
lxc debian transmission samba fix file R&W permission

FlyingEagle
2025-08-10

Choose a Free UID on the Proxmox Host & LXC

Check if your desired UID is free (let’s use 5000 as an example)

getent passwd 5000

  • If it returns nothing, the UID is free. If it returns a user, try another number (e.g., 5001, 5002, etc.)

Execute the Plan Using Your Chosen UID

Once you have confirmed that your chosen UID (e.g., 5000) is free on both the host and the container, execute the commands.

On the Proxmox Host:

  1. Create your dedicated user on the host with the chosen UID
useradd --uid 5000 --gid 1000 --shell /usr/sbin/nologin --no-create-home lxcshare
  • --shell /usr/sbin/nologin: the account cannot log in, for security
  • --no-create-home: prevents creating a home directory

  2. Change ownership of the share to the new user/group
chown -R 5000:1000 /srv/lxcshare/

  3. Set the correct permissions
find /srv/lxcshare/ -type d -exec chmod 2775 {} \;
find /srv/lxcshare/ -type f -exec chmod 664 {} \;

Inside the LXC Container:

  1. Change the UID of the debian-transmission user to your chosen number
usermod -u 5000 debian-transmission

  2. (Optional) Verify the changes took effect
id debian-transmission
  • This should now show ‘uid=5000(debian-transmission)’

  3. The files in /mnt/hostshared should now show ‘debian-transmission’ as the owner correctly.
ls -la /mnt/hostshared/

If usermod fails with an error like the following:

usermod: user debian-transmission is currently used by process 147

Solution: Stop the Service, Change UID, Restart Service

  1. Stop the Transmission service
systemctl stop transmission-daemon

  2. Verify the process has stopped (should show no results)
pgrep -u debian-transmission

  3. NOW change the user ID
usermod -u 5000 debian-transmission

  4. (Optional but good) Change the group ID for consistency if needed
groupmod -g 5000 debian-transmission

  5. Start the Transmission service again
systemctl start transmission-daemon

  6. Verify the change was successful
id debian-transmission
  • This should now show: uid=5000(debian-transmission) gid=5000(debian-transmission) …

If the following error appears when Transmission is started again:

~# systemctl start transmission-daemon
Job for transmission-daemon.service failed because the control process exited with error code.

Step-by-Step Fix:

Run these commands inside the LXC container:

  1. Stop the service (if it’s trying to restart)
systemctl stop transmission-daemon

  2. Change ownership of Transmission’s data and config directories to the new UID/GID
chown -R debian-transmission:debian-transmission /var/lib/transmission-daemon/
chown -R debian-transmission:debian-transmission /etc/transmission-daemon/

  3. Also check the download directory (if it’s inside the container)
  • If your downloads go to /mnt/hostshared, you DON’T need to change this as it’s already set
  • But if there’s a local directory, change its ownership too

  4. Check for any other directories Transmission might use
  • Look in /etc/transmission-daemon/settings.json for “download-dir”, “incomplete-dir”, etc.

  5. Start the service again
systemctl start transmission-daemon

  6. Check the status to see if it worked
systemctl status transmission-daemon
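
The settings.json check in the step above can be scripted. This is an added example, not part of the original post: it reads "download-dir" and "incomplete-dir" from settings.json and reports every directory that is missing or holds entries not owned by the given user. The function names and the OK/MISSING/WRONG_OWNER/ERROR labels are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print "<key> <path>" for each directory key in a Transmission settings.json.
# JSON permits "/" to be written as "\/", so that escaping is undone first.
transmission_dirs() {
    sed -n -E \
        -e 's#\\/#/#g' \
        -e 's/^[[:space:]]*"(download-dir|incomplete-dir)"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1 \2/p' \
        "$1"
}

# check_transmission_dirs SETTINGS_JSON USER
# Prints one status line per configured directory; returns 0 only if every
# directory exists and everything below it is owned by USER.
check_transmission_dirs() {
    settings=$1
    user=$2
    rc=0
    while read -r key dir; do
        [ -n "$key" ] || continue
        if [ ! -d "$dir" ]; then
            echo "MISSING $key $dir"; rc=1
        elif ! foreign=$(find "$dir" ! -user "$user" -print 2>/dev/null); then
            # find failed: unknown user name or an unreadable subtree
            echo "ERROR $key $dir"; rc=1
        elif [ -n "$foreign" ]; then
            echo "WRONG_OWNER $key $dir"; rc=1
        else
            echo "OK $key $dir"
        fi
    done <<EOF
$(transmission_dirs "$settings")
EOF
    return "$rc"
}

# Usage inside the container:
#   check_transmission_dirs /etc/transmission-daemon/settings.json debian-transmission
```

A WRONG_OWNER line points at a directory that still needs the chown from the ownership step above.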

Find Transmission’s user & group

ps aux | grep transmission #show the owner
debian-+     144  0.0  0.4 262028 18656 ?        Ssl  05:55   0:35 /usr/bin/transmission-daemon -f --log-error
root        9199  0.0  0.0   3328  1636 pts/3    S+   06:12   0:00 grep transmission #owner is debian-transmission

For example, if /data is the share directory:

ls -ld /data #check the ownership

(If /data is owned by root:root, we need to change it.)

Set up a shared group

Create a new shared group (if not already done)

groupadd sharedfiles  

Add both Transmission and Samba (nobody) to this group

usermod -aG sharedfiles debian-transmission  
usermod -aG sharedfiles nobody  

Change /data ownership to the shared group

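chown -R :sharedfiles /data
find /data -type d -exec chmod 2775 {} \;  # SGID ensures new files inherit the group
find /data -type f -exec chmod 664 {} \;   # files get rw-rw-r--, without execute or SGID bits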

Update Samba Config (/etc/samba/smb.conf)

[share]
   path = /data
   browseable = yes
   guest ok = yes
   writable = yes
   # Forces all files to appear as owned by 'sharedfiles'
   force group = sharedfiles
   # Files created will have rw-rw-r--
   create mask = 0664
   # Directories will have rwxrwxr-x
   directory mask = 0775

Restart Services

service smbd restart  
service transmission-daemon restart  

Summary

  1. 0664 for Files (create mask = 0664)

Breakdown:

  • 6 (Owner: rw-) → Read + Write
  • 6 (Group: rw-) → Read + Write
  • 4 (Others: r--) → Read only

Why Not 777?

777 would allow anyone (including guest users) to modify/delete files, which is a security risk.

With 664, only the owner (debian-transmission) and group (sharedfiles) can edit files, while others can only read.

Why 6 for Group?

Since debian-transmission (Transmission) and nobody (Samba) are in the same group (sharedfiles), rw- ensures both can edit files.

  2. 0775 for Directories (directory mask = 0775)

Breakdown:

  • 7 (Owner: rwx) → Read + Write + Execute
  • 7 (Group: rwx) → Read + Write + Execute
  • 5 (Others: r-x) → Read + Execute (but no write)

Why 775 Instead of 777?

Directories need execute (x) permission to allow cd and ls.

775 lets the owner/group create/delete files, while others can only list contents (no accidental deletions).

777 would let anyone delete/create files in the directory, which is dangerous for shared folders.

Why 7 for Group?

Ensures both Transmission and Samba users (sharedfiles group) can freely manage files.

  3. Why Avoid 777?

Security Risk:

777 means any user on the system (or malware) could delete/modify files.

Especially risky for guest-accessible Samba shares.

Unnecessary:

If the owner/group has full access (7/6), there’s no need to give everyone (others) write access.

  4. How This Fits Your Setup

Transmission creates files as debian-transmission:sharedfiles.

Samba (as nobody) is in sharedfiles, so it gets rw- (from 664/775).

Guests (others) can only read files (r--/r-x), preventing chaos.

Key Takeaways

  1. 664/775 are safer than 777 → Prevents random users from messing with files.

  2. Group permissions (6/7) are key → Allows Transmission + Samba to collaborate.

  3. Execute (x) on directories is mandatory → Without it, users can’t cd or ls.

By using these permissions, you’ve made the share functional for both services while keeping it secure.

Solve the AD DC problem

Disable the unnecessary AD DC service
systemctl disable samba-ad-dc
systemctl mask samba-ad-dc
Enable and start the file sharing services
systemctl enable smbd nmbd
systemctl start smbd nmbd
Verify they’re running
systemctl status smbd nmbd
