Hi! Stoiko Ivanov, on that day, wrote...

> AFAICU one robust (although not very performant) way to run an AD DC with
> NTACLs on an unprivileged container would be to use the xattr_tdb module
> (not actively tested though):
> https://wiki.samba.org/index.php/Using_the_xattr_tdb_VFS_Module

I specifically asked on the Samba ML; xattr_tdb is a test module, broken, that must NOT be used in production.
The only ''supported'' way to run Samba AD DC is via filesystem XATTR.

Also, it seems the same 'troubles' hit BSD jails:

 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220844
 https://bugzilla.samba.org/show_bug.cgi?id=12912

see: https://lists.samba.org/archive/samba/2020-February/228653.html

> They are independent - a good explanation of what nesting does can be
> found in our source:
> https://git.proxmox.com/?p=pve-container.git;a=blob;f=src/PVE/LXC.pm;h=34ca2a357294f63e8b49d965bd54c24905642e17;hb=HEAD#l581
> (it allows among other things to mount /proc, and /sys, which is
> problematic for privileged containers
>
> The issue with apache('s systemd-unit) in the privileged container, is
> that the mount is denied by apparmor (the apparmor rules are stricter for
> privileged containers, than for unprivileged, because if someone breaks
> out of an unprivileged container they are only a regular user on the host)
>
> I hope this explains it.

Ahem, no. ;-) But indeed it is my fault that I know very little about systemd, apparmor and all that new wizardry... ;-)

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

 Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
 http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
 (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
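The practical question behind this thread is whether the filesystem under a container, combined with the container's privileges, will let Samba store NT ACLs as extended attributes at all. The probe below is an added example, not code from this thread, from Proxmox or from Samba. It assumes (as Samba's default configuration does) that NT ACLs live in the `security.NTACL` xattr, that writing any `security.*` attribute on Linux needs CAP_SYS_ADMIN in the initial user namespace (which an unprivileged container does not have), and that `user.*` attributes are writable by the file owner, so they act as a control for plain xattr support. The attribute names, the default path and the status strings are constructed for the example.

```python
"""Probe whether a directory's filesystem and our privileges permit the
extended attributes a Samba AD DC relies on for NT ACLs.

Added example; not code from the pve-user thread, Proxmox or Samba.
Assumptions (labelled): Samba's default NT ACL store is the
security.NTACL xattr; setting any security.* attribute needs
CAP_SYS_ADMIN in the initial user namespace, which an unprivileged
container lacks; user.* attributes only need file ownership, so they
tell us whether the filesystem supports xattrs at all.
"""
import errno
import os
import tempfile
from typing import Optional

# Constructed attribute names; the second mirrors Samba's default store.
USER_ATTR = "user.xattr_probe"
NTACL_ATTR = "security.NTACL"


def probe_xattr(path: str, name: str) -> str:
    """Set, read back and remove one xattr on a fresh file under `path`.

    Returns "ok", "eperm" (privilege or user-namespace denial),
    "enotsup" (filesystem has no xattr support), "unavailable"
    (no os.setxattr, i.e. not Linux) or "error:<ERRNO NAME>".
    """
    if getattr(os, "setxattr", None) is None:
        return "unavailable"
    fd, probe = tempfile.mkstemp(prefix=".xattr-probe-", dir=path)
    os.close(fd)
    try:
        try:
            os.setxattr(probe, name, b"probe")
            if os.getxattr(probe, name) != b"probe":
                return "error:readback-mismatch"
            os.removexattr(probe, name)
            return "ok"
        except OSError as e:
            if e.errno in (errno.EPERM, errno.EACCES):
                return "eperm"
            if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
                return "enotsup"
            return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        os.unlink(probe)


def samba_xattr_report(path: Optional[str] = None) -> dict:
    """Run both probes; `path` defaults to the system temp directory.

    ad_dc_ntacl_ok is True only when both the generic user.* probe and the
    security.NTACL probe succeed, i.e. the filesystem supports xattrs and
    this process may write the security namespace.
    """
    target = path if path is not None else tempfile.gettempdir()
    user_status = probe_xattr(target, USER_ATTR)
    ntacl_status = probe_xattr(target, NTACL_ATTR)
    return {
        "path": target,
        "user_xattr": user_status,
        "security_ntacl": ntacl_status,
        "ad_dc_ntacl_ok": user_status == "ok" and ntacl_status == "ok",
    }


if __name__ == "__main__":
    import json
    import sys

    # Usage: python3 xattr_probe.py /var/lib/samba
    print(json.dumps(samba_xattr_report(sys.argv[1] if len(sys.argv) > 1 else None), indent=2))
```

Inside an unprivileged LXC container the typical result is `user_xattr: ok` with `security_ntacl: eperm`, which is the situation the thread describes: the filesystem is fine, the missing capability is the blocker. `enotsup` on both points instead at a filesystem mounted without xattr support, which no container setting will fix.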