[Samba] [OT?] VM or Container for an AD DC?

Andrew Bartlett abartlet at samba.org
Tue Sep 19 18:31:38 UTC 2017

On Tue, 2017-09-19 at 14:37 +0200, Marco Gaiarin via samba wrote:
> Mandi! Andrew Bartlett via samba
>   In chel di` si favelave...
> > There is a limitation for containers regarding xattrs as I understand
> > it, so you may need to go to a full DC.
> ...googling around seems to me that are ''old limitation'', now gone.
> I've also hitted:
> 	https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-November/012789.html
> so seems that 'samba-tool domain provision' check xattr compliance and
> rever to to tdb ACL if not.
> This check it is ''safe'' (full check)? Or i could end in some ''gray''
> area?!
> There's some more checks i can do?

tdb ACLs are a good idea for production use.   I really should make
this more clear. 

The TDB approach creates a dev/inode indexed DB, rather than using the
file system.  This is prone to inode re-use issues, and while we have
defences for the ACL side of that (we hash the POSIX ACL on the file),
there is no such defence for other extended attributes that might also
be stored there.

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list