Podman samba always error NT_STATUS_ACCESS_DENIED

Fedora SB 41
I want to create a Podman container to run the Samba server from this image, but I always get the error NT_STATUS_ACCESS_DENIED for write operations; read operations work fine.
This is how I start it:

podman run
topolini@fc40sb:~/Samba$ cat samba-start.bash 
#!/usr/bin/bash

WORKDIR="$(pwd)/workdir"
echo "WORKDIR=$WORKDIR"

podman run \
  --userns=keep-id:uid=1000,gid=1000 \
  --rm \
  --name smbd \
  --publish 4450:445 \
  -v "${WORKDIR}/config":/usr/local/etc \
  -v "${WORKDIR}/share":/share:z \
  -e SAMBACC_CONFIG="/usr/local/etc/config.json" \
  quay.io/samba.org/samba-server:latest \
  run smbd

# smbclient -U 'SAMBA\sambauser%samba' //localhost/share
topolini@fc40sb:~/Samba$ vi samba-start.bash 
topolini@fc40sb:~/Samba$ ./samba-start.bash 
WORKDIR=/var/home/ltosolini/Samba/workdir
smbd version 4.21.2 started.
Copyright Andrew Tridgell and the Samba Team 1992-2024

And this is the error I get from client:

smbclient
fc40sb:~/Samba$ smbclient --debug-stdout --debuglevel=3 --port 4450 -U 'SAMBA\sambauser%samba' //localhost/share
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Can't find include file /etc/samba/usershares.conf
added interface ens160 ip=192.168.255.13 bcast=192.168.255.255 netmask=255.255.255.0
Client started (version 4.21.2).
tdb(/var/lib/samba/lock/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/lock/gencache.tdb: Permission denied
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 4450
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
gensec_gse_client_start: Not using kerberos to cifs/localhost as SAMBA\sambauser: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Try "help" to get a list of possible commands.
smb: \> 
smb: \> 
smb: \> dir
dos_clean_name [\*]
unix_clean_name [\*]
  .                                   D        0  Sat Dec 21 18:52:47 2024
  ..                                  D        0  Sat Dec 21 18:52:47 2024
  luca.txt                            N       14  Fri Dec 20 18:18:42 2024
  pippo                               N       29  Sat Dec 21 18:52:47 2024

                51377152 blocks of size 1024. 23683432 blocks available
Total bytes listed: 43
smb: \> mkdir ciao
dos_clean_name [\ciao]
unix_clean_name [\ciao]
NT_STATUS_ACCESS_DENIED making remote directory \ciao

And this is the config, pretty straightforward:

topolini@fc40sb:~/Samba$ cat workdir/config/config.json 
{
  "samba-container-config": "v0",
  "configs": {
    "demo": {
      "shares": [
        "share"
      ],
      "globals": [
        "default"
      ],
      "instance_name": "SAMBA"
    }
  },
  "shares": {
    "share": {
      "options": {
        "path": "/share",
        "valid users": "sambauser"
      }
    }
  },
  "globals": {
    "default": {
      "options": {
        "security": "user",
        "server min protocol": "SMB2",
        "load printers": "no",
        "printing": "bsd",
        "printcap name": "/dev/null",
        "disable spoolss": "yes",
        "guest ok": "no"
      }
    }
  },
  "users": {
    "all_entries": [
      {
        "name": "sambauser",
        "password": "samba"
      }
    ]
  },
  "_footer": 1
}

Got it to work by adding 'force user' and 'force group':

  "shares": {
    "share": {
      "options": {
        "path": "/share",
        "force user": "root",
        "force group": "root",
        "writable": "yes",
        "valid users": "sambauser"
      }
    }
  },

Maybe you can create a user to own the directories and force to that user, to avoid forcing to root. I assume that forcing to root will allow you to overwrite files in the container and break it?
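Two details in this thread are worth checking mechanically before reaching for `force user = root`. First, Samba shares are `read only = yes` by default, and the original config.json above sets neither `read only` nor `writable`, so the reply's block changes two things at once (`writable: yes` plus the forced identity). Second, `--userns=keep-id:uid=1000,gid=1000` makes the host user appear as uid 1000 inside the container, so files under /share are owned by that uid there; a Samba session that runs as a different container-side account can list them but not write them, which matches the symptom. The script below is an added example for this thread, not code from the poster or from the sambacc project: it reads a sambacc-style config.json (the layout is taken from the one posted above), applies smb.conf's `read only`/`writable` semantics to decide whether a share accepts writes, flags `force user`/`force group = root`, and produces a copy that forces a named non-root account instead. The account name `sharedata` is a hypothetical placeholder; whatever account you use must own the share directory (at the uid it has inside the container) for the forced identity to help.

```python
"""Lint and harden a sambacc config.json for the share-write problem in this thread.

Added example for the discussion above; not sambacc's own code. The JSON layout
("shares" -> name -> "options") follows the config.json the poster published.
"""
import copy
import json
from typing import Dict, List, Optional

# Constructed sample: the poster's config after the reply's 'force user: root' change,
# trimmed to the sections the checks below look at.
SAMPLE_CONFIG_JSON = """
{
  "samba-container-config": "v0",
  "configs": {"demo": {"shares": ["share"], "globals": ["default"], "instance_name": "SAMBA"}},
  "shares": {
    "share": {
      "options": {
        "path": "/share",
        "force user": "root",
        "force group": "root",
        "writable": "yes",
        "valid users": "sambauser"
      }
    }
  },
  "globals": {"default": {"options": {"security": "user", "guest ok": "no"}}},
  "users": {"all_entries": [{"name": "sambauser", "password": "samba"}]}
}
"""

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def _as_bool(value: str) -> bool:
    """Parse an smb.conf boolean (yes/no, true/false, 1/0)."""
    v = str(value).strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def share_is_writable(options: Dict[str, str]) -> bool:
    """Apply smb.conf semantics: 'read only' defaults to yes, and 'writable',
    'writeable' and 'write ok' are its inverted synonyms; the last one given wins."""
    writable = False  # Samba default: read only = yes
    for key, value in options.items():
        k = key.strip().lower()
        if k == "read only":
            writable = not _as_bool(value)
        elif k in ("writable", "writeable", "write ok"):
            writable = _as_bool(value)
    return writable


def lint_config(cfg: dict) -> List[str]:
    """Return one finding per share option that explains or worsens the symptom."""
    findings = []
    for name, share in cfg.get("shares", {}).items():
        opts = share.get("options", {})
        if not share_is_writable(opts):
            findings.append(
                f"{name}: read-only (Samba default); every write returns NT_STATUS_ACCESS_DENIED"
            )
        for key in ("force user", "force group"):
            if str(opts.get(key, "")).strip().lower() == "root":
                findings.append(
                    f"{name}: '{key} = root' makes every valid user act as root on the share path"
                )
    return findings


def harden_share(cfg: dict, share_name: str, owner_user: str,
                 owner_group: Optional[str] = None) -> dict:
    """Return a copy of cfg where share_name is writable and forced to a non-root
    account. owner_user/owner_group are hypothetical names supplied by the caller;
    that account must own the share directory inside the container."""
    group = owner_group or owner_user
    if "root" in (owner_user, group):
        raise ValueError("refusing to force the share identity to root")
    hardened = copy.deepcopy(cfg)
    opts = hardened["shares"][share_name]["options"]
    opts["force user"] = owner_user
    opts["force group"] = group
    # Drop competing spellings so a single 'writable = yes' is unambiguous.
    for key in ("read only", "writeable", "write ok"):
        opts.pop(key, None)
    opts["writable"] = "yes"
    return hardened


def main() -> None:
    cfg = json.loads(SAMPLE_CONFIG_JSON)
    for finding in lint_config(cfg):
        print("-", finding)
    hardened = harden_share(cfg, "share", "sharedata")  # 'sharedata' is a placeholder
    print(json.dumps(hardened["shares"], indent=2))


if __name__ == "__main__":
    main()
```

Run it against the original config (the one without `writable`) and the only finding is the read-only one, which is the first thing to rule out; against the reply's version the read-only finding disappears and the two `root` findings appear. The hardened copy keeps `valid users` as-is and only changes who the session runs as on disk.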