
Running samba domain provisioning inside sysbox makes it panic

Open betelgeuse opened this issue 1 year ago • 4 comments

Steps to reproduce:

docker run --runtime=sysbox-runc -it --rm --init alpine:latest sh

apk add --no-cache samba-dc

rm /etc/samba/smb.conf

samba-tool domain provision \
  --server-role=dc \
  --dns-backend NONE \
  --realm EXAMPLE.COM \
  --domain example \
  --adminpass FooBARTEST123

Makes Samba crash:

Security context active token stack underflow!
===============================================================
INTERNAL ERROR: Security context active token stack underflow! in  () () pid 69 (4.20.6)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 69): Security context active token stack underflow! in 4.20.6
unable to produce a stack trace on this platform
Can not dump core: corepath not set up

Filing here per:

https://github.com/nestybox/sysbox/blob/46ba726e8e894aa22e20465a32d22dfa2863ec12/docs/user-guide/limitations.md#L38-L39

betelgeuse, Feb 06 '25 12:02

I encountered the same problem using an unprivileged LXC on Proxmox, so it's basically the same principle (user namespacing). The fix was to set NT ACLs to "user" like so:

# /etc/samba/smb.conf
[global]
  acl_xattr:security_acl_name = user.NTACL

That should be the only contents of smb.conf before provisioning the domain. Could you please check if that helps? I'm curious :D

thetredev, Dec 02 '25 10:12
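A preflight check one could run inside the container before provisioning, added here as an example and not code from the issue, sysbox or Samba. It assumes that Samba's vfs_acl_xattr stores NT ACLs in the security.NTACL xattr by default and that the kernel refuses security.* xattr writes from inside a user namespace; it tries both names on a scratch file and prints the minimal smb.conf the workaround above calls for.

```python
# Added probe, not from the issue or from Samba/sysbox. Assumption: Samba's
# vfs_acl_xattr stores NT ACLs in the "security.NTACL" xattr by default, and
# the kernel refuses "security.*" xattr writes from inside a user namespace,
# which is why the "user.NTACL" workaround in this thread takes effect.
import errno
import os
import tempfile
from typing import Callable, Dict, Optional

DEFAULT_ACL_NAME = "security.NTACL"   # Samba's default store (assumption, see above)
WORKAROUND_ACL_NAME = "user.NTACL"    # value from the workaround in this thread

def probe_xattr(path: str, name: str,
                setxattr: Optional[Callable[[str, str, bytes], None]] = None) -> str:
    """Try writing one xattr on path; return 'ok', 'eperm', 'enotsup' or 'error:<ERRNO>'.
    setxattr is injectable so the decision logic can be exercised without a real filesystem."""
    setxattr = setxattr or os.setxattr
    try:
        setxattr(path, name, b"probe")
    except PermissionError:          # EPERM/EACCES: what a user namespace typically yields
        return "eperm"
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "enotsup"         # filesystem has no xattr support for this namespace
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    try:
        os.removexattr(path, name)   # clean up; ignore failures (fake setxattr, missing file)
    except OSError:
        pass
    return "ok"

def choose_acl_name(results: Dict[str, str]) -> str:
    """Keep Samba's default if the kernel lets us write it, else fall back to user.NTACL."""
    for name in (DEFAULT_ACL_NAME, WORKAROUND_ACL_NAME):
        if results.get(name) == "ok":
            return name
    raise RuntimeError("no usable NT ACL xattr name on this filesystem: %r" % results)

def render_smb_conf(acl_name: str) -> str:
    """Minimal smb.conf to write before provisioning; bare [global] when the default works."""
    lines = ["[global]"]
    if acl_name != DEFAULT_ACL_NAME:
        lines.append("  acl_xattr:security_acl_name = %s" % acl_name)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(dir=os.environ.get("PROBE_DIR", ".")) as scratch:
        outcome = {n: probe_xattr(scratch.name, n) for n in (DEFAULT_ACL_NAME, WORKAROUND_ACL_NAME)}
    print(render_smb_conf(choose_acl_name(outcome)), end="")
```

Run it with PROBE_DIR pointing at the filesystem Samba will write to (the scratch file is created and removed there); the printed stanza is the whole smb.conf to have in place before samba-tool domain provision.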

> That should be the only contents of smb.conf before provisioning the domain. Could you please check if that helps? I'm curious :D

That's a workaround — not a fix.

betelgeuse, Dec 03 '25 11:12

>> That should be the only contents of smb.conf before provisioning the domain. Could you please check if that helps? I'm curious :D
>
> That's a workaround — not a fix.

True, but it's a fix in the context of namespacing. The issue itself is fully Samba-specific, because Samba doesn't handle namespacing correctly. Not sure what LXC/Sysbox/etc. can do about that.

thetredev, Dec 09 '25 15:12

> The issue itself is fully Samba-specific, because Samba doesn't handle namespacing correctly.

Have you filed this with Samba or have a link?

betelgeuse, Dec 09 '25 16:12