On Thu, 2013-08-08 at 22:54 +0100, chris.ha...@proporta.com wrote:
> On Thu, 08 Aug 2013 22:28:46 +0100, chris.ha...@proporta.com wrote:
> > Hi,
> >
> > My Samba 3.6.6 file server isn't setting the security.NTACL extended
> > attribute. It can set the user.DOSATTRIB without any issue. This
> > appears to be an LXC container issue, as outside the container I can
> > set this using the setfattr command without issue, whereas I can't do
> > this inside.
> >
> > Despite this not being a Samba issue, I was wondering whether anybody
> > has encountered any problems like this; and whether anyone could
> > offer me their experience or advice?
>
> This can be worked around by allowing CAP_SYS_ADMIN; see the
> lxc.cap.drop declarations in your container configuration. Not
> necessarily a good idea, though, as it appears to decrease the degree of
> container isolation from the host system.
>
> I don't believe there's any way to request that Samba use a different
> namespace, though. The only other option would be to not use the
> filesystem at all.
>
> Does anyone know how NTACLs in XATTR compare to using 'vfs objects =
> xattr_tdb' or any other options that I'm unaware of?

Using the TDB backend is a very poor second choice, because if
something other than Samba adds/deletes files, the inode-related entry
may either be left dangling, or may suddenly apply to a different
file.

We saw this in 'make test' where we have to use this, and it isn't
pretty.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT           http://catalyst.net.nz
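
Added example, not part of the thread or of Samba/LXC: a small check for the condition discussed above, reporting whether a container config drops sys_admin through lxc.cap.drop and whether a process's effective capability mask still carries CAP_SYS_ADMIN. The sample config and status text are constructed, the function names are made up for this example, and the assumption that security.* xattr writes need CAP_SYS_ADMIN follows the workaround quoted in the thread.

```python
import re

CAP_SYS_ADMIN = 21  # bit number of CAP_SYS_ADMIN in linux/capability.h

# Constructed sample inputs (not taken from the thread).
SAMPLE_CONFIG = """\
# container for the Samba file server
lxc.utsname = fileserver
lxc.cap.drop = sys_module mac_admin
lxc.cap.drop = sys_admin sys_time
"""
SAMPLE_STATUS = "Name:\tsmbd\nCapEff:\t0000001fffdfffff\n"

def dropped_caps(config_text):
    """Return the capabilities an LXC config drops via lxc.cap.drop."""
    dropped = set()
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"lxc\.cap\.drop\s*=\s*(.*)$", line)
        if not m:
            continue
        names = m.group(1).split()
        if not names:
            dropped.clear()  # an empty value resets the drop list
        dropped.update(n.lower() for n in names)
    return dropped

def has_cap(status_text, bit=CAP_SYS_ADMIN):
    """True if the CapEff mask from /proc/<pid>/status has `bit` set."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return bool((int(m.group(1), 16) >> bit) & 1)

def can_write_ntacl(config_text, status_text):
    """Assumption from the thread: security.* xattrs need CAP_SYS_ADMIN."""
    return "sys_admin" not in dropped_caps(config_text) and has_cap(status_text)

if __name__ == "__main__":
    print("dropped:", sorted(dropped_caps(SAMPLE_CONFIG)))
    print("CAP_SYS_ADMIN effective:", has_cap(SAMPLE_STATUS))
    with open("/proc/self/status") as f:  # live check of this process
        print("this process:", has_cap(f.read()))
```

Run inside the container against the real config and /proc/<pid of smbd>/status to see which of the two conditions is blocking the security.NTACL write.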