samba-dc: Configure samba4 winbind
The *samba-dc* role now configures `winbindd` on domain controllers to support identity mapping on the local machine. This will allow domain users to log into the domain controller itself, e.g. via SSH. The Fedora packaging of *samba4* still has some warts. Specifically, it does not have a proper SELinux policy, so some work-arounds need to be put into place in order for confined processes to communicate with winbind.
roles/samba-dc/files/relabel-winbindd.conf (new file, 12 additions)
@@ -0,0 +1,12 @@
# Fedora does not yet have a SELinux policy for the Samba AD DC process,
# so it runs as unconfined_service_t. This causes all of its child
# processes to run there as well, which prevents they create from being
# labelled correctly. This is particularly problematic for winbindd, as
# several outside processes need to communicate with it for identity
# mapping, etc., so its socket absolutely must have the right label.
#
# To work around this problem, restorecon is run after samba starts up
# to set the correct label on the winbindd socket directory.

[Service]
ExecStartPost=/usr/sbin/restorecon -RFv /run/samba/winbindd
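Review bot: `ExecStartPost=/usr/sbin/restorecon -RFv /run/samba/winbindd` can take the whole unit down on a cold start: if /run/samba/winbindd does not exist yet at the moment systemd considers the ExecStart process started (the directory is only populated once the winbindd child has been forked and has set up its socket), restorecon exits non-zero on the missing path, and a failing ExecStartPost= marks the service as failed. Either tolerate that case with the `-` prefix, i.e. `ExecStartPost=-/usr/sbin/restorecon -RFv /run/samba/winbindd`, or make sure the directory exists before ExecStart runs (a RuntimeDirectory= or tmpfiles.d entry) so there is always something to relabel. The comment only promises the correct label on the socket directory, not on the socket itself, which winbindd creates afterwards from unconfined_service_t; after a restart, `ls -Z /run/samba/winbindd` should be checked to confirm the socket ends up with the intended type rather than something inherited from the unconfined parent. Minor: the line `# processes to run there as well, which prevents they create from being` is missing its object; "prevents the files they create from being" reads correctly.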