[Freeipa-users] samba & IPA

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 23 22:01:31 UTC 2012


On Tue, 21 Feb 2012, Steven Jones wrote:

> Hi,
> 
> Any good docs on making samba / smbclient / clients work with ipa?  
> not having much luck with google....

The stack of protocols that Samba implements dissociates 
authentication from the actual connection to the shares. First you 
authenticate, and once authenticated, you can connect to any share 
within the server. At this point there might be per-share limitations 
put on, but the authentication step is done already.

As part of authentication, Samba may enforce PAM accounting 
restrictions if 'obey pam restriction' option is set in the 
configuration file. This would give you a way to enforce HBAC rules 
per user connected to the server -- make sure your smbd PAM config is 
using sssd for accounting purposes and then SSSD would do checks over 
HBAC rules with 'smbd' service.

However, this would only limit access to the host globally, as it 
happens during the authentication phase, not later, when the actual 
connection to the share is made.

In order to limit per-share connections, Samba has 'valid users' and 
'allow hosts' options. These specify lists of users and hosts 
respectively. Unfortunately, the way it is implemented in Samba, 
these lists are taken directly from the configuration source, so there 
is no way to dynamically change them other than playing with 
configuration files.

One could do configuration file tuning per connected host, for 
example, or per user, using 'include = /path/to/config' and Samba 
configuration macros. This would still not give you dynamic 
configuration though.

One could also do a 'preexec script' hook that is run before 
connection to a share is made. This approach allows you to implement a 
simple PAM-enabled tool that could be spawned from Samba at connection 
to share time and use SSSD HBAC tests (on PAM account) plus something 
additional to perform per-share restriction (see below why).

All other methods would require modifying Samba to change 
'allow_access()' function API and implementation. This is not planned 
at the moment -- neither from FreeIPA nor from Samba Team side. There 
are also considerable performance requirements to this particular 
function.

However, even if anything like that is performed, we have one specific 
issue: HBAC rules do not allow differentiating between a service 
and its (optional) sub-services. You can think about shares as 
sub-services of a service 'smbd', but HBAC in FreeIPA doesn't allow 
specifying those. Ideally, the ipaHBACService object class could be 
extended to include sub-services, but handling those in the UI would 
become a nightmare -- after all, you'll need to have as many 
ipaHBACService objects as the number of servers x the number of shares. 
Something better needs to be created.

-- 
/ Alexander Bokovoy
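
An added example, not part of the original message and not Samba or FreeIPA code: a hook script for the preexec approach described above. It runs the PAM account phase (where SSSD applies HBAC rules) and then checks a per-share allow-list as the "something additional". The `pamtester` utility, the script path, the share name, and the ACL file path and format are all assumptions.

```shell
#!/bin/sh
# Per-share gate for Samba's preexec hook (added example).
# Assumed smb.conf wiring; share name and script path are hypothetical:
#   [finance]
#       root preexec = /usr/local/sbin/share-gate %U %S
#       root preexec close = yes    # non-zero exit refuses the connection
# ACL file format (constructed for this example), one share per line:
#   share:user1,user2
ACL_FILE="${ACL_FILE:-/etc/samba/share-acl}"
PAM_SERVICE="${PAM_SERVICE:-smbd}"

# Step 1: PAM account phase. With pam_sss in the account stack of
# $PAM_SERVICE, SSSD evaluates HBAC rules for this user on this host.
# Assumes the separate 'pamtester' utility is installed.
pam_account_ok() {
    pamtester "$PAM_SERVICE" "$1" acct_mgmt >/dev/null 2>&1
}

# Step 2: HBAC has no notion of a share, so look the user up in a
# local per-share list. Unknown share or unreadable file means deny.
share_acl_ok() {    # usage: share_acl_ok USER SHARE
    [ -r "$ACL_FILE" ] || return 1
    while IFS=: read -r share users || [ -n "$share" ]; do
        [ "$share" = "$2" ] || continue
        case ",$users," in
            *",$1,"*) return 0 ;;
        esac
        return 1
    done < "$ACL_FILE"
    return 1
}

gate() {            # usage: gate USER SHARE
    # %U and %S reach this script through a command line built by smbd;
    # accept only a conservative character set and refuse anything else.
    for v in "$1" "$2"; do
        case "$v" in
            ''|*[!A-Za-z0-9._-]*) return 1 ;;
        esac
    done
    pam_account_ok "$1" && share_acl_ok "$1" "$2"
}

# Run as a hook only when called with USER and SHARE.
if [ "$#" -eq 2 ]; then
    gate "$1" "$2"
    exit $?
fi
```

The per-share list is still a local file, so this adds a share-level check on top of HBAC without making the share policy centrally managed.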



