[Samba] security.NTACL Not Being Set Using LXC Containers
chris.hayes at proporta.com
chris.hayes at proporta.com
Thu Aug 8 15:54:13 MDT 2013
On Thu, 08 Aug 2013 22:28:46 +0100, chris.hayes at proporta.com wrote:
> Hi,
>
> My Samba 3.6.6 file server isn't setting the security.NTACL extended
> attribute. It can set the user.DOSATTRIB without any issue. This
> appears to be an LXC container issue, as outside the container I can
> set this using the setfattr command without issue, whereas I can't do
> this inside.
>
> Despite this not being a Samba issue, I was wondering whether anybody
> has any encountered problems like this; and whether anyone could
> offer
> me their experience or advice?
This can be worked around by allowing CAP_SYS_ADMIN; see the
lxc.cap.drop declarations in your container configuration. Not
necessarily a good idea, though as it appears to decrease the degree of
container isolation from the host system.
I don't believe there's any way to request that Samba use a different
namespace, though. The only other option would be to not use the
filesystem at all.
Does anyone know how NTACLs in XATTR compare to using 'vfs objects =
xattr_tdb' or any other options that I'm unaware of?
>
> Thanks,
> Chris Hayes
More information about the samba
mailing list