[Samba] [OT?] VM or Container for an AD DC?

Andrew Bartlett abartlet at samba.org
Tue Sep 19 18:31:38 UTC 2017


On Tue, 2017-09-19 at 14:37 +0200, Marco Gaiarin via samba wrote:
> Hello! Andrew Bartlett via samba
>   on that day was saying...
> 
> > There is a limitation for containers regarding xattrs as I understand
> > it, so you may need to go to a full DC.
> 
> ...googling around, it seems to me that these are "old limitations", now gone.
> 
> 
> I've also hit:
> 
> 	https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-November/012789.html
> 
> so it seems that 'samba-tool domain provision' checks xattr compliance and
> reverts to tdb ACLs if not.
> Is this check "safe" (a full check)? Or could I end up in some "gray"
> area?!
> Are there some more checks I can do?

tdb ACLs are a good idea for production use.  I really should make
this more clear.

The TDB approach creates a dev/inode indexed DB, rather than using the
file system.  This is prone to inode re-use issues, and while we have
defences for the ACL side of that (we hash the POSIX ACL on the file),
there is no such defence for other extended attributes that might also
be stored there.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
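An added Python example (not Samba code, and not the check samba-tool itself performs) of the two points above: a hypothetical probe for user.* xattr support on a directory, and a toy dev/inode-keyed store showing how a recycled inode number hands a new file the old file's stored attribute. It assumes Linux (os.setxattr) and uses constructed attribute names and values.

```python
import os
import tempfile

def supports_user_xattr(directory=None):
    """Hypothetical probe: does the fs under `directory` keep user.* xattrs?"""
    if not hasattr(os, "setxattr"):      # os.setxattr is Linux-only
        return False
    fd, path = tempfile.mkstemp(dir=directory)  # None -> default tmp dir
    os.close(fd)
    try:
        os.setxattr(path, "user.xattr_probe", b"1")
        return os.getxattr(path, "user.xattr_probe") == b"1"
    except OSError:                      # e.g. ENOTSUP: mounted without xattrs
        return False
    finally:
        os.unlink(path)

def dev_inode_key(path):
    """The (st_dev, st_ino) pair a dev/inode-indexed DB keys its records on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

class DevInodeStore:
    """Toy stand-in for a TDB keyed by dev/inode instead of by path."""
    def __init__(self):
        self._db = {}
    def put(self, path, name, value):
        self._db[(dev_inode_key(path), name)] = value
    def get(self, path, name):
        # Nothing binds the record to *this* file: a new file that inherits
        # the old inode number silently gets the old file's attribute back.
        return self._db.get((dev_inode_key(path), name))

def inode_reuse_demo(directory=None):
    """Store an attribute for one file, delete it, create another, read back."""
    directory = directory or tempfile.mkdtemp()
    store = DevInodeStore()
    old = os.path.join(directory, "old.txt")
    open(old, "w").close()
    store.put(old, "security.NTACL", b"acl-of-old-file")  # constructed value
    old_key = dev_inode_key(old)
    os.unlink(old)                       # the inode number is now free again
    new = os.path.join(directory, "new.txt")
    open(new, "w").close()
    reused = dev_inode_key(new) == old_key
    stale = store.get(new, "security.NTACL") == b"acl-of-old-file"
    return {"inode_reused": reused, "stale_attribute_returned": stale}
```

Whether the inode number is actually recycled depends on the filesystem (ext4 commonly reuses it, tmpfs does not), which is exactly why a store keyed only on dev/inode cannot tell the two files apart.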