Extended "system" attributes within jailed environment don't work
Dewayne Geraghty
dewayne.geraghty at heuristicsystems.com.au
Fri Jul 14 03:55:21 UTC 2017
Can someone advise how I can enable extended attributes in a "system"
namespace within a jailed (or bhyve) environment? There was no guidance
in "man jail" nor "man jail.conf".
Simple test
From the host or base system:
# touch /a ; setextattr user t1 first /a ; getextattr user t1 /a
/a first
# touch /a ; setextattr system t2 second /a ; getextattr system t2 /a
/a second
Within a jail:
# touch /a ; setextattr user t1 first /a ; getextattr user t1 /a
/a first
# touch /a ; setextattr system t2 second /a ; getextattr system t2 /a
setextattr: /a: failed: Operation not permitted
getextattr: /a: failed: Operation not permitted
The impact of this is that SAMBA after 4.3 uses "system" namespace
extended attributes; hence it cannot provision an Active Directory within
a jailed environment. (For the inclined, this affects sysvol, and
interestingly "rsync -x" is unable to copy extended attributes, so
having consistent sysvols across a SAMBA domain may be a challenge)
Regards, Dewayne.