Enable unprivileged containers #57
base: master
This includes two features that make it possible to run unprivileged. 1. Setting the XID range with `IDLOWER` and `IDUPPER` (in order to fit within a container-remapped UID range of 0-65535) and 2. Setting `ACLSTORAGE` to `userns` which provides some options to the storage modules to record ACL data in a namespace where an unprivileged container can get at it. See changes in README.md for more info.
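One way to catch the misconfiguration the description hints at (an XID range that does not fit inside the UIDs mapped into an unprivileged container's user namespace), as an added example that is not code from this PR or from the project's entrypoint. It assumes the standard three-column `/proc/self/uid_map` format and uses function names of my own choosing.

```shell
#!/bin/sh
# Added example, not the project's code: validate IDLOWER/IDUPPER against
# the UID range actually mapped into this container's user namespace.
# /proc/self/uid_map lines are "<inside-start> <outside-start> <count>".

# Highest UID mapped inside the namespace, computed from uid_map text in $1
# (passed as an argument so the function can be tested on constructed input).
max_mapped_uid() {
    printf '%s\n' "$1" | awk 'NF == 3 { end = $1 + $3 - 1; if (end > max) max = end }
                               END { print max + 0 }'
}

# check_xid_range LOWER UPPER UIDMAP: returns 0 when the XID range is usable,
# 1 (with a message on stderr) when it is not.
check_xid_range() {
    lower=$1; upper=$2; uidmap=$3
    for v in "$lower" "$upper"; do
        case $v in
            ''|*[!0-9]*) echo "IDLOWER/IDUPPER must be unsigned integers" >&2; return 1 ;;
        esac
    done
    if [ "$lower" -ge "$upper" ]; then
        echo "IDLOWER ($lower) must be below IDUPPER ($upper)" >&2
        return 1
    fi
    maxuid=$(max_mapped_uid "$uidmap")
    if [ "$upper" -gt "$maxuid" ]; then
        echo "IDUPPER ($upper) exceeds the highest mapped UID ($maxuid); lower the range or widen the mapping" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: only runs when the container actually sets the variables.
if [ -n "${IDLOWER:-}${IDUPPER:-}" ] && [ -r /proc/self/uid_map ]; then
    check_xid_range "${IDLOWER:-3000000}" "${IDUPPER:-4000000}" "$(cat /proc/self/uid_map)"
fi
```

With a typical remap of 0-65535, the 3000000-4000000 defaults are rejected, which is the case the PR description says `IDLOWER`/`IDUPPER` exist to avoid.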
Some notes: This change may "conflict" with my previous PRs but the resolution is straightforward. I have a few other changes in my current version that are not included here because I think they are out of scope, but could be relevant. The Samba Wiki actually states (in multiple places) that you should "Remove all idmap config parameters in the smb.conf file on DCs." Trying to understand this issue more thoroughly was difficult and gets into the complexities of Samba's idmap schemes... also version differences matter and it's possible the "bug" described there has since been resolved. However, it at least seems from my research that adding
#20 was the ticket I was thinking of that touched on unprivileged use in Kubernetes.
@@ -12,6 +12,9 @@ A well documented, tried and tested Samba Active Directory Domain Controller tha | |||
* `INSECURELDAP` defaults to `false`. When set to true, it removes the secure LDAP requirement. While this is not recommended for production it is required for some LDAP tools. You can remove it later from the smb.conf file stored in the config directory. | |||
* `MULTISITE` defaults to `false` and tells the container to connect to an OpenVPN site via an ovpn file with no password. For instance, if you have two locations where you run your domain controllers, they need to be able to interact. The VPN allows them to do that. | |||
* `NOCOMPLEXITY` defaults to `false`. When set to `true` it removes password complexity requirements including `complexity, history-length, min-pwd-age, max-pwd-age` | |||
* `IDLOWER` The minimum ID to use for user and group IDs within the DC ("XID"s). Defaults to 3000000. | |||
* `IDUPPER` The maximum ID to use for user and group IDs within the DC ("XID"s). Defaults to 3000000. |
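Review bot: the new `IDUPPER` entry documents the same default (3000000) as `IDLOWER`, which describes an empty range; the default should be the actual upper bound (the suggested change further down this page corrects it to 4000000). While here, the README should say that these defaults do not fit the 0-65535 remapped range the PR description targets, so unprivileged deployments must set both variables below 65536, and the entrypoint should reject `IDLOWER >= IDUPPER` rather than letting Samba start with an unusable range.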
* `IDUPPER` The maximum ID to use for user and group IDs within the DC ("XID"s). Defaults to 3000000. | |
* `IDUPPER` The maximum ID to use for user and group IDs within the DC ("XID"s). Defaults to 4000000. |
I tried running Samba as a Domain Controller with these patches and it just works - at least the pod spins up successfully. Further configuration and testing pending, I'm just getting started learning Samba and Active Directory.
This includes two features that make it possible to run unprivileged. 1. Setting the XID range with `IDLOWER` and `IDUPPER` (in order to fit within a container-remapped UID range of 0-65535) and 2. Setting `ACLSTORAGE` to `userns` which provides some options to the storage modules to record ACL data in a namespace where an unprivileged container can get at it. See changes in README.md for more info. These changes are based on a significant amount of research and tinkering and may not be 100% correct but they seem to work in the home-lab environment I've tested with so far, feedback welcome.