Samba secondary DC in an unprivileged LXC container with Debian Buster - ..."security.NTACL") failed: Operation not permitted (1)

Sep 15, 2019
Hello together,

Currently I'm running Proxmox VE 5.4-2 (running kernel: 4.15.18-20-pve) and I wanted to have a secondary Samba 4 domain controller in an unprivileged LXC container.

I installed in a container the debian-10.0-standard_10.0-1_amd64.tar.gz and upgraded it afterwards to Debian 10.1.
Then I installed samba
Code:
apt-get install samba smbclient heimdal-clients ldb-tools

Then ntp

Code:
apt-get install ntp

Configured ntp to use the host clock and not to try to adjust the clock, as the host is already synced to an NTP server.

After that I wanted to set up the replication of the sysvol.
That's where the trouble started.

I installed rsync


Code:
apt-get install rsync

I tried then to rsync the sysvol located on the primary domain controller:
Code:
rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@pri-dc/sysvol/ /var/lib/samba/sysvol/

Which gave the following error for every file and folder in sysvol:
Code:
rsync_xal_set: lsetxattr("/var/lib/samba/sysvol/int.my-dom.de/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI","security.NTACL") failed: Operation not permitted (1)

The container config file /etc/pve/lxc/302.conf is as follows:
Code:
arch: amd64
cores: 1
features: nesting=1
hostname: dc-302
memory: 1600
net0: name=eth0,bridge=vmbr1,firewall=1,gw=10.0.0.1,hwaddr=CA:08:26:BF:55:F2,ip=10.0.1.5/8,tag=2,type=veth
onboot: 0
ostype: debian
rootfs: hdd_zfs_guests:subvol-302-disk-0,size=16G
swap: 1600
unprivileged: 1
lxc.idmap: u 0 100000 6000000
lxc.idmap: g 0 100000 6000000
lxc.cap.drop: sys_admin

The files /etc/subuid and /etc/subgid both have this content:

Code:
root:100000:6000000

With

Code:
mount | grep acl

I get the following output:

Code:
hdd_zfs_guests on /hdd_zfs_guests type zfs (rw,xattr,noacl)
hdd_zfs_guests/subvol-201-disk-0 on /hdd_zfs_guests/subvol-201-disk-0 type zfs (rw,xattr,posixacl)
hdd_zfs_guests/subvol-202-disk-0 on /hdd_zfs_guests/subvol-202-disk-0 type zfs (rw,xattr,posixacl)
hdd_zfs_guests/subvol-203-disk-0 on /hdd_zfs_guests/subvol-203-disk-0 type zfs (rw,xattr,posixacl)
hdd_zfs_guests/subvol-301-disk-0 on /hdd_zfs_guests/subvol-301-disk-0 type zfs (rw,xattr,posixacl)
hdd_zfs_guests/subvol-302-disk-0 on /hdd_zfs_guests/subvol-302-disk-0 type zfs (rw,xattr,posixacl)

Backing up the container and restoring it as a privileged container works, but that is something I would like to avoid.

Besides this, I tried the following lxc.cap.drop options in addition to sys_admin:

Code:
sys_module setfcap setpcap mac_admin mac_override fowner dac_override chown lease mknod sys_chroot sys_resource

I would really appreciate any hint that might point me in the right direction on how to get the sysvol replication up and running in an unprivileged LXC container.
Or is it just a fact that what I'm trying to do is not possible in an unprivileged container?

Thanks in advance!

Christian

Btw.: I found this post in the german forum but no solution to it: https://forum.proxmox.com/threads/e...bute-xatrr-in-unprivilegiert-container.36652/

Edit: Found some typos
 
Hi,

Or is it just fact that what I'm trying to do is not possible in an unprivileged container?

The security.* namespace is reserved for root, so it won't work in unprivileged containers (privileged containers run as real root, so they don't have this restriction).

Unfortunately it seems like Samba uses security.NTACL [0] instead of a userspace implementation. You could try setting the acl_xattr:ignore system acls option to 'no', but I'm not sure what exactly it does in that case.

[0]: https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html
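The restriction described above can be checked before running rsync at all. The following probe is an added example and is not part of this thread or of Samba/Proxmox: from inside the container it creates a scratch file in the target directory and tries to write the exact xattr name from the rsync error (security.NTACL) next to a user.* control attribute, then maps the errno to a verdict. EPERM on security.* with user.* succeeding is the unprivileged-container case; ENOTSUP on both points at the filesystem mount options instead (compare the xattr/noacl flags in the mount output above). The attribute names, verdict strings and the default scratch directory are assumptions of this example.

```python
import errno
import os
import tempfile

# Constructed probe set: the xattr name rsync failed on in the thread, plus a
# user-namespace control that an unprivileged process is normally allowed to set.
PROBE_ATTRS = ("security.NTACL", "user.probe")


def classify_xattr_errno(code):
    """Map the errno of a failed setxattr() to a short verdict string.

    EPERM: the kernel refuses the write because the caller is not real root
           (the unprivileged-container situation in the thread).
    ENOTSUP/EOPNOTSUPP: the filesystem (or its mount options) has no xattr
           support for this namespace at all.
    """
    if code == errno.EPERM:
        return "eperm-not-real-root"
    if code in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "enotsup-filesystem"
    return "error-%d" % code


def probe_xattr(path, name, value=b"probe"):
    """Try to set one xattr on path; return 'ok' or a verdict string."""
    try:
        os.setxattr(path, name, value)
    except OSError as exc:
        return classify_xattr_errno(exc.errno)
    # Remove the attribute again so repeated probes start from the same state.
    try:
        os.removexattr(path, name)
    except OSError:
        pass
    return "ok"


def probe_directory(directory=None, attrs=PROBE_ATTRS):
    """Create a scratch file in directory and probe each attr name on it.

    Returns {attr_name: verdict}. Run it inside the container on the sysvol
    target directory (for example /var/lib/samba/sysvol) before trying
    rsync -X. Defaults to the system temp directory (an assumption).
    """
    if directory is None:
        directory = tempfile.gettempdir()
    results = {}
    fd, path = tempfile.mkstemp(prefix=".xattr-probe-", dir=directory)
    os.close(fd)
    try:
        for name in attrs:
            results[name] = probe_xattr(path, name)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for attr_name, verdict in probe_directory(target).items():
        print("%s: %s" % (attr_name, verdict))
```

Usage: `python3 xattr_probe.py /var/lib/samba/sysvol` inside the container. If security.NTACL reports eperm-not-real-root while user.probe reports ok, the rsync -X failure in the thread is reproduced independently of rsync, and dropping or adding lxc.cap.drop entries will not change it.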
 
So after playing around for hours with different settings / approaches, I'm pretty sure now that a Samba DC can only be set up in a privileged container.

As @oguz pointed out, this is due to the fact that Samba is using the security.* namespace.

So either set up Samba in a privileged container or in a VM, depending on your security / performance requirements. :(
 
