samba - Jun 2020 - Cannot change NTACL for share from Windows

On Sun, 31 May 2020 at 20:18, Rowland penny via samba <samba at
lists.samba.org>
wrote:
> On 31/05/2020 17:55, Viktor Trojanovic wrote:
> > It's just what's there from a default Ubuntu (minimal)
install... It
> > looks like snapd depends on it. Anyway, I don't need either here,
so I
> > removed it entirely. The issue persists, though.
>
> Did you reboot ?
>
> You seem to have a smb.conf  very similar to mine and it works for me
> (not that saying that helps you) and the only difference at first glance
> appears to be that I have never used Apparmor.
>
>
Fair point about the reboot. Just did that, then logged out of Windows and
back in. The error remains, I get access denied when trying to change the
share permissions in any form, changing permissions of underlying folders
is not a problem though.

I've set up Samba 4.11 in an unprivileged container. At this point, I can
only assume that this might be the issue here, though I can't quite
understand why. Does anyone happen to have an explanation, is there maybe a
workaround? I know for a fact that it works with privileged containers,
having used several of these myself.

Viktor

Sorry, send to list as well
> I've set up Samba 4.11 in an unprivileged container. At this point, I
can only assume that this might be the issue here, though I
can't
> quite understand why. Does anyone happen to have an explanation, is there
maybe a workaround? I know for a fact that it works
> with privileged containers, having used several of these myself.
> 
> Viktor
That's your problem - it needs a privileged container so that the container
can change the permissions on the underlying filing
system.

HTH,

Roy

On June 1, 2020 00:32:23 Roy Eastwood via samba <samba at lists.samba.org>
wrote:
> Sorry, send to list as well
>> I've set up Samba 4.11 in an unprivileged container. At this point,
I can
>> only assume that this might be the issue here, though I
> can't
>> quite understand why. Does anyone happen to have an explanation, is
there
>> maybe a workaround? I know for a fact that it works
>> with privileged containers, having used several of these myself.
>>
>> Viktor
>
> That's your problem - it needs a privileged container so that the
container
> can change the permissions on the underlying filing
> system.
OK, I found some evidence of this here: 
https://discuss.linuxcontainers.org/t/samba-acls-in-a-lxd-container/4420/7

It seems that changing xattr information requires real root which is why it 
won't work with an unprivileged container.

If what is said in that discussion is true, then the only workaround for a 
non privileged container is to assume no support for xattr and use 
posix:eadb in smb.conf.

https://wiki.samba.org/index.php/File_System_Support#File_systems_without_xattr_support

Not recommended, though, as it comes with a significant performance hit.

There seems to be anecdotal evidence, however, that xattr may work even 
with an unprivileged container when btrfs is used.


https://github.com/lxc/lxc/issues/2708#issuecomment-473466062


I couldn't find more sources to confirm this though. May run some tests of 
my own when I find the time.

Viktor