Installing samba on ZFS inside container #3442

Closed
laralar opened this Issue Jun 24, 2017 · 17 comments


laralar commented Jun 24, 2017

Required information

  • Distribution: Ubuntu
  • Distribution version: 16.04
  • The output of "lxc info" or if that fails:
    • Kernel version:4.4.0-81-generic
    • LXC version:2.14
    • LXD version:2.14
    • Storage backend in use:zfs

Issue description

I'm trying to install SAMBA on a ZFS container. For that I executed the following command:
`zfs set acltype=posixacl vol0/lxd/containers/zentyal`

I restarted the container, just in case.

Steps to reproduce

It is an unprivileged container, installing zentyal Domain Controller which installs samba and gives the following output in zentyal.log

Information to attach

2017/06/24 08:41:49 ERROR> GlobalImpl.pm:661 EBox::GlobalImpl::saveAllModules - Failed to save changes in module samba: root command samba-tool domain provision --domain='aibl' --realm='AIBL.NET' --dns-backend=BIND9_DLZ --use-xattrs=yes --use-rfc2307 --function-level=2003 --server-role='dc' --host-name='zentyal' --host-ip='10.30.60.250' --adminpass='cat /var/lib/zentyal/tmp/VV7Qtr' failed.
Error output: lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
...
set_nt_acl: chown /var/lib/samba/sysvol. uid = 0, gid = 3000000.
Security context active token stack underflow!
PANIC (pid 8094): Security context active token stack underflow!
BACKTRACE: 44 stack frames:
#0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1c) [0x7f165143dc0c]
#1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f165143dce0]
#2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f166404819f]
#3 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(sec_ctx_active_token+0x83) [0x7f164dbbf8e3]
#4 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(try_chown+0xa9) [0x7f164dbcb5d9]
#5 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(set_nt_acl+0x1ce) [0x7f164dbcb7fe]
#6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1e2ef1) [0x7f164dc91ef1]
#7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smb_vfs_call_fset_nt_acl+0x2d) [0x7f164dbc3cfd]
#8 /usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so(+0x23d9) [0x7f163e8d83d9]
#9 /usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so(+0x4ff6) [0x7f163e8daff6]
#10 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smb_vfs_call_fset_nt_acl+0x2d) [0x7f164dbc3cfd]
#11 /usr/lib/python2.7/dist-packages/samba/samba3/smbd.x86_64-linux-gnu.so(+0x25f4) [0x7f164dff55f4]
#12 /usr/bin/python2.7(PyEval_EvalFrameEx+0x6da2) [0x4cada2]
#13 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
#14 /usr/bin/python2.7(PyEval_EvalFrameEx+0x6099) [0x4ca099]
#15 /usr/bin/python2.7(PyEval_EvalFrameEx+0x5d8f) [0x4c9d8f]
#16 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
#17 /usr/bin/python2.7(PyEval_EvalFrameEx+0x6099) [0x4ca099]
#18 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
#19 /usr/bin/python2.7(PyEval_EvalFrameEx+0x6099) [0x4ca099]
#20 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
#21 /usr/bin/python2.7() [0x4de8b8]
#22 /usr/bin/python2.7(PyObject_Call+0x43) [0x4b0cb3]
#23 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
#24 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
#25 /usr/bin/python2.7() [0x4de6fe]
#26 /usr/bin/python2.7(PyObject_Call+0x43) [0x4b0cb3]
#27 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
#28 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
#29 /usr/bin/python2.7() [0x4de6fe]
#30 /usr/bin/python2.7(PyObject_Call+0x43) [0x4b0cb3]
#31 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
#32 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
#33 /usr/bin/python2.7() [0x4de6fe]
#34 /usr/bin/python2.7(PyObject_Call+0x43) [0x4b0cb3]
#35 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
#36 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
#37 /usr/bin/python2.7(PyEval_EvalCode+0x19) [0x4c2509]
#38 /usr/bin/python2.7() [0x4f1def]
#39 /usr/bin/python2.7(PyRun_FileExFlags+0x82) [0x4ec652]
#40 /usr/bin/python2.7(PyRun_SimpleFileExFlags+0x191) [0x4eae31]
#41 /usr/bin/python2.7(Py_Main+0x68a) [0x49e14a]
#42 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0) [0x7f16651b2830]
#43 /usr/bin/python2.7(_start+0x29) [0x49d9d9]
Can not dump core: corepath not set up

Command output: .
Exit value: 1
2017/06/24 08:41:49 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: logs
2017/06/24 08:41:50 ERROR> GlobalImpl.pm:736 EBox::GlobalImpl::saveAllModules - The following modules failed while saving their changes, their state is unknown: samba at The following modules failed while saving their changes, their state is unknown: samba at /usr/share/perl5/EBox/GlobalImpl.pm line 736
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x5d5bf40)', 'progress', 'EBox::ProgressIndicator=HASH(0x5d11ee0)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x5d12918)', 'progress', 'EBox::ProgressIndicator=HASH(0x5d11ee0)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30

Any clues?

I am trying to avoid using a VM

Owner

stgraber commented Jun 26, 2017

You may want to also set "xattr" to "sa" on your ZFS filesystem but I'm not sure if that's the cause of the problem here.

Any chance you can re-run just the failing command to reproduce the crash and if that works, then run it under strace to see exactly what syscall failed?

Owner

stgraber commented Jun 26, 2017

I do run 6 samba4 domain controllers inside unprivileged LXD containers on ZFS, but those aren't deployed with zentyal, instead just directly installed on Ubuntu 14.04 or 16.04 and all my ZFS pools have acltype=posixacl and xattr=sa

@stgraber stgraber added the Incomplete label Jun 26, 2017

laralar commented Jun 28, 2017

I did the xattr=sa and executed the command line with strace. Does it seem to be something related to the chown?

09:58:44.222946 fcntl(29, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=39416, l_len=1}) = 0
09:58:44.222990 fcntl(29, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=39416, l_len=1}) = 0
09:58:44.223034 fcntl(29, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=11800, l_len=1}) = 0
09:58:44.223091 fcntl(29, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=11800, l_len=1}) = 0
09:58:44.223142 fcntl(29, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=22900, l_len=1}) = 0
09:58:44.223189 fcntl(29, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=22900, l_len=1}) = 0
09:58:44.223267 fcntl(24, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=3684, l_len=1}) = 0
09:58:44.223308 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=3684, l_len=1}) = 0
09:58:44.223359 fcntl(24, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=35332, l_len=1}) = 0
09:58:44.223399 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=35332, l_len=1}) = 0
09:58:44.223456 fcntl(37, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=276, l_len=1}) = 0
09:58:44.223495 fcntl(37, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=276, l_len=1}) = 0
09:58:44.223571 fstat(36, {st_mode=S_IFDIR|0755, st_size=3, ...}) = 0
09:58:44.223631 fstat(36, {st_mode=S_IFDIR|0755, st_size=3, ...}) = 0
09:58:44.223677 fcntl(37, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=180, l_len=1}) = 0
09:58:44.223716 fcntl(37, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=180, l_len=1}) = 0
09:58:44.223761 write(2, "unpack_nt_owners: owner sid mapp"..., 44unpack_nt_owners: owner sid mapped to uid 0
) = 44
09:58:44.223802 fcntl(37, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=264, l_len=1}) = 0
09:58:44.223838 fcntl(37, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=264, l_len=1}) = 0
09:58:44.223882 lstat("/var/run/samba/winbindd", 0x7ffed5acdcb0) = -1 ENOENT (No such file or directory)
09:58:44.223993 fcntl(29, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=33916, l_len=1}) = 0
09:58:44.224029 fcntl(29, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=33916, l_len=1}) = 0
09:58:44.224075 fcntl(29, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=19912, l_len=1}) = 0
09:58:44.224112 fcntl(29, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=19912, l_len=1}) = 0
09:58:44.224159 fcntl(29, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=6336, l_len=1}) = 0
09:58:44.224220 fcntl(29, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=6336, l_len=1}) = 0
09:58:44.224306 fcntl(24, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=19912, l_len=1}) = 0
09:58:44.224343 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=19912, l_len=1}) = 0
09:58:44.224382 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=8, l_len=1}) = 0
09:58:44.224416 fcntl(24, F_SETLK, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=168, l_len=40000}) = 0
09:58:44.224448 fcntl(24, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=40168, l_len=0}) = 0
09:58:44.224499 fstat(24, {st_mode=S_IFREG|0600, st_size=1286144, ...}) = 0
09:58:44.224537 munmap(0x7fa8ba992000, 1286144) = 0
09:58:44.224586 mmap(NULL, 1286144, PROT_READ|PROT_WRITE, MAP_SHARED, 24, 0) = 0x7fa8ba992000
09:58:44.224744 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.224781 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.224818 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.224852 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.224902 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.224936 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.224998 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225032 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225090 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225125 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225170 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225204 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225248 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225279 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225318 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225348 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=48, l_len=1}) = 0
09:58:44.225384 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=168, l_len=0}) = 0
09:58:44.225413 fcntl(24, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0
09:58:44.225474 fdatasync(24)           = 0
09:58:44.231862 msync(0x7fa8ba99f000, 24652, MS_SYNC) = 0
09:58:44.231940 fdatasync(24)           = 0
09:58:44.241702 msync(0x7fa8ba99f000, 24, MS_SYNC) = 0
09:58:44.241781 fdatasync(24)           = 0
09:58:44.251424 msync(0x7fa8ba992000, 1286144, MS_SYNC) = 0
09:58:44.251471 utime("/var/lib/samba/private/idmap.ldb", NULL) = 0
09:58:44.251574 fdatasync(24)           = 0
09:58:44.260806 msync(0x7fa8ba99f000, 24, MS_SYNC) = 0
09:58:44.260853 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=168, l_len=0}) = 0
09:58:44.260898 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=8, l_len=1}) = 0
09:58:44.260945 fcntl(24, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0
09:58:44.261047 fcntl(37, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=336, l_len=1}) = 0
09:58:44.261095 fcntl(37, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=336, l_len=1}) = 0
09:58:44.261157 fcntl(37, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=268, l_len=1}) = 0
09:58:44.261193 fcntl(37, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=268, l_len=1}) = 0
09:58:44.261239 write(2, "unpack_nt_owners: group sid mapp"..., 50unpack_nt_owners: group sid mapped to gid 3000000
) = 50
09:58:44.261292 write(2, "set_nt_acl: chown /var/lib/samba"..., 65set_nt_acl: chown /var/lib/samba/sysvol. uid = 0, gid = 3000000.
) = 65
09:58:44.261332 fchown(36, 0, 3000000)  = -1 EINVAL (Invalid argument)
09:58:44.261382 write(2, "Security context active token st"..., 47Security context active token stack underflow!
) = 47
09:58:44.261420 write(2, "PANIC (pid 2468): Security conte"..., 65PANIC (pid 2468): Security context active token stack underflow!
) = 65
09:58:44.261582 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 39
09:58:44.261639 fstat(39, {st_mode=S_IFREG|0644, st_size=29156, ...}) = 0
09:58:44.261689 mmap(NULL, 29156, PROT_READ, MAP_PRIVATE, 39, 0) = 0x7fa8df96f000
09:58:44.261740 close(39)               = 0
09:58:44.261793 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
09:58:44.261838 open("/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 39
09:58:44.261889 read(39, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p*\0\0\0\0\0\0"..., 832) = 832
09:58:44.261931 fstat(39, {st_mode=S_IFREG|0644, st_size=89696, ...}) = 0
09:58:44.262000 mmap(NULL, 2185488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 39, 0) = 0x7fa8b5250000
09:58:44.262039 mprotect(0x7fa8b5266000, 2093056, PROT_NONE) = 0
09:58:44.262080 mmap(0x7fa8b5465000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 39, 0x15000) = 0x7fa8b5465000
09:58:44.262133 close(39)               = 0
09:58:44.262206 munmap(0x7fa8df96f000, 29156) = 0
09:58:44.262257 futex(0x7fa8df607110, FUTEX_WAKE_PRIVATE, 2147483647) = 0
09:58:44.262356 futex(0x7fa8b5465680, FUTEX_WAKE_PRIVATE, 2147483647) = 0
09:58:44.263088 write(2, "BACKTRACE: 44 stack frames:\n", 28BACKTRACE: 44 stack frames:
) = 28
09:58:44.263127 write(2, " #0 /usr/lib/x86_64-linux-gnu/li"..., 85 #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1c) [0x7fa8cb4eac0c]
) = 85
09:58:44.263161 write(2, " #1 /usr/lib/x86_64-linux-gnu/li"..., 82 #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fa8cb4eace0]
) = 82
09:58:44.263195 write(2, " #2 /usr/lib/x86_64-linux-gnu/li"..., 82 #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7fa8de0f519f]
) = 82
09:58:44.263229 write(2, " #3 /usr/lib/x86_64-linux-gnu/sa"..., 98 #3 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(sec_ctx_active_token+0x83) [0x7fa8c7c6c8e3]
) = 98
09:58:44.263263 write(2, " #4 /usr/lib/x86_64-linux-gnu/sa"..., 87 #4 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(try_chown+0xa9) [0x7fa8c7c785d9]
) = 87
09:58:44.263298 write(2, " #5 /usr/lib/x86_64-linux-gnu/sa"..., 89 #5 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(set_nt_acl+0x1ce) [0x7fa8c7c787fe]
) = 89
09:58:44.263332 write(2, " #6 /usr/lib/x86_64-linux-gnu/sa"..., 82 #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1e2ef1) [0x7fa8c7d3eef1]
) = 82
09:58:44.263367 write(2, " #7 /usr/lib/x86_64-linux-gnu/sa"..., 102 #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smb_vfs_call_fset_nt_acl+0x2d) [0x7fa8c7c70cfd]
) = 102
09:58:44.263401 write(2, " #8 /usr/lib/x86_64-linux-gnu/sa"..., 79 #8 /usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so(+0x23d9) [0x7fa8b8abf3d9]
) = 79
09:58:44.263435 write(2, " #9 /usr/lib/x86_64-linux-gnu/sa"..., 79 #9 /usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so(+0x4ff6) [0x7fa8b8ac1ff6]
) = 79
09:58:44.263468 write(2, " #10 /usr/lib/x86_64-linux-gnu/s"..., 103 #10 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smb_vfs_call_fset_nt_acl+0x2d) [0x7fa8c7c70cfd]
) = 103
09:58:44.263503 write(2, " #11 /usr/lib/python2.7/dist-pac"..., 102 #11 /usr/lib/python2.7/dist-packages/samba/samba3/smbd.x86_64-linux-gnu.so(+0x25f4) [0x7fa8c80a25f4]
) = 102
09:58:44.263537 write(2, " #12 /usr/bin/python2.7(PyEval_E"..., 62 #12 /usr/bin/python2.7(PyEval_EvalFrameEx+0x6da2) [0x4cada2]
) = 62
09:58:44.263571 write(2, " #13 /usr/bin/python2.7(PyEval_E"..., 60 #13 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
) = 60
09:58:44.263604 write(2, " #14 /usr/bin/python2.7(PyEval_E"..., 62 #14 /usr/bin/python2.7(PyEval_EvalFrameEx+0x6099) [0x4ca099]
) = 62
09:58:44.263639 write(2, " #15 /usr/bin/python2.7(PyEval_E"..., 62 #15 /usr/bin/python2.7(PyEval_EvalFrameEx+0x5d8f) [0x4c9d8f]
) = 62
09:58:44.263674 write(2, " #16 /usr/bin/python2.7(PyEval_E"..., 60 #16 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
) = 60
09:58:44.263709 write(2, " #17 /usr/bin/python2.7(PyEval_E"..., 62 #17 /usr/bin/python2.7(PyEval_EvalFrameEx+0x6099) [0x4ca099]
) = 62
09:58:44.263744 write(2, " #18 /usr/bin/python2.7(PyEval_E"..., 60 #18 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
) = 60
09:58:44.263777 write(2, " #19 /usr/bin/python2.7(PyEval_E"..., 62 #19 /usr/bin/python2.7(PyEval_EvalFrameEx+0x6099) [0x4ca099]
) = 62
09:58:44.263810 write(2, " #20 /usr/bin/python2.7(PyEval_E"..., 60 #20 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
) = 60
09:58:44.263843 write(2, " #21 /usr/bin/python2.7() [0x4de"..., 37 #21 /usr/bin/python2.7() [0x4de8b8]
) = 37
09:58:44.263877 write(2, " #22 /usr/bin/python2.7(PyObject"..., 55 #22 /usr/bin/python2.7(PyObject_Call+0x43) [0x4b0cb3]
) = 55
09:58:44.263911 write(2, " #23 /usr/bin/python2.7(PyEval_E"..., 62 #23 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
) = 62
09:58:44.263948 write(2, " #24 /usr/bin/python2.7(PyEval_E"..., 60 #24 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
) = 60
09:58:44.263983 write(2, " #25 /usr/bin/python2.7() [0x4de"..., 37 #25 /usr/bin/python2.7() [0x4de6fe]
) = 37
09:58:44.264017 write(2, " #26 /usr/bin/python2.7(PyObject"..., 55 #26 /usr/bin/python2.7(PyObject_Call+0x43) [0x4b0cb3]
) = 55
09:58:44.264052 write(2, " #27 /usr/bin/python2.7(PyEval_E"..., 62 #27 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
) = 62
09:58:44.264086 write(2, " #28 /usr/bin/python2.7(PyEval_E"..., 60 #28 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
) = 60
09:58:44.264120 write(2, " #29 /usr/bin/python2.7() [0x4de"..., 37 #29 /usr/bin/python2.7() [0x4de6fe]
) = 37
09:58:44.264154 write(2, " #30 /usr/bin/python2.7(PyObject"..., 55 #30 /usr/bin/python2.7(PyObject_Call+0x43) [0x4b0cb3]
) = 55
09:58:44.264189 write(2, " #31 /usr/bin/python2.7(PyEval_E"..., 62 #31 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
) = 62
09:58:44.264223 write(2, " #32 /usr/bin/python2.7(PyEval_E"..., 60 #32 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
) = 60
09:58:44.264257 write(2, " #33 /usr/bin/python2.7() [0x4de"..., 37 #33 /usr/bin/python2.7() [0x4de6fe]
) = 37
09:58:44.264293 write(2, " #34 /usr/bin/python2.7(PyObject"..., 55 #34 /usr/bin/python2.7(PyObject_Call+0x43) [0x4b0cb3]
) = 55
09:58:44.264327 write(2, " #35 /usr/bin/python2.7(PyEval_E"..., 62 #35 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
) = 62
09:58:44.264361 write(2, " #36 /usr/bin/python2.7(PyEval_E"..., 60 #36 /usr/bin/python2.7(PyEval_EvalCodeEx+0x255) [0x4c2765]
) = 60
09:58:44.264396 write(2, " #37 /usr/bin/python2.7(PyEval_E"..., 57 #37 /usr/bin/python2.7(PyEval_EvalCode+0x19) [0x4c2509]
) = 57
09:58:44.264431 write(2, " #38 /usr/bin/python2.7() [0x4f1"..., 37 #38 /usr/bin/python2.7() [0x4f1def]
) = 37
09:58:44.264466 write(2, " #39 /usr/bin/python2.7(PyRun_Fi"..., 59 #39 /usr/bin/python2.7(PyRun_FileExFlags+0x82) [0x4ec652]
) = 59
09:58:44.264501 write(2, " #40 /usr/bin/python2.7(PyRun_Si"..., 66 #40 /usr/bin/python2.7(PyRun_SimpleFileExFlags+0x191) [0x4eae31]
) = 66
09:58:44.264535 write(2, " #41 /usr/bin/python2.7(Py_Main+"..., 50 #41 /usr/bin/python2.7(Py_Main+0x68a) [0x49e14a]
) = 50
09:58:44.264568 write(2, " #42 /lib/x86_64-linux-gnu/libc."..., 78 #42 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0) [0x7fa8df25f830]
) = 78
09:58:44.264602 write(2, " #43 /usr/bin/python2.7(_start+0"..., 48 #43 /usr/bin/python2.7(_start+0x29) [0x49d9d9]
) = 48
09:58:44.264634 prctl(PR_SET_PTRACER, 2468) = 0
09:58:44.264673 geteuid()               = 0
09:58:44.264703 write(2, "Can not dump core: corepath not "..., 39Can not dump core: corepath not set up
) = 39
09:58:44.266358 exit_group(1)           = ?
09:58:44.272581 +++ exited with 1 +++
root@zentyal:/var/log/zentyal# 

laralar commented Jun 28, 2017

It seems that the chown 0:3000000 on /var/lib/samba/sysvol is not accepted. It actually only accepts 65535 as max GID.

I tried increasing GID_MAX in /etc/login.defs in the container, to no avail.

Do I need to change some parameters in the host?
/etc/subgid and /etc/subuid are set to

lxd:100000:1000000000
root:100000:1000000000

laralar commented Jun 28, 2017

As a privileged container, it seems there are no issues.

Owner

stgraber commented Jul 1, 2017

Hmm, so those subuid and subgid values should be enough to avoid that particular issue.
Can you post "lxc config show --expanded zentyal"?

Owner

stgraber commented Jul 1, 2017

And the content of /var/log/lxd/lxd.log would be useful too, just to make sure your subuid/subgid was parsed properly.

laralar commented Jul 3, 2017

Ok.. maybe I posted some misleading information. I am not getting the UID/GID issue anymore.

I am restoring a snapshot, then executing
zfs set xattr=sa vol0/lxd/containers/zentyal
zfs set acltype=posixacl vol0/lxd/containers/zentyal

strace samba-tool domain provision --domain='aibl' --realm='AIBL.NET' --dns-backend=BIND9_DLZ --use-xattrs=yes --use-rfc2307 --function-level=2003 --server-role='dc' --host-name='zentyal' --host-ip='10.30.60.250' --adminpass=am.acl.!0T 2>&1 | tee strace-samba.log

What I am getting is this:

open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 31
lseek(31, 0, SEEK_CUR)                  = 0
fstat(31, {st_mode=S_IFREG|0644, st_size=1886, ...}) = 0
mmap(NULL, 1886, PROT_READ, MAP_SHARED, 31, 0) = 0x7fc43bdc9000
lseek(31, 1886, SEEK_SET)               = 1886
fstat(31, {st_mode=S_IFREG|0644, st_size=1886, ...}) = 0
munmap(0x7fc43bdc9000, 1886)            = 0
close(31)                               = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 31
lseek(31, 0, SEEK_CUR)                  = 0
fstat(31, {st_mode=S_IFREG|0644, st_size=1886, ...}) = 0
mmap(NULL, 1886, PROT_READ, MAP_SHARED, 31, 0) = 0x7fc43bdc9000
lseek(31, 1886, SEEK_SET)               = 1886
fstat(31, {st_mode=S_IFREG|0644, st_size=1886, ...}) = 0
munmap(0x7fc43bdc9000, 1886)            = 0
close(31)                               = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 31
lseek(31, 0, SEEK_CUR)                  = 0
fstat(31, {st_mode=S_IFREG|0644, st_size=1886, ...}) = 0
mmap(NULL, 1886, PROT_READ, MAP_SHARED, 31, 0) = 0x7fc43bdc9000
lseek(31, 1886, SEEK_SET)               = 1886
fstat(31, {st_mode=S_IFREG|0644, st_size=1886, ...}) = 0
munmap(0x7fc43bdc9000, 1886)            = 0
close(31)                               = 0
setxattr("/var/lib/samba/sysvol", "system.posix_acl_access", "\2\0\0\0\1\0\7\0\377\377\377\377\2\0\7\0\0\0\0\0\2\0\7\0\300\306-\0\4\0\7\0\377\377\377\377\10\0\7\0\300\306-\0\10\0\5\0\301\306-\0\10\0\7\0\302\306-\0\10\0\5\0\303\306-\0\20\0\7\0\377\377\377\377 \0\0\0\377\377\377\377", 84, 0) = 0
removexattr("/var/lib/samba/sysvol", "security.NTACL") = -1 EPERM (Operation not permitted)
stat("/var/lib/samba/sysvol", {st_mode=S_IFDIR|0770, st_size=3, ...}) = 0
setxattr("/var/lib/samba/sysvol", "system.posix_acl_default", "\2\0\0\0\1\0\7\0\377\377\377\377\2\0\7\0\0\0\0\0\2\0\7\0\300\306-\0\4\0\0\0\377\377\377\377\10\0\7\0\300\306-\0\10\0\5\0\301\306-\0\10\0\7\0\302\306-\0\10\0\5\0\303\306-\0\20\0\7\0\377\377\377\377 \0\0\0\377\377\377\377", 84, 0) = 0
removexattr("/var/lib/samba/sysvol", "security.NTACL") = -1 EPERM (Operation not permitted)
fstat(28, {st_mode=S_IFDIR|0770, st_size=3, ...}) = 0
stat("/var/lib/samba/sysvol", {st_mode=S_IFDIR|0770, st_size=3, ...}) = 0
getxattr("/var/lib/samba/sysvol", "system.posix_acl_access", "\2\0\0\0\1\0\7\0\377\377\377\377\2\0\7\0\0\0\0\0\2\0\7\0\300\306-\0\4\0\7\0\377\377\377\377\10\0\7\0\300\306-\0\10\0\5\0\301\306-\0\10\0\7\0\302\306-\0\10\0\5\0\303\306-\0\20\0\7\0\377\377\377\377 \0\0\0\377\377\377\377", 132) = 84
getxattr("/var/lib/samba/sysvol", "system.posix_acl_default", "\2\0\0\0\1\0\7\0\377\377\377\377\2\0\7\0\0\0\0\0\2\0\7\0\300\306-\0\4\0\0\0\377\377\377\377\10\0\7\0\300\306-\0\10\0\5\0\301\306-\0\10\0\7\0\302\306-\0\10\0\5\0\303\306-\0\20\0\7\0\377\377\377\377 \0\0\0\377\377\377\377", 132) = 84
getxattr("/var/lib/samba/sysvol", "system.posix_acl_access", "\2\0\0\0\1\0\7\0\377\377\377\377\2\0\7\0\0\0\0\0\2\0\7\0\300\306-\0\4\0\7\0\377\377\377\377\10\0\7\0\300\306-\0\10\0\5\0\301\306-\0\10\0\7\0\302\306-\0\10\0\5\0\303\306-\0\20\0\7\0\377\377\377\377 \0\0\0\377\377\377\377", 132) = 84
stat("/var/lib/samba/sysvol", {st_mode=S_IFDIR|0770, st_size=3, ...}) = 0
getxattr("/var/lib/samba/sysvol", "system.posix_acl_default", "\2\0\0\0\1\0\7\0\377\377\377\377\2\0\7\0\0\0\0\0\2\0\7\0\300\306-\0\4\0\0\0\377\377\377\377\10\0\7\0\300\306-\0\10\0\5\0\301\306-\0\10\0\7\0\302\306-\0\10\0\5\0\303\306-\0\20\0\7\0\377\377\377\377 \0\0\0\377\377\377\377", 132) = 84
fsetxattr(28, "security.NTACL", "\4\0\4\0\0\0\2\0\4\0\2\0\1\0\7>\331\273\302\347_\17+\215!\266\242\304\"\330\300'1\261\326{\255i\313e\32\315\374\1\336\226\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0posix_acl\0\254\263Fe\302\363\322\1\364.~\30\33'.\217\10:\313_z\20\277y\255\10\312R\202\17\342R\314\n\246\360\372\vd`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\24\220\264\0\0\0\320\0\0\0\0\0\0\0\340\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\213?\37Z<T\302\337Q&\3\266\364\1\0\0\1\2\0\0\0\0\0\5 \0\0\0 \2\0\0\4\0`\0\4\0\0\0\0\3\30\0\377\1\37\0\1\2\0\0\0\0\0\5 \0\0\0 \2\0\0\0\3\30\0\251\0\22\0\1\2\0\0\0\0\0\5 \0\0\0%\2\0\0\0\3\24\0\377\1\37\0\1\1\0\0\0\0\0\5\22\0\0\0\0\3\24\0\251\0\22\0\1\1\0\0\0\0\0\5\v\0\0", 320, 0) = -1 EPERM (Operation not permitted)
write(2, "set_nt_acl_no_snum: fset_nt_acl "..., 66set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_ACCESS_DENIED.
) = 66
close(28)                               = 0
close(27)                               = 0
umask(022)                              = 0
fcntl(11, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=168, l_len=0}) = 0
fcntl(11, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=8, l_len=1}) = 0
fcntl(8, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=168, l_len=0}) = 0
fcntl(8, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=8, l_len=1}) = 0
write(2, "ERROR(runtime): uncaught excepti"..., 68ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
) = 68
mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc415906000
write(2, "  File \"/usr/lib/python2.7/dist-"..., 86  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
) = 86
stat("/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", {st_mode=S_IFREG|0644, st_size=8061, ...}) = 0
open("/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", O_RDONLY) = 27
fstat(27, {st_mode=S_IFREG|0644, st_size=8061, ...}) = 0
fstat(27, {st_mode=S_IFREG|0644, st_size=8061, ...}) = 0
read(27, "# Unix SMB/CIFS implementation.\n"..., 8192) = 8061
read(27, "", 8192)                      = 0
close(27)                               = 0
write(2, "    return self.run(*args, **kwa"..., 37    return self.run(*args, **kwargs)
) = 37
write(2, "  File \"/usr/lib/python2.7/dist-"..., 83  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 462, in run
) = 83
stat("/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", {st_mode=S_IFREG|0644, st_size=178289, ...}) = 0
open("/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", O_RDONLY) = 27
fstat(27, {st_mode=S_IFREG|0644, st_size=178289, ...}) = 0
fstat(27, {st_mode=S_IFREG|0644, st_size=178289, ...}) = 0
read(27, "# domain management\n#\n# Copyrigh"..., 131072) = 131072
read(27, "edDomainInfoByName(INFO_EX) fail"..., 131072) = 47217
mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc4158c6000
read(27, "", 131072)                    = 0
close(27)                               = 0
write(2, "    nosync=ldap_backend_nosync, "..., 67    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
) = 67
write(2, "  File \"/usr/lib/python2.7/dist-"..., 95  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 2175, in provision
) = 95
stat("/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", {st_mode=S_IFREG|0644, st_size=92303, ...}) = 0
open("/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", O_RDONLY) = 27
fstat(27, {st_mode=S_IFREG|0644, st_size=92303, ...}) = 0
fstat(27, {st_mode=S_IFREG|0644, st_size=92303, ...}) = 0
read(27, "# Unix SMB/CIFS implementation.\n"..., 92672) = 92303
read(27, "", 92672)                     = 0
close(27)                               = 0
write(2, "    skip_sysvolacl=skip_sysvolac"..., 35    skip_sysvolacl=skip_sysvolacl)
) = 35
write(2, "  File \"/usr/lib/python2.7/dist-"..., 100  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1806, in provision_fill
) = 100
stat("/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", {st_mode=S_IFREG|0644, st_size=92303, ...}) = 0
write(2, "    names.domaindn, lp, use_ntvf"..., 35    names.domaindn, lp, use_ntvfs)
) = 35
write(2, "  File \"/usr/lib/python2.7/dist-"..., 98  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1593, in setsysvolacl
) = 98
stat("/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", {st_mode=S_IFREG|0644, st_size=92303, ...}) = 0
write(2, "    service=SYSVOL_SERVICE)\n", 28    service=SYSVOL_SERVICE)
) = 28
write(2, "  File \"/usr/lib/python2.7/dist-"..., 81  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
) = 81
stat("/usr/lib/python2.7/dist-packages/samba/ntacls.py", {st_mode=S_IFREG|0644, st_size=10652, ...}) = 0
open("/usr/lib/python2.7/dist-packages/samba/ntacls.py", O_RDONLY) = 27
fstat(27, {st_mode=S_IFREG|0644, st_size=10652, ...}) = 0
fstat(27, {st_mode=S_IFREG|0644, st_size=10652, ...}) = 0
read(27, "# Unix SMB/CIFS implementation.\n"..., 10752) = 10652
read(27, "", 10752)                     = 0
close(27)                               = 0
write(2, "    smbd.set_nt_acl(file, securi"..., 144    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
) = 144
close(26)                               = 0
close(5)                                = 0
munmap(0x7fc41718e000, 942080)          = 0
munmap(0x7fc417054000, 1286144)         = 0
close(8)                                = 0
close(10)                               = 0
close(14)                               = 0
close(17)                               = 0
rt_sigaction(SIGINT, {SIG_DFL, [], SA_RESTORER, 0x7fc43ba68390}, {SIG_DFL, [], SA_RESTORER, 0x7fc43ba68390}, 8) = 0
munmap(0x7fc415906000, 262144)          = 0
munmap(0x7fc4158c6000, 262144)          = 0
close(6)                                = 0
exit_group(-1)                          = ?
+++ exited with 255 +++
root@zentyal:/var/log/zentyal# 

I have executed

laralar commented Jul 3, 2017

root@node17:~# lxc config show --expanded zentyal
description: ""
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 16.04 LTS amd64 (release) (20170619.1)
  image.label: release
  image.os: ubuntu
  image.release: xenial
  image.serial: "20170619.1"
  image.version: "16.04"
  volatile.base_image: 7a7ff654cbd8f5f09bec03aa19d8d7d92649127d18659036a963b1ea63f90d25
  volatile.eth0.hwaddr: 00:16:3e:6d:cf:77
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
root@node17:~# 
Owner

stgraber commented Jul 3, 2017

Hi,

Good, so the strace does show the problem is caused by an attempt to write to "security.NTACL".

My understanding of the xattr kernel code is that the "security" namespace is restricted to real root and therefore cannot be used by unprivileged containers.

That namespace is usually used for data that the kernel itself sets or parses, such as filesystem capabilities, IMA checksums, ...

It's unclear to me why samba is using that namespace for the Windows ACLs since as far as I know, there's no kernel interaction with those.

I'm afraid that if samba requires the ability to write custom xattrs in the "security" namespace, then the only way to have things work will be to run the container as real root (privileged). That's assuming there's no way for you to tell zentyal to configure samba in a way where it doesn't use those custom xattrs.

@hallyn does that make sense to you?

laralar commented Jul 3, 2017

Why is this configuration of samba using this "feature"? You said you had samba running on unprivileged containers, right? Because I don't see anything special in zentyal smb.conf

root@zentyal:~# cat /etc/samba/smb.conf
[global]
workgroup = aibl
realm = AIBL.NET
netbios name = zentyal
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200

idmap_ldb:use rfc2307 = yes

winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U

interfaces = lo,eth0
bind interfaces only = yes

map to guest = Bad User

log level = 3
log file = /var/log/samba/samba.log
max log size = 100000


include = /etc/samba/shares.conf

[netlogon]
path = /var/lib/samba/sysvol/aibl.net/scripts
browseable = no
read only = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = no

laralar commented Jul 3, 2017

And shares.conf. Maybe the line in bold?

Nope, I commented out that line and the error is still there.

[homes]
comment = Home Directories
path = /home/%S
read only = no
browseable = no
create mask = 0611
directory mask = 0711
vfs objects = acl_xattr full_audit
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

Owner

stgraber commented Jul 3, 2017

Earlier in this issue you showed your samba-tool command as spawned by Zentyal, that included "--use-xattrs=yes" which I suspect is what's causing most of the problem.

I am using samba4 in containers as a domain controller, not as a file server so I may also be avoiding a number of xattr related issues because of that.

Member

brauner commented Jul 4, 2017

@stgraber, samba requires that the security.* namespace be implemented on the filesystem the share is created on. Currently only real root is allowed to write security.* xattrs, that's correct.
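
The restriction discussed in the comments above can be checked before provisioning. This is an added diagnostic, not code from the thread, LXD or Samba: it tries to set a `user.*` attribute and `security.NTACL` on a scratch file inside a directory and reports which namespaces the caller may write. The function names and the `user.xattr_probe` control attribute are assumptions made for this example.

```python
import errno
import os
import sys
import tempfile

# "security.NTACL" is the attribute named in the thread; "user.xattr_probe" is a
# constructed control that shows whether xattrs work at all on the filesystem.
PROBES = ("user.xattr_probe", "security.NTACL")


def classify(exc):
    """Turn the OSError raised by setxattr() into a short verdict."""
    if exc.errno in (errno.EPERM, errno.EACCES):
        return "denied"            # namespace exists, caller may not write it
    if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "unsupported"       # filesystem or mount lacks this namespace
    return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def try_set(path, name, setter):
    try:
        setter(path, name, b"probe")
    except OSError as exc:
        return classify(exc)
    return "writable"


def probe_dir(directory, setter=None):
    """Probe each namespace on a scratch file created inside `directory`.

    A scratch file is used so that an existing security.NTACL value on real
    data is never overwritten; it is deleted when the probe finishes.
    """
    setter = setter or os.setxattr     # Linux-only call; injectable for tests
    with tempfile.NamedTemporaryFile(dir=directory) as scratch:
        return {name: try_set(scratch.name, name, setter) for name in PROBES}


def can_store_ntacl(results):
    return results.get("security.NTACL") == "writable"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = probe_dir(target)
    for name, verdict in results.items():
        print("%-18s %s" % (name, verdict))
    sys.exit(0 if can_store_ntacl(results) else 1)
```

Run it as root inside the container against the directory that will hold the share, for example `/var/lib/samba`; a `denied` verdict for `security.NTACL` alongside `writable` for the control attribute matches the failure described in this issue.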

Owner

stgraber commented Jul 5, 2017

Ok, so closing this then as there's nothing LXD can really do about this.
I suspect the best way to fix this would be to have samba use something other than the security namespace to store those ACLs or possibly store the ACLs outside of xattrs when running in an unprivileged container.

@stgraber stgraber closed this Jul 5, 2017

@stgraber, can you confirm that the DCs that you are running in unprivileged containers are NT DCs and not AD DCs? I found this thread while trying to get both Samba AD DCs and Samba file servers to run in unprivileged containers AND use NT ACLs. My understanding is that AD DCs require the NT ACLs, which in turn seem to require access to the security.ntacl namespace. If you are running AD DCs in unprivileged containers, then I need to go back and try again.

Owner

stgraber commented Sep 28, 2017

I'm running an AD DC, but that's a DC only (it does offer netlogon$ but that's about it).

For serving files I have another unprivileged container running samba3.
