Fmstrat / samba-domain

Samba Active Directory Domain Controller for Docker
GNU General Public License v3.0

'{Access Denied} A process has requested access to an object but has not been granted those access rights.') #20

Closed tardich closed 1 year ago

tardich commented 4 years ago

Trying to run it through Kubernetes. Everything boots smoothly 'til "set_nt_acl_no_snum" where it fails with this error:

'{Access Denied} A process has requested access to an object but has not been granted those access rights.')

Any clue?

DylanDonkersgoed commented 4 years ago

EDIT: I had an idea after posting my docker-compose.yml. Was able to work around it by adding privileged: true under the samba service. I don't know how that'd translate to Kubernetes.

I have the same error running via docker-compose. Here's my docker-compose.yml if it helps:

```yaml
version: "3.1"

services:
  samba:
    image: instantlinux/samba-dc:latest
    restart: always
    network_mode: host
    hostname: dc.dgd.pw
    environment:
      INTERFACES: eno1
      REALM: dc.dgd.pw
      TZ: America/Toronto
      WORKGROUP: WORKGROUP
    volumes:
      - etc:/etc/samba
      - lib:/var/lib/samba
    ports:
      - 53:53
      - 53:53/udp
      - 88:88
      - 88:88/udp
      - 135:135
      - 137-138:137-138/udp
      - 139:139
      - 389:389
      - 389:389/udp
      - 445:445
      - 464:464
      - 464:464/udp
      - 636:636
      - 3268-3269:3268-3269
      - 49152-65535
    secrets:
      - samba-admin-password

volumes:
  etc:
  lib:
secrets:
  # Must manually create file with secret at this location
  samba-admin-password:
    file: /opt/samba/samba-admin-password
```

Fmstrat commented 4 years ago

You need --privileged on the compose file.

systemofapwne commented 4 years ago

Why is privileged exactly necessary? I really do not want to grant this flag to any of my containers and would like to work around it (to only give access to what is actually needed rather than granting literally root on the host).

systemofapwne commented 4 years ago

I did some research. Apparently, the privileged flag is necessary to work with UID > 65534 within a docker container which is using uid/gid namespacing. xattr will fail in this situation otherwise. Since I run all my containers via user namespaces, privileged will not work and thus causes the container to crash if I run it without privileged. According to https://github.com/lxc/lxc/issues/2708#issuecomment-473466062, you can force samba to restrict the UID range as you please, e.g. 655 - 65534. This will grant you at least 64879 unique UIDs which should be way more than you need for a small business. Keep in mind to not only update idmap_init.ldif but also your smb.conf with the correct range.

MohammedNoureldin commented 3 years ago

@systemofapwne giving the container SYS_ADMIN privilege is enough to be able to use Samba in it. I have just tried it.
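A compose fragment contrasting the `privileged: true` workaround used earlier in this thread with the narrower `cap_add: SYS_ADMIN` form reported in the comment above. This is an added example, not the project's own compose file; the image, hostname, realm and interface values are placeholders.

```yaml
# Added example (not from Fmstrat/samba-domain). Placeholders: image, hostname, REALM, INTERFACES.
version: "3.1"

services:
  samba:
    image: <samba-dc-image>          # placeholder: the Samba AD DC image you run
    restart: always
    network_mode: host
    hostname: dc.example.test        # placeholder
    environment:
      INTERFACES: eth0               # placeholder
      REALM: dc.example.test         # placeholder
      TZ: UTC
      WORKGROUP: WORKGROUP
    volumes:
      - etc:/etc/samba
      - lib:/var/lib/samba

    # Weak setting (the workaround from earlier in the thread): hands the container
    # every capability plus host device access, i.e. effectively root on the host.
    # privileged: true

    # Narrower setting: keep Docker's default capability set and add only the one
    # this thread reports as sufficient for the set_nt_acl / xattr step.
    cap_add:
      - SYS_ADMIN                    # still a broad capability; grant nothing beyond it

    # Caveat from the thread: with user-namespace remapping (userns-remap) the
    # xattr write for UIDs > 65534 still fails, and the fix is shrinking Samba's
    # idmap range (idmap_init.ldif and smb.conf), not adding capabilities.

    secrets:
      - samba-admin-password

volumes:
  etc:
  lib:
secrets:
  samba-admin-password:
    file: /opt/samba/samba-admin-password   # create this file manually before starting
```

Diff the two settings with `docker inspect` on the running container: the `CapAdd` list should show only `SYS_ADMIN` and `Privileged` should be `false`.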

systemofapwne commented 3 years ago

> @systemofapwne giving the container SYS_ADMIN privilege is enough to be able to use Samba in it. I have just tried it.

Thanks. TBH, I gave up on this container and rather settled on a VM with Univention Corporate Server for managing my domain. The reason: This container is not maintained anymore and crucial security fixes are not getting applied. Also a lot of headaches with this container.

MohammedNoureldin commented 3 years ago

@systemofapwne well if you have enough resources to have a dedicated VM for that then it is fine. I know it takes some time to prepare it to be fully functional and secure, but as soon as you get it, you can celebrate (once and never touch it if not needed :D). For me I feel comfortable to configure containers and securing them using IPTables rules (of course that took me weeks to get to this point). As said, it is a bit tricky in the beginning, but then as soon as you get used to it, it is not that problematic anymore.

burnbabyburn commented 2 years ago

> @systemofapwne well if you have enough resources to have a dedicated VM for that then it is fine. I know it takes some time to prepare it to be fully functional and secure, but as soon as you get it, you can celebrate (once and never touch it if not needed :D). For me I feel comfortable to configure containers and securing them using IPTables rules (of course that took me weeks to get to this point). As said, it is a bit tricky in the beginning, but then as soon as you get used to it, it is not that problematic anymore.

If you use this container you could have also gone the traefik/RProxy way. Works fine here.