From 8965ede50a20fa3dc220eb8a9b9ea8209cab7174 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 22 Aug 2022 20:32:07 -0500 Subject: [PATCH] r/samba-dc: Remove winbindd restorecon workaround This work-around is no longer necessary as the default Fedora policy now covers the Samba DC daemon. It never really worked correctly, anyway, because Samba doesn't start `winbindd` fast enough for the `/run/samba/winbindd` directory to be created before systemd spawns the `restorecon` process, so it would usually fail to start the service the first time after a reboot. --- roles/samba-dc/files/relabel-winbindd.conf | 12 ------------ roles/samba-dc/tasks/main.yml | 8 -------- 2 files changed, 20 deletions(-) delete mode 100644 roles/samba-dc/files/relabel-winbindd.conf diff --git a/roles/samba-dc/files/relabel-winbindd.conf b/roles/samba-dc/files/relabel-winbindd.conf deleted file mode 100644 index bd7bba7..0000000 --- a/roles/samba-dc/files/relabel-winbindd.conf +++ /dev/null @@ -1,12 +0,0 @@ -# Fedora does not yet have a SELinux policy for the Samba AD DC process, -# so it runs as unconfined_service_t. This causes all of its child -# processes to run there as well, which prevents they create from being -# labelled correctly. This is particularly problematic for winbindd, as -# several outside processes need to communicate with it for identity -# mapping, etc., so its socket absolutely must have the right label. -# -# To work around this problem, restorecon is run after samba starts up -# to set the correct label on the winbindd socket directory. - -[Service] -ExecStartPost=/usr/sbin/restorecon -RFv /run/samba/winbindd diff --git a/roles/samba-dc/tasks/main.yml b/roles/samba-dc/tasks/main.yml index 9e5bc9a..aa115cc 100644 --- a/roles/samba-dc/tasks/main.yml +++ b/roles/samba-dc/tasks/main.yml 
@@ -74,14 +74,6 @@ path=/etc/systemd/system/samba.service.d mode=0755 state=directory -- name: ensure samba4/winbind selinux work-around is in place - copy: - src=relabel-winbindd.conf - dest=/etc/systemd/system/samba.service.d/relabel-winbindd.conf - mode=0644 - notify: - - reload systemd - - restart samba - name: ensure samba starts at boot service:
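Review bot: In the deleted roles/samba-dc/files/relabel-winbindd.conf, the header comment records why the drop-in existed (the DC running as unconfined_service_t, so the winbindd socket directory got the wrong label), while the commit message says only that the default Fedora policy "now" covers the daemon, without naming the Fedora release or selinux-policy version where that became true. A host that runs this role against an older policy would lose the relabel and be left with a mislabelled /run/samba/winbindd. Suggest stating the minimum supported release in the commit message or the role's documentation, and confirming on a target host that the samba process no longer runs in unconfined_service_t and that `ls -Zd /run/samba/winbindd` shows the expected label without the restorecon step.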
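Review bot: In roles/samba-dc/tasks/main.yml, dropping the "ensure samba4/winbind selinux work-around is in place" task stops deploying the drop-in, but nothing removes /etc/systemd/system/samba.service.d/relabel-winbindd.conf from hosts that were already provisioned, so on those hosts the ExecStartPost restorecon keeps running and the first-start failure described in the commit message persists. Suggest replacing the copy task with a file task on the same dest using state=absent, keeping the "reload systemd" notify so the unit definition is re-read. The context lines above the removed task still create /etc/systemd/system/samba.service.d; if this was the only drop-in placed there, that directory task can be removed as well.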