[Samba] security.NTACL Not Being Set Using LXC Containers

Andrew Bartlett abartlet at samba.org
Fri Aug 9 00:15:52 MDT 2013


On Thu, 2013-08-08 at 22:54 +0100, chris.hayes at proporta.com wrote:
> On Thu, 08 Aug 2013 22:28:46 +0100, chris.hayes at proporta.com wrote:
> > Hi,
> >
> > My Samba 3.6.6 file server isn't setting the security.NTACL extended
> > attribute. It can set the user.DOSATTRIB without any issue. This
> > appears to be an LXC container issue, as outside the container I can
> > set this using the setfattr command without issue, whereas I can't do
> > this inside.
> >
> > Despite this not being a Samba issue, I was wondering whether anybody
> > has encountered any problems like this, and whether anyone could offer
> > me their experience or advice?
> 
> This can be worked around by allowing CAP_SYS_ADMIN; see the
> lxc.cap.drop declarations in your container configuration. Not
> necessarily a good idea, though, as it appears to decrease the degree of
> container isolation from the host system.
> 
> I don't believe there's any way to request that Samba use a different 
> namespace, though. The only other option would be to not use the 
> filesystem at all.
> 
> Does anyone know how NTACLs in XATTR compare to using 'vfs objects = 
> xattr_tdb' or any other options that I'm unaware of?

Using the TDB backend is a very poor second choice, because if something
other than Samba adds/deletes files, the inode-related entry may either
be left dangling, or may suddenly apply to a different file.  We saw
this in 'make test' where we have to use this, and it isn't pretty.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
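Two checks for the situation discussed in this thread, as an added example that is not part of the original messages and is not Samba or LXC code: a live probe that tries to set and read back a user.* and a security.* extended attribute on a scratch file (the kernel only lets a process with CAP_SYS_ADMIN write the security.* namespace, which is why security.NTACL fails while user.DOSATTRIB works), and a parser that reports whether an LXC container config drops sys_admin. It assumes the attr tools (setfattr/getfattr) are installed, that the probe directory is on an xattr-capable filesystem, and the LXC 1.x `lxc.cap.drop` syntax (space-separated capability names without the CAP_ prefix). The config fragments are constructed for the example; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or LXC).
# Assumes: setfattr/getfattr from the attr package, an xattr-capable
# filesystem under the probe directory, LXC 1.x 'lxc.cap.drop' syntax.

# Try to set NAME on a scratch file in DIR and read it back.
# Returns 0 if the xattr is settable in this process context, 1 if the
# kernel refused it (EPERM is what you get for security.* without
# CAP_SYS_ADMIN), 2 if the probe could not be carried out.
probe_xattr() {
    name=$1
    dir=${2:-.}
    command -v setfattr >/dev/null 2>&1 || { echo "setfattr not installed" >&2; return 2; }
    command -v getfattr >/dev/null 2>&1 || { echo "getfattr not installed" >&2; return 2; }
    f=$(mktemp "$dir/xattr-probe.XXXXXX") || return 2
    rc=1
    # 0s prefix = base64 value (bytes 01 02 03), so a binary blob like an
    # NT ACL is representable without shell quoting trouble.
    if setfattr -n "$name" -v 0sAQID "$f" 2>/dev/null \
       && getfattr -n "$name" --only-values "$f" >/dev/null 2>&1; then
        rc=0
    fi
    rm -f "$f"
    return $rc
}

# Read an LXC config on stdin and report whether sys_admin is dropped.
# Returns 0 if 'sys_admin' appears in any lxc.cap.drop line (Samba in
# that container cannot write security.*), 1 otherwise.
# Simplification (assumption): an empty 'lxc.cap.drop =' line, which LXC
# treats as clearing the list, is not modelled here.
lxc_drops_sys_admin() {
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' \
      | tr ' \t' '\n\n' | grep -qx 'sys_admin'
}

# Constructed config fragments for demonstration (not real containers).
cfg_dropping='lxc.network.type = veth
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.cap.drop = sys_admin'
cfg_keeping='lxc.network.type = veth
lxc.cap.drop = sys_module mac_admin mac_override sys_time'

# Usage: check the constructed configs, then probe the running context.
for label in dropping keeping; do
    eval "cfg=\$cfg_$label"
    if printf '%s\n' "$cfg" | lxc_drops_sys_admin; then
        echo "config '$label': sys_admin dropped, security.NTACL writes will fail"
    else
        echo "config '$label': sys_admin kept, security.* writable (weaker isolation)"
    fi
done

for name in user.DOSATTRIB security.NTACL; do
    probe_xattr "$name" "${TMPDIR:-/tmp}"
    case $? in
        0) echo "$name: settable in this context" ;;
        1) echo "$name: refused by the kernel (missing CAP_SYS_ADMIN for security.*?)" ;;
        *) echo "$name: could not probe (tools missing or mktemp failed)" ;;
    esac
done
```

Run the probe inside the container as the user Samba runs as: seeing user.DOSATTRIB succeed while security.NTACL is refused is exactly the symptom from the first message, and the config parser tells you whether lxc.cap.drop is the reason before you decide whether giving the container CAP_SYS_ADMIN is acceptable.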
