[SOLVED] Samba Fileserver on (unprivileged) LXC container - Setting ACLs with smbcacls fails (partly)

[chriskirsche]

Hello together,
posted this already on the samba mailinglist but maybe someone in here can point me into the right direction.

I'm running a PDC in a privilegded lxc container and try to setup a fileserver in an unprivileged lxc container.
The shares of the file server are on the ZFS of the host and mapped via bind-mount.
I've got the problem, that I get error messages when setting the ACLs of a samba share either via the Windows explorer or using the smbcacls command.

On Windows explorer I get the error message:
"Failed To Enumerate Objects In The Container, Access Is Denied"

With smbcacls when adding a user the error is:

root@svr-002:/# smbcacls //svr-002/users / -U administrator --add ACL:S-1-5-21-106799508-1697487934-2302158525-1604:ALLOWED/3/FULL -d=0
    Enter MYWRKGRP\administrator's password:
    ERROR: security descriptor set failed: NT_STATUS_ACCESS_DENIED

Creating files and folders from within windows explorer works. I just can't set the permissons on the elements without the error mesage.

Funny thing is, that ACL is set, even when there appears the above error message:

So before issuing the smbcacls add command the ACLs are as follows:

root@svr-002:/# smbcacls //svr-002/users / -U administrator
    lp_load_ex: changing to config backend registry
    Enter MYWRKGRP\administrator's password:
    REVISION:1
    CONTROL:SR|SI|DI|DP
    OWNER:MYWRKGRP\Administrator
    GROUP:Unix Group\root
    ACL:MYWRKGRP\Administrator:ALLOWED/OI|CI/FULL
    ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
    ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
    ACL:MYWRKGRP\Administrator:ALLOWED/OI|CI/FULL
    ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
    ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
    ACL:Unix User\root:ALLOWED/OI|CI/FULL
    ACL:Everyone:ALLOWED/OI|CI/FULL
    ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
    ACL:Unix Group\root:ALLOWED/0x0/FULL
    ACL:Unix Group\root:ALLOWED/0x0/FULL
    ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
    ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
    ACL:Creator Group:ALLOWED/OI|CI|IO/
    ACL:Unix Group\root:ALLOWED/OI|CI|IO/

After issuing the smbcacls add command

root@svr-002:/# smbcacls //svr-002/users / -U administrator
    lp_load_ex: changing to config backend registry
    Enter MYWRKGRP\administrator's password:
    REVISION:1
    CONTROL:SR|SI|DP
    OWNER:MYWRKGRP\administrator
    GROUP:Unix Group\root
    ACL:MYWRKGRP\administrator:ALLOWED/OI|CI/FULL
    ACL:MYWRKGRP\Testuser:ALLOWED/OI|CI/FULL
    ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
    ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
    ACL:MYWRKGRP\administrator:ALLOWED/OI|CI/FULL
    ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
    ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
    ACL:Unix User\root:ALLOWED/OI|CI/FULL
    ACL:Everyone:ALLOWED/OI|CI/FULL
    ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
    ACL:Unix Group\root:ALLOWED/0x0/FULL
    ACL:Unix Group\root:ALLOWED/0x0/FULL
    ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
    ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
    ACL:Creator Group:ALLOWED/OI|CI|IO/
    ACL:Unix Group\root:ALLOWED/OI|CI|IO/

As you can see, the user Testuser (the one with the SID S-1-5-21-106799508-1697487934-2302158525-1604) has been added to the ACL

Similar behaviour under Windows. When I remove the user in the Advanced Security Settings Dialog and press apply, the error message "Failed To Enumerate Objects In The Container, Access Is Denied" appears.
When I leave the Advanced Security Settings dialog with cancel, the settings have however been applied. So after the removal of user Testuser from the Windows Explorer the check with smbcacls shows that the user has been removed.

Has any one an idea what might causing this issue?

---- Things I've tried without success:

Playing around with

acl_xattr:ignore system acls
    acl_xattr:default acl style

Setting up the file server in a privileged container
rejoining to the domain

playing around with different chmod and chgrp settings

----
---- Used software versions
Host is Proxmox 6.1-5, Kernel version 5.3.13-1-pve
The lxc containers are based on Debian 10.
Samba Version is 4.9.5-Debian
Windows Pro 10.0.17134
----

------------ file server settings ----------------------
--- smb.conf of the fileserver

[global]
        workgroup = MYWRKGRP
        realm = MYWRKGRP.MYDOM.COM
        netbios name = SVR-002
        security = ADS
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = no
        winbind refresh tickets = Yes
        template shell = /bin/bash
        idmap config * : range = 10000 - 19999
        idmap config MYWRKGRP : backend = rid
        idmap config MYWRKGRP : range = 1000000 - 1999999
        map acl inherit = yes
        inherit acls = Yes
        inherit permissions = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr
        bind interfaces only = no

    [users]
        path = /home/MYWRKGRP/
        comment = Home Directories
        guest ok = no
        read only = no
        browseable = no
        create mask = 700
        directory mask = 700

----
---- nsswitch.conf of the fileserver

passwd:         files winbind
    group:          files winbind
    shadow:         files
    gshadow:        files

    hosts:          files dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis

----
---- output of net rpc rights

root@svr-002:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
    Enter administrator's password:
    SeDiskOperatorPrivilege:
    MYWRKGRP\administrator
    BUILTIN\Administrators
    MYWRKGRP\Domain Admins

----

---- output of getfacl

getfacl: Removing leading '/' from absolute path names
    # file: home/MYWRKGRP/
    # owner: MYWRKGRP\\administrator
    # group: root
    # flags: ss-
    user::rwx
    user:root:rwx
    user:1000512:rwx
    user:1000513:r-x
    user:MYWRKGRP\\Testuser:rwx
    user:1002103:rwx
    group::rwx
    group:root:rwx
    group:MYWRKGRP\\administrator:rwx
    group:MYWRKGRP\\domain\040admins:rwx
    group:MYWRKGRP\\domain\040users:r-x
    group:MYWRKGRP\\Testuser:rwx
    group:MYWRKGRP\\unix\040admins:rwx
    mask::rwx
    other::rwx
    default:user::rwx
    default:user:root:rwx
    default:user:MYWRKGRP\\administrator:rwx
    default:user:1000512:rwx
    default:user:1000513:r-x
    default:user:MYWRKGRP\\Testuser:rwx
    default:group::---
    default:group:root:---
    default:group:MYWRKGRP\\administrator:rwx
    default:group:MYWRKGRP\\domain\040admins:rwx
    default:group:MYWRKGRP\\domain\040users:r-x
    default:group:MYWRKGRP\\Testuser:rwx
    default:mask::rwx
    default:other::rwx

----
---- output of getfattr

root@svr-002:/# getfattr -n security.NTACL -d /home/MYWRKGRP/
    /home/MYWRKGRP/: security.NTACL: No such attribute

----

--------------------- PDC settings --------------------------------
---- smb.conf of the PDC

 [global]
            netbios name = DC-101
            realm = MYWRKGRP.MYDOM.COM
            server role = active directory domain controller
            dns forwarder = 10.0.0.1
            workgroup = MYWRKGRP
    [netlogon]
            path = /var/lib/samba/sysvol/mywrkgrp.mydom.com/scripts
            read only = No

    [sysvol]
            path = /var/lib/samba/sysvol
            read only = No

----

----------------- lxc and settings on the lxc host ---------------------
---- ZFS is setup as follows:

root@proxmox02:/etc/pve/lxc# zfs get xattr hdd_zfs_guests/home
    NAME                 PROPERTY  VALUE  SOURCE
    hdd_zfs_guests/home  xattr     sa     inherited from hdd_zfs_guests

    root@proxmox02:/etc/pve/lxc# zfs get acltype hdd_zfs_guests/home
    NAME                 PROPERTY  VALUE     SOURCE
    hdd_zfs_guests/home  acltype   posixacl  local

    root@proxmox02:/etc/pve/lxc# zfs get aclinherit hdd_zfs_guests/home
    NAME                 PROPERTY    VALUE          SOURCE
    hdd_zfs_guests/home  aclinherit  passthrough    local

----
---- The container is setup as follows:

arch: amd64
    cores: 2
    hostname: svr-002
    memory: 1024
    mp0: /hdd_zfs_guests/shares,mp=/shares
    mp1: /hdd_zfs_guests/home,mp=/home
    nameserver: 10.0.1.5
    net0: name=eth0,bridge=vmbr1,gw=10.0.0.1,hwaddr=56:19:46:64:BA:6B,ip=10.0.2.3/8,tag=2,type=veth
    ostype: debian
    rootfs: hdd_zfs_guests:subvol-312-disk-5,acl=1,size=8G
    searchdomain: mywrkgrp.mydom.com
    swap: 1024
    unprivileged: 1
    lxc.idmap: u 0 100000 2000000
    lxc.idmap: g 0 100000 2000000

----
---- files /etc/setgid and /etc/setuid have the same content

root:10000:2100000

----
-------------------------------------------------------------------------

I got the following hint from the samba mailing list:
Upgrade to Samba 4.10.x, this definitely has /usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so

OR

Don't run Samba in your container.

OR

Don't use ZFS

So maybe there is another workaround for this problem. Any help here is highly appreciated!

Thanks

Christian

 

[ltechnet]

Hi Chris

did you already tried to set the acltype on the subvol or pool?
i was on the same task the last few days. I only set those two

zfs set acltype=posixacl rpool/subvol-1001-disk-1
zfs set aclinherit=passthrough rpool/subvol-1001-disk-1

Take a look at those two links: (google translate may help)

https://www.ja-ki.eu/2016/09/19/gedaechtnisstuetze-acls-mit-zfs-on-linux-und-samba-4-5/
https://confluence.alitecs.de/display/KB/Samba4+in+LXC

I think on my server it's working. But i did not have the time to check it 100%
I really like the performance of the setup (Samba inside LXC with MountPoint on Host on a ZFS Pool)
Let me know if you got it working.

BR
Yves

 

[chriskirsche]

Hi Chris

did you already tried to set the acltype on the subvol or pool?
i was on the same task the last few days. I only set those two


Take a look at those two links: (google translate may help)

https://www.ja-ki.eu/2016/09/19/gedaechtnisstuetze-acls-mit-zfs-on-linux-und-samba-4-5/
https://confluence.alitecs.de/display/KB/Samba4+in+LXC

I think on my server it's working. But i did not have the time to check it 100%
I really like the performance of the setup (Samba inside LXC with MountPoint on Host on a ZFS Pool)
Let me know if you got it working.

BR
Yves

Hello Yves,
thanks for your answer. I set this on the subvol. I came across those postings a few days ago.

Copying and creating of files and folders is working and the performance of this setup great. But I still can't set the permissions without error message. The point is if you try to set this on a directrory tree, the error message is issued for every element in this directory tree which is very annoying.

Just to be sure it is not an issue on my DC or in the samba configuration in general, I setup a fileserver in a VM with the same samba settings as in the container (of course on a raw disk not on a bind mount). Here the errors don't show up, when I set the permission from within windows explorer.

Could you do me a favor please? Would you try to setup the permissions on a folder on your fileserver with windows explorer? Is this working without an error message?

Thanks!

Chris

 

[ltechnet]

Hello Chris

I just tried to set the acl's inside windows explorer and with remote computer management.
On my setup there is no problem. No error message and ACL's where set as expected.

Here ist my simple smb.conf:

[global]
        workgroup = DOMAIN
        realm = AD.DOMAIN.NET
        netbios name = srv-fi-2001
        security = ADS
        dns forwarder = 10.xx.xxx.xx

idmap config * : backend = tdb       
idmap config *:range = 50000-1000000

   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

username map = /etc/samba/user.map

#Disable Printing
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

#SHARES

[tank]
        path = /mnt/tank
        writeable = yes

 

[chriskirsche]

Hello Yves,

Hello Chris

I just tried to set the acl's inside windows explorer and with remote computer management.
On my setup there is no problem. No error message and ACL's where set as expected.

Thanks for testing. Good thing is, that the problem seems to be within my configuration. I assume your Samba version is below 4.10.x. I've now the feeling that I messed up the UID/ GID of lxc with the idmaps of samba.
How did you set the lxc.idamp in the <containerid>.conf file and how did you setup the IDs in the /etc/setgid and the /etc/setgid files?

Thanks again for helping me out!

Chris

 

[ltechnet]

Hi Chris

Im running the default Debian Buster Samba Version (Samba version 4.9.5-Debian )
To be honest, i did never set anything like UID/GID in the lxc config or in /etc/setgid eg. /etc/setgid

 

[chriskirsche]

Hi Chris

Im running the default Debian Buster Samba Version (Samba version 4.9.5-Debian )
To be honest, i did never set anything like UID/GID in the lxc config or in /etc/setgid eg. /etc/setgid

Hi Yves,

So you are running it in an unprivileged or in a priveliged container?

Thanks,

Chris

 

[ltechnet]

Hi Chris
Im running it as an priviliged container.
Maybe that's why its working on my side

Edit:
I found something about the UID's inside LXC...: https://github.com/lxc/lxc/issues/2708#issuecomment-473466062

 

[chriskirsche]

Hi Yves,
maybe. On the other hand I tried a priviliged container too. Same behaviour. I'm really scratching my head. I dont't understand why this is not working.

Thanks again.

 

[chriskirsche]

A little update: For an privileged container it is working now.
Problem was that I made the privileged container out of the backup from the unprivileged one. This screwed up some of the file owner rights. The chmod I issued was ok, but the file rights of the sambashares folder and the winbindd_priv folder in /var/lib/samba were still not correct.
After fixing this the privileged container works now. I guess when I would have started from scratch, it would have worked with the privileged container out of the box.

So the samba config itsef is correct.

Next thing I try is to get the unprivileged container running. I guess the issue is related to the idmap settings.

 

[chriskirsche]

So I think I finally give up trying to set this up in an unprivileged container. Found no workaround.

Has anyone else an idea? Or has a fileserver running in an unprivileged container?
Thanks!

Chris

EDIT: Changed the thread subject - Added (unprivileged) to the subject

 

[chriskirsche]

Ok. I found out what causes the error message.
It is more or less the same reason what causes my test trying to run the DCs in an unprivileged container to fail.
The error meesage is caused by the fact that samba uses the security.* namespace for storing the NTACLs. When yu try to set the permissions on a file or folder from within Windows Explorer, those NTACLS can't be set. Had the hope that this was only true for DCs. But it also applies to fileservers.

TLDR: Unprivileged SAMBA 4 Server of any kind can not be run as unprivileged container!

The answer for the DC can be found here https://forum.proxmox.com/threads/s...d-operation-not-permitted-1.58026/post-267549

 

[ommanipadmehum]

in samba 4.18 added acl_xattr:security_acl_name = user.NTACL
permissions can now be changed in an unprivileged container

#getfattr -n user.NTACL -d /shared/folder1
getfattr: Removing leading '/' from absolute path names
# file: shared/folder1
user.NTACL=0sBAAEAAAAAgAEAAIAAQDi8OWObhHTx...


https://wiki.samba.org/index.php/Sa..._option_to_change_the_NT_ACL_default_location

New option to change the NT ACL default location​

Usually the NT ACLs are stored in the security.NTACL extended attribute (xattr) of files and directories. The new "acl_xattr:security_acl_name" option allows to redefine the default location. The default "security.NTACL" is a protected location, which means the content of the security.NTACL attribute is not accessible from normal users outside of Samba. When this option is set to use a user-defined value, e.g. user.NTACL then any user can potentially access and overwrite this information. The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS). This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content.

 

[Mrt12]

in samba 4.18 added acl_xattr:security_acl_name = user.NTACL
permissions can now be changed in an unprivileged container

#getfattr -n user.NTACL -d /shared/folder1
getfattr: Removing leading '/' from absolute path names
# file: shared/folder1
user.NTACL=0sBAAEAAAAAgAEAAIAAQDi8OWObhHTx...


https://wiki.samba.org/index.php/Sa..._option_to_change_the_NT_ACL_default_location

thanks for this hint.
I just tried to use it to run a SAMBA Server in an unprivileged LXC. However it didn't work (do I need to set this before installing SAMBA? also I am joined to a domain, if that matters).
Still, my SAMBA server only works in privileged LXC. I would prefer if it were unprivileged, though

 

[ommanipadmehum]

thanks for this hint.
I just tried to use it to run a SAMBA Server in an unprivileged LXC. However it didn't work (do I need to set this before installing SAMBA? also I am joined to a domain, if that matters).
Still, my SAMBA server only works in privileged LXC. I would prefer if it were unprivileged, though

I've been using zfs and as I recall you have to enable it:

#zfs create ZFS/shared
#zfs set acltype=posixacl ZFS/shared

lxc config

arch: amd64
cores: 2
features: nesting=1
hostname: FS2
memory: 2048
mp0: /ZFS/shared,mp=/shared
nameserver: 192.168.1.1
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=BC:24:11:22:FF:FF,ip=192.168.1.10/24,type=veth
ostype: ubuntu
rootfs: ZFS:subvol-214-disk-0,acl=1,size=20G
searchdomain: domain.lan
swap: 512
tags: ubuntu;unpriv
unprivileged: 1

 

[Mrt12]

Thanks, I will try again. How can I take advantage of the

acl_xattr:security_acl_name = user.NTACL

SAMBA parameter? cause I would like to use the SAMBA file server together with an SAMBA AD DC, and in this case, I think for some reason this particular security context is used and this is the resaon why unprivileged LXC cannot be used for SAMBA. However, you just proved that it works, I am wondering why, I am totally puzzled but it would be really great to be able to use unprivileged LXC.

If, at some day, also the ZFS delegation would work properly, it would be phantastic, in this case then the SAMBA file server could even manage its own ZFS dataset. This would be like a dream