On Fri, 2020-02-28 at 17:12 +0000, Rowland Penny via samba wrote:
> On 28/02/2020 17:02, Marco Gaiarin via samba wrote:
> > I came back on this topic.
> >
> > As just depicted on:
> >
> > https://lists.samba.org/archive/samba/2019-December/227626.html
> >
> > there's no way to run a Samba AD DC in an unprivileged LXC container,
> > because Samba needs the XATTR SYSTEM namespace, which is reserved in the
> > container.
> >
> > Could it be doable to 'offload' all XATTRs from the filesystem with a
> > module like xattr_tdb?
> > https://wiki.samba.org/index.php/Using_the_xattr_tdb_VFS_Module
> > How 'inefficient' is it for an AD DC?
> >
> > Is there some way, eventually, to 'back up' XATTRs and restore them, to
> > migrate from the filesystem to xattr_tdb?
> >
> >
> > Thanks.
> >
> It doesn't scale; if it did, don't you think Samba would do this?
Marco,
I realise the attraction with putting a Samba AD DC into a container
but sadly we do need some privileged support from the OS to operate
safely.
It isn't just that putting XATTRs in a TDB does not scale, and that
isn't even the main issue. The issue is that if a file is deleted and
re-created outside Samba's knowledge, then the xattrs are silently
transferred between the old and new files.
This isn't theoretical: we had flapping tests in 'make test' (which is
the only legitimate use of this module) because of this.
I've updated the wiki page.
The FreeBSD folks have a similar pain trying to run Samba in a FreeBSD
jail:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220844
https://bugzilla.samba.org/show_bug.cgi?id=12912
Some there have attempted to get around the issue by changing the code
to use the unprivileged 'user' namespace, but this creates security
issues (we use the privileged XATTR namespaces for a reason).
Sorry!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
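Two small checks related to the thread above, added here as an example; this is not Samba's code, not xattr_tdb's implementation, and not from anyone in the thread. The first function probes which xattr namespaces the current process may actually write (run it inside the container you intend to use; the attribute names `user.probe`, `security.probe` and `trusted.probe` are arbitrary names chosen for the probe). The second part is a deliberately simplified model of an xattr store kept outside the filesystem and keyed only by inode number, so that the failure mode Andrew describes can be seen directly: unlink and re-create a file without going through the store, the filesystem hands out the freed inode number again, and the old file's attributes reappear on the new one. The paths and the `FakeFilesystem` inode allocator are constructed for the example; `security.NTACL` is the real name Samba uses for its stored NT ACL, but the value is made up.

```python
"""Added example: xattr namespace probe plus a toy inode-keyed xattr store."""
import errno
import os
import tempfile

# "user" is the unprivileged namespace; "security" and "trusted" need
# CAP_SYS_ADMIN in the initial user namespace on Linux (see xattr(7)).
# These attribute names are arbitrary probe names chosen for this example.
PROBE_ATTRS = ("user.probe", "security.probe", "trusted.probe")


def probe_xattr_namespaces(directory=None):
    """Try to set one xattr per namespace on a scratch file.

    Returns {attr_name: "ok" | errno name}.  EPERM or ENOTSUP on the
    privileged names is the condition the thread is about.
    """
    if not hasattr(os, "setxattr"):          # non-Linux Python builds
        return {name: "unsupported" for name in PROBE_ATTRS}
    results = {}
    with tempfile.NamedTemporaryFile(dir=directory) as scratch:
        for name in PROBE_ATTRS:
            try:
                os.setxattr(scratch.name, name, b"1")
                os.removexattr(scratch.name, name)
                results[name] = "ok"
            except OSError as exc:
                results[name] = errno.errorcode.get(exc.errno, str(exc.errno))
    return results


class FakeFilesystem:
    """Minimal inode allocator (constructed for this example).

    Freed inode numbers are handed out again, which is what real
    filesystems do and what makes an inode-keyed external store unsafe.
    """

    def __init__(self):
        self._free = []
        self._next = 100
        self.files = {}  # path -> inode number

    def create(self, path):
        ino = self._free.pop() if self._free else self._next
        if ino == self._next:
            self._next += 1
        self.files[path] = ino
        return ino

    def unlink(self, path):
        self._free.append(self.files.pop(path))


class InodeKeyedXattrStore:
    """xattrs kept outside the filesystem, keyed only by inode number.

    A stand-in for the general idea of a TDB-backed xattr store; it is
    not Samba's xattr_tdb code.
    """

    def __init__(self, fs):
        self.fs = fs
        self.db = {}  # inode -> {attr name: value}

    def set(self, path, name, value):
        self.db.setdefault(self.fs.files[path], {})[name] = value

    def get(self, path, name):
        return self.db.get(self.fs.files[path], {}).get(name)

    def unlink(self, path):
        # Only removals that go through the store clean up its entries.
        self.db.pop(self.fs.files[path], None)
        self.fs.unlink(path)


def stale_xattr_after_recreate():
    """File removed and re-created behind the store's back: ACL leaks."""
    fs = FakeFilesystem()
    store = InodeKeyedXattrStore(fs)
    fs.create("/sysvol/policy.pol")
    store.set("/sysvol/policy.pol", "security.NTACL", b"acl-for-policy")
    fs.unlink("/sysvol/policy.pol")          # e.g. a restore or an admin
    fs.create("/sysvol/new.txt")             # gets inode 100 back
    return store.get("/sysvol/new.txt", "security.NTACL")


def xattr_after_tracked_delete():
    """Same sequence, but the delete goes through the store: no leak."""
    fs = FakeFilesystem()
    store = InodeKeyedXattrStore(fs)
    fs.create("/sysvol/policy.pol")
    store.set("/sysvol/policy.pol", "security.NTACL", b"acl-for-policy")
    store.unlink("/sysvol/policy.pol")
    fs.create("/sysvol/new.txt")
    return store.get("/sysvol/new.txt", "security.NTACL")


if __name__ == "__main__":
    print("namespace probe:", probe_xattr_namespaces())
    print("stale xattr after untracked re-create:", stale_xattr_after_recreate())
    print("xattr after tracked delete:", xattr_after_tracked_delete())
```

The probe result depends on where it runs: as root on the host the privileged names normally succeed, in an unprivileged container they typically fail with EPERM, and a filesystem without xattr support reports ENOTSUP. The model shows why a store outside the filesystem cannot be made safe simply by tracking deletes in Samba: only the kernel sees every unlink, so only xattrs stored on the inode itself are guaranteed to die with it.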