Fmstrat / samba-domain

Samba Active Directory Domain Controller for Docker
GNU General Public License v3.0

Upgrade image to Ubuntu Bionic #10

Closed bdabelow closed 1 year ago

bdabelow commented 5 years ago

Hi, thanks for this useful image. Using it for testing AD authentication in other applications.

I would love to see the image being upgraded to use Bionic Beaver, which is the latest LTS version from Ubuntu.

Specifically I need support for LDAP_MATCHING_RULE_IN_CHAIN, see https://bugzilla.samba.org/show_bug.cgi?id=10493

On my forked version this is working flawlessly with just updating the FROM clause. Would be happy to provide PR.

Note: The same question, for the same reason, is also asked by @zacaway in a comment here: https://github.com/Fmstrat/samba-domain/issues/3#issuecomment-394988307

Thanks, Ben
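
The matching rule requested above, LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), is evaluated server-side by Active Directory and by Samba builds that include the fix the linked bug refers to. As an added example, not code from this image or from the commenter, the block below reproduces what the rule computes over a constructed, in-memory directory (the DNs under DC=example,DC=test are made up) and shows how to build the filter string with RFC 4515 escaping, so that a DN or user-supplied value containing `*`, `(`, `)` or `\` cannot change the filter's meaning.

```python
"""Added example: semantics of LDAP_MATCHING_RULE_IN_CHAIN and safe filter construction.
Not part of the samba-domain project. The directory below is constructed for the demo.
"""
from collections import deque

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter (anti LDAP injection)."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def in_chain_filter(attr: str, dn: str) -> str:
    """Filter matching entries whose `attr` chain transitively reaches `dn`.

    (member:1.2.840.113556.1.4.1941:=<userDN>)   -> all groups the user is in, nested included
    (memberOf:1.2.840.113556.1.4.1941:=<groupDN>) -> all objects transitively in the group
    """
    return f"({attr}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(dn)})"


# Constructed directory (hypothetical DNs): group DN -> direct `member` values.
DIRECTORY = {
    "CN=Domain Admins,CN=Users,DC=example,DC=test": [
        "CN=Tier0,OU=Groups,DC=example,DC=test",
    ],
    "CN=Tier0,OU=Groups,DC=example,DC=test": [
        "CN=alice,CN=Users,DC=example,DC=test",
        "CN=Ops,OU=Groups,DC=example,DC=test",
    ],
    "CN=Ops,OU=Groups,DC=example,DC=test": [
        "CN=bob,CN=Users,DC=example,DC=test",
        "CN=Tier0,OU=Groups,DC=example,DC=test",  # nesting cycle, must not loop
    ],
    "CN=alice,CN=Users,DC=example,DC=test": [],
    "CN=bob,CN=Users,DC=example,DC=test": [],
}


def transitive_members(directory, group_dn):
    """Result set of (memberOf:<OID>:=group_dn): every entry reachable via `member` links.
    Breadth-first with a visited set, so cyclic nesting terminates."""
    seen, queue = set(), deque([group_dn])
    while queue:
        dn = queue.popleft()
        for m in directory.get(dn, []):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def transitive_groups(directory, entry_dn):
    """Result set of (member:<OID>:=entry_dn): every group containing entry_dn, nested included.
    Same walk over the reversed `member` graph."""
    reverse = {}
    for group, members in directory.items():
        for m in members:
            reverse.setdefault(m, []).append(group)
    return transitive_members(reverse, entry_dn)


if __name__ == "__main__":
    bob = "CN=bob,CN=Users,DC=example,DC=test"
    print(in_chain_filter("member", bob))
    for g in sorted(transitive_groups(DIRECTORY, bob)):
        print("  bob is (transitively) a member of", g)
```

A client that can issue the real query would send `in_chain_filter("member", user_dn)` with the user's DN and get back the same set that `transitive_groups` computes locally here; the local walk is only there to make the expected result checkable offline.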

Fmstrat commented 4 years ago

Fixed in develop https://github.com/Fmstrat/samba-domain/commit/4e1d07d3a0cf9490b52a54af3fcd4844bc661089

@bdabelow Would you be willing to test before I merge?

xiaoyuwz1234 commented 4 years ago

Reporting an error in the build process: chmod: cannot access '/init.sh': No such file or directory

In the Dockerfile, 'COPY init.sh /init.sh' comes after 'RUN chmod 755 /init.sh'.

saas2813 commented 4 years ago

The restructured Dockerfile is trying to chmod init.sh in the command starting at line 7, before it is copied in place by the command at line 21.

Also, don't know if this is useful for others than me but anyway.

To be able to use samba-tool user edit inside the Docker container we need an editor installed. I got a minimal vi with this line:

RUN apt-get install -y busybox && ln -s /bin/busybox /bin/vi

I also required a more recent Samba than was included in Ubuntu 18. I got Samba 4.11 by referring to these two sites: https://lists.samba.org/archive/samba/2019-October/226538.html http://apt.van-belle.nl/

The below can probably be more efficient but worked for me. Added these lines before the big install line (7) in the Dockerfile:

RUN apt-get update
RUN apt-get install -y wget apt-transport-https gnupg
# Note: the key is fetched over plain http and added with apt-key (now deprecated); the
# transport that delivers the key is unauthenticated.
RUN wget -qO - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
RUN echo "# AptVanBelle repo for samba." | tee /etc/apt/sources.list.d/van-belle.list
RUN echo "deb http://apt.van-belle.nl/debian bionic-samba411 main contrib non-free" | tee -a /etc/apt/sources.list.d/van-belle.list

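
Two things in the comments above are worth catching mechanically before a build: the `RUN chmod 755 /init.sh` that runs before the `COPY init.sh /init.sh` (the "cannot access '/init.sh'" failure reported earlier in the thread), and a repository signing key fetched over plain http and fed to `apt-key add`, where whoever can tamper with that unauthenticated download also controls which packages the image will later trust. The following checker is an added example, not code from the samba-domain project or from the commenter. The two Dockerfiles embedded in it are constructed from the fragments posted in this thread; in the "fixed" variant, the https availability of the key and the keyring path /usr/share/keyrings/van-belle.gpg are assumptions, and the fingerprint pinning step is left as a comment because the real fingerprint is not on this page.

```python
"""Added example: a small Dockerfile checker for the two problems discussed in this issue.
Not part of the samba-domain project. Sample Dockerfiles below are constructed for the demo.
"""
import re

# chmod/chown [flags] <mode-or-owner> <paths...>, paths end at the next shell operator.
CHMOD_RE = re.compile(r"\bch(?:mod|own)\s+(?:-\S+\s+)*\S+\s+([^&;|]+)")
HTTP_URL_RE = re.compile(r"\bhttp://\S+")


def instructions(dockerfile):
    """Return [(index, INSTRUCTION, args)] with backslash continuations joined.
    Blank lines and full-line comments are skipped; heredocs and parser directives are
    not handled (enough for the Dockerfile discussed in this thread)."""
    result, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        word, _, rest = buf.partition(" ")
        result.append((len(result), word.upper(), rest.strip()))
        buf = ""
    return result


def copy_destinations(instrs):
    """First instruction index at which each COPY/ADD destination is put in place."""
    dests = {}
    for idx, name, args in instrs:
        if name in ("COPY", "ADD"):
            tokens = [t for t in args.split() if not t.startswith("--")]
            if len(tokens) >= 2:
                dests.setdefault(tokens[-1], idx)
    return dests


def check_dockerfile(dockerfile):
    """Return [(instruction index, message)] for the two issue patterns."""
    instrs = instructions(dockerfile)
    dests = copy_destinations(instrs)
    findings = []
    for idx, name, args in instrs:
        if name != "RUN":
            continue
        # 1. chmod/chown on a path that only a *later* COPY/ADD creates (exact dest match;
        #    paths that never appear as a COPY/ADD destination may come from the base image
        #    and are not flagged).
        for group in CHMOD_RE.findall(args):
            for path in group.split():
                if path in dests and dests[path] > idx:
                    findings.append((idx, f"chmod/chown on {path} before it is copied "
                                          f"at instruction {dests[path]}"))
        # 2. apt-key add is deprecated; combined with an http:// fetch, the key that is
        #    supposed to authenticate the repository is itself delivered unauthenticated.
        if "apt-key add" in args:
            transport = "plain http" if HTTP_URL_RE.search(args) else "the network"
            findings.append((idx, f"repository key fetched over {transport} and added with "
                                  "deprecated apt-key; fetch over https, pin the fingerprint, "
                                  "and reference the keyring with signed-by="))
    return findings


# Constructed from the thread: chmod before COPY, key over http via apt-key.
BROKEN_DOCKERFILE = """\
FROM ubuntu:bionic
RUN apt-get update
RUN apt-get install -y wget apt-transport-https gnupg
RUN wget -qO - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
RUN echo "deb http://apt.van-belle.nl/debian bionic-samba411 main contrib non-free" \\
    | tee -a /etc/apt/sources.list.d/van-belle.list
# chmod runs here, but init.sh is only copied two instructions later
RUN apt-get update && apt-get install -y samba krb5-user \\
    && chmod 755 /init.sh
COPY init.sh /init.sh
CMD ["/init.sh"]
"""

# Same image with the two problems addressed. Assumptions (not verified against the real
# repository): the key is reachable over https; the keyring path is chosen here.
FIXED_DOCKERFILE = """\
FROM ubuntu:bionic
RUN apt-get update && apt-get install -y ca-certificates curl gnupg
# Pin the key's fingerprint against a value obtained out of band before trusting it.
RUN curl -fsSL https://apt.van-belle.nl/louis-van-belle.gpg-key.asc \\
    | gpg --dearmor -o /usr/share/keyrings/van-belle.gpg
RUN echo "deb [signed-by=/usr/share/keyrings/van-belle.gpg] http://apt.van-belle.nl/debian bionic-samba411 main contrib non-free" \\
    > /etc/apt/sources.list.d/van-belle.list
COPY init.sh /init.sh
RUN apt-get update && apt-get install -y samba krb5-user && chmod 755 /init.sh
CMD ["/init.sh"]
"""

if __name__ == "__main__":
    for idx, msg in check_dockerfile(BROKEN_DOCKERFILE):
        print(f"instruction {idx}: {msg}")
    print("fixed:", check_dockerfile(FIXED_DOCKERFILE))
```

The `deb http://...` sources line itself is not flagged: once the repository key is trusted, apt verifies the Release file signature, so the package transport does not need to be https; the key fetch is the step where transport integrity matters.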
Fmstrat commented 4 years ago

Thanks for your help! Was there a reason you needed a newer version of Samba? Also, with 20.04 around the corner I wonder what version ships with.

Good catch on samba-tool, I never actually use the edit function. I've considered actually making a web front-end in this container that would call Samba tool to allow for administration.

saas2813 commented 4 years ago

Always nice to be able to contribute :-) Regarding the newer version of Samba, I mostly need it to be able to follow HowTos since I'm not very experienced in either Samba or AD. I'm setting up Samba AD because I need a centralized password store for Samba, Linux machines and LDAP-authenticated applications, and recent Samba does not seem to support an external LDAP backend, so Samba AD seemed like the only solution. Besides, with a Samba AD I can (hopefully) get Windows login centralized as well. I just need to get my head around how everything works...

systemofapwne commented 4 years ago

UPDATE! UPDATE! UPDATE! Disregard this comment regarding DNS issues

Upgrading the base image might also fix issues with resolving DNS, since it also updates the Samba build (currently Samba 4.3.11). I had some trouble in the past week when I tried to resolve domains which had not been resolved earlier by the Samba domain controller (with DNS forwarding enabled).

The symptoms were that DNS requests to Samba returned "Server failure" for a few seconds (3-5 seconds or so). At some point, querying once more returned the correct IP, but some DNS fields, like the value of a CNAME, were mangled in RaNDoM uppercase and lowercase characters. Querying one more time after that fixed the random uppercase and lowercase letters.

Here is an excerpt of a Wireshark log:

|       time |        Source |   Destination | Protocol | Length | Info                                                                                              |
|-----------:|--------------:|--------------:|----------|-------:|---------------------------------------------------------------------------------------------------|
| 128.161486 | 192.168.0.100 |   192.168.0.5 | DNS      |     81 | Standard query 0xac38 A nas.daggeringcats.com                                                     |
| 128.233216 |   192.168.0.5 | 192.168.0.100 | DNS      |     81 | Standard query response 0xac38 Server failure A nas.daggeringcats.com                             |
| 133.382687 |   192.168.0.5 | 192.168.0.100 | DNS      |    139 | Standard query response 0x3b02 A nas.daggeringcats.com CNAME DAGgErinGCaTs.cOm A 77.20.215.38 OPT |

I fixed it by building the image from Ubuntu:latest, which now uses Samba 4.11.6. But I'm unaware whether Bionic Beaver already features a Samba release which fixes this bug, since I do not know when this issue was fixed in the past.

Edit: Apparently I can no longer join any Windows client to the domain (I only tried Windows 10 1909 Education) once I upgraded the container to Ubuntu:latest (20.04). There seems to be some strange behaviour with Samba 4.11.6 and above. For the past few hours I was unable to find the root cause. It seems that some fundamental changes in Samba are the root cause. Whenever I try to join a Windows 10 client, the domain controller spits out errors like

/usr/sbin/winbindd: sids_to_xids
/usr/sbin/smbd: Unable to convert first SID (XXXXXXXXREDACTEDXXXXXXXXX) in user token to a UID.  Conversion was returned as type 0, full token:
.....
/usr/sbin/smbd: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_SID] || at ../../source3/smbd/smb2_sesssetup.c:149

and the Windows client simply returns a NetJoin 1337 error (The security ID structure is invalid.). This is rather annoying and I couldn't find a solution so far.

systemofapwne commented 4 years ago

I just rechecked it: also with Samba 4.7.6 (the Samba version for Bionic Beaver), I can not join a Windows 10 client to the domain. It seems that changes between Samba 4.3.11 (original image) and 4.7.6 (Bionic Beaver image) might be the cause. I have to investigate this further, but right now I call it a day (or rather night). This whole situation is so unsatisfactory. Why the heck is Samba suddenly not compatible with Windows 10 as an Active Directory domain controller, after almost as many years as Windows 10 has been around (minus 1 year)?

systemofapwne commented 4 years ago

Addition to my previous comments: the issues I had with DNS resolution breaking were due to the DNS server the requests were forwarded to: it returned NXDOMAIN randomly, and that might have been cached by the domain controller's DNS server for some time. Nothing wrong on that side though.

Yet I would like to see the Samba domain controller run on "as latest and stable a version of Samba as possible" due to security concerns. But in that case, updating to a more recent version of Samba still breaks AD capability (see my previous post). Not sure what goes wrong, but I will start to investigate it.

mvthul commented 3 years ago

@systemofapwne did you find any way to run Samba 4.7+ on Docker with the functionality of joining Windows 10 devices yet?

systemofapwne commented 3 years ago

I sort of temporarily gave up on using Samba as a DC, but I will probably work on that project again in a few weeks/months.

mvthul commented 3 years ago

Awhh, that's too bad ... a Samba DC on Docker supporting forest level 2012 would be the best in my situation 😔 Wish I could help, but I'm more Windows certified than Unix 🧐😁

cfoellmann commented 2 years ago

Let's jump to ubuntu:focal and close this.

Fmstrat commented 1 year ago

Closed with latest release.