[Samba] security.NTACL Not Being Set Using LXC Containers

chris.hayes at proporta.com chris.hayes at proporta.com
Thu Aug 8 15:54:13 MDT 2013

On Thu, 08 Aug 2013 22:28:46 +0100, chris.hayes at proporta.com wrote:
> Hi,
> My Samba 3.6.6 file server isn't setting the security.NTACL extended
> attribute. It can set the user.DOSATTRIB without any issue. This
> appears to be an LXC container issue, as outside the container I can
> set this using the setfattr command without issue, whereas I can't do
> this inside.
> Despite this not being a Samba issue, I was wondering whether anybody
> has any encountered problems like this; and whether anyone could 
> offer
> me their experience or advice?

This can be worked around by allowing CAP_SYS_ADMIN; see the 
lxc.cap.drop declarations in your container configuration. Not 
necessarily a good idea, though as it appears to decrease the degree of 
container isolation from the host system.

I don't believe there's any way to request that Samba use a different 
namespace, though. The only other option would be to not use the 
filesystem at all.

Does anyone know how NTACLs in XATTR compare to using 'vfs objects = 
xattr_tdb' or any other options that I'm unaware of?

> Thanks,
> Chris Hayes

More information about the samba mailing list