diegogslomp / samba-ad-dc

🐳 Docker image of Samba domain controller compiled from source
https://hub.docker.com/r/diegogslomp/samba-ad-dc
GNU General Public License v3.0
46 stars 18 forks

Docker compose instruction help for Primary AD DC and Secondary DC domain Join #21

Closed atlury closed 9 months ago

atlury commented 9 months ago

For my primary DC this compose file works well.

version: '3'
services:
  samba-ad-dc:
    image: diegogslomp/samba-ad-dc
    container_name: dc1
    hostname: dc1.name.com
    privileged: true
    network_mode: host
    restart: unless-stopped
    environment:
      REALM: 'NAME.COM'
      DOMAIN: 'NAME'
      ADMIN_PASS: 'Passw0rd'
      DNS_FORWARDER: '8.8.8.8'
    volumes:
      - samba-data:/usr/local/samba
      - samba-krb5:/etc/krb5.conf.d
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
volumes:
  samba-data:
  samba-krb5:

Can I use a similar docker compose file, without downloading from GitHub, to set up a secondary DC and join it to the primary?

Will it take the dns:, extra_hosts: and command: bash -c "samba-domain-join DC1 && samba -F" options?

Assuming I use the image from diegogslomp/samba-ad-dc.

Thank you

diegogslomp commented 9 months ago

Hello. You can use something like:

  dc2:
    image: diegogslomp/samba-ad-dc
    restart: unless-stopped
    container_name: dc2
    hostname: DC2
    privileged: true
    network_mode: host
    environment:
      REALM: NAME.COM
      DOMAIN: NAME
      ADMIN_PASS: Passw0rd
      DNS_FORWARDER: 8.8.8.8
    dns_search: name.com
    dns:
      - 172.16.238.20
      - 172.16.238.10
    extra_hosts:
      - "DC1 DC1.name.com:172.16.238.10"
      - "DC2 DC2.name.com:172.16.238.20"
    command: bash -c "samba-domain-join DC1 && samba -F"
    volumes:
      - samba-data:/usr/local/samba
      - samba-krb5:/etc/krb5.conf.d
volumes:
  samba-data:
  samba-krb5:

Any trouble let me know
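
After dc2 has joined, the check a practitioner wants is whether replication between DC1 and DC2 is actually healthy, and `samba-tool drs showrepl` is where that shows up. The script below is an added example, not code from this repository or the image: a POSIX shell function that parses showrepl output and returns non-zero when any replication partner reports consecutive failures, plus a small wrapper that runs the command inside a DC container via `docker exec` (the samba-tool path assumes this image's /usr/local/samba prefix). The two sample outputs are constructed in the showrepl layout; GUIDs and timestamps are placeholders.

```sh
#!/bin/sh
# Added example (not part of the diegogslomp/samba-ad-dc image): parse
# "samba-tool drs showrepl" and fail when any replication partner reports
# consecutive failures.

# repl_failures: read showrepl output on stdin, print
# "<partition> <neighbour> <n> failures" for each failing neighbour and
# return 1 if there was any, 0 if every partner replicated successfully.
repl_failures() {
    awk '
        # naming-context lines sit in column 0, e.g. DC=name,DC=com
        /^(DC|CN)=/ { part = $0; next }
        # neighbour lines are indented, e.g. "Default-First-Site-Name\DC1 via RPC"
        index($0, " via ") {
            nb = $0; sub(/^[ \t]+/, "", nb); sub(/ via .*$/, "", nb); next
        }
        # "N consecutive failure(s)." belongs to the most recent neighbour
        /consecutive failure\(s\)/ {
            if ($1 + 0 > 0) { printf "%s %s %d failures\n", part, nb, $1 + 0; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# check_dc: evaluate one DC container. Run it for dc1 and dc2, since each DC
# only reports its own view of inbound and outbound replication.
# Usage: check_dc dc2
check_dc() {
    docker exec "$1" /usr/local/samba/bin/samba-tool drs showrepl | repl_failures
}

# Constructed samples in the showrepl layout (GUIDs and dates are placeholders;
# real output indents with tabs, which the parser also accepts).
SAMPLE_OK='Default-First-Site-Name\DC2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=name,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ Mon Jan  1 00:00:00 2024 UTC was successful
        0 consecutive failure(s).
        Last success @ Mon Jan  1 00:00:00 2024 UTC
'

SAMPLE_BAD='Default-First-Site-Name\DC2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=name,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ Mon Jan  1 00:05:00 2024 UTC failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Mon Jan  1 00:00:00 2024 UTC
'
```

Wire `check_dc dc1; check_dc dc2` into whatever already alerts you (cron with mail, a monitoring exec check); a DC that replicates fine inbound can still have outbound failures that only the other DC's showrepl shows, so check both.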

atlury commented 9 months ago

This works, thank you. I am going to try out the file share now (domain join as a member) and squid. Of course there is still the rsync script that needs to sync /usr/local/samba/sysvol/ and /usr/local/samba/private/idmap.ldb

diegogslomp commented 9 months ago

You can add a cron job on dc2 for sysvol replication:

*/5 * * * *   root    /usr/bin/rsync -XAav --delete-after root@dc1:/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/

If you can please share the steps for the fileshare that you did/will do. Any trouble let me know.
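
The one-line cron job works, but two things bite in practice: overlapping runs once sysvol grows and an rsync takes longer than five minutes, and NT ACLs on the copied files that do not match the receiving DC's own idmap. The script below is an added example, not part of this repository or the image: it keeps the cron line's rsync verbatim, adds a mkdir-based lock, refuses to run on the source DC (a cron line copied to dc1 by mistake would rsync dc1 onto itself with --delete-after), and follows the copy with `samba-tool ntacl sysvolreset`, the follow-up step the Samba wiki's rsync-based SysVol replication page uses. The SSH key path, lock directory and script file name are assumptions.

```sh
#!/bin/sh
# Added example (not part of the diegogslomp/samba-ad-dc image): a wrapper
# around the sysvol rsync cron line, meant to be installed on dc2 as
# /usr/local/sbin/sysvol-sync.sh and run from cron every 5 minutes.
set -u

SYSVOL=/usr/local/samba/var/locks/sysvol                  # same path as the cron line
SOURCE_DC=${SOURCE_DC:-dc1}                               # DC holding the master copy
LOCKDIR=${LOCKDIR:-/run/sysvol-sync.lock}                 # assumed lock location
SSH_KEY=${SSH_KEY:-/root/.ssh/sysvol_rsync}               # assumed dedicated key, authorised on dc1
SAMBA_TOOL=${SAMBA_TOOL:-/usr/local/samba/bin/samba-tool} # where this image installs samba-tool

# refuse_on_source: never pull sysvol when this host is the DC we pull from.
refuse_on_source() {
    me=$(uname -n | cut -d. -f1 | tr 'A-Z' 'a-z')
    src=$(printf '%s' "$SOURCE_DC" | tr 'A-Z' 'a-z')
    [ "$me" != "$src" ]
}

# with_lock: mkdir is atomic, so no flock(1) is needed; a lock left by a run
# still in progress makes this run bail out instead of overlapping it.
with_lock() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "sysvol-sync: previous run still active ($LOCKDIR)" >&2
        return 75   # EX_TEMPFAIL; cron simply tries again in 5 minutes
    fi
    "$@"; rc=$?
    rmdir "$LOCKDIR"
    return $rc
}

# pull_sysvol: the cron line's rsync with a dedicated key (-X and -A carry the
# xattrs and POSIX ACLs that hold the NT ACLs), then reset the NT ACLs so they
# are valid for this DC's own idmap.
pull_sysvol() {
    rsync -XAav --delete-after -e "ssh -i $SSH_KEY -o BatchMode=yes" \
        "root@$SOURCE_DC:$SYSVOL/" "$SYSVOL/" || return $?
    "$SAMBA_TOOL" ntacl sysvolreset
}

sync_sysvol() {
    refuse_on_source || { echo "sysvol-sync: refusing to run on $SOURCE_DC" >&2; return 1; }
    with_lock pull_sysvol
}

# Run only when executed under the intended file name, so sourcing the file
# (for tests or interactive use) does not start a sync. Cron line:
# */5 * * * *   root    /usr/local/sbin/sysvol-sync.sh
case "$0" in *sysvol-sync.sh) sync_sysvol ;; esac
```

Restrict the key on dc1 with a `command="rsync --server ..."` forced command in authorized_keys if you can; root-to-root rsync over an unrestricted key is a full takeover of dc1 from dc2.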

atlury commented 9 months ago

Thanks I will try the fileshare VM also tonight, get it working and share the config here so that its useful for others.

atlury commented 9 months ago

This is how I add a FileServer to my docker based DC1. And it works!! Some notes.

Since our primary goal is to set up a Samba file server that joins an existing Samba Active Directory Domain Controller (AD DC), and we are only using it for SMB/CIFS file sharing, we DON'T need to configure PAM modules specifically for Samba. And thus we DON'T need SSSD, which integrates with PAM and NSS to provide local system authentication and identity services; this is separate from Samba's SMB/CIFS file sharing authentication.

Samba interacts directly with the AD for SMB/CIFS authentication.

The Samba Active Directory Domain Controller (AD DC) setup uses RFC2307, so you should configure the idmap settings in your Samba file server to use the ad backend instead of rid. The ad backend is used specifically for environments where user and group ID mapping is managed via RFC2307 attributes in the main Samba AD DC1.

You could do "docker exec -it dc1 /bin/bash" and run the command "testparm"; you will notice, among other things, that it has idmap_ldb:use rfc2307 = yes in the Samba AD DC1.

In a Samba environment, member servers with specific roles like printer shares or file sharing servers (separate VMs) do not require the idmap_ldb:use rfc2307 = yes setting. This setting is specific to the configuration of a Samba Active Directory Domain Controller (AD DC) and is not typically used or needed on member servers.

For member servers, like file sharing servers or print servers, the ID mapping is usually configured using idmap config directives in their smb.conf files. This mapping can be based on the rid or ad backend, depending on whether RFC2307 attributes are used in your environment.

Install Debian and do the following (on bare metal or a VM).

Of course, make sure the file server VM itself has the correct static IP in /etc/network/interfaces, and has correct /etc/hosts and /etc/hostname files as well as /etc/resolv.conf (making it immutable). Have an NTP server, or use your main DC for NTP. These are the first things to do.

Remove sssd and install other packages for Samba:

apt purge sssd
apt-get install winbind libnss-winbind libpam-winbind libpam-krb5 samba
apt-get install cifs-utils krb5-user

mv /etc/samba/smb.conf /etc/samba/smb.conf.backup

Edit or create new /etc/samba/smb.conf:

[global]
    workgroup = NAME
    security = ADS
    realm = NAME.COM
    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    idmap config * : backend = autorid
    idmap config * : range = 10000-24999999
    template shell = /bin/bash
    template homedir = /home/%U
    client max protocol = SMB3

[shared]
    path = /srv/samba/shared
    public = no
    writable = yes
    guest ok = no
    #valid users = user1,user2,administrator
    #valid users = @NAME\domainusers
    create mask = 0770
    directory mask = 0770
    read only = no
    browseable = yes
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S
   writable = yes
   path = /home/%S

The configuration line "idmap config * : backend = autorid" in a Samba member server smb.conf file specifies the use of the autorid backend for ID mapping. This is an alternative to other ID mapping backends like rid or ad.

Ensure that client max protocol is not set to a value lower than SMB3, as modern Windows clients use newer SMB protocols.

Consider adding vfs objects = acl_xattr under the [global] section for better ACL handling.

Verify the settings for template homedir and template shell for correct home directory and shell for domain users.

Edit /etc/krb5.conf:

[libdefaults]
        default_realm = NAME.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

Setting Up File Shares. Create the shared directory:

sudo mkdir -p /srv/samba/shared

Before setting permissions, ensure you have compat and winbind added to passwd and group along with the others. Edit /etc/nsswitch.conf and add winbind to the end of the passwd and group lines:

passwd:         files systemd compat winbind
group:          files systemd compat winbind

Reboot

Additional note:

User-Specific Access (%S): restricts access to individual users based on their username matching the share name. Commonly used for personal user shares.

Group-Based Access (@DOMAIN\domainusers): allows access to all members of a specific group, useful for shares that are intended for broader access within an organization or a specific set of users.

Obtain a Kerberos ticket:

kinit administrator@NAME.COM

Join the Samba server to the AD domain:

sudo net ads join -U administrator

Restart Samba to apply the changes:

sudo systemctl restart smbd nmbd winbind

Verify Domain Membership:

wbinfo -u
net ads info

Set the appropriate permissions. Here, we'll give read/write access to the domain users. Adjust the permissions as needed for your scenario:

sudo chown -R root:"Domain Users" /srv/samba/shared
#sudo chown root:NAME\domainusers /srv/samba/shared
sudo chmod -R 0770 /srv/samba/shared

Testing File Share Access. From a Windows client in the AD domain, try accessing the shared folder:

\\samba-server-ip\shared

Replace samba-server-ip with the actual IP address of your Samba server. This should work on non-joined Windows clients as well. For the username and password, try the format below.

name.com\administrator
Passw0rd

atlury commented 9 months ago

Will now get transparent squid working with DC1 docker.

killmasta93 commented 9 months ago

Hi @atlury, quick question: is the Samba file server a VM or a Docker container?

atlury commented 9 months ago

It's a separate VM on Debian 12. We can containerize it, though. Haven't had the time.

atlury commented 9 months ago

Btw squid also is working.

killmasta93 commented 9 months ago

Hi @atlury, awesome. Let me know if you are able to containerize it; I've been trying for a while but I can only seem to connect it through a VM.

atlury commented 9 months ago

Do not use Alpine Linux. It will never work, especially when trying to connect or communicate with another Samba AD DC, since glibc is not available. I think there are communication protocols missing. Debian or Ubuntu Docker images will work.

killmasta93 commented 8 months ago

Hi @atlury, so I finally got it working in an LXC container on Proxmox, but I can't seem to wrap my head around how I can deploy it in a Docker container.

I was maybe thinking of something like this, but it's just a theory. The Dockerfile:

# Use Ubuntu 23.10 as the base image (the bare tag "ubuntu:23" does not exist on Docker Hub)
FROM ubuntu:23.10

# Install necessary packages; krb5-user asks debconf questions, so run non-interactively
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y winbind libnss-winbind libpam-winbind libpam-krb5 samba cifs-utils krb5-user && \
    rm -rf /var/lib/apt/lists/*

# Copy Samba and Kerberos configuration files into the container
COPY smb.conf /etc/samba/smb.conf
COPY krb5.conf /etc/krb5.conf
COPY nsswitch.conf /etc/nsswitch.conf
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod 0755 /usr/local/bin/entrypoint.sh

# Create the share directory. Ownership by "Domain Users" cannot be set at
# build time: the group only resolves through winbind after the domain join,
# so the entrypoint does the chown on every start instead.
RUN mkdir -p /srv/samba/shared

# Expose Samba ports
EXPOSE 137/udp 138/udp 139 445

# The entrypoint joins the domain (once), starts winbindd, then smbd
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

The docker compose file:

version: '3.8'

services:
  samba:
    build: .
    container_name: samba-container
    # "net ads join" creates the computer account with the container's hostname,
    # so pin it (example name) instead of letting Docker use the container ID
    hostname: fileserver
    # Kerberos and the join need the AD DNS: point the container's resolver at
    # the DC, for example with a "dns:" entry listing the DC's address
    environment:
      SAMBA_ADMIN_USER: administrator
      SAMBA_ADMIN_PASSWORD: ${SAMBA_ADMIN_PASSWORD}
    volumes:
      - ./smb.conf:/etc/samba/smb.conf
      - ./krb5.conf:/etc/krb5.conf
      - samba-data:/srv/samba/shared
      # keeps secrets.tdb (the machine account) across container recreation,
      # so the entrypoint does not re-join on every start
      - samba-lib:/var/lib/samba
    ports:
      - "137:137/udp"
      - "138:138/udp"
      - "139:139"
      - "445:445"

volumes:
  samba-data:
  samba-lib:

I would use the same smb.conf from the example above, and krb5.conf along with nsswitch.conf,

but would create an entrypoint script:

#!/bin/bash
set -euo pipefail

# Join only once: "net ads testjoin" succeeds if secrets.tdb already holds a machine account
if ! net ads testjoin >/dev/null 2>&1; then
    [ -n "${SAMBA_ADMIN_USER:-}" ] && [ -n "${SAMBA_ADMIN_PASSWORD:-}" ] || { echo "not joined and no admin credentials" >&2; exit 1; }
    # the password shows in the process list while this runs; a secrets file is safer
    net ads join -U "$SAMBA_ADMIN_USER"%"$SAMBA_ADMIN_PASSWORD"
fi

# winbindd must run for "Domain Users" to resolve; the group only exists after the join
winbindd
chown -R root:"Domain Users" /srv/samba/shared
chmod -R 0770 /srv/samba/shared

# Start Samba
exec smbd --foreground --log-stdout

Then I would run this:

export SAMBA_ADMIN_PASSWORD=yourpassword
docker-compose up -d

Still haven't tried it, just a theory. Going to try it this week to see.

atlury commented 8 months ago

Hmmm, you could try it and let me know. It would be good to have everything dockerized.

farzadha2 commented 5 months ago

Hi @atlury, quick question: after running the steps I got it working, but when I try to edit on Windows it does not let me edit the permissions?

atlury commented 5 months ago

It works on Windows, I am able to edit/create new users. Did you log in with administrator? Is it in time sync?

farzadha2 commented 5 months ago

So weird. What I did was move a folder into the shared folder.

atlury commented 5 months ago

For shared folders use another VM or another physical machine. That "other" VM can be connected to this primary AD DC. I will try to dig into why it doesn't work.

farzadha2 commented 5 months ago

@atlury I think I might have found the issue. I got it working on another Ubuntu, but the issue I have is with a Debian with Samba version 4.5.16-Debian; trying to figure out how to update it.

atlury commented 4 months ago

Here is the dump of a working Samba file server:

apt install vim vim-nox
apt install openssh-server
vi /etc/ssh/sshd_config

---------------------------------

root@fileserver:~# more /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

auto ens192
iface ens192 inet static
        # the /24 on the address line already sets the mask; "subnet" is not an ifupdown keyword
        address 10.1.3.93/24
        gateway 10.1.3.1

---------------------------------

root@fileserver:~# more /etc/hosts
127.0.0.1       localhost
#127.0.1.1      fileserver

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.1.3.93       fileserver.mocosoft.com fileserver

---------------------------------

root@fileserver:~# more /etc/hostname
fileserver.mocosoft.com

---------------------------------

root@fileserver:~# more /etc/resolv.conf
search mocosoft.com
nameserver 10.1.3.9
nameserver 10.1.3.10
nameserver 8.8.8.8

chattr +i /etc/resolv.conf
---------------------------------
apt install chrony
apt install chrony ntpdate -y
ntpdate -bu pool.ntp.org
systemctl restart chrony
systemctl enable chrony

---------------------------------
apt purge sssd
apt-get install winbind libnss-winbind libpam-winbind libpam-krb5 samba
apt-get install cifs-utils krb5-user
mv /etc/samba/smb.conf /etc/samba/smb.conf.backup

---------------------------------
root@fileserver:~# more /etc/samba/smb.conf
[global]
    workgroup = MOCOSOFT
    security = ADS
    realm = MOCOSOFT.COM
    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    idmap config * : backend = autorid
    idmap config * : range = 10000-24999999
    template shell = /bin/bash
    template homedir = /home/%U
    client max protocol = SMB3

[shared]
    path = /srv/samba/shared
    public = no
    writable = yes
    guest ok = no
    # Restrict access to members of the ITG group
    # (smb.conf has no inline comments: text after the value would be read as more user names)
    valid users = @ITG
    #valid users = user1,user2,administrator
    #valid users = @HOME\domainusers
    create mask = 0770
    directory mask = 0770
    read only = no
    browseable = yes
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S
   writable = yes
   path = /home/%S

---------------------------------
mkdir -p /srv/samba/shared
chmod -R 0770 /srv/samba/shared

---------------------------------
root@fileserver:~# more /etc/krb5.conf
[libdefaults]
        default_realm = MOCOSOFT.COM

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        rdns = false

        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

---------------------------------
vi /etc/nsswitch.conf

# passwd:         files systemd compat winbind
# group:          files systemd compat winbind 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files systemd
gshadow:        files systemd

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-------------------------------- 
#systemctl restart smbd nmbd winbind
kinit administrator@MOCOSOFT.COM
klist
-------------------------------- 
net ads join -U administrator
systemctl restart smbd nmbd winbind
wbinfo -u
net ads info
--------------------------------- 
reboot
chown -R root:"Domain Users" /srv/samba/shared
systemctl restart smbd nmbd winbind
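
The smb.conf in the member-server write-up earlier in this thread and the one in this dump have the same shape, and the same two things go wrong with that shape in practice: an inline comment after a value (smb.conf only treats a line that starts with # or ; as a comment, so `valid users = @ITG  # ...` makes the words of the comment part of the user list), and an idmap range for the `*` default domain that overlaps the range of the named domain once an `ad` or `rid` backend is added for it. The function below is an added example, not part of this repository or of Samba: a POSIX shell/awk check that flags inline comments, inverted ranges, overlapping ranges and a missing `security = ADS`. The two sample configs are constructed; the "good" one uses the disjoint `*`/domain layout the Samba wiki shows for an AD member with the ad backend.

```sh
#!/bin/sh
# Added example: sanity checks for a member-server smb.conf. Not part of this
# repository or of Samba; the sample configs below are constructed.

# smbconf_lint: read an smb.conf on stdin, print one finding per line and
# return 1 if anything was found, 0 if the file passed every check.
smbconf_lint() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # real comment lines and blanks
        /^[ \t]*\[/ { next }                     # section headers
        {
            line = $0
            eq = index(line, "=")
            if (eq == 0) next
            key = tolower(trim(substr(line, 1, eq - 1)))
            gsub(/[ \t]+/, " ", key)
            val = trim(substr(line, eq + 1))
            # smb.conf does not strip trailing "# ..." or "; ...": it becomes part of the value
            if (index(val, " #") || index(val, " ;")) {
                printf "%d: inline comment becomes part of the value: %s\n", NR, line
                bad = 1
            }
            if (key == "security") sec = tolower(val)
            if (key ~ /^idmap config .* : range$/) {
                dom = key; sub(/^idmap config /, "", dom); sub(/ : range$/, "", dom)
                split(val, r, "-")
                lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
                if (lo[dom] >= hi[dom]) { printf "%d: empty or inverted range for %s\n", NR, dom; bad = 1 }
            }
        }
        END {
            if (sec != "ads") { print "security must be ADS for a domain member"; bad = 1 }
            # every pair of domains must have disjoint ranges, or winbind mappings collide
            for (a in lo) for (b in lo)
                if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) {
                    printf "idmap ranges overlap: %s %d-%d and %s %d-%d\n", a, lo[a], hi[a], b, lo[b], hi[b]
                    bad = 1
                }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: the inline comment from the dump above, plus a "*" range
# that swallows the whole range of the named domain.
BAD_CONF='[global]
    workgroup = MOCOSOFT
    security = ADS
    realm = MOCOSOFT.COM
    idmap config * : backend = tdb
    idmap config * : range = 10000-24999999
    idmap config MOCOSOFT : backend = ad
    idmap config MOCOSOFT : range = 10000-999999

[shared]
    path = /srv/samba/shared
    valid users = @ITG  # Restrict access to members of the ITG group
'

# Constructed sample with the comment on its own line and disjoint ranges.
GOOD_CONF='[global]
    workgroup = MOCOSOFT
    security = ADS
    realm = MOCOSOFT.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MOCOSOFT : backend = ad
    idmap config MOCOSOFT : schema_mode = rfc2307
    idmap config MOCOSOFT : range = 10000-999999

[shared]
    path = /srv/samba/shared
    # Restrict access to members of the ITG group
    valid users = @ITG
'
```

Run it as `smbconf_lint < /etc/samba/smb.conf` before `testparm`; testparm validates syntax but is happy with overlapping ranges and with a comment glued onto `valid users`.
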

farzadha2 commented 4 months ago

Finally got it working. It seems that it only works on Ubuntu with Samba 4.17; on Debian I can't seem to get it working. Thank you so much.