[Samba] Setting ACLs with smbcacls fails (partly)

Chris samba at kirsche.org
Tue Dec 31 14:53:11 UTC 2019

On 27/12/2019 16:05 Chris via samba wrote:
> On 27/12/2019 14:13, Rowland penny via samba wrote:
>> Don't run Samba in your container.
The correct answer is don't run samba in an unprivileged LXC / LXD 
container. I got trapped by the fact, that when I converted my 
unprivileged LXC container to a privileged container the winbind_priv 
folder hadn't the correct permissions, which caused then winbind to 
fail. After sorting this out the privileged container is running.

Good news is, that it is not an issue of ZFS.

> But there is still one thing I didn't understand. Why is there the 
> error from the smbcacls command but the permissions are set when 
> checking them? And obviously the ACLs are interpreted correct by 
> Windows and smbcacls. So when I give the Testuser only read 
> permissions, Testuser isn't allowed  to create or modify objects in 
> the share. This is what drives me really nuts.
This error can be explained - I think - by the fact that the 
|security.*| namespace is reserved for root. This namespace is only 
available when runnning the container as privileged container.

It is kind of a sad, as the performance difference between Samba running 
in a container and Samba running on a VM is huge. But if you want/ need 
to have the better isolation of an unprivileged container, you need to 
use a VM.

@Rowland penny: Thanks for taking the time and helping me


More information about the samba mailing list