[Samba] Setting ACLs with smbcacls fails (partly)
samba at kirsche.org
Tue Dec 31 14:53:11 UTC 2019
On 27/12/2019 16:05 Chris via samba wrote:
> On 27/12/2019 14:13, Rowland penny via samba wrote:
>> Don't run Samba in your container.
The correct answer is: don't run Samba in an unprivileged LXC / LXD
container. I got trapped by the fact that when I converted my
unprivileged LXC container to a privileged container, the winbind_priv
folder didn't have the correct permissions, which then caused winbind to
fail. After sorting this out, the privileged container is running.
The good news is that it is not an issue of ZFS.
> But there is still one thing I didn't understand. Why is there the
> error from the smbcacls command but the permissions are set when
> checking them? And obviously the ACLs are interpreted correctly by
> Windows and smbcacls. So when I give the Testuser only read
> permissions, Testuser isn't allowed to create or modify objects in
> the share. This is what drives me really nuts.
This error can be explained - I think - by the fact that the
|security.*| namespace is reserved for root. This namespace is only
available when running the container as a privileged container.
It is kind of sad, as the performance difference between Samba running
in a container and Samba running on a VM is huge. But if you want/need
to have the better isolation of an unprivileged container, you need to
use a VM.
@Rowland penny: Thanks for taking the time and helping me.
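
Added example, not part of the original post: a small check for the condition described above, reporting whether the process runs in a mapped (unprivileged) user namespace and whether a security.* extended attribute can be written on the share path. The function names and the attribute name security.xattr_probe are made up for this sketch; it assumes setfattr from the attr package, and a "denied" result can also mean the filesystem has no xattr support.

```shell
#!/bin/sh
# Added example; userns_kind, probe_security_xattr and the attribute
# name security.xattr_probe are illustrative, not Samba or LXC names.

# Classify the contents of /proc/self/uid_map (read from stdin).
# Only the initial user namespace maps the full range "0 0 4294967295";
# an unprivileged container shows a shifted range such as "0 100000 65536".
userns_kind() {
    kind=mapped
    while read -r inside outside length; do
        if [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$length" = 4294967295 ]; then
            kind=initial
        fi
    done
    echo "$kind"
}

# Try to write a security.* xattr on a scratch file in directory $1.
# Returns 0 = allowed, 1 = denied or unsupported, 2 = could not test.
probe_security_xattr() {
    command -v setfattr >/dev/null 2>&1 || return 2
    scratch=$(mktemp "$1/.xattr-probe.XXXXXX" 2>/dev/null) || return 2
    if setfattr -n security.xattr_probe -v 1 "$scratch" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -f "$scratch"
    return "$rc"
}

# Report only when a share path is given, e.g.: sh check.sh /srv/share
if [ "$#" -gt 0 ]; then
    echo "user namespace: $(userns_kind < /proc/self/uid_map)"
    result=0
    probe_security_xattr "$1" || result=$?
    case $result in
        0) echo "security.* xattrs: writable on $1" ;;
        1) echo "security.* xattrs: denied on $1" ;;
        *) echo "security.* xattrs: not tested (no setfattr, or $1 not writable)" ;;
    esac
fi
```

Run it as root inside the container against the directory backing the share; "mapped" together with "denied" matches the situation the post describes.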