd.
>> Do not think that you can use sssd on a Linux client, because as soon as you
>> add one share, it turns into a server as well, or should we just tell
>> everyone not to use Samba as a server ??
> It depends on a use case, as always. Running Samba server on a client
> enrolled into RHEL IdM (FreeIPA) is supported as a technology preview.
> This might give you some idea of a direction where supported
> configurations are moving.
> Rowland, I think you are overly complicating the situation.  There is a
> certain amount of work to do, sure, and we are discussing what is ought
> to be done to get that working. There is no need to critically
> force-reject anyone attempting to improve our options.
No, Alexander, what I am pointing out is that Samba doesn't really need 
sssd, so why waste Samba development time on it. If Red-Hat wants to 
make sssd work with Samba, then that would be a different thing. Mind 
you, this is just my opinion.


More information about the samba-technical mailing list