On 27/12/2019 12:59, Chris via samba wrote:
> On 25/12/2019 20:04, Rowland penny via samba wrote:
>
>> On 25/12/2019 16:46, Chris via samba wrote:
>>> Hello,
>> Merry Christmas
> Thanks Rowland! Hope you had a Merry Christmas too
>>> The shares of the file server are on the ZFS of the host and mapped
>>> via bind-mount.
>>
>> Ah, that could be a problem, ZFS uses NFSv4 ACLs
>>>
>> Try 'nfs4acl_xattr' instead, see 'man vfs_nfs4acl_xattr'
>
> I tried to set in the [users] share. The result in the log.smbd looks
> like this:
>
> ------
>
> root@svr-002:/# tail -f /var/log/samba/log.smbd
> [2019/12/27 13:39:51.454236,  0] ../source3/smbd/service.c:631(make_connection_snum)
>   make_connection_snum: vfs_init failed for service users
> [2019/12/27 13:39:51.455426,  0] ../lib/util/modules.c:49(load_module)
>   Error loading module '/usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so': /usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so: cannot open shared object file: No such file or directory
> [2019/12/27 13:39:51.455461,  0] ../source3/smbd/vfs.c:184(vfs_init_custom)
>   error probing vfs module 'nfs4acl_xattr': NT_STATUS_UNSUCCESSFUL
> [2019/12/27 13:39:51.455479,  0] ../source3/smbd/vfs.c:379(smbd_vfs_init)
>   smbd_vfs_init: vfs_init_custom failed for nfs4acl_xattr
> [2019/12/27 13:39:51.455494,  0] ../source3/smbd/service.c:631(make_connection_snum)
>   make_connection_snum: vfs_init failed for service users
> ------
>
> I think that's due to the fact that the NFSv4 support is probably not
> built in the Linux ZFS version of proxmox. According to what I found
> on github, the support for NFSv4 ACL is still under development.
>
> Any other ideas?
>
> Thanks,
>
> Christian
>
Yes, but you are probably not going to like them ;-)

Upgrade to Samba 4.10.x, this definitely has
/usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so

OR

Don't run Samba in your container.

OR

Don't use ZFS

Rowland

On 27/12/2019 14:13, Rowland penny via samba wrote:
> On 27/12/2019 12:59, Chris via samba wrote:
>> Any other ideas?
>>
> Yes, but you are probably not going to like them ;-)
>
You are right. ;-)

> Upgrade to Samba 4.10.x, this definitely has
> /usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so
>
> OR
>
> Don't run Samba in your container.
>
> OR
>
> Don't use ZFS

I need some more coffee to get to a final decision.

But there is still one thing I didn't understand. Why is there the error from the smbcacls command but the permissions are set when checking them? And obviously the ACLs are interpreted correctly by Windows and smbcacls. So when I give the Testuser only read permissions, Testuser isn't allowed to create or modify objects in the share. This is what drives me really nuts.

Thanks,

Chris

On 27/12/2019 16:05 Chris via samba wrote:
>
> On 27/12/2019 14:13, Rowland penny via samba wrote:
>>
>> Don't run Samba in your container.
>>
The correct answer is don't run samba in an unprivileged LXC / LXD container.

I got trapped by the fact that when I converted my unprivileged LXC container to a privileged container, the winbind_priv folder didn't have the correct permissions, which then caused winbind to fail. After sorting this out, the privileged container is running.

Good news is that it is not an issue of ZFS.

> But there is still one thing I didn't understand. Why is there the
> error from the smbcacls command but the permissions are set when
> checking them? And obviously the ACLs are interpreted correct by
> Windows and smbcacls. So when I give the Testuser only read
> permissions, Testuser isn't allowed to create or modify objects in
> the share. This is what drives me really nuts.
>
This error can be explained - I think - by the fact that the |security.*| namespace is reserved for root. This namespace is only available when running the container as a privileged container.

It is kind of sad, as the performance difference between Samba running in a container and Samba running on a VM is huge. But if you want/need to have the better isolation of an unprivileged container, you need to use a VM.

@Rowland penny: Thanks for taking the time and helping me

Chris
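
Added example, not part of the thread: a small check, run as root inside the container against the share path, that tests the explanation given above by probing whether `security.*` extended attributes can be written and whether root is remapped to an unprivileged host uid. The probe attribute names and the result strings are constructed for this illustration, and Linux with `/proc/self/uid_map` is assumed.

```python
import errno
import os
import sys
import tempfile

PROBE_SECURITY = "security.probe_test"  # constructed name, not one Samba uses
PROBE_USER = "user.probe_test"          # constructed name, control probe
NO_XATTR = ("ENOTSUP", "EOPNOTSUPP")

def root_is_remapped(uid_map_text):
    """True if uid 0 here maps to a non-zero host uid (unprivileged container)."""
    for line in uid_map_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, outside, count = (int(f) for f in fields)
        if inside == 0 and count > 0:
            return outside != 0
    return True  # uid 0 is not mapped at all, so there is no real root either

def probe_xattr(directory, name):
    """Set xattr `name` on a scratch file in `directory`; return 'ok' or the errno name."""
    if not hasattr(os, "setxattr"):
        return "UNSUPPORTED"
    fd, path = tempfile.mkstemp(dir=directory)
    os.close(fd)
    try:
        os.setxattr(path, name, b"1")
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        os.unlink(path)

def diagnose(remapped, security_result, user_result):
    """Classify the two probe results together with the uid mapping."""
    if security_result == "ok":
        return "security.* writable"
    if security_result in NO_XATTR or user_result in NO_XATTR:
        return "filesystem lacks xattr support"
    if security_result in ("EPERM", "EACCES") and remapped:
        return "security.* blocked: unprivileged container"
    return "security.* blocked: " + security_result

if __name__ == "__main__":
    share = sys.argv[1] if len(sys.argv) > 1 else "."
    with open("/proc/self/uid_map") as fh:
        remapped = root_is_remapped(fh.read())
    print(diagnose(remapped, probe_xattr(share, PROBE_SECURITY),
                   probe_xattr(share, PROBE_USER)))
```

Pass the bind-mounted share directory as the first argument; the scratch file is removed after each probe.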