[rsbac] rsbac + ldap/samba

Alexander Bokovoy ab at altlinux.org
Thu Jan 12 14:59:10 CET 2006

Amon Ott wrote:
> RSBAC always uses real user ids. You can auth in whatever way you 
> like, but only RSBAC User Management can guarantee that a user has 
> provided a password before the setuid succeeds.
> Most samba versions do not setuid, but rather seteuid. In this case,
> RSBAC can only control the complete samba as a black box. You can
> probably hack your samba sources to make it use setuid again and then
> control by user.
Samba needs to jump back and forth between superuser and a regular user
account, that's why we use seteuid(). Changing that to setuid will not help.

> A samba extension for RSBAC ACLs has been planned for years now, but
> never been done. With such an extension, you could administrate your
> RSBAC ACLs e.g. from a Windows system over network. We are always
> looking for volunteers...
I remember that mouse at altlinux.org did some work on RSBAC-based ACLs for
Samba a few years ago, though that work was still unfinished.

We still have no real solution for both RSBAC and SELinux w.r.t. Samba.
/ Alexander Bokovoy
Samba Team                      http://www.samba.org/
ALT Linux Team                  http://www.altlinux.org/
Midgard Project Ry              http://www.midgard-project.org/
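
The seteuid()/setuid() difference discussed in this message, as an added example that is not part of the original post or of the Samba or RSBAC sources. It is a simplified model of the POSIX real/effective/saved UID rules (Linux capabilities ignored); the struct and function names and the UID 1000 are constructed for illustration.

```c
#include <stdio.h>

/* Simplified model of a process's user IDs; Linux capabilities are ignored. */
struct cred { int ruid, euid, suid; };
struct outcome { int ruid_during_request; int regained_root; };

static int model_seteuid(struct cred *c, int uid) {
    /* Unprivileged callers may only choose their real or saved UID. */
    if (c->euid != 0 && uid != c->ruid && uid != c->suid)
        return -1;
    c->euid = uid;               /* real and saved UID are untouched */
    return 0;
}

static int model_setuid(struct cred *c, int uid) {
    if (c->euid == 0) {          /* privileged: all three IDs are replaced */
        c->ruid = c->euid = c->suid = uid;
        return 0;
    }
    if (uid != c->ruid && uid != c->suid)
        return -1;
    c->euid = uid;
    return 0;
}

/* Serve one client as `uid`, then try to return to root for the next one. */
struct outcome serve(struct cred c, int uid, int use_setuid) {
    struct outcome o;
    int (*switch_to)(struct cred *, int) = use_setuid ? model_setuid : model_seteuid;
    switch_to(&c, uid);
    o.ruid_during_request = c.ruid;   /* the ID the quoted message says RSBAC uses */
    o.regained_root = (switch_to(&c, 0) == 0 && c.euid == 0);
    return o;
}

int main(void) {
    struct cred root = {0, 0, 0};
    struct outcome a = serve(root, 1000, 0), b = serve(root, 1000, 1);
    printf("seteuid: real uid %d during request, root regained: %d\n",
           a.ruid_during_request, a.regained_root);
    printf("setuid:  real uid %d during request, root regained: %d\n",
           b.ruid_during_request, b.regained_root);
    return 0;
}
```

With seteuid() the real UID stays 0 for the whole request, so a check keyed on the real UID sees one root process; with setuid() the real UID changes but the process cannot become root again for the next client.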
