ACLs on an Ubuntu LXC

Stamp1219

New Member
Dec 22, 2023
Hi,

I have a privileged LXC, and the directory is provided as a bind mount from the Proxmox host. Users and group membership are from AD configured with SSSD with id mapping disabled and users strictly having uidNumber and gidNumber defined. I have confirmed the users and group in question are being pulled over correctly. I can't see anything in apparmor that would be relevant:

Code:
root@docker-01:/mnt/media# aa-status
apparmor module is loaded.
14 profiles are loaded.
12 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /{,usr/}sbin/dhclient
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
2 profiles are in complain mode.
   /usr/sbin/sssd
   /usr/sbin/sssd//null-/usr/bin/nsupdate
0 profiles are in kill mode.
0 profiles are in unconfined mode.
4 processes have profiles defined.
0 processes are in enforce mode.
4 processes are in complain mode.
   /usr/sbin/sssd (108)
   /usr/libexec/sssd/sssd_be (139) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_nss (141) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_pam (142) /usr/sbin/sssd
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

The directory structure is as follows:

Code:
root@docker-01:/mnt/media# tree -L 1 /mnt/media
/mnt/media
|-- audiobooks
|-- downloads
|-- ebooks
|-- movies
`-- tv

I have the following groups:

  • media_read_users #R_X to /mnt/media and all subdirectories/files within
  • media_write_users #RWX to /mnt/media and all subdirectories/files within
  • audiobooks_read_users #R_X to /mnt/media/audiobooks and all subdirectories/files within
  • audiobooks_write_users #RWX to /mnt/media/audiobooks and all subdirectories/files within
  • downloads_read_users #R_X to /mnt/media/downloads and all subdirectories/files within
  • downloads_write_users #RWX to /mnt/media/downloads and all subdirectories/files within
  • ebooks_read_users #R_X to /mnt/media/ebooks and all subdirectories/files within
  • ebooks_write_users #RWX to /mnt/media/ebooks and all subdirectories/files within
  • movies_read_users #R_X to /mnt/media/movies and all subdirectories/files within
  • movies_write_users #RWX to /mnt/media/movies and all subdirectories/files within
  • tv_read_users #R_X to /mnt/media/tv and all subdirectories/files within
  • tv_write_users #RWX to /mnt/media/tv and all subdirectories/files within

Using /mnt/media as an example, the ACL is as follows:

Code:
root@docker-01:/mnt# getfacl /mnt/media
getfacl: Removing leading '/' from absolute path names
# file: mnt/media
# owner: root
# group: root
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:media_write_users:rwx
default:group:media_read_users:r-x
default:mask::rwx
default:other::---

As root (or via sudo) I can write to the directory. But non-root users, such as "myuser", can't. "myuser" is a member of the media_write_users group, but can't read or write to /mnt/media:

Code:
myuser@docker-01:/mnt/media$ id
uid=2100(myuser) gid=2100(myuser) groups=2100(myuser),3104(docker),3200(media_write_users),3300(linux_admins)

myuser@docker-01:/mnt/media$ touch why_wont_this_work
touch: cannot touch 'why_wont_this_work': Permission denied

If I use chgrp to change the group outside of the ACLs, I can write to the directory as a group member. However, I'm keen to use ACLs to allow me to have the overarching group (media_{read,write}_users) control access to /mnt/media and subdirectories regardless of other memberships, and the subdirectory groups control access to each specified subdirectory with the permissions I need.

I'm sure I'm doing something wrong, but does anyone have any ideas?

Thanks
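An added example (not the poster's own code) that parses the getfacl output quoted in the post and applies the POSIX ACL access check, using the groups from the `id` output, to show separately what the access entries on /mnt/media itself grant and what the default entries pass on to newly created children. It assumes a child would keep root as owner and group, which only affects the owner and owning-group rows.

```python
# getfacl output for /mnt/media, copied from the post above (the "Removing leading '/'" notice dropped)
GETFACL_OUTPUT = """\
# owner: root
# group: root
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:media_write_users:rwx
default:group:media_read_users:r-x
default:mask::rwx
default:other::---
"""
MYUSER_GROUPS = {"myuser", "docker", "media_write_users", "linux_admins"}  # from the `id` output above

def parse_getfacl(text):
    """Return (owner, group, access_entries, default_entries); an entry is (tag, qualifier, perms)."""
    meta, access, default = {}, [], []
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            meta[key] = value
        elif line:
            target = access
            if line.startswith("default:"):  # default entries only shape the ACLs of newly created children
                line, target = line[len("default:"):], default
            target.append(tuple(line.split(":")))
    return meta["owner"], meta["group"], access, default

def effective_perms(entries, owner, group, user, user_groups):
    """POSIX.1e check order: owner, named user, owning/named groups (all masked), then other."""
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    masked = lambda p: "".join(c if c in mask else "-" for c in p)
    if user == owner:
        return next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return masked(p)
    hits = [masked(p) for t, q, p in entries
            if t == "group" and (group if q == "" else q) in user_groups]
    if hits:  # a group entry applied: union of what the matching entries grant, never fall through to other
        return "".join(c if any(c in h for h in hits) else "-" for c in "rwx")
    return next(p for t, q, p in entries if t == "other")

def check_mnt_media(user="myuser", groups=MYUSER_GROUPS):
    """(perms on /mnt/media itself, perms a child created there gets from the default entries)."""
    owner, group, access, default = parse_getfacl(GETFACL_OUTPUT)  # child assumed to stay root:root
    return effective_perms(access, owner, group, user, groups), effective_perms(default, owner, group, user, groups)
```

For myuser this returns ("---", "rwx"): the directory itself carries no entry for media_write_users, so the check falls through to other::---, while anything created inside would inherit rwx from the default entry.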