Samba secondary DC in an unprivileged LXC container with Debian Buster

Sep 15, 2019
Hello together,

Currently I'm running Proxmox VE 5.4-2 (running kernel: 4.15.18-20-pve) and I wanted to have a secondary Samba 4 domain controller in an unprivileged LXC container.

I installed in a container the debian-10.0-standard_10.0-1_amd64.tar.gz and upgraded it afterwards to Debian 10.1.
Then I installed samba
Code:
apt-get install samba smbclient heimdal-clients ldb-tools
Then ntp
Code:
apt-get install ntp
Configured ntp to use the host clock and not to try to adjust the clock, as the host is already synced to an NTP server.

After that I wanted to setup the replication of the sysvol.
That's where the trouble started.

I installed rsync
Code:
apt-get install rsync
I tried then to rsync the sysvol located on the primary domain controller:
Code:
rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@pri-dc/sysvol/ /var/lib/samba/sysvol/
Which gave the following error for every file and folder in sysvol:
Code:
rsync_xal_set: lsetxattr("/var/lib/samba/sysvol/int.my-dom.de/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI","security.NTACL") failed: Operation not permitted (1)
The container config file /etc/pve/lxc/302.conf is as follows:
Code:
arch: amd64
cores: 1
features: nesting=1
hostname: dc-302
memory: 1600
net0: name=eth0,bridge=vmbr1,firewall=1,gw=10.0.0.1,hwaddr=CA:08:26:BF:55:F2,ip=10.0.1.5/8,tag=2,type=veth
onboot: 0
ostype: debian
rootfs: hdd_zfs_guests:subvol-302-disk-0,size=16G
swap: 1600
unprivileged: 1
lxc.idmap: u 0 100000 6000000
lxc.idmap: g 0 100000 6000000
lxc.cap.drop: sys_admin
The files /etc/subuid and /etc/subgid both have this content
Code:
root:100000:6000000
With
Code:
mount | grep acl
I get the following output:
Code:
hdd_zfs_guests on /hdd_zfs_guests type zfs (rw,xattr,noacl)
hdd_zfs_guests/subvol-201-disk-0 on /hdd_zfs_guests/subvol-201-disk-0 type zfs (rw,xattr,posixacl)
hdd_zfs_guests/subvol-202-disk-0 on /hdd_zfs_guests/subvol-202-disk-0 type zfs (rw,xattr,posixacl)
hdd_zfs_guests/subvol-203-disk-0 on /hdd_zfs_guests/subvol-203-disk-0 type zfs (rw,xattr,posixacl)
hdd_zfs_guests/subvol-301-disk-0 on /hdd_zfs_guests/subvol-301-disk-0 type zfs (rw,xattr,posixacl)
hdd_zfs_guests/subvol-302-disk-0 on /hdd_zfs_guests/subvol-302-disk-0 type zfs (rw,xattr,posixacl)
Backing up the container and restoring it as a privileged container works, but that is something I would like to avoid.

Besides this, I tried the following lxc.cap.drop options in addition to sys_admin:
Code:
sys_module setfcap setpcap mac_admin mac_override fowner dac_override chown lease mknod sys_chroot sys_resource
I would really appreciate any hint that might point me in the right direction on how to get the sysvol replication up and running in an unprivileged LXC container.
Or is it simply the case that what I'm trying to do is not possible in an unprivileged container?

Thanks in advance!

Christian

Btw.: I found this thread in the German forum, but no solution to it: https://forum.proxmox.com/threads/erweiterte-dateisystematribute-xatrr-in-unprivilegiert-container.36652/
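The rsync error quoted above is raised by the kernel, not by rsync or ZFS: writing an xattr in the security.* namespace (security.capability aside) requires CAP_SYS_ADMIN in the initial user namespace, which an unprivileged container never has, regardless of whether the dataset is mounted with xattr and posixacl. The script below is an added example, not code from the thread; it cross-checks a pve container config against `mount` output so the two causes (filesystem options vs. container privilege) can be told apart. The sample texts are copied from the post above; matching the ZFS dataset to the rootfs volume by its trailing volume name is an assumption.

```python
import re

# Sample input copied from the thread: part of /etc/pve/lxc/302.conf and "mount | grep acl" output
CONF_302 = """\
arch: amd64
rootfs: hdd_zfs_guests:subvol-302-disk-0,size=16G
unprivileged: 1
lxc.idmap: u 0 100000 6000000
lxc.idmap: g 0 100000 6000000
lxc.cap.drop: sys_admin
"""
MOUNTS = """\
hdd_zfs_guests on /hdd_zfs_guests type zfs (rw,xattr,noacl)
hdd_zfs_guests/subvol-302-disk-0 on /hdd_zfs_guests/subvol-302-disk-0 type zfs (rw,xattr,posixacl)
"""
MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$")

def parse_pve_conf(text):
    """Parse 'key: value' lines; repeated keys such as lxc.idmap become lists."""
    conf = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip() for part in line.split(":", 1))  # hwaddr values contain ':'
        if key in conf:
            conf[key] = (conf[key] if isinstance(conf[key], list) else [conf[key]]) + [value]
        else:
            conf[key] = value
    return conf

def parse_mounts(text):
    """Turn '<src> on <target> type <fs> (<opts>)' lines into dicts with an option set."""
    found = [MOUNT_RE.match(l.strip()) for l in text.splitlines()]
    return [dict(m.groupdict(), opts=set(m["opts"].split(","))) for m in found if m]

def check_rootfs_xattr(conf_text, mount_text):
    """Report whether security.* xattrs can be written on the container rootfs."""
    conf = parse_pve_conf(conf_text)
    volume = conf.get("rootfs", "").split(",")[0].split(":", 1)[-1]  # storage:volume,size=..
    # Assumption: the mounted ZFS dataset name ends in the pve volume name
    mount = next((m for m in parse_mounts(mount_text) if m["src"].rsplit("/", 1)[-1] == volume), None)
    caps = conf.get("lxc.cap.drop", [])
    dropped = {c for entry in (caps if isinstance(caps, list) else [caps]) for c in entry.split()}
    unprivileged = conf.get("unprivileged") == "1"
    return {
        "unprivileged": unprivileged,
        "dropped_caps": dropped,
        "rootfs_mount": mount["target"] if mount else None,
        "fs_xattr": bool(mount and "xattr" in mount["opts"]),
        "fs_posixacl": bool(mount and "posixacl" in mount["opts"]),
        # security.* xattrs need CAP_SYS_ADMIN in the initial user namespace
        "security_xattr_settable": not unprivileged and "sys_admin" not in dropped,
    }

if __name__ == "__main__":
    print(check_rootfs_xattr(CONF_302, MOUNTS))
```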
 
Sep 15, 2019
Unfortunately I have no solution either, but a question:



You're right, but why do you install ntp then?
NTP runs as a server to provide the time to the Windows clients in case the primary DC goes down and I have to transfer the PDC emulator to the secondary DC. So it is just in case. Otherwise, as long as the Proxmox host and the primary DC are synchronizing to the same NTP server, you're probably right. No need to set up NTP on the secondary DC. But I'm not sure if having no NTP server on the secondary DC is really something to consider.

If you're interested in Samba and time synchronization, here is the link to the Samba wiki: https://wiki.samba.org/index.php/Time_Synchronisation

Btw: The primary DC is not on the same machine as the secondary DC.
 
Sep 15, 2019
Sorry for the double post. This post was originally my first post. After editing this post because of typos, it disappeared and I couldn't find it again. I thought I had deleted it and for that reason created the other one you replied to. (Had a backup in my text editor ;-) )
 