chris.hayes at proporta.com
2013-Aug-08 21:28 UTC
[Samba] security.NTACL Not Being Set Using LXC Containers
Hi,

My Samba 3.6.6 file server isn't setting the security.NTACL extended attribute. It can set the user.DOSATTRIB without any issue. This appears to be an LXC container issue, as outside the container I can set this using the setfattr command without issue, whereas I can't do this inside.

Despite this not being a Samba issue, I was wondering whether anybody has encountered any problems like this; and whether anyone could offer me their experience or advice?

Thanks,
Chris Hayes
chris.hayes at proporta.com
2013-Aug-08 21:54 UTC
[Samba] security.NTACL Not Being Set Using LXC Containers
On Thu, 08 Aug 2013 22:28:46 +0100, chris.hayes at proporta.com wrote:
> Hi,
>
> My Samba 3.6.6 file server isn't setting the security.NTACL extended
> attribute. It can set the user.DOSATTRIB without any issue. This
> appears to be an LXC container issue, as outside the container I can
> set this using the setfattr command without issue, whereas I can't do
> this inside.
>
> Despite this not being a Samba issue, I was wondering whether anybody
> has encountered any problems like this; and whether anyone could
> offer
> me their experience or advice?

This can be worked around by allowing CAP_SYS_ADMIN; see the lxc.cap.drop declarations in your container configuration. Not necessarily a good idea, though, as it appears to decrease the degree of container isolation from the host system.

I don't believe there's any way to request that Samba use a different namespace, though. The only other option would be to not use the filesystem at all. Does anyone know how NTACLs in XATTR compare to using 'vfs objects = xattr_tdb' or any other options that I'm unaware of?

>
> Thanks,
> Chris Hayes
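
A diagnostic for the situation described in this thread, added here as an example and not part of the original posts: it lists what a container's lxc.cap.drop lines remove and tests the CAP_SYS_ADMIN bit in a process's CapEff mask from /proc/<pid>/status. The function names, the sample configuration and the sample status text are constructed for illustration; it assumes, as the reply indicates, that CAP_SYS_ADMIN is what gates writes to security.* attributes.

```python
import re

CAP_SYS_ADMIN = 21  # bit number from linux/capability.h


def dropped_caps(lxc_config: str) -> set:
    """Collect capabilities named by lxc.cap.drop lines (an empty value resets the list)."""
    dropped = set()
    for line in lxc_config.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"lxc\.cap\.drop\s*=\s*(.*)$", line)
        if not m:
            continue
        names = m.group(1).split()
        if not names:
            dropped.clear()
        dropped.update(n.lower() for n in names)
    return dropped


def has_cap(proc_status: str, bit: int, field: str = "CapEff") -> bool:
    """Test one capability bit in a /proc/<pid>/status capability mask."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)$", proc_status, re.MULTILINE)
    if m is None:
        raise ValueError(f"{field} not found")
    return bool((int(m.group(1), 16) >> bit) & 1)


def can_set_security_xattr(proc_status: str) -> bool:
    """True when the effective set holds CAP_SYS_ADMIN (assumed gate for security.*)."""
    return has_cap(proc_status, CAP_SYS_ADMIN)


# Constructed samples, not taken from the poster's system.
SAMPLE_CONFIG = """\
lxc.utsname = fileserver
lxc.cap.drop = sys_module mac_admin
# the next line is what blocks writes to security.NTACL
lxc.cap.drop = sys_admin
"""
STATUS_DROPPED = "Name:\tsmbd\nCapEff:\t0000001fffdfffff\nCapBnd:\t0000001fffdfffff\n"
STATUS_FULL = "Name:\tsmbd\nCapEff:\t0000001fffffffff\nCapBnd:\t0000001fffffffff\n"

if __name__ == "__main__":
    print("dropped by config:", sorted(dropped_caps(SAMPLE_CONFIG)))
    for label, status in (("sys_admin dropped", STATUS_DROPPED), ("full set", STATUS_FULL)):
        print(label, "-> security.NTACL writable:", can_set_security_xattr(status))
    with open("/proc/self/status") as fh:  # live check of the current process
        print("this process:", can_set_security_xattr(fh.read()))
```

Run inside the container as the user smbd runs as, the last line shows whether the live process holds the capability, which separates a capability problem from a filesystem that lacks extended attribute support.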