Hi Marco, anybody,

> + must be 'privileged' container (no unprivileged ones)

I have seen containers with and without calling for being privileged, but you never know without trying and testing carefully...
Googling I found https://github.com/lxc/lxd/issues/3442#issuecomment-312560949 but I am not really clear about the conclusion.
Does it really have to be privileged?

Thanks & Best Regards, Joachim
Hello! On that day, Joachim Lindenberg via samba wrote...

> > + must be 'privileged' container (no unprivileged ones)
> I have seen containers with and without calling for being privileged, but you never know without trying and testing carefully...
> Googling I found https://github.com/lxc/lxd/issues/3442#issuecomment-312560949 but I am not really clear about the conclusion.
> Does it really have to be privileged?

I've not done extensive tests about that; I'm in a rather ''secure'' environment and so I really don't need the extra separation/paranoia that unprivileged containers have.

But... I've tried to set up a DC with an unprivileged container, and it simply does not work (if I remember well, trouble with ACLs/xattrs), so I've simply switched to privileged ones.

Looking at the bug/link, it seems to confirm. Samba in AD mode *needs* acl_xattr (it is on by default), which needs the security.* namespace, which is available only to root. Bingo. ;)

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
On 05/07/2019 15:11, Joachim Lindenberg via samba wrote:
> Hi Marco, anybody,
>> + must be 'privileged' container (no unprivileged ones)
> I have seen containers with and without calling for being privileged, but you never know without trying and testing carefully...
> Googling I found https://github.com/lxc/lxd/issues/3442#issuecomment-312560949 but I am not really clear about the conclusion.
> Does it really have to be privileged?
> Thanks & Best Regards, Joachim

Not an expert on containers, but it sounds like you must use 'privileged' ones.

All DCs are fileservers even if you don't think they are (Sysvol, Netlogon), and the required Windows ACLs are stored in security.NTACL.

Rowland
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 5 July 2019 16:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] Container setup?
>
> On 05/07/2019 15:11, Joachim Lindenberg via samba wrote:
> > Hi Marco, anybody,
> >> + must be 'privileged' container (no unprivileged ones)
> > I have seen containers with and without calling for being
> privileged, but you never know without trying and testing carefully...
> > Googling I found
> https://github.com/lxc/lxd/issues/3442#issuecomment-312560949
> but I am not really clear about the conclusion.
> > Does it really have to be privileged?
> > Thanks & Best Regards, Joachim
>
> Not an expert on containers, but it sounds like you must use 'privileged' ones,
>
> All DC's are fileservers even if you don't think they are (Sysvol,
> Netlogon) and the required Windows ACL's are stored in security.NTACL
>
> Rowland

Even if you set: acl_xattr:ignore system acls = yes ??
(I'm not a container expert either.) :-/

Greetz,

Louis
On 05/07/2019 15:34, L.P.H. van Belle via samba wrote:
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland penny via samba
>> Sent: Friday 5 July 2019 16:30
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Container setup?
>>
>> On 05/07/2019 15:11, Joachim Lindenberg via samba wrote:
>>> Hi Marco, anybody,
>>>> + must be 'privileged' container (no unprivileged ones)
>>> I have seen containers with and without calling for being
>> privileged, but you never know without trying and testing carefully...
>>> Googling I found
>> https://github.com/lxc/lxd/issues/3442#issuecomment-312560949
>> but I am not really clear about the conclusion.
>>> Does it really have to be privileged?
>>> Thanks & Best Regards, Joachim
>> Not an expert on containers, but it sounds like you must use 'privileged' ones,
>>
>> All DC's are fileservers even if you don't think they are (Sysvol,
>> Netlogon) and the required Windows ACL's are stored in security.NTACL
>>
>> Rowland
>
> Even if you set: acl_xattr:ignore system acls = yes ??
> (I'm not a container expert either.) :-/
>
> Greetz,
>
> Louis

Yes, pull that line into bits:

acl_xattr: type of ACL module (very basic description)
ignore system acls = yes: this tells 'acl_xattr' to ignore the system ACLs (Unix rwx)

So basically you are telling Samba to only use security.NTACL.

Rowland
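As an added example (not code from the thread or from Samba), a small Python probe that answers Joachim's question empirically: run it inside the container you plan to use and it reports whether the security.NTACL attribute Rowland mentions can actually be written there, translating a failure into the privileged/unprivileged diagnosis Marco describes. The user.* probe name and the probe value are constructed placeholders, not Samba's real NTACL blob.

```python
import errno
import os
import tempfile

# Samba's vfs_acl_xattr (on by default on an AD DC) keeps each file's NT ACL
# in this xattr. Writing the security.* namespace needs CAP_SYS_ADMIN in the
# initial user namespace, which an unprivileged container does not have.
NTACL_XATTR = "security.NTACL"
USER_XATTR = "user.samba_probe"   # hypothetical name, only for comparison
PROBE_VALUE = b"probe"            # constructed; Samba stores an NDR blob here


def probe_xattr(name, path):
    """Set, read back and remove one xattr on `path`.

    Returns (ok, errno_value). ok is True when the attribute round-trips;
    otherwise errno_value says why (EPERM/EACCES: not allowed from this
    container; ENOTSUP: the filesystem has no support for that namespace).
    """
    if not hasattr(os, "setxattr"):          # non-Linux: no xattr API at all
        return False, errno.ENOSYS
    try:
        os.setxattr(path, name, PROBE_VALUE)
        ok = os.getxattr(path, name) == PROBE_VALUE
        os.removexattr(path, name)
        return ok, None
    except OSError as e:
        return False, e.errno


def explain(result):
    """Map a probe_xattr() result to an operator-facing diagnosis."""
    ok, err = result
    if ok:
        return "writable"
    if err in (errno.EPERM, errno.EACCES):
        return "denied: security.* xattrs need CAP_SYS_ADMIN (privileged container)"
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "filesystem does not support this xattr namespace"
    return "failed: %s" % (os.strerror(err) if err else "read-back mismatch")


def check_dc_storage(directory=None):
    """Probe a path where Sysvol would live and report whether a Samba AD DC
    could store NT ACLs there (directory defaults to the system temp dir)."""
    with tempfile.NamedTemporaryFile(dir=directory) as f:
        user = probe_xattr(USER_XATTR, f.name)
        sec = probe_xattr(NTACL_XATTR, f.name)
    return {"user": user, "security": sec,
            "dc_ready": sec[0], "diagnosis": explain(sec)}


if __name__ == "__main__":
    print(check_dc_storage())
```

If "user" succeeds but "security" is denied, the filesystem is fine and the container itself is the limit, which is exactly the case the thread settles on.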