<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html><head><meta name="qrichtext" content="1" /><style type="text/css">
p, li { white-space: pre-wrap; }
</style></head><body style=" font-family:'Noto Sans'; font-size:10pt; font-weight:400; font-style:normal;">
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Hi,</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">I'm trying to set up a Samba4 AD in an unprivileged container:</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">My OS is an Ubuntu 17.10 server and my container is an Ubuntu 17.10.</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">My lxd version is:</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span style=" font-family:'monospace'; color:#000000; background-color:#ffffff;">  Package: lxd </span><span style=" font-family:'monospace';"><br />  Version: 2.18-0ubuntu6<br /><br /></span>First, I have a working setup as a "privileged container".</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">But I want to secure my installation and transfer samba4 into an unprivileged container.</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">I get the error message below when I do the setup with samba-tool domain provision.</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span style=" font-family:'monospace'; color:#000000; background-color:#ffffff;">[...]</span></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span style=" font-family:'monospace'; color:#000000; background-color:#ffffff;">Setting up self join </span><span style=" font-family:'monospace';"><br />Security context active token stack underflow! <br />PANIC (pid 4027): Security context active token stack underflow! <br />BACKTRACE: 40 stack frames: <br />#0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f711a9e159f] <br />#1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f711a9e1670] <br />#2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f712de6fe8f] <br />#3 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(sec_ctx_active_token+0x83) [0x7f711732bd73] <br />#4 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(try_chown+0x79) [0x7f7117337809] <br />#5 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(set_nt_acl+0x1ae) [0x7f7117337a3e] <br />#6 /usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so(+0x25f9) [0x7f71081ae5f9] <br />#7 /usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so(+0x53a6) [0x7f71081b13a6] <br />#8 /usr/lib/python2.7/dist-packages/samba/samba3/smbd.x86_64-linux-gnu.so(+0x2760) [0x7f7117762760] <br />#9 /usr/bin/python2.7(PyEval_EvalFrameEx+0x92be) [0x56226130b44e] <br />#10 /usr/bin/python2.7(PyEval_EvalCodeEx+0x35a) [0x5622612ffb3a] <br />#11 /usr/bin/python2.7(PyEval_EvalFrameEx+0x569e) [0x56226130782e] <br />#12 /usr/bin/python2.7(PyEval_EvalFrameEx+0x52d2) [0x562261307462] <br />#13 /usr/bin/python2.7(PyEval_EvalCodeEx+0x35a) [0x5622612ffb3a] <br />#14 /usr/bin/python2.7(PyEval_EvalFrameEx+0x569e) [0x56226130782e] <br />#15 /usr/bin/python2.7(PyEval_EvalCodeEx+0x35a) [0x5622612ffb3a] <br />#16 /usr/bin/python2.7(PyEval_EvalFrameEx+0x569e) [0x56226130782e] <br />#17 /usr/bin/python2.7(PyEval_EvalCodeEx+0x35a) [0x5622612ffb3a] <br />#18 /usr/bin/python2.7(+0x10d9d5) [0x56226131b9d5] <br />#19 
/usr/bin/python2.7(PyObject_Call+0x3e) [0x5622612eb90e] <br />#20 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2c09) [0x562261304d99] <br />#21 /usr/bin/python2.7(PyEval_EvalCodeEx+0x35a) [0x5622612ffb3a] <br />#22 /usr/bin/python2.7(+0x10d809) [0x56226131b809] <br />#23 /usr/bin/python2.7(PyObject_Call+0x3e) [0x5622612eb90e] <br />#24 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2c09) [0x562261304d99] <br />#25 /usr/bin/python2.7(PyEval_EvalCodeEx+0x35a) [0x5622612ffb3a] <br />#26 /usr/bin/python2.7(+0x10d809) [0x56226131b809] <br />#27 /usr/bin/python2.7(PyObject_Call+0x3e) [0x5622612eb90e] <br />#28 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2c09) [0x562261304d99] <br />#29 /usr/bin/python2.7(PyEval_EvalCodeEx+0x35a) [0x5622612ffb3a] <br />#30 /usr/bin/python2.7(+0x10d809) [0x56226131b809] <br />#31 /usr/bin/python2.7(PyObject_Call+0x3e) [0x5622612eb90e] <br />#32 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2c09) [0x562261304d99] <br />#33 /usr/bin/python2.7(PyEval_EvalCodeEx+0x35a) [0x5622612ffb3a] <br />#34 /usr/bin/python2.7(+0x12250f) [0x56226133050f] <br />#35 /usr/bin/python2.7(PyRun_FileExFlags+0x82) [0x56226132b202] <br />#36 /usr/bin/python2.7(PyRun_SimpleFileExFlags+0x18d) [0x56226132acad] <br />#37 /usr/bin/python2.7(Py_Main+0x68b) [0x5622612d9d7b] <br />#38 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1) [0x7f712f02e1c1] <br />#39 /usr/bin/python2.7(_start+0x2a) [0x5622612d95fa] <br />Can not dump core: corepath not set up <br />)    = ? 
ERESTART_RESTARTBLOCK (Interrupted by signal) <br />--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4027, si_uid=0, si_status=1, si_utime=2419, si_stime=29} --- <br />write(5, "\21", 1)                      = 1 <br />rt_sigreturn({mask=[]})                 = -1 EINTR (Interrupted system call) <br />poll([{fd=4, events=POLLIN}], 1, -1)    = 1 ([{fd=4, revents=POLLIN}]) <br />read(4, "\21", 1)                       = 1 <br />wait4(4027, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], WNOHANG|WSTOPPED, NULL) = 4027 <br />getuid()                                = 0 <br />openat(AT_FDCWD, "/etc/login.defs", O_RDONLY) = 7 <br />fstat(7, {st_mode=S_IFREG|0644, st_size=10551, ...}) = 0 <br />read(7, "#\n# /etc/login.defs - Configurat"..., 4096) = 4096 <br />read(7, " issuing \n# the \"mesg y\" command"..., 4096) = 4096 <br />read(7, " algorithm compatible with the o"..., 4096) = 2359 <br />close(7)                                = 0 <br />sendto(10, "<86>Jan 20 14:36:11 sudo: pam_un"..., 78, MSG_NOSIGNAL, NULL, 0) = 78 <br />openat(AT_FDCWD, "/etc/security/pam_winbind.conf", O_RDONLY) = -1 ENOENT (No such file or directory) <br />socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT) = 7 <br />fcntl(7, F_SETFD, FD_CLOEXEC)           = 0 <br />sendto(7, {{len=112, type=0x452 /* NLMSG_??? 
*/, flags=NLM_F_REQUEST|NLM_F_ACK, seq=4, pid=0}, "op=PAM:session_close acct=\"root\""...}, 112, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 112 <br />poll([{fd=7, events=POLLIN}], 1, 500)   = 1 ([{fd=7, revents=POLLIN}]) <br />recvfrom(7, {{len=132, type=NLMSG_ERROR, flags=0, seq=4, pid=3979833685}, "\221\377\377\377p\0\0\0R\4\5\0\4\0\0\0\0\0\0\0op=PAM:sessi"...}, 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 132 <br />recvfrom(7, {{len=132, type=NLMSG_ERROR, flags=0, seq=4, pid=3979833685}, "\221\377\377\377p\0\0\0R\4\5\0\4\0\0\0\0\0\0\0op=PAM:sessi"...}, 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 132 <br />close(7)                                = 0 <br />socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT) = 7 <br />fcntl(7, F_SETFD, FD_CLOEXEC)           = 0 <br />sendto(7, {{len=104, type=0x450 /* NLMSG_??? */, flags=NLM_F_REQUEST|NLM_F_ACK, seq=5, pid=0}, "op=PAM:setcred acct=\"root\" exe=\""...}, 104, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 104 <br />poll([{fd=7, events=POLLIN}], 1, 500)   = 1 ([{fd=7, revents=POLLIN}]) <br />recvfrom(7, {{len=124, type=NLMSG_ERROR, flags=0, seq=5, pid=3060481213}, "\221\377\377\377h\0\0\0P\4\5\0\5\0\0\0\0\0\0\0op=PAM:setcr"...}, 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 124 <br />recvfrom(7, {{len=124, type=NLMSG_ERROR, flags=0, seq=5, pid=3060481213}, "\221\377\377\377h\0\0\0P\4\5\0\5\0\0\0\0\0\0\0op=PAM:setcr"...}, 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 124 <br />close(7)                                = 0 <br />munmap(0x7f64ac9fc000, 2109672)         = 0 <br />munmap(0x7f64ac7e1000, 2204640)         = 0 <br />munmap(0x7f64ac5a9000, 2322944)         = 0 <br />munmap(0x7f64ac39d000, 2142240)         = 0 <br />munmap(0x7f64ac18f000, 2153416)         = 0 <br />munmap(0x7f64abf7a000, 2179152)         = 0 <br 
/>munmap(0x7f64abd66000, 2175040)         = 0 <br />munmap(0x7f64abb62000, 2109464)         = 0 <br />munmap(0x7f64ab758000, 2101288)         = 0 <br />munmap(0x7f64ab556000, 2101312)         = 0 <br />munmap(0x7f64ab353000, 2105360)         = 0 <br />munmap(0x7f64ab14d000, 2117976)         = 0 <br />munmap(0x7f64aaf4a000, 2105576)         = 0 <br />munmap(0x7f64aad09000, 2363368)         = 0 <br />munmap(0x7f64aab05000, 2109744)         = 0 <br />exit_group(1)                           = ? <br />+++ exited with 1 +++</span></p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span style=" font-family:'monospace';">_My question_</span></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span style=" font-family:'monospace';">Does anyone have a working Samba4 DC installation in an unprivileged container?</span></p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span style=" font-family:'monospace';">Thanks Frank</span></p></body></html>