diegogslomp / samba-ad-dc

🐳 Docker image of Samba domain controller compiled from source
https://hub.docker.com/r/diegogslomp/samba-ad-dc
GNU General Public License v3.0

Issue on moving data to another Host #15

Closed killmasta93 closed 1 year ago

killmasta93 commented 1 year ago

Hi, currently I'm trying to migrate my dc1 container to another host but for some reason it's not working, not sure what I missed. These were the steps I took first:

sent the container image to the other host

docker save samba:ubuntu | bzip2 | ssh root@192.168.7.249 docker load, then copy the files in /var/lib/docker/volumes/samba-ad-dc_dc1-local-samba/_data to the host, then edit the docker compose:

version: "3.1"

services:
  dc1:
    image: samba:ubuntu
    restart: unless-stopped
    networks:
      macvlan_net:
        ipv4_address: 192.168.7.206
    build:
      context: .
      dockerfile: dockerfiles/almalinux
      args:
        SMB_VERSION: "${SMB_VERSION:-latest}"
    container_name: dc1
    hostname: DC1
    privileged: true
    environment:
      REALM: SMD.LOCAL
      DOMAIN: SMD
      ADMIN_PASS: Passw0rd
      DNS_FORWARDER: 8.8.8.8
      BIND_NETWORK_INTERFACES: false
    ports:
      - "53:53"
      - "445:445"
    volumes:
      - dc1-local-samba:/usr/local/samba
      - smd:/data2/

volumes:
  dc1-local-samba:
   driver: local-persist
   driver_opts:
     mountpoint: /smd/_data
  smd:
   driver: local-persist
   driver_opts:
     mountpoint: /smd

networks:
 macvlan_net:
   name: macvlan_net
   driver: macvlan
   driver_opts:
      parent: ens18
   ipam:
      config:
        - subnet: "192.168.7.0/24"
          ip_range: "192.168.7.0/24"
          gateway: "192.168.7.254"

I tried checking the logs but can't seem to find the logs to see what the issue would be.

Thanks

diegogslomp commented 1 year ago

Hello

Check if you have the same files on all sides. I don't know if copying the _data from one host to another is the right way to do it. I'll take a look, let me know if you make progress.

~/repos/samba-ad-dc (master) docker exec -it dc1 bash

[root@DC1 sbin]# cat /etc/krb5.conf
[libdefaults]
default_realm = DGS.NET
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
DGS.NET = {
default_domain = dgs.net
}

[domain_realm]
DC1 = DGS.NET

[root@DC1 sbin]# ls /usr/local/samba/
bin  bind-dns  etc  include  lib  lib64  libexec  private  sbin  share  var

[root@DC1 sbin]# ls /usr/local/sbin/
samba-domain-demote  samba-domain-join  samba-domain-provision  samba-tests  update-etc-files

[root@DC1 sbin]# ls /usr/local/samba/private/
dns_update_cache  encrypted_secrets.key  idmap.ldb  ldap_priv  msg.sock                privilege.ldb  sam.ldb.d           secrets.keytab  secrets.tdb  smbd.tmp         tls
dns_update_list   hklm.ldb               krb5.conf  ldapi      netlogon_creds_cli.tdb  sam.ldb        schannel_store.tdb  secrets.ldb     share.ldb    spn_update_list
killmasta93 commented 1 year ago

Thanks for the reply, so it seems I have this:

root@DC1:/usr/local/sbin# cat /etc/krb5.conf
[libdefaults]
    default_realm = SMD.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
SMD.LOCAL = {
    default_domain = smd.local
}

[domain_realm]
    DC1 = SMD.LOCAL

root@DC1:/usr/local/sbin# ls /usr/local/samba/
bin  bind-dns  etc  include  lib  libexec  private  sbin  share  var

root@DC1:/usr/local/sbin# ls /usr/local/sbin/
samba-domain-demote  samba-domain-join  samba-domain-provision  samba-tests  unminimize  update-etc-files

root@DC1:/usr/local/sbin# ls /usr/local/samba/private/
dns_update_cache  encrypted_secrets.key  idmap.ldb  ldap_priv  msg.sock                privilege.ldb  sam.ldb.d           secrets.keytab  secrets.tdb  smbd.tmp         tls
dns_update_list   hklm.ldb               krb5.conf  ldapi      netlogon_creds_cli.tdb  sam.ldb        schannel_store.tdb  secrets.ldb     share.ldb    spn_update_list

Thank you

diegogslomp commented 1 year ago

Try creating a new fresh dc using the same steps that you did in the old host, after tests bring it down, rsync the volume data from the old to the new and run it again. Let me know if you have any trouble.

killmasta93 commented 1 year ago

Thanks for the reply, so I tried the following but got the same issue: when I try to open the AD it shows the connection issue. So to test it, this is what happened:

1) Created the container from zero, then checked if I can telnet to port 53, and it works
2) then docker-compose down
3) rsync -rvah --stats --progress _data/ /var/lib/docker/volumes/samba-ad-dc_dc1-local-samba/_data --log-file=/root/rsync.log
4) docker-compose up -d

After that I tried to telnet to port 53 and it shows offline. The issue is that I can't see the logs, because nothing shows when I try to see them.

Not sure what else I can look for?

Thank you

diegogslomp commented 1 year ago

Hello!

After the domain provisioning no logs are generated by Samba, only a "silent" samba -F is executed before that, but even if no logs are shown, docker ps shows the running container. Please try to run the samba tests before and after the rsync. Below my tests:

# Remove container and volume
docker compose down -v
docker compose up -d
docker compose logs -f
docker compose exec dc1 samba-tests
docker compose down

# Backup
rsync -rvah --stats --progress /var/lib/docker/volumes/samba-ad-dc_dc1-local-samba/_data/ _data/ --log-file=/root/rsync.log

# Remove container and volume
docker compose down -v
docker compose up -d
docker compose logs -f
docker compose exec dc1 samba-tests
docker compose down

# Restore
rsync -rvah --stats --progress  _data/ /var/lib/docker/volumes/samba-ad-dc_dc1-local-samba/_data/ --log-file=/root/rsync.log

docker compose up -d
docker compose exec dc1 samba-tests
killmasta93 commented 1 year ago

Hi there, thank you so much for the reply, so these were the steps I did:

root@dc:/smd/samba-ad-dc# docker-compose logs -f
dc1  | INFO 2023-08-03 03:22:15,351 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
dc1  | INFO 2023-08-03 03:22:15,352 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
dc1  | WARNING 2023-08-03 03:22:15,353 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
dc1  | INFO 2023-08-03 03:22:15,782 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2274: Setting up share.ldb
dc1  | INFO 2023-08-03 03:22:15,797 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
dc1  | INFO 2023-08-03 03:22:15,810 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2283: Setting up the registry
dc1  | INFO 2023-08-03 03:22:15,846 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2286: Setting up the privileges database
dc1  | INFO 2023-08-03 03:22:16,126 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2289: Setting up idmap db
dc1  | INFO 2023-08-03 03:22:16,160 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2296: Setting up SAM db
dc1  | INFO 2023-08-03 03:22:16,362 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
dc1  | INFO 2023-08-03 03:22:16,365 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
dc1  | INFO 2023-08-03 03:22:16,375 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
dc1  | Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
dc1  |
dc1  | INFO 2023-08-03 03:22:16,438 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1383: Adding DomainDN: DC=smd,DC=local
dc1  | INFO 2023-08-03 03:22:16,469 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1415: Adding configuration container
dc1  | INFO 2023-08-03 03:22:16,517 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1430: Setting up sam.ldb schema
dc1  | INFO 2023-08-03 03:22:22,223 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1448: Setting up sam.ldb configuration data
dc1  | INFO 2023-08-03 03:22:22,527 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1489: Setting up display specifiers
dc1  | INFO 2023-08-03 03:22:26,244 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1497: Modifying display specifiers and extended rights
dc1  | INFO 2023-08-03 03:22:26,314 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1504: Adding users container
dc1  | INFO 2023-08-03 03:22:26,316 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1510: Modifying users container
dc1  | INFO 2023-08-03 03:22:26,318 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1513: Adding computers container
dc1  | INFO 2023-08-03 03:22:26,320 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1519: Modifying computers container
dc1  | INFO 2023-08-03 03:22:26,321 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1523: Setting up sam.ldb data
dc1  | INFO 2023-08-03 03:22:26,577 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1553: Setting up well known security principals
dc1  | INFO 2023-08-03 03:22:26,662 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1567: Setting up sam.ldb users and groups
dc1  | INFO 2023-08-03 03:22:27,142 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1575: Setting up self join
dc1  | Repacking database from v1 to v2 format (first record CN=ms-DS-cloudExtensionAttribute20,CN=Schema,CN=Configuration,DC=smd,DC=local)
dc1  | Repack: re-packed 10000 records so far
dc1  | Repacking database from v1 to v2 format (first record CN=container-Display,CN=816,CN=DisplaySpecifiers,CN=Configuration,DC=smd,DC=local)
dc1  | Repacking database from v1 to v2 format (first record CN=c88227bc-fcca-4b58-8d8a-cd3d64528a02,CN=Operations,CN=DomainUpdates,CN=System,DC=smd,DC=local)
dc1  | INFO 2023-08-03 03:22:30,216 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/sambadns.py #1198: Adding DNS accounts
dc1  | INFO 2023-08-03 03:22:30,235 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/sambadns.py #1232: Creating CN=MicrosoftDNS,CN=System,DC=smd,DC=local
dc1  | INFO 2023-08-03 03:22:30,265 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/sambadns.py #1245: Creating DomainDnsZones and ForestDnsZones partitions
dc1  | INFO 2023-08-03 03:22:30,326 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/sambadns.py #1250: Populating DomainDnsZones and ForestDnsZones partitions
dc1  | Repacking database from v1 to v2 format (first record DC=_ldap._tcp,DC=smd.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=smd,DC=local)
dc1  | Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.dc,DC=_msdcs.smd.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=smd,DC=local)
dc1  | INFO 2023-08-03 03:22:30,784 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2012: Setting up sam.ldb rootDSE marking as synchronized
dc1  | INFO 2023-08-03 03:22:30,789 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2017: Fixing provision GUIDs
dc1  | INFO 2023-08-03 03:22:33,459 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
dc1  | INFO 2023-08-03 03:22:33,460 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
dc1  | INFO 2023-08-03 03:22:33,680 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2082: Setting up fake yp server settings
dc1  | INFO 2023-08-03 03:22:33,802 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #487: Once the above files are installed, your Samba AD server will be ready to use
dc1  | INFO 2023-08-03 03:22:33,802 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #492: Server Role:           active directory domain controller
dc1  | INFO 2023-08-03 03:22:33,802 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #493: Hostname:              DC1
dc1  | INFO 2023-08-03 03:22:33,802 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #494: NetBIOS Domain:        SMD
dc1  | INFO 2023-08-03 03:22:33,802 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #495: DNS Domain:            smd.local
dc1  | INFO 2023-08-03 03:22:33,802 pid:9 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #496: DOMAIN SID:            S-1-5-21-4154742268-4027994234-2601868088

root@dc:/smd/samba-ad-dc# docker compose exec dc1 samba-tests
# DC1: samba --version
Version 4.18.1
# DC1: testparm
Load smb config files from /usr/local/samba/etc/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions
# Global parameters
[global]
    dns forwarder = 8.8.8.8
    ldap server require strong auth = No
    passdb backend = samba_dsdb
    realm = SMD.LOCAL
    server role = active directory domain controller
    workgroup = SMD
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    map archive = No
    vfs objects = dfs_samba4 acl_xattr

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/smd.local/scripts
    read only = No
# DC1: smbclient -L localhost -U%

    Sharename       Type      Comment
    ---------       ----      -------
    sysvol          Disk
    netlogon        Disk
    IPC$            IPC       IPC Service (Samba 4.18.1)
SMB1 disabled -- no workgroup available
# DC1: smbclient //localhost/netlogon -UAdministrator -c "ls"
Password for [SMD\Administrator]:
  .                                   D        0  Thu Aug  3 03:22:16 2023
  ..                                  D        0  Thu Aug  3 03:22:27 2023

        131067940 blocks of size 1024. 117190772 blocks available
# DC1: nslookup "DC1.smd.local"
Server:     192.168.7.206
Address:    192.168.7.206#53

Name:   DC1.smd.local
Address: 192.168.7.206

# DC1: host -t SRV "_ldap._tcp.smd.local"
_ldap._tcp.smd.local has SRV record 0 100 389 dc1.smd.local.
# DC1: kinit administrator
Password for administrator@SMD.LOCAL:
Warning: Your password will expire in 41 days on Thu Sep 14 03:22:27 2023
# DC1: klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SMD.LOCAL

Valid starting     Expires            Service principal
08/03/23 03:22:56  08/03/23 13:22:56  krbtgt/SMD.LOCAL@SMD.LOCAL
    renew until 08/04/23 03:22:56
# DC1: wbinfo -u
SMD\administrator
SMD\guest
SMD\krbtgt
# DC1: ldapsearch -xLLL -s base namingContexts
dn:
namingContexts: DC=smd,DC=local
namingContexts: CN=Configuration,DC=smd,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=smd,DC=local
namingContexts: DC=DomainDnsZones,DC=smd,DC=local
namingContexts: DC=ForestDnsZones,DC=smd,DC=local

# DC1: ldapsearch -xLLL -b "cn=administrator,cn=users,dc=smd,dc=local" -D "cn=administrator,cn=users,dc=smd,dc=local"
dn: CN=Administrator,CN=Users,DC=smd,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20230803032226.0Z
uSNCreated: 3853
name: Administrator
objectGUID:: TT2BsvTblEiUpW3Onda2wg==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 133355065466762830
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA/FWk93pQFvA4WxWb9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=smd,DC=local
isCriticalSystemObject: TRUE
memberOf: CN=Domain Admins,CN=Users,DC=smd,DC=local
memberOf: CN=Schema Admins,CN=Users,DC=smd,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=smd,DC=local
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=smd,DC=local
memberOf: CN=Administrators,CN=Builtin,DC=smd,DC=local
lastLogonTimestamp: 133355065761497250
whenChanged: 20230803032256.0Z
uSNChanged: 4074
lastLogon: 133355065763285490
logonCount: 2
distinguishedName: CN=Administrator,CN=Users,DC=smd,DC=local

As I already had a backup from my other host, I ran the restore:

rsync -rvah --stats --progress _data/ /var/lib/docker/volumes/samba-ad-dc_dc1-local-samba/_data/ --log-file=/root/rsync.log

then docker compose up -d:

root@dc:/smd/samba-ad-dc# docker compose exec dc1 samba-tests
# DC1: samba --version
Version 4.18.1
# DC1: testparm
Load smb config files from /usr/local/samba/etc/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions
# Global parameters
[global]
    bind interfaces only = Yes
    dns forwarder = 8.8.8.8
    interfaces = lo ens18
    ldap server require strong auth = No
    passdb backend = samba_dsdb
    realm = SMD.LOCAL
    server role = active directory domain controller
    workgroup = SMD
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    map archive = No
    vfs objects = dfs_samba4 acl_xattr

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/smd.local/scripts
    read only = No
# DC1: smbclient -L localhost -U%

    Sharename       Type      Comment
    ---------       ----      -------
    sysvol          Disk
    netlogon        Disk
    IPC$            IPC       IPC Service (Samba 4.18.1)
SMB1 disabled -- no workgroup available
# DC1: smbclient //localhost/netlogon -UAdministrator -c "ls"
Password for [SMD\Administrator]:
  .                                   D        0  Wed Apr 12 18:54:18 2023
  ..                                  D        0  Wed Apr 12 18:54:34 2023

        131067940 blocks of size 1024. 117190176 blocks available
# DC1: nslookup "DC1.smd.local"
;; communications error to 192.168.7.206#53: connection refused
;; communications error to 192.168.7.206#53: connection refused
;; communications error to 192.168.7.206#53: connection refused
;; no servers could be reached

It seems that might be the issue. I'm not sure if it's because on my previous host the docker compose was this, while I'm trying to move this container to another host using macvlan:

version: "3.1"

services:
  dc1:
    image: samba:ubuntu
    restart: unless-stopped
    network_mode: host
    build:
      context: .
      dockerfile: dockerfiles/almalinux
      args:
        SMB_VERSION: "${SMB_VERSION:-latest}"
    container_name: dc1
    hostname: DC1
    privileged: true
    environment:
      REALM: SMD.LOCAL
      DOMAIN: SMD
      ADMIN_PASS: Passw0rd
      DNS_FORWARDER: 8.8.8.8
    volumes:
      - dc1-local-samba:/usr/local/samba

volumes:
  dc1-local-samba:

But when I bash into the container it shows the correct IP:

root@dc:/smd/samba-ad-dc# docker exec -it dc1 bash
root@DC1:/usr/local/sbin# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
24: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:c0:a8:07:ce brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.7.206/24 brd 192.168.7.255 scope global eth0
       valid_lft forever preferred_lft forever

Thank you

diegogslomp commented 1 year ago

Change the ens18 interface to eth0 or eth0@if2 in /usr/local/samba/etc/smb.conf of the new DC.
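
An added check for the mismatch diagnosed above (example code, not part of the samba-ad-dc project and not from either participant): a POSIX shell script that reads the "bind interfaces only" and "interfaces" values from the [global] section of a restored smb.conf and compares the named interfaces with those the container actually has, so a config carried over from a host-networked container (interfaces = lo ens18) is caught before a macvlan container whose only interface is eth0 is relied on as a DC. The function names, the constructed sample [global] section in demo, and the docker exec pipeline in the trailing comment are assumptions for this example; the paths and container name come from the compose file in this issue.

```shell
#!/bin/sh
# Added example, not part of samba-ad-dc: pre-flight check that every interface
# named in a restored smb.conf exists in the container. Function names are
# assumptions made for this example.

# Print the value of <key> from the [global] section of <smb.conf>.
# Key comparison is case-insensitive; other sections are ignored.
smb_global_value() {
    key=$1; file=$2
    awk -v key="$key" '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }' "$file"
}

# Print each configured interface name absent from the present list and
# return 1 if any is missing. Entries starting with a digit (IP addresses or
# CIDR blocks, which "interfaces" also accepts) are not checked here.
missing_interfaces() {
    configured=$1; present=$2; rc=0
    for name in $configured; do
        case $name in [0-9]*) continue ;; esac
        found=0
        for p in $present; do
            if [ "$p" = "$name" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Return 0 when samba can bind as configured, 1 when smb.conf names an
# interface this container does not have (the situation in this issue).
check_smb_interfaces() {
    conf=$1; present=$2
    bind_only=$(smb_global_value "bind interfaces only" "$conf" | tr 'A-Z' 'a-z')
    case $bind_only in
        yes|true|1) ;;
        *) echo "bind interfaces only is off: samba listens on all addresses"; return 0 ;;
    esac
    configured=$(smb_global_value interfaces "$conf")
    if missing=$(missing_interfaces "$configured" "$present"); then
        echo "ok: interfaces = $configured"
        return 0
    fi
    echo "smb.conf names interfaces this container does not have: $missing" >&2
    echo "edit 'interfaces =' in $conf before relying on this DC" >&2
    return 1
}

# Offline demonstration: a constructed [global] section mirroring the restored
# config in this thread (ens18 from the old host) checked against a container
# that only has lo and eth0. Returns 1, as the live check would.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[global]
    bind interfaces only = Yes
    dns forwarder = 8.8.8.8
    interfaces = lo ens18
    realm = SMD.LOCAL
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
EOF
    if check_smb_interfaces "$tmp" "lo eth0"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Live use (assumed: the volume path and container name from this issue's
# compose file; the container stays up even when samba does not bind DNS):
#   check_smb_interfaces \
#     /var/lib/docker/volumes/samba-ad-dc_dc1-local-samba/_data/etc/smb.conf \
#     "$(docker exec dc1 ip -o link | awk -F': ' '{ sub(/@.*/, "", $2); print $2 }')"
```

Run it right after the restore rsync and docker compose up -d, before samba-tests: a non-zero exit means the restored smb.conf still points at the old host's interface and samba will not listen on 192.168.7.206:53, which is exactly the "connection refused" seen in the nslookup step above. When bind interfaces only is off the check passes regardless, because samba then listens on every address.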

killmasta93 commented 1 year ago

Thank you so much, that was the issue, that fixed it. Thanks again