Date

Hosting a Samba Server on LXC

Setting up an SMB server in a Proxmox LXC can be a little tricky if you want to do it the “safe” way in a non-privileged container. I put together some notes on how I set up my instance.

on proxmox gui

create an unprivileged container for your samba.

On proxmox host

groupadd the groups that you want exposed to the samba server. take note of their GIDs. In my case I wanted to have gid 2000 and gid 2001

groupadd -g 2000 samba-group-A
groupadd -g 2001 samba-group-B

add the following into the lxc configuration for your samba container

# map: from container id range 0 to (0 + 2000 -1) get mapped to host ids starting at 100000
lxc.idmap:  0 100000 2000
# map: from container id range 2000 to (2000 + 2 -1) get mapped to host ids starting at 2000
lxc.idmap:  2000 2000 2
# map: from container id range 2002 to (2002 + 63534 -1) (i.e. 65535) get mapped to host ids starting at 102002
lxc.idmap:  2002 102002 63534

lxc.idmap: 0 100000 65535 # shift all users up 100k without mapping anything special

If you already folders on the host, assign a user to your samba groups usermod -aG samba-group-A samba-user

and then set your files to that user/group chown samba-user:samba-group-A my_files or chgrp -R samba-group-A my_files and set the directory to default to that group chmod g+s -R my_files and remove directory permissions for non group people chmod o-rwx -R my_files

also add the following into your lxc config to bind mount

mp1: /tank/share,mp=/media/share
mp2: /tank/share2,mp=/media/share2

edit the /etc/subgid file on host root:2000:2

on the samba container, as container root

use the same commands as before to create the same groups with same gid

create some users that are members of those groups (-M ensures a home directory isn’t created)

useradd -M -G samba-group-A,samba-group-B roberto
useradd -M -G samba-group-A,samba-group-B diana
useradd -M -G samba-group-A smb-share-user

now you should be able to view files using sudo -u roberto ls /media/share/

setting up samba on container

apt-get install samba

edit /etc/samba/smb.conf to your liking

[Global]
server role = standalone server
create mask = 664
directory mask = 0775
server min protocol = SMB2
client min protocol = SMB3
min protocol = SMB2
ea support = yes
vfs objects = fruit streams_xattr
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 
read raw = yes
write raw = yes
max xmit = 65535
dead time = 15
getwd cache = yes
fruit:metadata = stream
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:nfs_aces = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
fruit:zero_file_id = yes

[Share A]
comment = main share
browseable = yes
path = /media/share
guest ok = no
read only = no
valid users = @samba-group-A

[Share B]
comment = alternate share
available = yes
browseable = yes
path = /media/share2
guest ok = no
read only = no
valid users = @samba-group-B 
spotlight backend = elasticsearch

run systemctl enable samba systemctl start samba

add users to samba:

smbpasswd -a roberto
smbpasswd -a diana
smbpasswd -a smb-share-user

start ufw and allow samba:

ufw enable
ufw allow Samba
ufw status

how to mount to this samba server

example fstab to connect to this samba server

//samba.server.url/share /media/share cifs vers=3.0,credentials=/root/share-credentials,uid=1002,gid=2000 0 0

note that the uid of the user (smb-share-user in this case) matches what it would be in the samba container, and the group matches the samba-group-A group.