Closed atlury closed 9 months ago
Hello, you can use something like:

```yaml
  dc2:
    image: diegogslomp/samba-ad-dc
    restart: unless-stopped
    container_name: dc2
    hostname: DC2
    privileged: true
    network_mode: host
    environment:
      REALM: NAME.COM
      DOMAIN: NAME
      ADMIN_PASS: Passw0rd
      DNS_FORWARDER: 8.8.8.8
    dns_search: name.com
    dns:
      - 172.16.238.20
      - 172.16.238.10
    extra_hosts:
      - "DC1 DC1.name.com:172.16.238.10"
      - "DC2 DC2.name.com:172.16.238.20"
    command: bash -c "samba-domain-join DC1 && samba -F"
    volumes:
      - samba-data:/usr/local/samba
      - samba-krb5:/etc/krb5.conf.d
volumes:
  samba-data:
  samba-krb5:
```

Any trouble, let me know.
This works, thank you. I am going to try out the fileshare now (domain join as a member) and squid. Of course there is still the rsync script that needs to sync /usr/local/samba/sysvol/ and /usr/local/samba/private/idmap.ldb.
You can add a cron job in the dc2 for sysvol replication:

```
*/5 * * * * root /usr/bin/rsync -XAav --delete-after root@dc1:/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/
```
If you can, please share the steps for the fileshare that you did/will do. Any trouble, let me know.
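Wrapping that cron line in a script, as an added example that is not part of this thread or of the diegogslomp/samba-ad-dc image: it builds the same rsync command, adds a dry-run mode and a lock so two cron ticks cannot overlap, copies idmap.ldb as the earlier comment mentions, and resets the sysvol NT ACLs afterwards. The host name dc1, the /usr/local/samba prefix, key-based root ssh to dc1 and the availability of flock are assumptions.

```shell
#!/bin/bash
# Added example (not from this thread or the diegogslomp/samba-ad-dc project):
# a wrapper around the rsync SysVol replication cron line above.
# Assumptions: dc1 accepts key-based ssh as root, the Samba prefix is
# /usr/local/samba, flock (util-linux) is available and /run/lock is writable.
set -u

SRC_HOST="${SRC_HOST:-dc1}"
SYSVOL="${SYSVOL:-/usr/local/samba/var/locks/sysvol/}"
IDMAP="${IDMAP:-/usr/local/samba/private/idmap.ldb}"
LOCK_FILE="${LOCK_FILE:-/run/lock/sysvol-sync.lock}"

# Build the sysvol rsync command as a string so it can be inspected without running it.
# -X and -A carry the xattrs and POSIX ACLs that hold the NT permissions; --delete-after
# mirrors deletions from dc1. With dry=1, --dry-run makes rsync only report the changes.
build_sysvol_cmd() {
    host="$1"; path="$2"; dry="${3:-0}"
    opts="-XAav --delete-after"
    [ "$dry" = "1" ] && opts="$opts --dry-run"
    printf 'rsync %s root@%s:%s %s' "$opts" "$host" "$path" "$path"
}

# idmap.ldb holds the SID-to-uid/gid mapping the sysvol ACLs refer to, so it travels
# with sysvol. It is copied live here; snapshotting it on dc1 with tdbbackup first is
# safer (an assumption about your setup, not something the thread does).
build_idmap_cmd() {
    host="$1"; path="$2"
    printf 'rsync -av root@%s:%s %s' "$host" "$path" "$path"
}

# Run both copies under a non-blocking lock so a slow run is not overlapped by the
# next cron tick, then reset the sysvol NT ACLs so a mapping difference between the
# DCs does not leave GPOs unreadable.
run_sync() {
    dry="${1:-0}"
    exec 9>"$LOCK_FILE"
    if ! flock -n 9; then
        echo "sysvol-sync: previous run still active, skipping" >&2
        return 2
    fi
    eval "$(build_sysvol_cmd "$SRC_HOST" "$SYSVOL" "$dry")" || return 1
    if [ "$dry" != "1" ]; then
        eval "$(build_idmap_cmd "$SRC_HOST" "$IDMAP")" || return 1
        samba-tool ntacl sysvolreset
    fi
}

# Invoked as "sysvol-sync.sh run" from cron or "sysvol-sync.sh dry-run" by hand;
# sourcing the file only defines the functions.
case "${1:-}" in
    run)     run_sync 0 ;;
    dry-run) run_sync 1 ;;
esac
```

The cron entry then becomes `*/5 * * * * root /usr/local/sbin/sysvol-sync.sh run`; run `sysvol-sync.sh dry-run` once by hand first to see what rsync would change.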
Thanks, I will try the fileshare VM tonight as well, get it working and share the config here so that it's useful for others.
This is how I added a file server to my Docker-based DC1. And it works!! Some notes.

Since our primary goal is to set up a Samba file server that joins an existing Samba Active Directory Domain Controller (AD DC) and we are only using it for SMB/CIFS file sharing, we DON'T need to configure PAM modules specifically for Samba. And thus we DON'T need SSSD, which integrates with PAM and NSS to provide local system authentication and identity services; this is separate from Samba's SMB/CIFS file sharing authentication.

Samba interacts directly with the AD for SMB/CIFS authentication.

The Samba Active Directory Domain Controller (AD DC) setup uses RFC2307; you should configure the idmap settings in your Samba file server to use the ad backend instead of rid. The ad backend is used specifically for environments where user and group ID mapping is managed via RFC2307 attributes in the main Samba AD DC1.

You could do "docker exec -it dc1 /bin/bash" and run the command "testparm"; you will notice, among other things, that it has idmap_ldb:use rfc2307 = yes in the Samba AD DC1.

In a Samba environment, member servers with specific roles like printer shares or file sharing servers (separate VMs) do not require the idmap_ldb:use rfc2307 = yes setting. This setting is specific to the configuration of a Samba Active Directory Domain Controller (AD DC) and is not typically used or needed on member servers.

For member servers, like file sharing servers or print servers, the ID mapping is usually configured using idmap config directives in their smb.conf files. This mapping can be based on the rid or ad backend, depending on whether RFC2307 attributes are used in your environment.

Install Debian and do the following (on bare metal or a VM).

Of course, make sure the file server VM itself has the correct static IP in /etc/network/interfaces, has correct /etc/hosts and /etc/hostname files as well as /etc/resolv.conf (making it immutable). Have an NTP server or use your main DC as NTP. These are the first things to do.
Remove sssd and install other packages for Samba:

```sh
apt purge sssd
apt-get install winbind libnss-winbind libpam-winbind libpam-krb5 samba
apt-get install cifs-utils krb5-user
mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
```
Edit or create new /etc/samba/smb.conf:
```ini
[global]
   workgroup = NAME
   security = ADS
   realm = NAME.COM
   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   idmap config * : backend = autorid
   idmap config * : range = 10000-24999999
   template shell = /bin/bash
   template homedir = /home/%U
   client max protocol = SMB3

[shared]
   path = /srv/samba/shared
   public = no
   writable = yes
   guest ok = no
   #valid users = user1,user2,administrator
   #valid users = @HOME\domainusers
   create mask = 0770
   directory mask = 0770
   read only = no
   browseable = yes
   inherit permissions = Yes
   inherit acls = Yes
   inherit owner = Yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S
   writable = yes
   path = /home/%S
```
The configuration line "idmap config * : backend = autorid" in a Samba member server smb.conf file specifies the use of the autorid backend for ID mapping. This is an alternative to other ID mapping backends like rid or ad.
Ensure that client max protocol is not set to a value lower than SMB3, as modern Windows clients use newer SMB protocols.
Consider adding vfs objects = acl_xattr under the [global] section for better ACL handling.
Verify the settings for template homedir and template shell for correct home directory and shell for domain users.
Edit /etc/krb5.conf:
```ini
[libdefaults]
   default_realm = NAME.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
```
Setting up file shares. Create the shared directory:

```sh
sudo mkdir -p /srv/samba/shared
```
Before setting permissions, ensure you have compat and winbind added to passwd and group along with the others. Edit /etc/nsswitch.conf and add winbind to the end of the passwd and group lines:

```
passwd: files systemd compat winbind
group: files systemd compat winbind
```

Reboot.
Additional note:

- User-specific access (%S): restricts access to individual users based on their username matching the share name. Commonly used for personal user shares.
- Group-based access (@DOMAIN\domainusers): allows access to all members of a specific group, useful for shares that are intended for broader access within an organization or a specific set of users.
Obtain a Kerberos ticket:

```sh
kinit administrator@HOME.COM
```

Join the Samba server to the AD domain:

```sh
sudo net ads join -U administrator
```

Restart Samba to apply the changes:

```sh
sudo systemctl restart smbd nmbd winbind
```

Verify domain membership:

```sh
wbinfo -u
net ads info
```
Set the appropriate permissions. Here, we'll give read/write access to the domain users. Adjust the permissions as needed for your scenario:
```sh
sudo chown -R root:"Domain Users" /srv/samba/shared
#sudo chown root:HOME\domainusers /srv/samba/shared
sudo chmod -R 0770 /srv/samba/shared
```
Testing file share access. From a Windows client in the AD domain, try accessing the shared folder:

```
\\samba-server-ip\shared
```

Replace samba-server-ip with the actual IP address of your Samba server. This should work on non-joined Windows clients also. For username and password, try the format below.

```
home.com\administrator
Passw0rd
```
Will now get transparent squid working with DC1 docker.
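As an added example (not code from this thread or from the diegogslomp/samba-ad-dc project), a checker for the settings the walkthrough above depends on: it parses smb.conf and nsswitch.conf text offline for security = ADS, a realm, a sane idmap config * range, winbind on the passwd/group lines and end-of-line comments (which smb.conf does not support), and with --live runs testparm, wbinfo -t, net ads testjoin and a "Domain Users" lookup on the joined host. Debian file paths, the samba/winbind/krb5 tools and the SAMPLE_* strings (constructed from the post's configuration) are assumptions.

```shell
#!/bin/bash
# Added example, not code from this thread or the diegogslomp/samba-ad-dc project:
# a checker for the member-server setup above. The offline checks parse
# configuration text; the --live checks assume a Debian host with the samba,
# winbind and krb5 tools installed. SAMPLE_* are constructed from the post's files.
set -u

# Print the value of key $3 in section $2 of the smb.conf text $1 (first match,
# case-insensitive key, comment lines skipped); empty output means "not set".
smb_get() {
    printf '%s\n' "$1" | awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        (index($0, "=") > 0) {
            key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(sec) == tolower(want_sec) && tolower(key) == tolower(want_key)) { print val; exit }
        }'
}

# smb.conf has no end-of-line comments: in "valid users = @ITG # note" the words
# "#" and "note" become part of the user list. Prints offenders, returns 1 if any.
find_inline_comments() {
    printf '%s\n' "$1" | awk 'BEGIN { bad = 0 }
        /^[[:space:]]*[#;]/ { next }
        (index($0, "=") > 0 && substr($0, index($0, "=")) ~ /[#;]/) { print "line " NR ": " $0; bad = 1 }
        END { exit bad }'
}

# passwd and group must go through winbind, or chown root:"Domain Users" and the
# valid users lists cannot resolve domain accounts.
check_nsswitch() {
    printf '%s\n' "$1" | awk 'BEGIN { p = 0; g = 0 }
        /^[[:space:]]*#/ { next }
        /^passwd:/ && /winbind/ { p = 1 }
        /^group:/ && /winbind/ { g = 1 }
        END { exit !(p && g) }'
}

# The default (*) idmap domain needs a backend and a lo-hi range that stays above
# local system accounts (lo >= 1000) and is well-formed (lo < hi).
check_idmap_range() {
    backend=$(smb_get "$1" global "idmap config * : backend")
    range=$(smb_get "$1" global "idmap config * : range")
    [ -n "$backend" ] || return 1
    case "$range" in
        [0-9]*-[0-9]*) lo=${range%-*}; hi=${range#*-} ;;
        *) return 1 ;;
    esac
    [ "$lo" -ge 1000 ] && [ "$lo" -lt "$hi" ]
}

# Run all offline checks on smb.conf text $1 and nsswitch.conf text $2; returns the failure count.
offline_checks() {
    fails=0
    [ "$(smb_get "$1" global security | tr '[:upper:]' '[:lower:]')" = "ads" ] || { echo "FAIL: security must be ADS"; fails=$((fails + 1)); }
    [ -n "$(smb_get "$1" global realm)" ] || { echo "FAIL: realm not set"; fails=$((fails + 1)); }
    check_idmap_range "$1" || { echo "FAIL: idmap config * backend/range"; fails=$((fails + 1)); }
    find_inline_comments "$1" || { echo "FAIL: end-of-line comments in smb.conf"; fails=$((fails + 1)); }
    check_nsswitch "$2" || { echo "FAIL: passwd/group in nsswitch.conf lack winbind"; fails=$((fails + 1)); }
    return "$fails"
}

# Live checks on the joined file server: FQDN inside the realm, smb.conf accepted by
# testparm, machine trust secret valid, join intact, domain groups resolvable.
live_checks() {
    smb=$(cat /etc/samba/smb.conf)
    lrealm=$(smb_get "$smb" global realm | tr '[:upper:]' '[:lower:]')
    fqdn=$(hostname -f)
    case "$fqdn" in *."$lrealm") ;; *) echo "FAIL: $fqdn is not in realm $lrealm"; return 1 ;; esac
    testparm -s >/dev/null 2>&1 || { echo "FAIL: testparm rejects smb.conf"; return 1; }
    wbinfo -t || { echo "FAIL: trust secret check failed (winbind running? joined?)"; return 1; }
    net ads testjoin || { echo "FAIL: net ads testjoin"; return 1; }
    getent group "Domain Users" >/dev/null || { echo "FAIL: Domain Users not resolvable via winbind"; return 1; }
    echo "OK: member server checks passed"
}

# Constructed samples (not from a live system) mirroring the post's configuration.
SAMPLE_SMB_CONF='[global]
   workgroup = NAME
   security = ADS
   realm = NAME.COM
   idmap config * : backend = autorid
   idmap config * : range = 10000-24999999
[shared]
   path = /srv/samba/shared
   valid users = @ITG'
SAMPLE_NSSWITCH='passwd: files systemd compat winbind
group: files systemd compat winbind'

case "${1:-}" in
    --demo)  offline_checks "$SAMPLE_SMB_CONF" "$SAMPLE_NSSWITCH" && echo "OK: offline checks passed" ;;
    --check) offline_checks "$(cat "$2")" "$(cat "$3")" ;;   # --check /etc/samba/smb.conf /etc/nsswitch.conf
    --live)  live_checks ;;
esac
```

Run it as `member-check.sh --check /etc/samba/smb.conf /etc/nsswitch.conf` before the join and `member-check.sh --live` after `net ads join`; a non-zero exit from the offline run is the number of failed checks.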
Hi @atlury, quick question: is the Samba server for the file server a VM or a Docker container?

It's a separate VM in Debian 12. We can containerize it though. Haven't had the time.

Btw, squid is also working.

Hi @atlury, awesome. Let me know if you are able to containerize it; I have been trying for a while but I can only seem to connect it through a VM.

Do not use Alpine Linux. It will never work, especially when trying to connect or communicate with another Samba AD DC, since glibc is not available. I think there are communication protocols missing. Debian or Ubuntu Docker images will work.

Hi @atlury, so I finally got it working in an LXC container on Proxmox, but can't seem to wrap my head around how I can deploy it in a Docker container.

I was maybe thinking like this, but it's just a theory. The Dockerfile:
```dockerfile
# Use Ubuntu as the base image ("ubuntu:23" is not a published tag; use a full version tag)
FROM ubuntu:24.04
# Install necessary packages (noninteractive so krb5-config does not prompt for a realm)
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y winbind libnss-winbind libpam-winbind libpam-krb5 samba cifs-utils krb5-user && \
    rm -rf /var/lib/apt/lists/*
# Copy Samba and Kerberos configuration files into the container
COPY smb.conf /etc/samba/smb.conf
COPY krb5.conf /etc/krb5.conf
COPY nsswitch.conf /etc/nsswitch.conf
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh
# Create the share directory. "Domain Users" can only be resolved after the join,
# so the chown happens in entrypoint.sh at runtime, not at build time.
RUN mkdir -p /srv/samba/shared && chmod 0770 /srv/samba/shared
# Expose Samba ports
EXPOSE 137/udp 138/udp 139 445
# entrypoint.sh joins the domain, starts winbindd, then runs smbd in the foreground
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
```
The docker compose:

```yaml
version: '3.8'
services:
  samba:
    build: .
    container_name: samba-container
    environment:
      SAMBA_ADMIN_USER: administrator
      SAMBA_ADMIN_PASSWORD: ${SAMBA_ADMIN_PASSWORD}
    volumes:
      - ./smb.conf:/etc/samba/smb.conf
      - ./krb5.conf:/etc/krb5.conf
      - samba-data:/srv/samba/shared
      # keep the join state (secrets.tdb, idmap caches) across container recreation
      - samba-lib:/var/lib/samba
    ports:
      - "137:137/udp"
      - "138:138/udp"
      - "139:139"
      - "445:445"
volumes:
  samba-data:
  samba-lib:
```
I would use the same smb.conf from the example above, and krb5.conf along with nsswitch.conf, but would create an entrypoint script:
```bash
#!/bin/bash
set -e
# Join the domain on the first start; later starts reuse the join state in /var/lib/samba (persist it with a volume)
if ! net ads testjoin >/dev/null 2>&1 && [ -n "$SAMBA_ADMIN_USER" ] && [ -n "$SAMBA_ADMIN_PASSWORD" ]; then
    echo "$SAMBA_ADMIN_PASSWORD" | kinit "$SAMBA_ADMIN_USER"
    net ads join -U "$SAMBA_ADMIN_USER"%"$SAMBA_ADMIN_PASSWORD"
fi
# winbindd must be running for security = ADS (authentication and idmap lookups)
winbindd
# Wait until winbindd answers, then set the share ownership (domain groups resolve only now)
for _ in 1 2 3 4 5; do wbinfo -p >/dev/null 2>&1 && break; sleep 1; done
chown root:"Domain Users" /srv/samba/shared
# Start Samba
exec smbd --foreground --log-stdout
```
Then would run this:

```sh
export SAMBA_ADMIN_PASSWORD=yourpassword
docker-compose up -d
```

Still haven't tried it, just a theory; going to try it this week to see.

Hmmm, you could try it and let me know. It would be good to have everything dockerized.

Hi @atlury, quick question: after running the steps I got it working, but when I try to edit on Windows it does not let me edit the permissions?

It works on Windows, I am able to edit/create new users. Did you log in with administrator? Is it in time sync?

So weird, what I did was move a folder in the shared folder.

For shared folders use another VM or another physical machine. That "other" VM can be connected to this primary ADC. I will try to dig in why it doesn't work.

@atlury I think I might have found the issue. I got it working on another Ubuntu, but the issue I have is with a Debian with Samba version 4.5.16-Debian; trying to figure out how to update it.

Here is the dump of a working Samba file server.
```sh
apt install vim vim-nox
apt install openssh-server
vi /etc/ssh/sshd_config
```
---------------------------------
root@fileserver:~# more /etc/network/interfaces
```
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
auto ens192
iface ens192 inet static
    address 10.1.3.93/24
    netmask 255.255.255.0
    gateway 10.1.3.1
```
---------------------------------
root@fileserver:~# more /etc/hosts
```
127.0.0.1 localhost
#127.0.1.1 fileserver
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.1.3.93 fileserver.mocosoft.com fileserver
```
---------------------------------
root@fileserver:~# more /etc/hostname
```
fileserver.mocosoft.com
```
---------------------------------
root@fileserver:~# more /etc/resolv.conf
```
search mocosoft.com
nameserver 10.1.3.9
nameserver 10.1.3.10
nameserver 8.8.8.8
```
```sh
chattr +i /etc/resolv.conf
```
---------------------------------
```sh
apt install chrony
apt install chrony ntpdate -y
ntpdate -bu pool.ntp.org
systemctl restart chrony
systemctl enable chrony
```
---------------------------------
```sh
apt purge sssd
apt-get install winbind libnss-winbind libpam-winbind libpam-krb5 samba
apt-get install cifs-utils krb5-user
mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
```
---------------------------------
root@fileserver:~# more /etc/samba/smb.conf
```ini
[global]
   workgroup = MOCOSOFT
   security = ADS
   realm = MOCOSOFT.COM
   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   idmap config * : backend = autorid
   idmap config * : range = 10000-24999999
   template shell = /bin/bash
   template homedir = /home/%U
   client max protocol = SMB3

[shared]
   path = /srv/samba/shared
   public = no
   writable = yes
   guest ok = no
   # Restrict access to members of the ITG group. smb.conf has no end-of-line
   # comments, so the note must sit on its own line or it becomes part of the list.
   valid users = @ITG
   #valid users = user1,user2,administrator
   #valid users = @HOME\domainusers
   create mask = 0770
   directory mask = 0770
   read only = no
   browseable = yes
   inherit permissions = Yes
   inherit acls = Yes
   inherit owner = Yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S
   writable = yes
   path = /home/%S
```
---------------------------------
```sh
mkdir -p /srv/samba/shared
chmod -R 0770 /srv/samba/shared
```
---------------------------------
root@fileserver:~# more /etc/krb5.conf
```ini
[libdefaults]
   default_realm = MOCOSOFT.COM
   # The following krb5.conf variables are only for MIT Kerberos.
   kdc_timesync = 1
   ccache_type = 4
   forwardable = true
   proxiable = true
   rdns = false
   dns_lookup_realm = false
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   # The following libdefaults parameters are only for Heimdal Kerberos.
   fcc-mit-ticketflags = true
```
---------------------------------
vi /etc/nsswitch.conf
```
# passwd: files systemd compat winbind
# group: files systemd compat winbind
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd winbind
group: files systemd winbind
shadow: files systemd
gshadow: files systemd
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
```
--------------------------------
```sh
#systemctl restart smbd nmbd winbind
kinit administrator@MOCOSOFT.COM
klist
```
--------------------------------
```sh
net ads join -U administrator
systemctl restart smbd nmbd winbind
wbinfo -u
net ads info
```
---------------------------------
```sh
reboot
chown -R root:"Domain Users" /srv/samba/shared
systemctl restart smbd nmbd winbind
```
Finally got it working. It seems that it only works on Ubuntu with Samba 4.17; on Debian I can't seem to get it working. Thank you so much.

For my primary DC this compose file works well.
Can I use a similar docker compose file, without downloading from GitHub, to set up a secondary DC and join it to the primary?
Will it take the dns:, extra_hosts: and command: bash -c "samba-domain-join DC1 && samba -F" options?
Assuming I use the image from diegogslomp/samba-ad-dc.
Thanking you.