SELinux attributes in Samba domain

Rowland penny rpenny at samba.org
Tue Sep 15 15:56:51 UTC 2020


On 15/09/2020 16:06, Alexander Bokovoy wrote:
> On ti, 15 syys 2020, Rowland penny via samba-technical wrote:
>> On 15/09/2020 15:52, Alexander Bokovoy wrote:
>>> On ti, 15 syys 2020, Rowland penny via samba-technical wrote:
>>>> On 15/09/2020 14:38, Mikhail Novosyolov wrote:
>>>>> On 15 September 2020 14:50:52 GMT+03:00, Rowland penny via samba-technical <samba-technical at lists.samba.org> wrote:
>>>>>> On 15/09/2020 12:08, Mikhail Novosyolov wrote:
>>>>>>> On 15 September 2020 10:10:32 GMT+03:00, Rowland penny via samba-technical <samba-technical at lists.samba.org> wrote:
>>>>>>>> Your problem will come with sssd, it isn't supported by Samba (because
>>>>>>>> we do not produce it and know little about it) and even Red-Hat no longer
>>>>>>>> supports its use with Samba.
>>>>>>>>
>>>>>>> What is the problem to use sssd as a client to enroll into Samba AD domain?
>>>>>>
>>>>>> Before Samba 4.8.0, the smbd daemon could contact AD directly, this
>>>>>> meant you could use sssd with Samba, instead of using winbind. From
>>>>>> Samba 4.8.0, if 'security = ADS' is set in smb.conf, smbd must contact
>>>>>> winbind, it can no longer contact AD directly. You cannot install sssd
>>>>>> and winbind together, they both have their own versions of the winbind
>>>>>> libs.
>>>>> Yeah, I know that sssd has its own libwbclient.so.0, but did not study details. I still can't understand the initial problem. If sssd and wbclient conflict on the client side, samba's winbind may be turned off, right? What does prevent from using sssd as a client for samba domains?
>>>>>
>>>>>> If you want to extend the schema to store selinux data, then this
>>>>>> should be possible (you just need the correct .ldif), but you would
>>>>>> then need a tool to extract them from AD.
>>>>>>
>>>>> In case of using pam_winbind, will it be something like making an ldap query (using ldapsearch? or which tool will be better?) in the PAM stack after pam_winbind, authenticating via kerberos and making a query for the current user name?
>>>>>
>>>> From here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
>>>>
>>>> There is this:
>>>>
>>>> Important
>>>>
>>>> Red Hat only supports running Samba as a server with the winbindd service
>>>> to provide domain users and groups to the local system. Due to certain
>>>> limitations, such as missing Windows access control list (ACL) support and
>>>> NT LAN Manager (NTLM) fallback, SSSD is not supported.
>>>>
>>>> I do not care if anyone says you can use sssd, the Red-Hat documentation
>>>> says otherwise and they should know, they produce sssd.
>>>>
>>>> Do not think that you can use sssd on a Linux client, because as soon as you
>>>> add one share, it turns into a server as well, or should we just tell
>>>> everyone not to use Samba as a server?
>>> It depends on a use case, as always. Running Samba server on a client
>>> enrolled into RHEL IdM (FreeIPA) is supported as a technology preview.
>>> This might give you some idea of a direction where supported
>>> configurations are moving.
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm
>>>
>>> Rowland, I think you are overly complicating the situation.  There is a
>>> certain amount of work to do, sure, and we are discussing what ought
>>> to be done to get that working. There is no need to critically
>>> force-reject anyone attempting to improve our options.
>>>
>>>
>> No, Alexander, what I am pointing out is that Samba doesn't really need
>> sssd, so why waste Samba development time on it. If Red-Hat wants to make
>> sssd work with Samba, then that would be a different thing. Mind you, this
>> is just my opinion.
> Re-read my recommendation and you'll see that what I proposed has
> nothing to do with SSSD. The suggestions I gave would work for any client of
> Samba AD DC, including pam_winbind. They aren't for tying anything to
> SSSD, btw.
>
> Let us focus on a technical part of the discussion.
>
>
I am all for improving Samba, but only if it doesn't tie Samba to an 
outside project that Samba has no control over. Samba has been there 
with Openchange and that didn't end well.

This thread started as a discussion with regards to Samba and sssd, it 
now seems to have morphed into a 'how can we improve Samba' discussion. 
I repeat, I am not anti sssd, it has its place, but not with Samba when 
it means setting up smb.conf with a backend outside the control of Samba.

Rowland
