Samba file server in LXC container

Mrt12

I want to set up a Samba file server in an LXC container.
I found that it works perfectly fine when I use a privileged container. However, I am unsure if it is a good idea to use a privileged container.
I could sleep better if I used an unprivileged container, but using exactly the same configuration, I cannot make it work in an unprivileged container. On the Proxmox VE host I get an "AppArmor denied" in the dmesg log whenever I want to connect to the Samba file server.
So the following questions:

a) Is it a good idea to use a privileged container or is this bad practice?
b) What security problems could I run into when using a privileged container?
c) Is it somehow possible to configure an unprivileged container such that the Samba file server works fine? I read on this forum a couple of times that people have done this, but I cannot figure out what config they used. Obviously some AppArmor profile needs to be configured for the container to work, but I have no experience with this.

Thanks for any hints!
 
Good day,
Are there any hints on how to use an unprivileged LXC as a Samba server?
With a privileged LXC and nesting enabled, it works fine. But I would prefer an unprivileged LXC.
 
Turnkey fileserver uses a Debian 11/12 LXC template and Samba + NFS servers that work straight out of the box. You can install one and have a look at the configs.

A hint: to make it work with iOS photos you need to tweak the vfs config as well (just google it). Also, I still have not managed to transfer Unix to Samba users properly; this is important for really shared storage, full pools independent of VM/LXC. If the storage is only for Samba (part of the pool the LXC is on), it works out of the box.