Docker Samba Server with USB drive

Hi all,

I’m fairly new to Docker and face a rather complex issue to which I could not find a solution on the internet:

I have a Proxmox server running. On that, I have an Ubuntu server VM (not LXC). The Ubuntu server already has 3 Docker containers up and running, which I transferred from my Raspberry Pi successfully.

Attached to the Proxmox host is a USB drive with 500 GB storage.

I have forwarded the USB drive to the Ubuntu VM in Proxmox, and the drive is showing in Ubuntu and is mounted properly.

$ lsblk -f | grep sdb
sdb
└─sdb1                    ext4        1.0            63fe27d9-39dc-47d2-85ed-281ae688b4c3    869.2G     0% /mnt/usb-drive

$ mount | grep sdb
/dev/sdb1 on /mnt/usb-drive type ext4 (rw,relatime)

$ l usb-drive
total 40K
drwxrwxr-x 7 docker docker 4.0K Jan  6 11:43 .
drwxr-xr-x 5 root   root   4.0K Jan  5 15:30 ..
drwxrwxr-x 2 docker docker 4.0K Jan  6 15:11 achim
drwxrwxr-x 2 docker docker 4.0K Jan  3 18:39 backups
drwxrwxr-x 2 docker docker 4.0K Jan  3 19:49 cameras
drwxrwxr-x 2 docker docker  16K Jan  3 15:21 lost+found
drwxrwxr-x 2 docker docker 4.0K Jan  3 19:39 spiele
-rwxrwxr-x 1 docker docker    0 Jan  3 15:23 test

The samba server is running and exposing shares:

$ docker exec -it samba-server-samba-1 smbclient -L 127.0.0.1 -U achim
Password for [WORKGROUP\achim]:

        Sharename       Type      Comment
        ---------       ----      -------
        achim           Disk
        spiele          Disk
        test            Disk
        cameras         Disk
        backups         Disk
        IPC$            IPC       IPC Service (Samba Server)
SMB1 disabled -- no workgroup available

I can also attach to the test share from my Windows device:

cmd > net use w: \\192.168.0.44\test /user:192.168.0.44\spiele mypasswordhere
The command was executed successfully. (translated)

The docker compose file looks like this:

# cat docker-compose.yaml
services:
  samba:
    image: ghcr.io/servercontainers/samba:smbd-only-latest
    privileged: true
    restart: unless-stopped
    volumes:
      - /mnt/usb-drive/achim:/shares/achim
      - /mnt/usb-drive/spiele:/shares/spiele
      - /home/docker/docker/samba-server/test:/shares/test
      - /mnt/usb-drive/backups:/shares/backups
      - /mnt/usb-drive/cameras:/shares/cameras
      #- ../paperless/data/consume:/shares/consume
    ports:
      - 139:139
      - 445:445
    environment:
      TZ: Europe/Berlin
      WSDD2_DISABLE: 1
      AVAHI_DISABLE: 1
      NETBIOS_DISABLE: 1

      ACCOUNT_achim: mypasswordhere
      UID_achim: 1000
      GID_achim: 1000
      ACCOUNT_spiele: mypasswordhere
      ACCOUNT_backup: mypasswordhere
      ACCOUNT_cameras: mypasswordhere
      UID_cameras: 1000
      GID_cameras: 1000

      SAMBA_VOLUME_CONFIG_achim: "[achim]; path=/shares/achim; valid users = achim; guest ok = no; read only = no; browseable = yes; create mask = 0644; force user = achim; force group = achim"

      SAMBA_VOLUME_CONFIG_test: "[test]; path=/shares/test; valid users = spiele; guest ok = no; read only = no; browseable = yes; create mask = 0644; force user = spiele; force group = spiele"

      SAMBA_VOLUME_CONFIG_spiele: "[spiele]; path=/shares/spiele; valid users = achim; guest ok = no; read only = no; browseable = yes; create mask = 0644; force user = achim; force group = achim"

      SAMBA_VOLUME_CONFIG_backups: "[backups]; path=/shares/backups; valid users = achim, backup; guest ok = no; read only = no; browseable = yes; create mask = 0644; force user = achim; force group = achim"

      SAMBA_VOLUME_CONFIG_cameras: "[cameras]; path=/shares/cameras; valid users = cameras; guest ok = no; read only = no; browseable = yes; create mask = 0644; force user = cameras; force group = cameras"

Yet, when I try to attach to a share that resides on the USB drive, this fails in Windows:

PS C:\Users\Achim> net use w: \\192.168.0.44\spiele /user:192.168.0.44\spiele mypasswordhere
System error 5

Access denied (translated)

I have tried a few things, especially turning off Windows security features for cleartext credentials and guest login. That did not help, and I don’t think that is the root cause as it works with the test share on the local disk, but fails for the USB drive.

I might have mis-configured the permissions on the drive, so I’m totally up for suggestions what permissions might be required or who should be the owner of the drive, or how the USB drive should be mounted to begin with.

I wonder if anybody can help me with this <3 Thanks a lot in advance in any case!

First step would be to go inside the container and check if the files are present inside and if they are readable.

First step would be to go inside the container and check if the files are present inside and if they are readable.

That works, this one for backups:

╭─[17:35] [docker@docker] ~/docker/samba-server
$ docker exec -it samba-server-samba-1 touch /shares/backups/test-write.txt
╭─[17:35] [docker@docker] ~/docker/samba-server
$ docker exec -it samba-server-samba-1 ls -la /shares/backups/
total 8
drwxrwxr-x    2 spiele   spiele        4096 Jan  6 18:35 .
drwxr-xr-x    7 root     root          4096 Jan  6 15:59 ..
-rwxrwxr-x    1 spiele   spiele           0 Jan  3 19:39 backups.txt
-rw-r--r--    1 root     root             0 Jan  6 18:35 test-write.txt

Works as well for cameras:

╭─[17:35] [docker@docker] ~/docker/samba-server
$ docker exec -it samba-server-samba-1 touch /shares/cameras/test-write.txt
╭─[17:37] [docker@docker] ~/docker/samba-server
$ docker exec -it samba-server-samba-1 ls -la /shares/cameras
total 8
drwxrwxr-x    2 spiele   spiele        4096 Jan  6 18:37 .
drwxr-xr-x    7 root     root          4096 Jan  6 15:59 ..
-rw-r--r--    1 root     root             0 Jan  6 18:37 test-write.txt

I haven’t posted the overview of running dockers, but here it is (no idea why the container’s name is samba-server-samba-1):

$ docker ps | grep samba
2740ba1a459f   ghcr.io/servercontainers/samba:smbd-only-latest   "/container/scripts/…"   3 hours ago    Up 3 hours (healthy)   0.0.0.0:139->139/tcp, [::]:139->139/tcp, 137/udp, 0.0.0.0:445->445/tcp, [::]:445->445/tcp   samba-server-samba-1

In case you are wondering what it looks like outside the docker container:

╭─[17:42] [docker@docker] /mnt/usb-drive/backups
$ l
total 8.0K
drwxrwxr-x 2 docker docker 4.0K Jan  6 17:35 .
drwxrwxr-x 7 docker docker 4.0K Jan  6 11:43 ..
-rwxrwxr-x 1 docker docker    0 Jan  3 18:39 backups.txt
-rw-r--r-- 1 root   root      0 Jan  6 17:35 test-write.txt

╭─[17:42] [docker@docker] /mnt/usb-drive/cameras
$ l
total 8.0K
drwxrwxr-x 2 docker docker 4.0K Jan  6 17:37 .
drwxrwxr-x 7 docker docker 4.0K Jan  6 11:43 ..
-rw-r--r-- 1 root   root      0 Jan  6 17:37 test-write.txt

I cannot imagine that it really works if two accounts have the same user and group id. What do the container logs say about it?

yoink. That’s it. I think I made another mistake as well where I tested to access a share with an account that had no permission to do so.

Any idea why my user cameras cannot write in the cameras share?

PS C:\Users\Achim> net use e: \\192.168.0.44\cameras /user:192.168.0.44\cameras mypasswordhere

The command was executed successfully. (translated)

Yet I receive this error:

“You need permission to execute this task”
“Access to target folder denied”

Permission is just the same as for the others:

╭─[19:20] [docker@docker] /mnt/usb-drive
$ l
total 40K
drwxrwxr-x 7 docker docker 4.0K Jan  6 11:43 .
drwxr-xr-x 5 root   root   4.0K Jan  5 15:30 ..
drwxrwxr-x 2 docker docker 4.0K Jan  6 15:11 achim
drwxrwxr-x 2 docker docker 4.0K Jan  6 17:35 backups
drwxrwxr-x 2 docker docker 4.0K Jan  6 17:37 cameras
drwxrwxr-x 2 docker docker  16K Jan  3 15:21 lost+found
drwxrwxr-x 2 docker docker 4.0K Jan  6 19:14 spiele
-rwxrwxr-x 1 docker docker    0 Jan  3 15:23 test

Is there something wrong with the GID or anything?

Try ls -ln to see what uid:gid owns the folders. You need to make sure that every user is in a group that matches uid:gid of the folders.

It now boils down to simple unix file permissions. Your folders allow the owner and group to read, write and execute in the folder, but others can only read and execute.

What you need to configure depends on what you want.

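The permission-class check the last reply describes, together with the duplicate-id problem raised earlier, as an added Python example that is not part of the thread. The function names are hypothetical, the folder owner is assumed to be 1000:1000, and uid 1001 is a constructed value for an account that does not match it.

```python
import os
import stat
from collections import defaultdict

def write_access(mode, owner_uid, owner_gid, uid, gids):
    """Return (permission class, may create files) for a directory.

    Classic Unix check: exactly one class applies (owner, else group, else
    other); creating a file needs both write and search (x) on the directory.
    uid 0 is treated as bypassing the check, as root normally does, which is
    why a `docker exec ... touch` run as root proves nothing about the
    account Samba uses for the share.
    """
    if uid == 0:
        return "root", True
    if uid == owner_uid:
        cls, shift = "owner", 6
    elif owner_gid in gids:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bits = (stat.S_IMODE(mode) >> shift) & 0o7
    return cls, (bits & 0o3) == 0o3

def check_path(path, uid, gids):
    """Same check against a real directory, e.g. /mnt/usb-drive/cameras."""
    st = os.stat(path)
    return write_access(st.st_mode, st.st_uid, st.st_gid, uid, gids)

def shared_ids(environment):
    """Map each UID_<account> value used by more than one account to its accounts."""
    by_uid = defaultdict(list)
    for key, value in environment.items():
        if key.startswith("UID_"):
            by_uid[int(value)].append(key[len("UID_"):])
    return {u: sorted(names) for u, names in by_uid.items() if len(names) > 1}

# Mode drwxrwxr-x is from the thread; numeric owner 1000:1000 is an assumption.
DIR_MODE, DIR_UID, DIR_GID = 0o40775, 1000, 1000
# UID_/GID_ entries as posted in the compose file.
ENV = {"UID_achim": 1000, "GID_achim": 1000, "UID_cameras": 1000, "GID_cameras": 1000}

if __name__ == "__main__":
    print(shared_ids(ENV))
    print(write_access(DIR_MODE, DIR_UID, DIR_GID, 0, {0}))        # root
    print(write_access(DIR_MODE, DIR_UID, DIR_GID, 1001, {1001}))  # constructed uid
```

Comparing `ls -ln` on the host with `id <account>` inside the container gives the real numbers to feed into `write_access` or `check_path`.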