SELinux attributes in Samba domain

Alexander Bokovoy ab at samba.org
Tue Sep 15 15:06:21 UTC 2020


On Tue, 15 Sep 2020, Rowland penny via samba-technical wrote:
> On 15/09/2020 15:52, Alexander Bokovoy wrote:
> > On Tue, 15 Sep 2020, Rowland penny via samba-technical wrote:
> > > On 15/09/2020 14:38, Mikhail Novosyolov wrote:
> > > > On 15 September 2020 14:50:52 GMT+03:00, Rowland penny via samba-technical <samba-technical at lists.samba.org> wrote:
> > > > > On 15/09/2020 12:08, Mikhail Novosyolov wrote:
> > > > > > On 15 September 2020 10:10:32 GMT+03:00, Rowland penny via
> > > > > > samba-technical <samba-technical at lists.samba.org> wrote:
> > > > > > > Your problem will come with sssd, it isn't supported by Samba
> > > > > > > (because we do not produce it and know little about it) and even
> > > > > > > Red Hat no longer supports its use with Samba.
> > > > > > > 
> > > > > > What is the problem to use sssd as a client to enroll into Samba AD
> > > > > domain?
> > > > > 
> > > > > Before Samba 4.8.0, the smbd daemon could contact AD directly, this
> > > > > meant you could use sssd with Samba, instead of using winbind. From
> > > > > Samba 4.8.0, if 'security = ADS' is set in smb.conf, smbd must contact
> > > > > winbind, it can no longer contact AD directly. You cannot install sssd
> > > > > and winbind together, they both have their own versions of the winbind
> > > > > libs.
> > > > Yeah, I know that sssd has its own libwbclient.so.0, but did not study details. I still can't understand the initial problem. If sssd and wbclient conflict on the client side, samba's winbind may be turned off, right? What does prevent from using sssd as a client for samba domains?
> > > > 
> > > > > If you want to extend the schema to store selinux data, then this
> > > > > should
> > > > > be possible (you just need the correct .ldif), but you would then need
> > > > > 
> > > > > a tool to extract them from AD.
> > > > > 
> > > > In case of using pam_winbind, will it be something like making an LDAP query (using ldapsearch? or which tool will be better?) in the PAM stack after pam_winbind, authenticating via Kerberos and making a query for the current user name?
> > > > 
> > > From here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
> > > 
> > > There is this:
> > > 
> > > Important
> > > 
> > > Red Hat only supports running Samba as a server with the winbindd service
> > > to provide domain users and groups to the local system. Due to certain
> > > limitations, such as missing Windows access control list (ACL) support and
> > > NT LAN Manager (NTLM) fallback, SSSD is not supported.
> > > 
> > > I do not care if anyone says you can use sssd, the Red Hat documentation
> > > says otherwise and they should know, they produce sssd.
> > > 
> > > Do not think that you can use sssd on a Linux client, because as soon as you
> > > add one share, it turns into a server as well, or should we just tell
> > > everyone not to use Samba as a server?
> > It depends on a use case, as always. Running Samba server on a client
> > enrolled into RHEL IdM (FreeIPA) is supported as a technology preview.
> > This might give you some idea of a direction where supported
> > configurations are moving.
> > 
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm
> > 
> > Rowland, I think you are overly complicating the situation. There is a
> > certain amount of work to do, sure, and we are discussing what ought
> > to be done to get that working. There is no need to critically
> > force-reject anyone attempting to improve our options.
> > 
> > 
> No, Alexander, what I am pointing out is that Samba doesn't really need
> sssd, so why waste Samba development time on it. If Red Hat wants to make
> sssd work with Samba, then that would be a different thing. Mind you, this
> is just my opinion.

Re-read my recommendation and you'll see that what I proposed has
nothing to do with SSSD. The suggestions I gave would work for any client of
Samba AD DC, including pam_winbind. They aren't for tying anything to
SSSD, btw.

Let us focus on the technical part of the discussion.


-- 
/ Alexander Bokovoy
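The thread mentions two concrete pieces of work: extending the AD schema to carry SELinux data, and a client-side tool that fetches that data for the logged-in user (for example with a Kerberos-authenticated ldapsearch after pam_winbind) and applies it locally. The following is an added example, written for this page and not code from Samba, SSSD or any of the posters. It assumes a hypothetical single-valued attribute named seLinuxUser has already been added to the schema (the schema LDIF itself is not shown, since a real extension needs a registered OID), and it parses the LDIF that an OpenLDAP `ldapsearch -LLL -Y GSSAPI` query would print. The LDIF input is constructed inline. Two details a practitioner wants are handled: LDIF folding and base64 (`::`) values, which ldapsearch emits whenever a value contains non-ASCII or leading spaces, and an allow-list of SELinux users, because a directory attribute that any delegated admin can write must not be able to hand out an arbitrary SELinux user to a host.

```python
"""Turn a (hypothetical) seLinuxUser attribute from Samba AD into semanage login mappings.

Added example: not part of the original mailing-list post or of Samba.
Assumptions, labelled hypothetical:
  - the AD schema carries a single-valued attribute "seLinuxUser"
  - the host resolves domain users as DOMAIN\\user (winbind without
    'winbind use default domain'); adjust login_name() if not.
"""
import base64

SELINUX_ATTR = "seLinuxUser"  # hypothetical attribute, not a real Samba AD schema attribute

# Allow-list: only SELinux users the host actually defines may be mapped.
VALID_SEUSERS = {"staff_u", "user_u", "sysadm_u", "unconfined_u", "guest_u", "xguest_u"}

# Constructed sample of what
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.example.com -b DC=example,DC=com \
#       "(objectClass=user)" sAMAccountName seLinuxUser
# might print (entries with no seLinuxUser would simply lack that line).
# bob's value is base64-encoded (::), carol's is folded onto two lines,
# dave's value is not on the allow-list and must be rejected.
SAMPLE_LDIF = """dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
seLinuxUser: staff_u

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
seLinuxUser:: dXNlcl91

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
seLinuxUser: sysadm
 _u

dn: CN=dave,CN=Users,DC=example,DC=com
sAMAccountName: dave
seLinuxUser: root_u

"""


def parse_ldif(text):
    """Parse LDIF into a list of entries; each entry maps lowercased
    attribute name -> list of string values.

    Continuation lines (one leading space) are unfolded first; '::' values
    are base64-decoded; '#' comments and '<' URL values are skipped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            continue
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def login_name(sam, domain):
    """Winbind-style login name; assumption, see module docstring."""
    return f"{domain}\\{sam}"


def selinux_mappings(entries, domain="EXAMPLE"):
    """Map login name -> SELinux user for entries that carry exactly one
    sAMAccountName and exactly one allow-listed seLinuxUser value."""
    out = {}
    for e in entries:
        sams = e.get("samaccountname", [])
        seusers = e.get(SELINUX_ATTR.lower(), [])
        if len(sams) != 1 or len(seusers) != 1:
            continue
        if seusers[0] not in VALID_SEUSERS:
            continue  # refuse anything the directory could have been tampered into saying
        out[login_name(sams[0], domain)] = seusers[0]
    return out


def semanage_commands(mappings):
    """Render the mappings as 'semanage login -a -s <seuser> <login>' lines."""
    return [f"semanage login -a -s {seuser} '{login}'"
            for login, seuser in sorted(mappings.items())]


if __name__ == "__main__":
    for cmd in semanage_commands(selinux_mappings(parse_ldif(SAMPLE_LDIF))):
        print(cmd)
```

In a PAM-driven deployment the same logic would run per user with a `(sAMAccountName=<user>)` filter instead of over the whole directory, and the host would keep the semanage mapping only as long as the directory still returns an allow-listed value.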
