How to properly map users and groups across Proxmox LXC and Docker VM for shared media folders?

schrackin

Jan 10, 2026
Hi everyone,

I just started learning Proxmox VE, so please be kind with me.

I recently bought a Ugreen DXP2800 NAS (8GB RAM, 512GB M.2 SSD, 8TB SATA HDD) for my home server. I successfully moved HomeAssistant from my NUC to a VM on Proxmox, but I’m struggling to move my Samba file server and ARR stack to Proxmox.

Here’s what I have done so far:

Formatted the HDD to ext4, mounted it on the node, and copied 4TB of media files and documents from my USB HDD.

Installed a Debian 12 unprivileged LXC with Cockpit and Samba to share files over my network and provide a Time Machine backup target for my Mac.

Installed a Docker VM for my ARR stack using Proxmox helper scripts.

I’m confused about the proper way to create and map users and groups across the Proxmox host, LXC, and Docker VM, so that the media and backup folders can be shared without UID/GID conflicts.

I’ve read these blog posts:

Proxmox ZFS mounts and id mapping: https://blog.kye.dev/proxmox-zfs-mounts

Tips for idmap in unprivileged LXC: https://www.apalrd.net/posts/2023/tip_idmap/

…but I still don’t fully understand the best approach.

My plan is to create separate users and relevant groups for:

media, backup, tm-backup, containers, myself

Here’s my file server LXC config (/etc/pve/lxc/102.conf):

Code:
arch: amd64
cores: 2
features: nesting=1
hostname: fileserver
memory: 512
mp1: /mnt/shdd1/media/,mp=/mnt/media,size=5T
mp2: /mnt/shdd1/backup-timemachine/,mp=/mnt/backup-timemachine,size=500G
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.0.254,hwaddr=x,ip=192.168.0.6>
net1: name=eth1,bridge=vmbr0,firewall=1,gw=192.168.0.254,hwaddr=x,ip=192.168.0.7>
ostype: debian
rootfs: local:102/vm-102-disk-0.raw,size=8G
swap: 512
unprivileged: 1

Folder structure on the host:

Code:
/mnt/shdd1/
├── backup-files
│ ├── containers
│ └── homeassistant
├── backup-timemachine
│ └── Laptop.sparsebundle
├── documents
│ └── docs
├── downloads
│ ├── books
│ ├── movies
│ ├── music
│ ├── qbittorrent
│ ├── tv
│ └── ytdl
├── media
│ ├── books
│ ├── movies
│ ├── music
│ ├── syncthing
│ ├── tv
│ └── videos

How should I properly map users and groups across the Proxmox host, LXC, and Docker VM, so that all these folders are shared correctly and safely, without running into UID/GID conflicts?

Thanks in advance for any guidance!
 
This is more of a Samba question than Proxmox VE, I'd say. I never feel using containers for NAS software, but I guess Samba should work that way.

As for UID mapping, well, why would those on the PVE host matter? Do you need the Samba shares to be mounted on the host? For vzdump backups maybe? EDIT: just read again.. ok, your files are directly on the host.. why not put them "inside" the container instead?

Anyway, the simplest approach is to set users with non-conflicting UIDs (set them to 2000x or so) and to use the same on the client and the server. If it's simple enough, have a user / share, make the UID on the clients the same as on the Samba server. If you can't, find how the mapping is done.. on Linux you can forceuid / map uid. On Mac, the user mounting is mapped to the Samba user, I don't think there's much more to be done..

One can also use a directory (like LDAP) to have a central database for the UIDs (and UID mapping can happen there), but that is quite a can of worms..
 
One can also use a directory (like LDAP) to have a central database for the uids
This!

When you have more than a single-digit number of devices you want to have some single source of truth, resulting in johndoe being the same johndoe on all systems. There is a multitude of solutions for this. Each and every one needs some attention, experience and maintenance.

My personal choice is a full-blown Windows-compatible AD where I can "join" my Linux systems. I am utilizing https://en.wikipedia.org/wiki/Univention_Corporate_Server (based on Debian) for this - but I have to admit that this approach is purely overkill at my homelab. (In my $dayjob an "upstream department" gives me corresponding features, by using other means.)
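For the unprivileged LXC part of the question, the following is an added example and not code from anyone in this thread. It generates the `lxc.idmap` lines that pass a chosen UID or GID through 1:1 to the host so that bind-mounted folders keep the same numeric owner on both sides. It assumes the Proxmox default unprivileged range (host base 100000, 65536 ids) and a constructed id 2001 for a `media` user and group; the function names are hypothetical.

```python
# Added example: build lxc.idmap lines for an unprivileged Proxmox container.
BASE = 100000   # assumed Proxmox default: container id 0 maps to host id 100000
COUNT = 65536   # assumed Proxmox default: size of the container's id range


def idmap_lines(kind, passthrough, base=BASE, count=COUNT):
    """Return lxc.idmap lines that map each id in `passthrough` 1:1 to the host
    and every other container id into the shifted range starting at `base`.
    kind is 'u' (users) or 'g' (groups)."""
    if kind not in ("u", "g"):
        raise ValueError("kind must be 'u' or 'g'")
    ids = sorted(set(passthrough))
    for i in ids:
        if i == 0:
            # An identity mapping for id 0 would make container root host root.
            raise ValueError("refusing to map container root to host root")
        if not 0 < i < count:
            raise ValueError(f"id {i} is outside 1..{count - 1}")
    lines, nxt = [], 0          # nxt = first container id not yet mapped
    for i in ids:
        if i > nxt:             # shifted block below the passthrough id
            lines.append(f"lxc.idmap: {kind} {nxt} {base + nxt} {i - nxt}")
        lines.append(f"lxc.idmap: {kind} {i} {i} 1")   # identity mapping
        nxt = i + 1
    if nxt < count:             # shifted block above the last passthrough id
        lines.append(f"lxc.idmap: {kind} {nxt} {base + nxt} {count - nxt}")
    return lines


def subid_lines(passthrough):
    """Lines for /etc/subuid or /etc/subgid on the host that let root delegate
    each passthrough id (format: user:first_id:count)."""
    return [f"root:{i}:1" for i in sorted(set(passthrough))]


if __name__ == "__main__":
    # Constructed ids: user 'media' = 2001, group 'media' = 2001.
    for line in idmap_lines("u", [2001]) + idmap_lines("g", [2001]):
        print(line)
    print("# add to /etc/subuid and /etc/subgid on the host:")
    for line in subid_lines([2001]):
        print(line)
```

The `lxc.idmap` lines go into the container's file under /etc/pve/lxc/, and the host directories must be owned by the same numeric id. Any process running under a passed-through id inside the container acts with that id's rights on the host files, so keep the set small and do not reuse those ids for host accounts.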