Permission denied on a SMB mountpoint for a non root user inside a LXC

[cyprien-griot]

Greetings all,

I'm facing a problem with SMB mount point, permissions and containers. I'm not sure if I'm using the right method according to best practices but at least it seemed logical to me. Yet it isn't fully working so far..

I have a TrueNAS server, linked to a Samba AD, that has several SMB shares with specific ACL.
I was able to connect shares from the Proxmox cluster storage menu so that all hosts can access it (those shares contain data, not iso or dumps or else for Proxmox), I created a mount point on a container. It seemed handier that way to me, as I will be needing many containers to access these SMB shares.

It works fine with the local root user of the container : root can write inside the mount point as the user used to mount the share on the cluster (which is not root). Not sure if this is very clear ^^'
But I would like the mountpoint to be writable by the other local non root users. And so far, I haven't found the solution yet...

The storage conf :

cifs: DonneesAcquisition
        path /mnt/pve/DonneesAcquisition
        server X.X.X.X
        share DonneesAcquisition
        content images
        mkdir 0
        username sysop@X.X

Mount result on the host :

//X.X.X.X/DonneesAcquisition on /mnt/pve/DonneesAcquisition type cifs (rw,relatime,vers=3.1.1,cache=strict,username=sysop@X.X,uid=0,noforceuid,gid=0,noforcegid,addr=X.X.X.X,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)

The container conf :

#### Ordonnanceur / AIRFLOW
arch: amd64
cores: 4
features: mount=cifs,nesting=1
hostname: PitonPayanke
memory: 4096
mp0: /mnt/pve/DonneesAcquisition,mp=/mnt/DonneesAcquisition
nameserver: X.X.X.X
net0: name=eth0,bridge=vmbr0,firewall=1,gw=X.X.X.X,hwaddr=X.X.X.X,ip=X.X.X.X/25,tag=100,type=veth
ostype: debian
rootfs: local-zfs:subvol-113-disk-0,size=50G
searchdomain: X.X
swap: 4096

If anyone has a clue or an advice, it would be greatly appreciated
Thanks in advance !

 

[intrax]

I have same problem. Seems all cifs/smb storage is mounted as root (755) and immutable.

Even if I mount a cifs storage and than create a directory in it with a non-root user the storage subsystem immediately will change it to root (755).

This doesn't look right to me! See also my thread : https://forum.proxmox.com/threads/cifs-storage-permission-problem.136440/

 

[cyprien-griot]

Well it seems that we have a slightly different problem : I have TrueNAS server that shares an SMB share where only an user called "sysop" has read/write permissions. This user isn't root.

On my Proxmox cluster, I can connect this share through the storage menu. I do this as sysop, but on the host (and then the container I mount this share in), I indeed see the share belonging to root. However, if I write anything from the root session of my container (or my host), it's all good on my TrueNAS server (files belong to sysop).

My problem is, on the container, I would like to be able to use the share with non root users and I don't find a way to give them the permissions.

 

[fabian]

if the container is unprivileged, those users will have very high UIDs (100000+). you probably need to give access to those, or force them being mapped to the user doing the mount.

 

[cyprien-griot]

The container is privileged, but so far I haven't found the way to give permanent access to them. I guess I do something wrong..

 

[fabian]

the same applies still - just for users in the regular range

 

[cyprien-griot]

I'll give another try to mapping then, as I didn't succeed to make it work the first time. And I don't see another way to give access to standard users (chown or chmod or creating a specific groups did not work)

 

[intrax]

Well it seems that we have a slightly different problem : I have TrueNAS server that shares an SMB share where only an user called "sysop" has read/write permissions. This user isn't root.
My problem is, on the container, I would like to be able to use the share with non root users and I don't find a way to give them the permissions.

Agreed, but the permission problem is the same. The share is allways mapped to root(755).

 

[cyprien-griot]

Indeed. I can't get it working.. I've tried id mapping but I guess I just don't understand how it works and either there is no results or the container does not boot anymore. .
If anyone has some hints or some advice, I'd be very grateful !