samba-domain's Introduction

Samba Active Directory Domain Controller for Docker

Latest documentation available at: https://nowsci.com/#/samba-domain/?id=samba-active-directory-domain-controller-for-docker

A well documented, tried and tested Samba Active Directory Domain Controller that works with the standard Windows management tools; built from scratch using internal DNS and Kerberos, and not based on existing containers.

Environment variables for quick start

  • DOMAIN defaults to CORP.EXAMPLE.COM and should be set to your domain
  • DOMAINPASS should be set to your administrator password, be it existing or new. This can be removed from the environment after the first setup run.
  • HOSTIP can be set to the IP you want to advertise.
  • JOIN defaults to false and means the container will provision a new domain. Set this to true to join an existing domain.
  • JOINSITE is optional and can be set to a site name when joining a domain, otherwise the default site will be used.
  • DNSFORWARDER is optional; if an IP such as 192.168.0.1 is supplied, all DNS requests Samba can't resolve are forwarded to that DNS server.
  • INSECURELDAP defaults to false. When set to true, it removes the secure LDAP requirement. While this is not recommended for production it is required for some LDAP tools. You can remove it later from the smb.conf file stored in the config directory.
  • MULTISITE defaults to false and tells the container to connect to an OpenVPN site via an ovpn file with no password. For instance, if you have two locations where you run your domain controllers, they need to be able to interact. The VPN allows them to do that.
  • NOCOMPLEXITY defaults to false. When set to true it removes password complexity requirements including complexity, history-length, min-pwd-age, max-pwd-age
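A pre-flight check for these variables, as an added example that is not part of the samba-domain project: it validates the values before the first run and flags the security-relevant switches. The complexity test is an assumption approximating the default policy (7+ characters, 3 of 4 character classes) and not code from the project or from Samba.

```python
"""Pre-flight check for the samba-domain quick-start variables (added example)."""
import ipaddress
import re

# Defaults as listed above; anything not listed is simply optional.
DEFAULTS = {"DOMAIN": "CORP.EXAMPLE.COM", "JOIN": "false", "INSECURELDAP": "false",
            "MULTISITE": "false", "NOCOMPLEXITY": "false"}
BOOL_VARS = ("JOIN", "INSECURELDAP", "MULTISITE", "NOCOMPLEXITY")


def password_is_complex(password: str, min_length: int = 7) -> bool:
    """Assumed approximation of the default AD policy: at least min_length
    characters drawn from at least 3 of the 4 ASCII character classes."""
    if len(password) < min_length:
        return False
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_env(env: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for the given -e variables."""
    merged = {**DEFAULTS, **env}
    errors, warnings = [], []

    domain = merged["DOMAIN"]
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", domain):
        errors.append("DOMAIN must be a dotted name such as CORP.EXAMPLE.COM")
    elif domain != domain.upper():
        warnings.append("DOMAIN is a Kerberos realm and is normally upper-case")

    for name in BOOL_VARS:
        if merged[name].lower() not in ("true", "false"):
            errors.append(f"{name} must be 'true' or 'false'")
    joining = merged["JOIN"].lower() == "true"

    password = merged.get("DOMAINPASS", "")
    if not password:
        errors.append("DOMAINPASS is required for the first run")
    elif not joining and not password_is_complex(password):
        # Flagged even with NOCOMPLEXITY=true: the project's NOCOMPLEXITY issue
        # shows a fresh provision still failing with 'the password does not
        # meet the complexity criteria'.
        errors.append("DOMAINPASS is unlikely to pass the default complexity policy")

    for name in ("HOSTIP", "DNSFORWARDER"):
        if name in merged and not _is_ip(merged[name]):
            errors.append(f"{name} must be an IP address, got {merged[name]!r}")

    if merged.get("JOINSITE") and not joining:
        warnings.append("JOINSITE only applies when JOIN=true")
    if merged["INSECURELDAP"].lower() == "true":
        warnings.append("INSECURELDAP=true drops the secure LDAP requirement; "
                        "remove it from smb.conf once your LDAP tool is set up")
    if merged["NOCOMPLEXITY"].lower() == "true":
        warnings.append("NOCOMPLEXITY=true removes complexity, history and age policies")
    if merged["MULTISITE"].lower() == "true":
        warnings.append("MULTISITE=true needs /docker.ovpn, NET_ADMIN and /dev/net/tun")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: the variables from the first 'docker run' example.
    sample = {"DOMAIN": "CORP.EXAMPLE.COM", "DOMAINPASS": "ThisIsMyAdminPassword^123",
              "DNSFORWARDER": "192.168.3.1", "HOSTIP": "192.168.3.222"}
    for level, messages in check_env(sample).items():
        for message in messages:
            print(f"{level}: {message}")
```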

Volumes for quick start

  • /etc/localtime:/etc/localtime:ro - Sets the timezone to match the host
  • /data/docker/containers/samba/data/:/var/lib/samba - Stores samba data so the container can be moved to another host if required.
  • /data/docker/containers/samba/config/samba:/etc/samba/external - Stores the smb.conf so the container can be moved or updates can be easily made.
  • /data/docker/containers/samba/config/openvpn/docker.ovpn:/docker.ovpn - Optional for connecting to another site via openvpn.
  • /data/docker/containers/samba/config/openvpn/credentials:/credentials - Optional for connecting to another site via openvpn that requires a username/password. The format for this file should be two lines, with the username on the first, and the password on the second. Also, make sure your ovpn file contains auth-user-pass /credentials

Downloading and building

mkdir -p /data/docker/builds
cd /data/docker/builds
git clone https://github.com/Fmstrat/samba-domain.git
cd samba-domain
docker build -t samba-domain .

Or just use the HUB:

docker pull nowsci/samba-domain

Setting things up for the container

To set things up you will first want a new IP on your host machine so that ports don't conflict. A domain controller needs a lot of ports, and will likely conflict with things like dnsmasq. The below commands will do this, and set up some required folders.

ifconfig eno1:1 192.168.3.222 netmask 255.255.255.0 up
mkdir -p /data/docker/containers/samba/data
mkdir -p /data/docker/containers/samba/config/samba

If you plan on using a multi-site VPN, also run:

mkdir -p /data/docker/containers/samba/config/openvpn
cp /path/to/my/ovpn/MYSITE.ovpn /data/docker/containers/samba/config/openvpn/docker.ovpn

Things to keep in mind

  • In some cases on Windows clients, you would join with the domain of CORP, but when entering the computer domain you must enter CORP.EXAMPLE.COM. This seems to be the case with almost any Samba-based DC.
  • Make sure your clients' DNS is using the DC, or that your main DNS is relaying for the domain.
  • Ensure clients are using corp.example.com as the search suffix.
  • If you're using a VPN, pay close attention to routes. You don't want to force all traffic through the VPN

Enabling file sharing

While the Samba team does not recommend using a DC as a file server, it's understandable that some may wish to. Once the container is up and running and your /data/docker/containers/samba/config/samba/smb.conf file is set up after the first run, you can enable shares by shutting down the container, and making the following changes to the smb.conf file.

In the [global] section, add:

        security = user
        passdb backend = ldapsam:ldap://localhost
        ldap suffix = dc=corp,dc=example,dc=com
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Administrator,cn=Users,dc=corp,dc=example,dc=com
        ldap ssl = off
        ldap passwd sync = no
        server string = MYSERVERHOSTNAME
        wins support = yes
        preserve case = yes
        short preserve case = yes
        default case = lower
        case sensitive = auto
        preferred master = yes
        unix extensions = yes
        follow symlinks = yes
        client ntlmv2 auth = yes
        client lanman auth = yes
        mangled names = no

Then add a share to the end based on how you mount the volume:

[storage]
        comment = storage
        path = /storage
        public = no
        read only = no
        writable = yes
        write list = @root NOWSCI\myuser
        force user = root
        force group = root
        guest ok = yes
        valid users = NOWSCI\myuser

Check the samba documentation for how to allow groups/etc.
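An audit of the resulting smb.conf, as an added example that is not part of the samba-domain project: it parses the file, resolves the synonyms the recipe uses (public is a synonym for guest ok, writable is the inverse of read only, and the later line wins), and reports the settings a reviewer would question. SAMPLE_CONF is constructed from the recipe above.

```python
"""Audit an smb.conf for the weak settings used in the file-sharing recipe (added example)."""
import re

# Synonyms the recipe uses: canonical parameter and whether the value is inverted.
SYNONYMS = {"public": ("guestok", False),
            "writable": ("readonly", True), "writeable": ("readonly", True)}
TRUE = {"yes", "true", "1"}


def _canon(name: str) -> str:
    """Samba parameter names are case- and whitespace-insensitive."""
    return re.sub(r"\s+", "", name).lower()


def _is_true(value: str) -> bool:
    return value.strip().lower() in TRUE


def parse_smb_conf(text: str):
    """Return (conf, conflicts).

    conf maps section -> {canonical parameter: effective value}; a later line
    overrides an earlier one, including through a synonym, as Samba's loader
    does. conflicts lists (section, parameter, earlier, later) whenever two
    lines set the same parameter to different values.
    """
    conf, conflicts, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # Samba only ignores lines starting with # or ;
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = _canon(key)
        if key in SYNONYMS:
            key, inverted = SYNONYMS[key]
            if inverted:
                value = "no" if _is_true(value) else "yes"
        earlier = conf[section].get(key)
        if earlier is not None and earlier.lower() != value.lower():
            conflicts.append((section, key, earlier, value))
        conf[section][key] = value
    return conf, conflicts


def audit(conf: dict, conflicts: list) -> list:
    """Findings as (section, message) for the settings the recipe turns on."""
    findings = [(s, f"{k} is set twice ({a!r}, then {b!r}); Samba applies {b!r}")
                for s, k, a, b in conflicts]
    g = conf.get("global", {})
    if g.get("ldapssl", "").lower() == "off":
        findings.append(("global", "ldap ssl = off: the passdb LDAP session is not "
                                   "TLS-protected (only defensible for ldap://localhost)"))
    if _is_true(g.get("clientlanmanauth", "no")):
        findings.append(("global", "client lanman auth = yes: legacy LanMan authentication "
                                   "is allowed when this host connects as a client"))
    for name, share in conf.items():
        if name == "global":
            continue
        if _is_true(share.get("guestok", "no")):
            findings.append((name, "guest ok = yes: the share accepts unauthenticated "
                                   "guest connections"))
        if share.get("forceuser") == "root":
            findings.append((name, "force user = root: every file operation on the "
                                   "share runs as root"))
    return findings


# Constructed from the recipe above (abridged to the lines the audit inspects).
SAMPLE_CONF = r"""
[global]
        security = user
        passdb backend = ldapsam:ldap://localhost
        ldap ssl = off
        client ntlmv2 auth = yes
        client lanman auth = yes

[storage]
        comment = storage
        path = /storage
        public = no
        read only = no
        writable = yes
        write list = @root NOWSCI\myuser
        force user = root
        force group = root
        guest ok = yes
        valid users = NOWSCI\myuser
"""

if __name__ == "__main__":
    for section, message in audit(*parse_smb_conf(SAMPLE_CONF)):
        print(f"[{section}] {message}")
```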

Examples with docker run

Keep in mind, for all examples replace nowsci/samba-domain with samba-domain if you build your own from GitHub.

Start a new domain, and forward non-resolvable queries to the main DNS server

  • Local site is 192.168.3.0
  • Local DC (this one) hostname is EXAMPLEDC using the host IP of 192.168.3.222
  • Local main DNS is running on 192.168.3.1

docker run -t -i \
    -e "DOMAIN=CORP.EXAMPLE.COM" \
    -e "DOMAIN_DC=dc=corp,dc=example,dc=com" \
    -e "DOMAIN_EMAIL=example.com" \
    -e "DOMAINPASS=ThisIsMyAdminPassword^123" \
    -e "DNSFORWARDER=192.168.3.1" \
    -e "HOSTIP=192.168.3.222" \
    -p 192.168.3.222:53:53 \
    -p 192.168.3.222:53:53/udp \
    -p 192.168.3.222:88:88 \
    -p 192.168.3.222:88:88/udp \
    -p 192.168.3.222:123:123 \
    -p 192.168.3.222:123:123/udp \
    -p 192.168.3.222:135:135 \
    -p 192.168.3.222:137-138:137-138/udp \
    -p 192.168.3.222:139:139 \
    -p 192.168.3.222:389:389 \
    -p 192.168.3.222:389:389/udp \
    -p 192.168.3.222:445:445 \
    -p 192.168.3.222:464:464 \
    -p 192.168.3.222:464:464/udp \
    -p 192.168.3.222:636:636 \
    -p 192.168.3.222:3268-3269:3268-3269 \
    -p 192.168.3.222:49152-49172:49152-49172 \
    -v /etc/localtime:/etc/localtime:ro \
    -v /data/docker/containers/samba/data/:/var/lib/samba \
    -v /data/docker/containers/samba/config/samba:/etc/samba/external \
    --dns-search corp.example.com \
    --dns 192.168.3.222 \
    --dns 192.168.3.1 \
    --add-host exampledc.corp.example.com:192.168.3.222 \
    -h exampledc \
    --name samba \
    --privileged \
    nowsci/samba-domain

Join an existing domain, and forward non-resolvable queries to the main DNS server

  • Local site is 192.168.3.0
  • Local DC (this one) hostname is EXAMPLEDC using the host IP of 192.168.3.222
  • Local existing DC is running DNS and has IP of 192.168.3.201
  • Local main DNS is running on 192.168.3.1

docker run -t -i \
    -e "DOMAIN=CORP.EXAMPLE.COM" \
    -e "DOMAIN_DC=dc=corp,dc=example,dc=com" \
    -e "DOMAIN_EMAIL=example.com" \
    -e "DOMAINPASS=ThisIsMyAdminPassword^123" \
    -e "JOIN=true" \
    -e "DNSFORWARDER=192.168.3.1" \
    -e "HOSTIP=192.168.3.222" \
    -p 192.168.3.222:53:53 \
    -p 192.168.3.222:53:53/udp \
    -p 192.168.3.222:88:88 \
    -p 192.168.3.222:88:88/udp \
    -p 192.168.3.222:123:123 \
    -p 192.168.3.222:123:123/udp \
    -p 192.168.3.222:135:135 \
    -p 192.168.3.222:137-138:137-138/udp \
    -p 192.168.3.222:139:139 \
    -p 192.168.3.222:389:389 \
    -p 192.168.3.222:389:389/udp \
    -p 192.168.3.222:445:445 \
    -p 192.168.3.222:464:464 \
    -p 192.168.3.222:464:464/udp \
    -p 192.168.3.222:636:636 \
    -p 192.168.3.222:3268-3269:3268-3269 \
    -p 192.168.3.222:49152-49172:49152-49172 \
    -v /etc/localtime:/etc/localtime:ro \
    -v /data/docker/containers/samba/data/:/var/lib/samba \
    -v /data/docker/containers/samba/config/samba:/etc/samba/external \
    --dns-search corp.example.com \
    --dns 192.168.3.222 \
    --dns 192.168.3.1 \
    --dns 192.168.3.201 \
    --add-host exampledc.corp.example.com:192.168.3.222 \
    -h exampledc \
    --name samba \
    --privileged \
    nowsci/samba-domain

Join an existing domain, forward DNS, remove security features, and connect to a remote site via openvpn

  • Local site is 192.168.3.0
  • Local DC (this one) hostname is EXAMPLEDC using the host IP of 192.168.3.222
  • Local existing DC is running DNS and has IP of 192.168.3.201
  • Local main DNS is running on 192.168.3.1
  • Remote site is 192.168.6.0
  • Remote DC hostname is REMOTEDC with IP of 192.168.6.222 (notice the DNS and host entries)

docker run -t -i \
    -e "DOMAIN=CORP.EXAMPLE.COM" \
    -e "DOMAIN_DC=dc=corp,dc=example,dc=com" \
    -e "DOMAIN_EMAIL=example.com" \
    -e "DOMAINPASS=ThisIsMyAdminPassword^123" \
    -e "JOIN=true" \
    -e "DNSFORWARDER=192.168.3.1" \
    -e "MULTISITE=true" \
    -e "NOCOMPLEXITY=true" \
    -e "INSECURELDAP=true" \
    -e "HOSTIP=192.168.3.222" \
    -p 192.168.3.222:53:53 \
    -p 192.168.3.222:53:53/udp \
    -p 192.168.3.222:88:88 \
    -p 192.168.3.222:88:88/udp \
    -p 192.168.3.222:123:123 \
    -p 192.168.3.222:123:123/udp \
    -p 192.168.3.222:135:135 \
    -p 192.168.3.222:137-138:137-138/udp \
    -p 192.168.3.222:139:139 \
    -p 192.168.3.222:389:389 \
    -p 192.168.3.222:389:389/udp \
    -p 192.168.3.222:445:445 \
    -p 192.168.3.222:464:464 \
    -p 192.168.3.222:464:464/udp \
    -p 192.168.3.222:636:636 \
    -p 192.168.3.222:3268-3269:3268-3269 \
    -p 192.168.3.222:49152-49172:49152-49172 \
    -v /etc/localtime:/etc/localtime:ro \
    -v /data/docker/containers/samba/data/:/var/lib/samba \
    -v /data/docker/containers/samba/config/samba:/etc/samba/external \
    -v /data/docker/containers/samba/config/openvpn/docker.ovpn:/docker.ovpn \
    -v /data/docker/containers/samba/config/openvpn/credentials:/credentials \
    --dns-search corp.example.com \
    --dns 192.168.3.222 \
    --dns 192.168.3.1 \
    --dns 192.168.6.222 \
    --dns 192.168.3.201 \
    --add-host exampledc.corp.example.com:192.168.3.222 \
    --add-host remotedc.corp.example.com:192.168.6.222 \
    --add-host remotedc:192.168.6.222 \
    -h exampledc \
    --name samba \
    --privileged \
    --cap-add=NET_ADMIN \
    --cap-add=SYS_NICE \
    --cap-add=SYS_TIME \
    --device /dev/net/tun \
    nowsci/samba-domain

Examples with docker compose

Keep in mind for all examples DOMAINPASS can be removed after the first run.

Start a new domain, and forward non-resolvable queries to the main DNS server

  • Local site is 192.168.3.0
  • Local DC (this one) hostname is EXAMPLEDC using the host IP of 192.168.3.222
  • Local main DNS is running on 192.168.3.1

version: '2'

services:

# ----------- samba begin ----------- #

  samba:
    image: nowsci/samba-domain
    container_name: samba
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/docker/containers/samba/data/:/var/lib/samba
      - /data/docker/containers/samba/config/samba:/etc/samba/external
    environment:
      - DOMAIN=CORP.EXAMPLE.COM
      - DOMAIN_DC=dc=corp,dc=example,dc=com
      - DOMAIN_EMAIL=example.com
      - DOMAINPASS=ThisIsMyAdminPassword^123
      - DNSFORWARDER=192.168.3.1
      - HOSTIP=192.168.3.222
    ports:
      - 192.168.3.222:53:53
      - 192.168.3.222:53:53/udp
      - 192.168.3.222:88:88
      - 192.168.3.222:88:88/udp
      - 192.168.3.222:123:123
      - 192.168.3.222:123:123/udp
      - 192.168.3.222:135:135
      - 192.168.3.222:137-138:137-138/udp
      - 192.168.3.222:139:139
      - 192.168.3.222:389:389
      - 192.168.3.222:389:389/udp
      - 192.168.3.222:445:445
      - 192.168.3.222:464:464
      - 192.168.3.222:464:464/udp
      - 192.168.3.222:636:636
      - 192.168.3.222:3268-3269:3268-3269
      - 192.168.3.222:49152-49172:49152-49172
    dns_search:
      - corp.example.com
    dns:
      - 192.168.3.222
      - 192.168.3.1
    extra_hosts:
      - exampledc.corp.example.com:192.168.3.222
    hostname: exampledc
    cap_add:
      - NET_ADMIN
      - SYS_NICE
      - SYS_TIME
    devices:
      - /dev/net/tun
    privileged: true
    restart: always

# ----------- samba end ----------- #

Join an existing domain, and forward non-resolvable queries to the main DNS server

  • Local site is 192.168.3.0
  • Local DC (this one) hostname is EXAMPLEDC using the host IP of 192.168.3.222
  • Local existing DC is running DNS and has IP of 192.168.3.201
  • Local main DNS is running on 192.168.3.1

version: '2'

services:

# ----------- samba begin ----------- #

  samba:
    image: nowsci/samba-domain
    container_name: samba
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/docker/containers/samba/data/:/var/lib/samba
      - /data/docker/containers/samba/config/samba:/etc/samba/external
    environment:
      - DOMAIN=CORP.EXAMPLE.COM
      - DOMAIN_DC=dc=corp,dc=example,dc=com
      - DOMAIN_EMAIL=example.com
      - DOMAINPASS=ThisIsMyAdminPassword^123
      - JOIN=true
      - DNSFORWARDER=192.168.3.1
      - HOSTIP=192.168.3.222
    ports:
      - 192.168.3.222:53:53
      - 192.168.3.222:53:53/udp
      - 192.168.3.222:88:88
      - 192.168.3.222:88:88/udp
      - 192.168.3.222:123:123
      - 192.168.3.222:123:123/udp
      - 192.168.3.222:135:135
      - 192.168.3.222:137-138:137-138/udp
      - 192.168.3.222:139:139
      - 192.168.3.222:389:389
      - 192.168.3.222:389:389/udp
      - 192.168.3.222:445:445
      - 192.168.3.222:464:464
      - 192.168.3.222:464:464/udp
      - 192.168.3.222:636:636
      - 192.168.3.222:3268-3269:3268-3269
      - 192.168.3.222:49152-49172:49152-49172
    dns_search:
      - corp.example.com
    dns:
      - 192.168.3.222
      - 192.168.3.1
      - 192.168.3.201
    extra_hosts:
      - exampledc.corp.example.com:192.168.3.222
    hostname: exampledc
    cap_add:
      - NET_ADMIN
      - SYS_NICE
      - SYS_TIME
    devices:
      - /dev/net/tun
    privileged: true
    restart: always

# ----------- samba end ----------- #

Join an existing domain, forward DNS, remove security features, and connect to a remote site via openvpn

  • Local site is 192.168.3.0
  • Local DC (this one) hostname is EXAMPLEDC using the host IP of 192.168.3.222
  • Local existing DC is running DNS and has IP of 192.168.3.201
  • Local main DNS is running on 192.168.3.1
  • Remote site is 192.168.6.0
  • Remote DC hostname is REMOTEDC with IP of 192.168.6.222 (notice the DNS and host entries)

version: '2'

services:

# ----------- samba begin ----------- #

  samba:
    image: nowsci/samba-domain
    container_name: samba
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/docker/containers/samba/data/:/var/lib/samba
      - /data/docker/containers/samba/config/samba:/etc/samba/external
      - /data/docker/containers/samba/config/openvpn/docker.ovpn:/docker.ovpn
      - /data/docker/containers/samba/config/openvpn/credentials:/credentials
    environment:
      - DOMAIN=CORP.EXAMPLE.COM
      - DOMAIN_DC=dc=corp,dc=example,dc=com
      - DOMAIN_EMAIL=example.com
      - DOMAINPASS=ThisIsMyAdminPassword^123
      - JOIN=true
      - DNSFORWARDER=192.168.3.1
      - MULTISITE=true
      - NOCOMPLEXITY=true
      - INSECURELDAP=true
      - HOSTIP=192.168.3.222
    ports:
      - 192.168.3.222:53:53
      - 192.168.3.222:53:53/udp
      - 192.168.3.222:88:88
      - 192.168.3.222:88:88/udp
      - 192.168.3.222:123:123
      - 192.168.3.222:123:123/udp
      - 192.168.3.222:135:135
      - 192.168.3.222:137-138:137-138/udp
      - 192.168.3.222:139:139
      - 192.168.3.222:389:389
      - 192.168.3.222:389:389/udp
      - 192.168.3.222:445:445
      - 192.168.3.222:464:464
      - 192.168.3.222:464:464/udp
      - 192.168.3.222:636:636
      - 192.168.3.222:3268-3269:3268-3269
      - 192.168.3.222:49152-49172:49152-49172
    dns_search:
      - corp.example.com
    dns:
      - 192.168.3.222
      - 192.168.3.1
      - 192.168.6.222
      - 192.168.3.201
    extra_hosts:
      - exampledc.corp.example.com:192.168.3.222
      - remotedc.corp.example.com:192.168.6.222
      - remotedc:192.168.6.222
    hostname: exampledc
    cap_add:
      - NET_ADMIN
      - SYS_NICE
      - SYS_TIME
    devices:
      - /dev/net/tun
    privileged: true
    restart: always

# ----------- samba end ----------- #

Using the domain.sh script

The domain.sh script is a helper tool for managing your Samba4 domain from the CLI. To use it:

$ alias domain='docker exec -ti <container-name> /domain.sh'
$ domain

Usage:
	domain info
	domain ldapinfo
	domain groups
	domain group <group>
	domain users
	domain user <user>
	domain create-group <group>
	domain delete-group <group>
	domain create-user <user>
	domain delete-user <user>
	domain change-password <user>
	domain edit <user or group>
	domain set-user-ssh-key <user> <pubkey>
	domain add-user-to-group <user> <group>
	domain remove-user-from-group <user> <group>
	domain update-ip <domain> <controller> <oldip> <newip>
	domain flush-cache
	domain reload-config
	domain db-check-and-fix

Joining the domain with Ubuntu

For joining the domain with any client, everything should work just as you would expect if the Active Directory server were Windows based. For Ubuntu, there are many guides available for joining, but to make things easier you can find an easily configurable script for joining your domain here: https://raw.githubusercontent.com/Fmstrat/samba-domain/master/ubuntu-join-domain.sh

Troubleshooting

The most common issue when running multi-site is seeing the DNS replication error below when checking replication with docker exec samba samba-tool drs showrepl:

CN=Schema,CN=Configuration,DC=corp,DC=example,DC=local
        Default-First-Site-Name\REMOTEDC via RPC
                DSA object GUID: faf297a8-6cd3-4162-b204-1945e4ed5569
                Last attempt @ Thu Jun 29 10:49:45 2017 EDT failed, result 2 (WERR_BADFILE)
                4 consecutive failure(s).
                Last success @ NTTIME(0)

This has nothing to do with docker, but does happen in samba setups. The key is to put the GUID host entry into the start script for docker, and restart the container. For instance, if you saw the above error, add this to your docker command:

--add-host faf297a8-6cd3-4162-b204-1945e4ed5569._msdcs.corp.example.com:192.168.6.222 \

Where 192.168.6.222 is the IP of REMOTEDC. You could also do this in extra_hosts in docker-compose.
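The same step done from the showrepl output itself, as an added example that is not part of the samba-domain project: it parses each partner block (partition DN, Site\DC via RPC, DSA object GUID, last attempt) and, for every partner whose last attempt failed, emits the GUID._msdcs.<domain>:<ip> entry for docker run or compose, using a hostname-to-IP map you supply. SAMPLE_SHOWREPL is constructed from the error above plus a healthy partition for contrast; the local DSA GUIDs in its header are placeholders.

```python
"""Derive --add-host entries from 'samba-tool drs showrepl' output (added example)."""
import re

PARTNER_RE = re.compile(r"^\s+(?P<site>[^\\]+)\\(?P<dc>\S+) via (?P<transport>\S+)$")
GUID_RE = re.compile(r"DSA object GUID:\s*(?P<guid>[0-9a-fA-F-]{36})")
ATTEMPT_RE = re.compile(r"Last attempt @ (?P<when>.+?) (?P<status>was successful|failed)"
                        r"(?:, result (?P<code>\d+) \((?P<err>\w+)\))?")
FAILURES_RE = re.compile(r"(?P<n>\d+) consecutive failure")


def parse_showrepl(text: str) -> list:
    """Return one dict per (partition, partner) block in the output."""
    entries, partition, current = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented lines are partition DNs or section headers; either
            # way they end the current partner block.
            partition = line.strip() if line.startswith(("CN=", "DC=")) else None
            current = None
            continue
        m = PARTNER_RE.match(line)
        if m and partition:
            current = {"partition": partition, "site": m["site"], "dc": m["dc"],
                       "transport": m["transport"], "guid": None, "status": None,
                       "error": None, "failures": 0}
            entries.append(current)
            continue
        if current is None:
            continue
        if (m := GUID_RE.search(line)):
            current["guid"] = m["guid"].lower()
        elif (m := ATTEMPT_RE.search(line)):
            current["status"] = "ok" if m["status"] == "was successful" else "failed"
            current["error"] = m["err"]
        elif (m := FAILURES_RE.search(line)):
            current["failures"] = int(m["n"])
    return entries


def domain_from_dn(dn: str) -> str:
    """'CN=Schema,...,DC=corp,DC=example,DC=local' -> 'corp.example.local'."""
    return ".".join(p.strip()[3:] for p in dn.split(",") if p.strip().upper().startswith("DC="))


def failing_partner_hosts(entries: list, dc_ips: dict, domain: str) -> list:
    """GUID._msdcs.<domain>:<ip> for each distinct partner whose last attempt failed."""
    hosts, seen = [], set()
    for e in entries:
        if e["status"] != "failed" or not e["guid"] or e["guid"] in seen:
            continue
        ip = dc_ips.get(e["dc"].upper())
        if ip is None:
            raise KeyError(f"no IP known for replication partner {e['dc']}")
        seen.add(e["guid"])
        hosts.append(f"{e['guid']}._msdcs.{domain}:{ip}")
    return hosts


def add_host_flags(hosts: list) -> str:
    """docker run fragment: one --add-host per line, continued with backslashes."""
    return "\n".join(f"--add-host {h} \\" for h in hosts)


def extra_hosts_yaml(hosts: list) -> str:
    """docker compose extra_hosts fragment for the same entries."""
    return "    extra_hosts:\n" + "\n".join(f"      - {h}" for h in hosts)


# Constructed sample: the failing Schema partition from above and a healthy one.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\EXAMPLEDC
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000001
DSA invocationId: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=corp,DC=example,DC=local
\tDefault-First-Site-Name\\REMOTEDC via RPC
\t\tDSA object GUID: faf297a8-6cd3-4162-b204-1945e4ed5569
\t\tLast attempt @ Thu Jun 29 10:49:45 2017 EDT failed, result 2 (WERR_BADFILE)
\t\t4 consecutive failure(s).
\t\tLast success @ NTTIME(0)

DC=corp,DC=example,DC=local
\tDefault-First-Site-Name\\REMOTEDC via RPC
\t\tDSA object GUID: faf297a8-6cd3-4162-b204-1945e4ed5569
\t\tLast attempt @ Thu Jun 29 10:52:01 2017 EDT was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Thu Jun 29 10:52:01 2017 EDT
"""

if __name__ == "__main__":
    entries = parse_showrepl(SAMPLE_SHOWREPL)
    # The sample DN says corp.example.local while the fix above uses
    # corp.example.com; pass the domain your DCs actually serve.
    hosts = failing_partner_hosts(entries, {"REMOTEDC": "192.168.6.222"}, "corp.example.com")
    print(add_host_flags(hosts))
    print(extra_hosts_yaml(hosts))
```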

samba-domain's People

Contributors

firemonk3y, fmstrat, infeeeee, jkellerer, mattymo, skuizy, zegalpl

samba-domain's Issues

NOCOMPLEXITY not working

Hi,
I'm just trying this container and I am struggling with NOCOMPLEXITY. In the startup I've tried setting -e "NOCOMPLEXITY=true" \ but each time the container exits. The logs show:

Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - 0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 442, in run
nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 2172, in provision
skip_sysvolacl=skip_sysvolacl)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1795, in provision_fill
next_rid=next_rid, dc_rid=dc_rid)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1453, in fill_samdb
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
File "/usr/lib/python2.7/dist-packages/samba/provision/common.py", line 55, in setup_add_ldif
ldb.add_ldif(data, controls)
File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 225, in add_ldif
self.add(msg, controls)

I've had a look at your init.sh script and I'm wondering if the domain provisioning should happen after the complexity check but I'm too new to this to be able to check it out. Or have I set the flag incorrectly?

TIA,
Nick

Unable to create files on samba share from linux AD client

Hi,
I am enjoying your samba AD container and figuring out stuff as I go. One thing is giving me a headache though and I can't get a handle on the problem.

What I have so far is this samba AD container running on my ubuntu server (22.04). I can join clients (one win11 professional client, and a couple of linux clients).

The default generated "sysvol" share can be accessed from all clients. From windows, I can read/write/create. But from the linux AD clients, I can only view the share, but writing/creating is not possible (permission denied).

I mount the share through fstab as follows:

//192.168.1.100/sysvol                  /media/sysvol                   cifs  credentials=/home/[email protected]/creds/ad.credentials,vers=2.0 0  0

When I ls -l in the share, all files belong to root

[email protected]@bas-hp:~$ ls -l /media/sysvol/
total 0
drwxr-xr-x 2 root root 0 apr  6 20:49 sb.lan

But even when I sudo the file creation I keep getting permission denied.

I am kind of stuck, tried so many different possible solutions from the internet but nothing gives. Would you recognize this problem and can give me some pointers how to solve it?

I assume the problems are all linux client side related, since I have no issues at all from the windows client.

Any help is greatly appreciated!

Windows clients not registering in DNS

I have 2 systems, Windows 2019 server and Windows 10, that I was able to successfully join to the AD domain with no issues. Everything appears to be working properly, group policies, DNS resolution, etc. I can manage the DNS server via Windows DNS, but when I try an ipconfig /registerdns, I get a failure in the event log. I also noticed they weren't added when they were joined to the domain. They are static IPs, with just the samba DC as DNS, domain and register in DNS is checked. Is this supported? Just want to make sure before I spend hours trying to sift through logs, etc.

Fail to start after host machine reboot

I was able to run the container and join a new Win10 into the domain.
The container works even if I stop and start it again.
However, when I reboot the docker host machine, samba keeps exiting with an error.

/usr/lib/python2.7/dist-packages/supervisor/options.py:297: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
  'Supervisord is running as root and it is searching '
2019-10-07 16:10:42,355 CRIT Supervisor running as root (no user in config file)
2019-10-07 16:10:42,356 WARN Included extra file "/etc/supervisor/conf.d/supervisord.conf" during parsing
Unlinking stale socket /var/run/supervisor.sock
2019-10-07 16:10:42,666 INFO RPC interface 'supervisor' initialized
2019-10-07 16:10:42,667 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2019-10-07 16:10:42,667 INFO supervisord started with pid 7
2019-10-07 16:10:43,669 INFO spawned: 'samba' with pid 10
2019-10-07 16:10:43,696 INFO exited: samba (terminated by SIGABRT; not expected)
2019-10-07 16:10:44,699 INFO spawned: 'samba' with pid 11
2019-10-07 16:10:44,723 INFO exited: samba (terminated by SIGABRT; not expected)
2019-10-07 16:10:46,729 INFO spawned: 'samba' with pid 12
2019-10-07 16:10:46,753 INFO exited: samba (terminated by SIGABRT; not expected)
2019-10-07 16:10:49,761 INFO spawned: 'samba' with pid 13
2019-10-07 16:10:49,784 INFO exited: samba (terminated by SIGABRT; not expected)
2019-10-07 16:10:50,788 INFO gave up: samba entered FATAL state, too many start retries too quickly

Bug: Supervisord Error and Warning

Summary

An error (CRIT) and warning (UserWarning) occur and the following message is output.

==> /var/log/supervisor/supervisor.log <==
  self.warnings.warn(
2024-04-03 21:42:44,820 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
2024-04-03 21:42:44,820 INFO Included extra file "/etc/supervisor/conf.d/supervisord.conf" during parsing
2024-04-03 21:42:44,822 INFO RPC interface 'supervisor' initialized
2024-04-03 21:42:44,822 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2024-04-03 21:42:44,822 INFO supervisord started with pid 17
2024-04-03 21:42:45,825 INFO spawned: 'ntpd' with pid 19
2024-04-03 21:42:45,826 INFO spawned: 'samba' with pid 20
2024-04-03 21:42:47,113 INFO success: ntpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-04-03 21:42:47,113 INFO success: samba entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

and

==> /var/log/supervisor/supervisor.log <==
/usr/lib/python3/dist-packages/supervisor/options.py:473: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
  self.warnings.warn(
2024-04-03 22:00:47,771 INFO Included extra file "/etc/supervisor/conf.d/supervisord.conf" during parsing
2024-04-03 22:00:47,771 INFO Set uid to user 0 succeeded
2024-04-03 22:00:47,775 INFO RPC interface 'supervisor' initialized
2024-04-03 22:00:47,775 INFO supervisord started with pid 16
2024-04-03 22:00:48,777 INFO spawned: 'ntpd' with pid 18
2024-04-03 22:00:48,778 INFO spawned: 'samba' with pid 19
2024-04-03 22:00:50,645 INFO success: ntpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-04-03 22:00:50,645 INFO success: samba entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

Steps to reproduce

$ mkdir -p /data/docker/containers/samba/data /data/docker/containers/samba/config/samba
$ docker pull nowsci/samba-domain
$ docker run -t -i \
    -e "DOMAIN=CORP.EXAMPLE.COM" \
    -e "DOMAIN_DC=dc=corp,dc=example,dc=com" \
    -e "DOMAIN_EMAIL=example.com" \
    -e "DOMAINPASS=ThisIsMyAdminPassword^123" \
    -e "DNSFORWARDER=192.168.0.15" \
    -e "HOSTIP=192.168.0.127" \
    -p 192.168.0.127:53:53 \
    -p 192.168.0.127:53:53/udp \
    -p 192.168.0.127:88:88 \
    -p 192.168.0.127:88:88/udp \
    -p 192.168.0.127:123:123 \
    -p 192.168.0.127:123:123/udp \
    -p 192.168.0.127:135:135 \
    -p 192.168.0.127:137-138:137-138/udp \
    -p 192.168.0.127:139:139 \
    -p 192.168.0.127:389:389 \
    -p 192.168.0.127:389:389/udp \
    -p 192.168.0.127:445:445 \
    -p 192.168.0.127:464:464 \
    -p 192.168.0.127:464:464/udp \
    -p 192.168.0.127:636:636 \
    -p 192.168.0.127:1024-1044:1024-1044 \
    -p 192.168.0.127:3268-3269:3268-3269 \
    -v /etc/localtime:/etc/localtime:ro \
    -v /data/docker/containers/samba/data/:/var/lib/samba \
    -v /data/docker/containers/samba/config/samba:/etc/samba/external \
    --dns-search corp.example.com \
    --dns 192.168.0.127 \
    --dns 192.168.0.15 \
    --add-host exampledc.corp.example.com:192.168.0.127 \
    -h exampledc \
    --name samba \
    --privileged \
    nowsci/samba-domain

Expected behavior

2024-04-03 22:06:21,285 INFO Set uid to user 0 succeeded
2024-04-03 22:06:21,287 INFO supervisord started with pid 17
2024-04-03 22:06:22,290 INFO spawned: 'ntpd' with pid 19
2024-04-03 22:06:22,291 INFO spawned: 'samba' with pid 20
2024-04-03 22:06:23,540 INFO success: ntpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-04-03 22:06:23,540 INFO success: samba entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

DNSFORWARDER issue

  1. I started this image with docker with DNSFORWARDER=10.193.10.1,
  2. set /etc/resolv.conf content with nameserver 10.193.10.204 (docker host ip) on another client,
  3. but I cannot ping www.bing.com
    error:
    [root@localhost god]# ping www.bing.com
    ping: www.bing.com: Name or service not known
  4. Checking using nslookup:
    [root@localhost god]# nslookup www.bing.com 10.193.10.1
    Server: 10.193.10.1
    Address: 10.193.10.1#53

Non-authoritative answer:
www.bing.com canonical name = a-0001.a-afdentry.net.trafficmanager.net.
a-0001.a-afdentry.net.trafficmanager.net canonical name = cn.cn-0001.cn-msedge.net.
cn.cn-0001.cn-msedge.net canonical name = cn-0001.cn-msedge.net.
Name: cn-0001.cn-msedge.net
Address: 202.89.233.100
Name: cn-0001.cn-msedge.net
Address: 202.89.233.101

It seems it is not working with DNSFORWARDER=10.193.10.1. What can I do?

Any specific reason why "extnet" is present in the docker-compose examples but not in normal docker examples?

This is more a question than an issue.

The general docker examples do not add the container to a dedicated external network.
But the docker-compose examples feature an "extnet". I figured that the container also works properly without that additional bridge. Is this just for the sake of "what can be done" or is it actually required? I rather think it's the first one.

Feature
I would rather drop that option entirely to reduce confusion or at least mark it as optional via a comment in the docker-compose file.

Beginners question - getting started

Hi,
If this is completely the wrong place to ask questions, I would greatly appreciate if you could tell me which forum best to use.

In my home situation we have a bunch of laptops and desktops connected to a LAN. Most are running ubuntu, some are running dual boot (windows/ubuntu).

I am trying for some time to make a bunch of things simpler by adding a domain controller, and experiment with some user profiles. Mostly for self education, but in the end it would be nice if I actually achieved something :).

So I am trying to wrap my head around containerizing samba / domain controller. After some attempts, I have a docker-compose yml that brings up a container hosting your docker container.

My setup at home:

  • a router from our ISP which serves as DHCP server and DNS to get online.
  • all IP addresses are DHCP (192.168.1.x) where the router is on 192.168.1.1
  • 3 laptops, 2 PCs, a NAS, and one server (192.168.1.100).

For testing purposes, I am bringing the container up on my laptop (ubuntu 23.10, ip 192.168.1.113), which I gave an additional IP as suggested in the documentation (192.168.3.222).

Now I am trying to discover the domain controller, using this command:
sudo realm -v discover dev.null.com

bp@bas-hp:samba (master) % sudo realm -v discover dev.null.com

  • Resolving: _ldap._tcp.dev.null.com
  • Resolving: dev.null.com
  • Performing LDAP DSE lookup on: 185.199.110.153
  • Performing LDAP DSE lookup on: 185.199.111.153
  • Performing LDAP DSE lookup on: 185.199.109.153
    ! Can't contact LDAP server
    ! Can't contact LDAP server
    ! Can't contact LDAP server
  • Performing LDAP DSE lookup on: 185.199.108.153
  • Performing LDAP DSE lookup on: 2606:50c0:8003::153
  • Performing LDAP DSE lookup on: 2606:50c0:8001::153
  • Performing LDAP DSE lookup on: 2606:50c0:8002::153
  • Performing LDAP DSE lookup on: 2606:50c0:8000::153
    ! Can't contact LDAP server
    ! Can't contact LDAP server
    ! Can't contact LDAP server
    ! Can't contact LDAP server
    ! Can't contact LDAP server
    realm: No such realm found: dev.null.com

When I change the hostname to the extra IP address, it does find the domain controller.

bp@bas-hp:samba (master) % sudo realm -v discover 192.168.3.222

  • Performing LDAP DSE lookup on: 192.168.3.222
  • Successfully discovered: dev.null.com
    dev.null.com
    type: kerberos
    realm-name: DEV.NULL.COM
    domain-name: dev.null.com
    configured: no
    server-software: active-directory
    client-software: sssd
    required-package: sssd-tools
    required-package: sssd
    required-package: libnss-sss
    required-package: libpam-sss
    required-package: adcli
    required-package: samba-common-bin

The docker-compose.yml I am using:

version: '3.8'

services:

# ----------- samba begin ----------- #

  samba:
    image: nowsci/samba-domain
    container_name: samba
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/docker/containers/samba/data/:/var/lib/samba
      - /data/docker/containers/samba/config/samba:/etc/samba/external
    environment:
      - DOMAIN=DEV.NULL.COM
      - DOMAINPASS=supersecurepassword
      - JOIN=false
      - HOSTIP=192.168.3.222
    network_mode: host
    ports:
      - 192.168.3.222:53:53
      - 192.168.3.222:53:53/udp
      - 192.168.3.222:88:88
      - 192.168.3.222:88:88/udp
      - 192.168.3.222:135:135
      - 192.168.3.222:137-138:137-138/udp
      - 192.168.3.222:139:139
      - 192.168.3.222:389:389
      - 192.168.3.222:389:389/udp
      - 192.168.3.222:445:445
      - 192.168.3.222:464:464
      - 192.168.3.222:464:464/udp
      - 192.168.3.222:636:636
      - 192.168.3.222:1024-1044:1024-1044
      - 192.168.3.222:3268-3269:3268-3269
    dns_search:
      - dev.null.com
    dns:
      - 192.168.3.222
      - 192.168.3.1
      - 192.168.6.222
      - 192.168.3.201
    extra_hosts:
      - dc.dev.null.com:192.168.3.222
    hostname: dc
    cap_add:
      - NET_ADMIN
      - SYS_NICE
      - SYS_RESOURCE
      - SYS_TIME
    devices:
      - /dev/net/tun
    privileged: true
    restart: always

I have many questions, but the first one would be: should it be possible to discover the domain controller by name? Or do I need another DNS server that knows the name "dev.null.com"?

I don't have my own DNS server (and I was hoping I don't need one, and that I can simply rely on this samba docker container). So how should I best configure this docker-compose.yml?

Some pointers and general information would be greatly appreciated. Again, if this is completely the wrong place for this kind of (beginner) question, my apologies!

Stopped working after update to latest image version

Hi, I might need some help.
I updated the docker image to the latest version yesterday and everything stopped working, both shares and domain controller.
I'll paste the log, hope that someone can help me.

samba          | ==> /var/log/supervisor/ntpd-stdout---supervisor-c9hrx55p.log <==
samba          | 13 May 08:08:26 ntpd[13]: switching logging to file /var/log/ntp
samba          | 13 May 08:08:26 ntpd[13]: Listen and drop on 0 v6wildcard [::]:123
samba          | 13 May 08:08:26 ntpd[13]: Listen and drop on 1 v4wildcard 0.0.0.0:123
samba          | 13 May 08:08:26 ntpd[13]: Listen normally on 2 lo 127.0.0.1:123
samba          | 13 May 08:08:26 ntpd[13]: Listen normally on 3 eth0 172.18.0.3:123
samba          | 13 May 08:08:26 ntpd[13]: Listening on routing socket on fd #20 for interface updates
samba          | 13 May 08:08:26 ntpd[13]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
samba          | 13 May 08:08:26 ntpd[13]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
samba          |
samba          | ==> /var/log/supervisor/samba-stderr---supervisor-yfa9c7md.log <==
samba          | /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
samba          | /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 297, in check_dns_name
samba          | /usr/sbin/samba_dnsupdate:     ans = check_one_dns_name(normalised_name, d.type, d)
samba          | /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 274, in check_one_dns_name
samba          | /usr/sbin/samba_dnsupdate:     return resolver.resolve(name, name_type)
samba          | /usr/sbin/samba_dnsupdate:   File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1176, in resolve
samba          | /usr/sbin/samba_dnsupdate:     timeout = self._compute_timeout(start, lifetime)
samba          | /usr/sbin/samba_dnsupdate:   File "/usr/lib/python3/dist-packages/dns/resolver.py", line 997, in _compute_timeout
samba          | /usr/sbin/samba_dnsupdate:     raise Timeout(timeout=duration)
samba          | /usr/sbin/samba_dnsupdate: dns.exception.Timeout: The DNS operation timed out after 17.00490975379944 seconds
samba          | /usr/sbin/samba_dnsupdate:
samba          | /usr/sbin/samba_dnsupdate: During handling of the above exception, another exception occurred:
samba          | /usr/sbin/samba_dnsupdate:
samba          | /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
samba          | /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 842, in <module>
samba          | /usr/sbin/samba_dnsupdate:     elif not check_dns_name(d):
samba          | /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 299, in check_dns_name
samba          | /usr/sbin/samba_dnsupdate:     raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
samba          | /usr/sbin/samba_dnsupdate: Exception: Timeout while waiting to contact a working DNS server while looking for A srv.mydomain.lan 172.18.0.3 as srv.mydomain.lan.
samba          | dnsupdate_nameupdate_done: Failed DNS update with exit code 1

I don't know where the problem came from and I don't know how to fix it. I hope someone can help me.
Thanks, Totten98

DNS forwarder failure

Hi. I would like to use DNS forwarder, but so far no success. I would greatly appreciate it if you would help.

Here is my hypothetical environment.

external DNS server: 123.123.123.123
proxy server: 123.123.124.111:666
my ip: 123.123.125.125
FQDN: myserver.department.corp.com

Since I need to use the proxy server, I modified the Dockerfile as follows. Basically, it accepts the proxy settings as --build-arg. Note that before CMD /init.sh setup, my docker image can access the internet.

# Dockerfile
FROM ubuntu:xenial
MAINTAINER Fmstrat <[email protected]>

# this Dockerfile is saved in ./samba-domain/

# suppress warnings
ENV DEBIAN_FRONTEND noninteractive
ENV DEBCONF_NOWARNINGS=yes
# Proxy settings, supplied with --build-arg (empty means "no proxy")
ARG http_proxy=""
ARG https_proxy=""
ARG ftp_proxy=""
ARG no_proxy=""

# Write an apt proxy entry only for the proxies that were supplied.
# apt's option names use a double colon (Acquire::http::Proxy), and each
# line must be a quoted URL terminated by a semicolon.
RUN touch /etc/apt/apt.conf.d/01proxy                                                                                         && \
    if [ -n "${http_proxy}" ];  then printf 'Acquire::http::Proxy "%s";\n'  "${http_proxy}"  >> /etc/apt/apt.conf.d/01proxy; fi && \
    if [ -n "${https_proxy}" ]; then printf 'Acquire::https::Proxy "%s";\n' "${https_proxy}" >> /etc/apt/apt.conf.d/01proxy; fi && \
    if [ -n "${ftp_proxy}" ];   then printf 'Acquire::ftp::Proxy "%s";\n'   "${ftp_proxy}"   >> /etc/apt/apt.conf.d/01proxy; fi
# ARG values are present in the environment of every RUN step of this build,
# so apt-get and other tools already see http_proxy/https_proxy/no_proxy;
# an "export" inside a RUN step would not carry over to later steps anyway.

RUN echo ${http_proxy}

RUN apt-get update && apt-get upgrade -y

# add proxy stuff

# Install all apps
# The third line is for multi-site config (ping is for testing later)
RUN apt-get install -y pkg-config
RUN apt-get install -y attr acl samba smbclient ldap-utils winbind libnss-winbind libpam-winbind krb5-user krb5-kdc supervisor
RUN apt-get install -y openvpn inetutils-ping

RUN apt install -y vim
RUN apt install -y net-tools

# Set up script and run
ADD init.sh /init.sh
RUN chmod 755 /init.sh
CMD /init.sh setup

Then, I wrote the docker-compose.yml and .env based on your README file.

# .env
myip=123.123.125.125
HTTP_PROXY=123.123.124.111:666
mydns=123.123.123.123
NO_PROXY=127.0.0.1,localhost,${myip},department.corp.com
password=iAmV#rysT0r@ngP$ssw0rd
# docker-compose.yml
version: '3'

networks:
  extnet:

services:

# ----------- samba begin ----------- #
  samba-ad:
    build: ./samba-domain/
    container_name: samba-ad
    networks:
      - extnet
    dns:
      - ${myip}
      - ${mydns}
    environment:
        - HTTP_PROXY=${HTTP_PROXY}
        - http_proxy=${HTTP_PROXY}
        - HTTPS_PROXY=${HTTP_PROXY}
        - https_proxy=${HTTP_PROXY}
        - NO_PROXY=${NO_PROXY}
        - no_proxy=${NO_PROXY}
        - DOMAIN=MYAD.LOCAL
        - DOMAINPASS=${password}
        - JOIN=false
        - DNSFORWARDER=${mydns}
        - HOSTIP=${myip}
    ports:
     - ${myip}:53:53
     - ${myip}:53:53/udp
     - ${myip}:88:88
     - ${myip}:88:88/udp
     - ${myip}:135:135
     - ${myip}:137-138:137-138/udp
     - ${myip}:139:139
     - ${myip}:389:389
     - ${myip}:389:389/udp
     - ${myip}:445:445
     - ${myip}:464:464
     - ${myip}:464:464/udp
     - ${myip}:636:636
     - ${myip}:1024-1044:1024-1044
     - ${myip}:3268-3269:3268-3269
    dns_search:
      - myad.local
    volumes:
        - ./data/:/var/lib/samba
        - ./config/samba:/etc/samba/external
    hostname: dc
    extra_hosts:
        - dc.myad.local:${myip}
    cap_add:
        - NET_ADMIN
    devices:
        - /dev/net/tun
    privileged: true
    restart: always
# ----------- samba end ----------- #

Then, I ran docker-compose up without any error. From Windows 10, I was able to join the domain, but DNS forwarding did not work.
Inside the docker container, I tried to apt update but it also failed. Hence, I checked the following.

cat /etc/resolv.conf
search myad.local
nameserver 127.0.0.11
options ndots:0
cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
123.123.125.125   dc.myad.local
192.168.224.2   dc # <= this is weird.
cat /etc/samba/smb.conf
# Global parameters
[global]
        dns forwarder = 123.123.123.123
        idmap_ldb:use rfc2307 = yes
                        wins support = yes
                        template shell = /bin/bash
                        winbind nss info = rfc2307
                        idmap config MYAD: range = 10000-20000
                        idmap config MYAD: backend = ad
        workgroup = MYAD
        realm = MYAD.LOCAL
        netbios name = DC
        server role = active directory domain controller
        dns forwarder = 127.0.0.11 # <- this should not be here?
        idmap_ldb:use rfc2307 = yes #<- duplicate

[netlogon]
        path = /var/lib/samba/sysvol/myad.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
root@dc:/# host localhost
;; connection timed out; no servers could be reached
root@dc:/# host myad.local
;; connection timed out; no servers could be reached
root@dc:/# host www.google.com
;; connection timed out; no servers could be reached

So, I modified resolv.conf so that at least myad.local can be resolved.

cat /etc/resolv.conf
search myad.local
nameserver 127.0.0.11:53
options ndots:0
root@dc:/# host myad.local
myad.local has address 123.123.125.125

It would be nice if I can use DNS forwarding. I would greatly appreciate any help. Thanks.
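The smb.conf dumped above carries two "dns forwarder" lines and two "idmap_ldb:use rfc2307" lines in [global]; Samba keeps the last value it reads for a parameter, so the appended "dns forwarder = 127.0.0.11" silently replaces the intended 123.123.123.123. The following shell helper is an added example, not part of this issue or of the project: it lints an smb.conf for parameters repeated within one section. SAMPLE_SMB_CONF is a constructed copy of the [global] section quoted in the issue, embedded so the helper runs offline.

```shell
#!/bin/sh
# Added example (not the project's code): report parameters that occur more
# than once inside the same smb.conf section. Samba applies the last
# occurrence, so a duplicate later in the file overrides the earlier value.

# Constructed sample, modelled on the smb.conf quoted in the issue.
SAMPLE_SMB_CONF='# Global parameters
[global]
        dns forwarder = 123.123.123.123
        idmap_ldb:use rfc2307 = yes
                        wins support = yes
                        template shell = /bin/bash
                        winbind nss info = rfc2307
                        idmap config MYAD: range = 10000-20000
                        idmap config MYAD: backend = ad
        workgroup = MYAD
        realm = MYAD.LOCAL
        netbios name = DC
        server role = active directory domain controller
        dns forwarder = 127.0.0.11 # <- this should not be here?
        idmap_ldb:use rfc2307 = yes #<- duplicate

[netlogon]
        path = /var/lib/samba/sysvol/myad.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No'

# smb_conf_duplicates  (reads an smb.conf on stdin)
# Prints one line "section<TAB>parameter<TAB>count" per parameter that is set
# more than once in a section, sorted; prints nothing for a clean file.
# Parameter names are compared case-insensitively after trimming blanks.
# Trailing "#" / ";" comments are tolerated (Samba itself only treats whole
# lines starting with # or ; as comments).
smb_conf_duplicates() {
    awk '
        { sub(/[ \t]*[#;].*$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
        /^$/ { next }
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        /=/ {
            key = $0
            sub(/[ \t]*=.*$/, "", key)           # keep only the parameter name
            key = tolower(key)
            count[section "\t" key]++
        }
        END {
            for (k in count)
                if (count[k] > 1) print k "\t" count[k]
        }
    ' | sort
}

# Returns 0 when the file on stdin has no duplicated parameters, 1 otherwise.
smb_conf_is_clean() {
    [ -z "$(smb_conf_duplicates)" ]
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE_SMB_CONF" | smb_conf_duplicates
```

To check the live file inside the container run `smb_conf_duplicates < /etc/samba/smb.conf`; an empty result means every parameter is set once per section. `smb_conf_is_clean` gives the same information as an exit status for use in a start-up script.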

External smb.conf will not be copied to /etc/samba/smb.conf on restart

When changes are made on the external smb.conf (/etc/samba/external/smb.conf), the changes will not be copied over to /etc/samba/smb.conf, when you restart the container. In fact, this should be done or is expected (and probably was intended to work like this).

The culprit lies in init.sh: When the container starts, "init.sh setup" is called - not only on the first build but on every startup. "setup" checks if /etc/supervisor/conf.d/supervisord.conf is present and if so, does nothing but start the container regularly without copying over the external smb.conf (if present).

One way to fix it would be to copy the external smb file to /etc/samba in that situation too or rather use a symlink to the external smb.conf file instead.

docker-compose

query,
In the docker compose, should the ports not be exposed?
When running the docker compose everything is generated correctly but the ports are apparently not available; possibly it is a mistake of mine, but I am not understanding what is missing.
Doing the build with docker worked perfectly on the first attempt.
regards
Charles

ERROR(runtime): uncaught exception - DsAddEntry failed

version: '2'
networks:
  extnet:
    external: true
services:
  samba:
    build: ./
    container_name: samba
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /root/test/storage:/storage
      - /root/test/config:/etc/samba/external
    environment:
      - DOMAIN=B**A.LOCAL
      - DOMAINPASS=********
      - JOIN=true
      - DNSFORWARDER=192.168.0.32
      - HOSTIP=192.168.0.187
    networks:
      - extnet
    ports:
      - 192.168.0.187:53:53
      - 192.168.0.187:53:53/udp
      - 192.168.0.187:88:88
      - 192.168.0.187:88:88/udp
      - 192.168.0.187:135:135
      - 192.168.0.187:137-138:137-138/udp
      - 192.168.0.187:139:139
      - 192.168.0.187:389:389
      - 192.168.0.187:389:389/udp
      - 192.168.0.187:445:445
      - 192.168.0.187:464:464
      - 192.168.0.187:464:464/udp
      - 192.168.0.187:636:636
      - 192.168.0.187:1024-1044:1024-1044
      - 192.168.0.187:3268-3269:3268-3269
    dns_search:
      - B**A.LOCAL
    dns:
      - 192.168.0.187
      - 192.168.0.32
    extra_hosts:
      - localdc.b**a.local:192.168.0.187
      - b**a.local:192.168.0.32
    hostname: localdc
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    privileged: true
    restart: always


I'm using another user instead of administrator

Your filesystem or build does not support posix ACLs

Running on FreeNAS via Ubuntu VM

Storage is mounted from FreeNAS to Ubuntu via NFSv4
9 other containers are running smoothly

version: "3"

networks:
  extnet:
    external: true

services:
  samba:
    image: nowsci/samba-domain
    container_name: localdc
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /mnt/docker-configs/samba/data:/var/lib/samba
      - /mnt/docker-configs/samba/config/samba:/etc/samba/external
    environment:
      - DOMAIN=ad.domain.com
      - DOMAINPASS=supersecretsqurel
      - DNSFORWARDER=172.16.0.1
      - HOSTIP=172.16.0.5
    networks:
      - extnet
    ports:
      - 172.16.0.5:53:53
      - 172.16.0.5:53:53/udp
      - 172.16.0.5:88:88
      - 172.16.0.5:88:88/udp
      - 172.16.0.5:135:135
      - 172.16.0.5:137-138:137-138/udp
      - 172.16.0.5:139:139
      - 172.16.0.5:389:389
      - 172.16.0.5:389:389/udp
      - 172.16.0.5:445:445
      - 172.16.0.5:464:464
      - 172.16.0.5:464:464/udp
      - 172.16.0.5:636:636
      - 172.16.0.5:1024-1044:1024-1044
      - 172.16.0.5:3268-3269:3268-3269
    dns_search:
      - ad.domain.com
    dns:
      - 172.16.0.5
      - 172.16.0.1
    extra_hosts:
      - localdc.ad.domain.com:172.16.0.5
    hostname: localdc
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    privileged: true
    restart: always
2020-04-05T22:54:27.482384289Z Looking up IPv6 addresses,
2020-04-05T22:58:08.192924735Z not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.,
2020-04-05T22:58:08.189109151Z You are not root or your system do not support xattr, using tdb backend for attributes. ,
2020-04-05T22:58:04.793532801Z     raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  ",
2020-04-05T22:54:27.482595740Z No IPv6 address will be assigned,
2020-04-05T22:54:27.858521695Z Setting up secrets.ldb,
2020-04-05T22:54:28.825475811Z Setting up the registry,
2020-04-05T22:54:30.495215801Z Setting up the privileges database,
2020-04-05T22:54:32.299744946Z Setting up idmap db,
2020-04-05T22:54:33.367522967Z Setting up SAM db,
2020-04-05T22:54:35.011906880Z Adding DomainDN: DC=ad,DC=scriptdoggy,DC=com,
2020-04-05T22:54:33.797877666Z Pre-loading the Samba 4 and AD schema,
2020-04-05T22:54:33.666377744Z Setting up sam.ldb partitions and settings,
2020-04-05T22:54:33.748136571Z Setting up sam.ldb rootDSE,
2020-04-05T22:54:35.621078722Z Adding configuration container,
2020-04-05T22:54:36.122883246Z Setting up sam.ldb schema,
2020-04-05T22:55:31.455888316Z Setting up sam.ldb configuration data,
2020-04-05T22:55:37.055392749Z Setting up display specifiers,
2020-04-05T22:56:14.052069535Z Modifying display specifiers,
2020-04-05T22:56:14.061273500Z Adding users container,
2020-04-05T22:56:14.082011478Z Modifying users container,
2020-04-05T22:56:14.104634382Z Adding computers container,
2020-04-05T22:56:14.134665358Z Modifying computers container,
2020-04-05T22:56:14.151476144Z Setting up sam.ldb data,
2020-04-05T22:56:18.574161924Z Setting up well known security principals,
2020-04-05T22:56:19.701122122Z Setting up sam.ldb users and groups,
2020-04-05T22:56:20.946305498Z Setting up self join,
2020-04-05T22:57:02.344858206Z load_usershare_service: stat of /var/lib/samba/usershares failed. No such file or directory,
2020-04-05T22:58:04.790231079Z ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.,
2020-04-05T22:58:04.790296706Z   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 442, in run,
2020-04-05T22:58:04.792381481Z     nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode),
2020-04-05T22:58:04.792409172Z   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 2172, in provision,
2020-04-05T22:58:04.793482359Z     skip_sysvolacl=skip_sysvolacl),
2020-04-05T22:58:04.793503140Z   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1806, in provision_fill,
2020-04-05T22:58:04.793513429Z     names.domaindn, lp, use_ntvfs),
2020-04-05T22:58:04.793522968Z   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1558, in setsysvolacl

DNS entries are not being automatically created on clients join

Hi,

First, I must say that this docker image is very robust, really, thanks for sharing it.
I'm having a problem in which dns entries are not being automatically created when windows clients join the domain.

I've run my container to serve as PDC for a new domain.

I've build the image and created the container with the following commands:

mkdir -p /data/docker/builds
cd /data/docker/builds
git clone https://github.com/Fmstrat/samba-domain.git
cd samba-domain
docker build -t samba-domain .

docker run -t -i \
    -e "DOMAIN=CORP.LOCAL" \
    -e "DOMAINPASS=P@ssw0rd" \
    -e "DNSFORWARDER=8.8.8.8" \
    -e "HOSTIP=192.168.1.3" \
    -p 192.168.1.3:53:53 \
    -p 192.168.1.3:53:53/udp \
    -p 192.168.1.3:88:88 \
    -p 192.168.1.3:88:88/udp \
    -p 192.168.1.3:135:135 \
    -p 192.168.1.3:137-138:137-138/udp \
    -p 192.168.1.3:139:139 \
    -p 192.168.1.3:389:389 \
    -p 192.168.1.3:389:389/udp \
    -p 192.168.1.3:445:445 \
    -p 192.168.1.3:464:464 \
    -p 192.168.1.3:464:464/udp \
    -p 192.168.1.3:636:636 \
    -p 192.168.1.3:1024-1044:1024-1044 \
    -p 192.168.1.3:3268-3269:3268-3269 \
    -v /etc/localtime:/etc/localtime:ro \
    -v /docker/samba/var/lib/samba:/var/lib/samba \
    -v /docker/samba/etc/samba/external:/etc/samba/external \
    --dns-search corp.local \
    --dns 192.168.1.3 \
    --add-host samba-dc.corp.local:192.168.1.3 \
    -h samba-dc \
    --name samba-dc \
    --privileged \
    samba-domain

Is it expected to happen?

is this project still alive?

Hi guys,

I just started exploring setting up a new AD as 100% docker containers.
This container is the one with the most downloads on dockerhub.

When I launched a test container I realized that the ENV for the NETBIOS name is missing, so I looked at this repo.
A lot of the issues are valid and should be fixed/merged if working correctly.

I know that maintaining an open project is time consuming and I only need to know if contributing (or trying to) will make a difference or if there is a fork that has merged some/most of these issues.

Appreciate any input from @Fmstrat or anyone else.

Error in init.sh

case "$1" in
    start)
        if [[ -f /etc/samba/external/smb.conf ]]; then
            cp /etc/samba/external/smb.conf /etc/samba/smb.conf
            appStart
        else
            echo "Config file is missing."
        fi
        ;;

cp should be set to cp -f so it will always overwrite what is in the local container. Otherwise the admin will edit the smb.conf file outside of Docker (which they should be doing) and then restart the container and the change never gets activated.
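Both this report and the earlier "External smb.conf will not be copied to /etc/samba/smb.conf on restart" issue come down to the same start-up step: the external file has to be installed on every start, not only on first provisioning. The shell helper below is an added example, not the project's init.sh: it copies the file unconditionally, verifies the copy, and refuses to replace a working config with one that fails a `testparm` syntax check (the check is skipped where testparm is not installed). The paths are parameters, so it can be exercised against a scratch directory; `appStart` is the function name used in the quoted init.sh and is stubbed here so the example runs on its own.

```shell
#!/bin/sh
# Added example (not the project's init.sh): install the externally maintained
# smb.conf on every container start, so edits made on the host volume take
# effect after a restart instead of only on first provisioning.

# install_smb_conf EXTERNAL TARGET
# Copies EXTERNAL over TARGET (cp -f, so a pre-existing TARGET is always
# replaced) and verifies the result byte for byte.
# Returns 0 on success, 2 when EXTERNAL does not exist (nothing to install),
# 3 when EXTERNAL fails testparm, 1 when the copy did not land.
install_smb_conf() {
    external=$1
    target=$2
    if [ ! -f "$external" ]; then
        echo "Config file is missing: $external" >&2
        return 2
    fi
    # Do not replace a working config with one Samba would reject at start.
    # testparm ships with the samba package; it is skipped where absent
    # (for instance when exercising this helper outside the image).
    if command -v testparm >/dev/null 2>&1; then
        if ! testparm -s "$external" >/dev/null 2>&1; then
            echo "External smb.conf failed testparm, keeping $target" >&2
            return 3
        fi
    fi
    cp -f "$external" "$target" || return 1
    cmp -s "$external" "$target" || return 1
    return 0
}

# Stand-in for the project's appStart (the real one launches supervisord).
appStart() {
    echo "appStart: would launch supervisord here"
}

# start_samba EXTERNAL TARGET
# The "start)" branch quoted in the issue, reworked so the install step
# runs on every start and a failure is reported instead of ignored.
start_samba() {
    install_smb_conf "$1" "$2" || return $?
    appStart
}
```

In the container the call would be `start_samba /etc/samba/external/smb.conf /etc/samba/smb.conf`. The byte-for-byte `cmp` after the copy is what makes the "edit outside Docker, restart, change never activates" symptom visible: if the target still differs, the start is aborted with a non-zero status rather than starting Samba on stale configuration.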

Help: docker samba service client

Do you all have a docker of a samba service that would auth using this?

I have a working version of this repo that creates a samba DC, but I'm curious how I would have a docker that could host just samba with a share that would auth against my samba domain.

Feel free to close this if my question is too broad. I just figured I'd ask in case you all had a working example or link to one.

arm support

Can you create an image for arm CPUs? I was able to make the image work on the Raspberry Pi by only modifying the line to "FROM arm32v7/ubuntu:xenial" in the Dockerfile, without making any change to your init script.

Log files not created

Hi, I have problem with creating the log files. Here is my configuration.

log file = /var/log/samba.log
log level = 10 auth:5 winbind:5
debug level = 10
syslog = 10

Any help appreciated.

Add ntp server support

Hi,
as windows clients try to get their time from the domain controller and the samba container has no ntp server running, clients won't receive the correct time. So I have to set it manually.
It would be very nice if you could add an ntp server.

[Question] Where to place domain.sh?

I'm confused on where to place domain.sh file. Presently it resides in the same directory as docker-compose.yml file and when I try to run alias domain='docker exec -ti samba /domain.sh' (followed with domain info command) it throws:

OCI runtime exec failed: exec failed: unable to start container process: exec: "/domain.sh": stat /domain.sh: no such file or directory: unknown

Any help would be greatly appreciated.

DNS sockets exhausting system

Using either this image or @burnbabyburn's image (as mentioned in #36), as soon as the container receives a DNS query, it opens enough listening sockets to overwhelm the system, resulting in any more giving the error message below:

$ dig @192.168.1.250 google.com a
dig: isc_socket_bind: address in use

They all look like this:

$ sudo netstat -nvuap|wc -l
28241
$ sudo netstat -nvuap|head -n 10
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 172.17.0.1:38860        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 172.17.0.1:47052        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 172.17.0.1:55244        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 172.17.0.1:38861        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 172.17.0.1:47053        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 172.17.0.1:55245        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 172.17.0.1:55246        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 172.17.0.1:38862        172.17.0.2:53           ESTABLISHED 90721/docker-proxy

In the above, 172.17.0.1 is the bridge address (docker0 on the host), 172.17.0.2 is the address of the container.

The server is set up using the command taken from the documentation:

docker volume create samba-data
docker volume create samba-config
docker run -t -i \
    -e "DOMAIN=OFFICE.COMPANY.COM" \
    -e "DOMAINPASS=Password1" \
    -e "DNSFORWARDER=192.168.1.1" \
    -e "HOSTIP=192.168.1.250" \
    -p 192.168.1.250:53:53 \
    -p 192.168.1.250:53:53/udp \
    -p 192.168.1.250:88:88 \
    -p 192.168.1.250:88:88/udp \
    -p 192.168.1.250:135:135 \
    -p 192.168.1.250:137-138:137-138/udp \
    -p 192.168.1.250:139:139 \
    -p 192.168.1.250:389:389 \
    -p 192.168.1.250:389:389/udp \
    -p 192.168.1.250:445:445 \
    -p 192.168.1.250:464:464 \
    -p 192.168.1.250:464:464/udp \
    -p 192.168.1.250:636:636 \
    -p 192.168.1.250:1024-1044:1024-1044 \
    -p 192.168.1.250:3268-3269:3268-3269 \
    -v /etc/localtime:/etc/localtime:ro \
    -v samba-data:/var/lib/samba \
    -v samba-config:/etc/samba/external \
    --dns-search office.company.com \
    --dns 192.168.1.250 \
    --dns 192.168.1.1 \
    --add-host localdc.office.company.com:192.168.1.250 \
    -h localdc \
    --name samba-bbb \
    --privileged \
    --restart unless-stopped \
    samba-domain

Has anyone seen this, or have any idea how to resolve it?
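A way to watch for this failure mode before the host runs out of ports: count the UDP sockets open toward the container's DNS listener and alert above a threshold. The shell helper below is an added example and not part of this issue or of the project; SAMPLE_NETSTAT is a constructed excerpt in the `netstat -nvuap` layout quoted above (docker-proxy lines plus two unrelated sockets), embedded so the functions run offline.

```shell
#!/bin/sh
# Added example (not the project's code): detect runaway UDP socket growth
# toward one DNS endpoint from netstat output, and report which process
# holds the sockets.

# Constructed sample in the "netstat -nvuap" layout quoted in the issue.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 172.17.0.1:38860        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 172.17.0.1:47052        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 172.17.0.1:55244        172.17.0.2:53           ESTABLISHED 90721/docker-proxy
udp        0      0 0.0.0.0:68              0.0.0.0:*                           611/dhclient
udp        0      0 172.17.0.1:60001        192.168.1.1:123         ESTABLISHED 402/ntpd'

# count_dns_sockets FOREIGN   (netstat output on stdin)
# Prints how many UDP sockets have FOREIGN (addr:port) as their foreign address.
# Fields are split on whitespace, so the optional State column does not
# shift the Foreign Address column ($5).
count_dns_sockets() {
    awk -v target="$1" '$1 == "udp" && $5 == target { n++ } END { print n + 0 }'
}

# top_dns_talkers FOREIGN   (netstat output on stdin)
# Prints "count PID/Program" for each process holding such sockets, busiest first.
top_dns_talkers() {
    awk -v target="$1" '$1 == "udp" && $5 == target { byproc[$NF]++ }
                         END { for (p in byproc) print byproc[p], p }' | sort -rn
}

# check_dns_sockets FOREIGN THRESHOLD   (netstat output on stdin)
# Returns 0 while the count is below THRESHOLD, 1 (with a message on stderr)
# once it reaches it. Each UDP socket pins an ephemeral port, so the
# threshold should sit well under the ephemeral range of the host.
check_dns_sockets() {
    count=$(count_dns_sockets "$1")
    if [ "$count" -ge "$2" ]; then
        echo "ALERT: $count UDP sockets open toward $1 (threshold $2)" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | top_dns_talkers 172.17.0.2:53
```

Against a live host the input would come from `sudo netstat -nuap | check_dns_sockets 172.17.0.2:53 1000`, with the container address and a threshold chosen for the host; the same pipe into `top_dns_talkers` shows whether the sockets belong to docker-proxy, as in the report, or to the resolver inside the container. `ss -uanp` prints a different column layout, so the field numbers in the awk scripts would need adjusting for it.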

License

Hello,

This looks like a useful project for me (I'm trying to setup a local AD server for testing purposes), but I'm not sure if I am permitted to use it. Would you be kind enough to add a License file please? GitHub guidelines suggest no license means nobody can use it.

Thank you,
Mike

add ENV 'URDOMAIN' to set diverging NETBIOS domain name

I would like to suggest adding the ENV

 environment:
      - DOMAINNETBIOS=CORP

This would set URDOMAIN and otherwise default back to the current schema of {UDOMAIN%%.*}

Example:
Real world example for our network:
Our main domain is abc-company.com and I want the domain to be ad.abc-company.com but with a NETBIOS name of abc.

With the current container init this is not possible to achieve.
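The rule described above, carried through in shell as an added example (not the project's init.sh): an explicit NetBIOS override wins, otherwise the name falls back to the first label of the domain, which is what the `${DOMAIN%%.*}` expansion yields today. The example also validates the result against the NetBIOS limits (1 to 15 characters, none of `\ / : * ? " < > |` or spaces) before it is handed to `samba-tool domain provision`, whose `--realm` and `--domain` options are the ones the name ends up in. The variable name DOMAINNETBIOS is taken from the suggestion; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the project's code): derive and validate the NetBIOS
# domain name from DOMAIN, with an optional DOMAINNETBIOS-style override.

# validate_netbios NAME
# Returns 0 when NAME satisfies the NetBIOS naming limits, 1 otherwise:
# 1-15 characters, none of \ / : * ? " < > | and no spaces.
validate_netbios() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 15 ] || return 1
    if printf '%s' "$name" | grep -q '[\\/:*?"<>| ]'; then
        return 1
    fi
    return 0
}

# netbios_name DOMAIN [OVERRIDE]
# Prints the upper-cased NetBIOS name: OVERRIDE when non-empty, otherwise the
# first DNS label of DOMAIN (the container's current ${DOMAIN%%.*} rule).
# Returns 1 and prints nothing when the result is not a valid NetBIOS name.
netbios_name() {
    domain=$1
    override=${2:-}
    if [ -n "$override" ]; then
        name=$override
    else
        name=${domain%%.*}
    fi
    name=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
    validate_netbios "$name" || return 1
    printf '%s\n' "$name"
}

# provision_args DOMAIN [OVERRIDE]
# Prints the realm and NetBIOS options for "samba-tool domain provision";
# fails (status 1) if the NetBIOS name does not validate, so a bad value
# cannot reach the provisioning step.
provision_args() {
    nb=$(netbios_name "$1" "${2:-}") || return 1
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf -- '--realm=%s --domain=%s\n' "$realm" "$nb"
}

# Stand-alone demo: the case from the suggestion.
provision_args ad.abc-company.com ABC
```

With `DOMAIN=ad.abc-company.com` and no override the name comes out as `AD`, which is the behaviour the suggestion describes as the current default; setting the override to `abc` yields `ABC` and `--domain=ABC`.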

default password

Good day.

Was given DOMAINPASSWORD

And how is it possible to be authorized?

cannot build 'develop' branch

In its current state I cannot build the develop branch.

Can we "go back" on the develop branch and use tested PRs to merge working changes?

I just tested going to ubuntu:focal which works great on master

Several errors when running as instructed

I am running the container according to the docker run example.

docker run -t -i \
    -e "DOMAIN=LAB.LOCAL" \
    -e "DOMAIN_DC=dc=lab,dc=local" \
    -e "DOMAIN_EMAIL=lab.local" \
    -e "DOMAINPASS=*********" \
    -e "DNSFORWARDER=1.1.1.1" \
    -e "HOSTIP=172.16.0.2" \
    -p 172.16.0.2:53:53 \
    -p 172.16.0.2:53:53/udp \
    -p 172.16.0.2:88:88 \
    -p 172.16.0.2:88:88/udp \
    -p 172.16.0.2:123:123 \
    -p 172.16.0.2:123:123/udp \
    -p 172.16.0.2:135:135 \
    -p 172.16.0.2:137-138:137-138/udp \
    -p 172.16.0.2:139:139 \
    -p 172.16.0.2:389:389 \
    -p 172.16.0.2:389:389/udp \
    -p 172.16.0.2:445:445 \
    -p 172.16.0.2:464:464 \
    -p 172.16.0.2:464:464/udp \
    -p 172.16.0.2:636:636 \
    -p 172.16.0.2:3268-3269:3268-3269 \
    -p 172.16.0.2:49152-49172:49152-49172 \
    -v /etc/localtime:/etc/localtime:ro \
    -v /data/docker/containers/samba/data/:/var/lib/samba \
    -v /data/docker/containers/samba/config/samba:/etc/samba/external \
    --dns-search lab.local \
    --dns 172.16.0.2 \
    --dns 1.1.1.1 \
    --add-host fakedc.lab.local:172.16.0.2 \
    -h fakedc \
    --name samba4 \
    --privileged \
    nowsci/samba-domain

These are my runtime logs:

Waiting for log files...
==> /var/log/supervisor/ntpd-stderr---supervisor-rrcof1w9.log <==
MS-SNTP signd operations currently block ntpd degrading service to all clients.
restrict default: KOD does nothing without LIMITED.

==> /var/log/supervisor/ntpd-stdout---supervisor-31xyofmh.log <==
13 May 15:04:03 ntpd[13]: ntp-4 is maintained by Network Time Foundation,
13 May 15:04:03 ntpd[13]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
13 May 15:04:03 ntpd[13]: corporation.  Support and training for ntp-4 are
13 May 15:04:03 ntpd[13]: available at https://www.nwtime.org/support
13 May 15:04:03 ntpd[13]: ----------------------------------------------------
13 May 15:04:03 ntpd[13]: proto: precision = 0.103 usec (-23)
13 May 15:04:03 ntpd[13]: basedate set to 2022-02-04
13 May 15:04:03 ntpd[13]: gps base set to 2022-02-06 (week 2196)
13 May 15:04:03 ntpd[13]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
13 May 15:04:03 ntpd[13]: restrict default: KOD does nothing without LIMITED.

==> /var/log/supervisor/samba-stderr---supervisor-jozcmxrl.log <==
samba version 4.15.13-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
binary_smbd_main: samba: using 'prefork' process model
dnsupdate_nameupdate_done: Failed DNS update with exit code 5

==> /var/log/supervisor/samba-stdout---supervisor-alfg08b8.log <==

==> /var/log/supervisor/supervisor.log <==
  self.warnings.warn(
2024-05-13 15:04:01,990 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
2024-05-13 15:04:01,991 INFO Included extra file "/etc/supervisor/conf.d/supervisord.conf" during parsing
2024-05-13 15:04:01,994 INFO RPC interface 'supervisor' initialized
2024-05-13 15:04:01,995 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2024-05-13 15:04:01,995 INFO supervisord started with pid 10
2024-05-13 15:04:03,001 INFO spawned: 'ntpd' with pid 13
2024-05-13 15:04:03,004 INFO spawned: 'samba' with pid 14
2024-05-13 15:04:04,311 INFO success: ntpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-05-13 15:04:04,312 INFO success: samba entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

==> /var/log/supervisor/supervisord.log <==
2024-05-13 15:04:01,990 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
2024-05-13 15:04:01,991 INFO Included extra file "/etc/supervisor/conf.d/supervisord.conf" during parsing
2024-05-13 15:04:01,994 INFO RPC interface 'supervisor' initialized
2024-05-13 15:04:01,995 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2024-05-13 15:04:01,995 INFO supervisord started with pid 10
2024-05-13 15:04:03,001 INFO spawned: 'ntpd' with pid 13
2024-05-13 15:04:03,004 INFO spawned: 'samba' with pid 14
2024-05-13 15:04:04,311 INFO success: ntpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-05-13 15:04:04,312 INFO success: samba entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

==> /var/log/supervisor/ntpd-stderr---supervisor-rrcof1w9.log <==
13 May 15:04:13 ntpd[13]: restrict: ignoring line 13, address/host '1.pool.ntp.org' unusable.
13 May 15:04:13 ntpd[13]: restrict: ignoring line 14, address/host '2.pool.ntp.org' unusable.

==> /var/log/supervisor/ntpd-stdout---supervisor-31xyofmh.log <==
13 May 15:04:13 ntpd[13]: switching logging to file /var/log/ntp
13 May 15:04:13 ntpd[13]: Listen and drop on 0 v6wildcard [::]:123
13 May 15:04:13 ntpd[13]: Listen and drop on 1 v4wildcard 0.0.0.0:123
13 May 15:04:13 ntpd[13]: Listen normally on 2 lo 127.0.0.1:123
13 May 15:04:13 ntpd[13]: Listen normally on 3 eth0 172.17.0.2:123
13 May 15:04:13 ntpd[13]: Listening on routing socket on fd #20 for interface updates
13 May 15:04:13 ntpd[13]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
13 May 15:04:13 ntpd[13]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
13 May 15:10:05 ntpd[13]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized

However, trying to run domain.sh info results in:

failed to call wbcDomainInfo: WBC_ERR_DOMAIN_NOT_FOUND
Could not get domain info

Running domain.sh ldapinfo, with valid credentials results in:

SASL/NTLM authentication started
Please enter your authentication name: administrator
Please enter your password: 
ldap_sasl_interactive_bind: Invalid credentials (49)
        additional info: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1

Any suggestions on how to make this functional?

Thank you!

Restarts forever

Tried to build a minimal setup (privileged: true seems to be necessary, and for restart: always see below; I am on Ubuntu 16.04, Docker version 17.05.0-ce, build 89658be):

ad:
  build: ad
  networks:
    - mpw_network
  ports:
    - "389:389"
  environment:
    - DOMAIN=CORP.ACME.GLOBAL
    - DOMAINPASS=password
    - NOCOMPLEXITY=true
  privileged: true
  restart: always

And tested my connection with ApacheDS. I am able to reach the server every once in a while (I am not able to log in though), but most of the time the server is not reachable. dockerd -D shows some kind of infinite loop:

DEBU[0326] ReleaseAddress(LocalDefault/172.18.0.0/16, 172.18.0.3) 
DEBU[0386] container mounted via layerStore: /var/lib/docker/aufs/mnt/0f1e24d27cefe06cdd3969b19f502eeeacb5872637704c8543eda10d1ab8a90e 
DEBU[0386] Assigning addresses for endpoint systemtestenvironment_ad_1's interface on network systemtestenvironment_mpw_network 
DEBU[0386] RequestAddress(LocalDefault/172.18.0.0/16, <nil>, map[]) 
DEBU[0386] Assigning addresses for endpoint systemtestenvironment_ad_1's interface on network systemtestenvironment_mpw_network 
DEBU[0386] (94384d4).addSvcRecords(systemtestenvironment_ad_1, 172.18.0.3, <nil>, true) 
DEBU[0386] (94384d4).addSvcRecords(ad, 172.18.0.3, <nil>, false) 
DEBU[0386] (94384d4).addSvcRecords(de6f22dfb7c1, 172.18.0.3, <nil>, false) 
INFO[0386] No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4] 
INFO[0386] IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844] 
DEBU[0386] (94384d4).addSvcRecords(systemtestenvironment_ad_1, 172.18.0.3, <nil>, true) 
DEBU[0386] (94384d4).addSvcRecords(ad, 172.18.0.3, <nil>, false) 
DEBU[0386] (94384d4).addSvcRecords(de6f22dfb7c1, 172.18.0.3, <nil>, false) 
DEBU[0386] Programming external connectivity on endpoint systemtestenvironment_ad_1 (a16644b3bdd32df90c56e65d3148c7aa2b64dbbf4fc50ba7bd9b218b44afebe7) 
DEBU[0386] /sbin/iptables, [--wait -t nat -C DOCKER -p tcp -d 0/0 --dport 389 -j DNAT --to-destination 172.18.0.3:389 ! -i br-94384d47a91a] 
DEBU[0386] /sbin/iptables, [--wait -t nat -A DOCKER -p tcp -d 0/0 --dport 389 -j DNAT --to-destination 172.18.0.3:389 ! -i br-94384d47a91a] 
DEBU[0386] /sbin/iptables, [--wait -t filter -C DOCKER ! -i br-94384d47a91a -o br-94384d47a91a -p tcp -d 172.18.0.3 --dport 389 -j ACCEPT] 
DEBU[0386] /sbin/iptables, [--wait -t filter -A DOCKER ! -i br-94384d47a91a -o br-94384d47a91a -p tcp -d 172.18.0.3 --dport 389 -j ACCEPT] 
DEBU[0386] /sbin/iptables, [--wait -t nat -C POSTROUTING -p tcp -s 172.18.0.3 -d 172.18.0.3 --dport 389 -j MASQUERADE] 
DEBU[0386] /sbin/iptables, [--wait -t nat -A POSTROUTING -p tcp -s 172.18.0.3 -d 172.18.0.3 --dport 389 -j MASQUERADE] 
DEBU[0386] sandbox set key processing took 117.729811ms for container de6f22dfb7c16370eafa4b2af81ccd2e77f239bd89c33f179c3094241299307b 
DEBU[0386] libcontainerd: received containerd event: &types.Event{Type:"start-container", Id:"de6f22dfb7c16370eafa4b2af81ccd2e77f239bd89c33f179c3094241299307b", Status:0x0, Pid:"", Timestamp:(*timestamp.Timestamp)(0xc421018040)} 
DEBU[0386] libcontainerd: event unhandled: type:"start-container" id:"de6f22dfb7c16370eafa4b2af81ccd2e77f239bd89c33f179c3094241299307b" timestamp:<seconds:1561357970 nanos:213637838 >  
DEBU[0389] containerd: process exited                    id=de6f22dfb7c16370eafa4b2af81ccd2e77f239bd89c33f179c3094241299307b pid=init status=255 systemPid=12657
DEBU[0389] libcontainerd: received containerd event: &types.Event{Type:"exit", Id:"de6f22dfb7c16370eafa4b2af81ccd2e77f239bd89c33f179c3094241299307b", Status:0xff, Pid:"init", Timestamp:(*timestamp.Timestamp)(0xc421253160)} 
DEBU[0389] Revoking external connectivity on endpoint systemtestenvironment_ad_1 (a16644b3bdd32df90c56e65d3148c7aa2b64dbbf4fc50ba7bd9b218b44afebe7) 
DEBU[0389] /sbin/iptables, [--wait -t nat -C DOCKER -p tcp -d 0/0 --dport 389 -j DNAT --to-destination 172.18.0.3:389 ! -i br-94384d47a91a] 
DEBU[0389] /sbin/iptables, [--wait -t nat -D DOCKER -p tcp -d 0/0 --dport 389 -j DNAT --to-destination 172.18.0.3:389 ! -i br-94384d47a91a] 
DEBU[0389] /sbin/iptables, [--wait -t filter -C DOCKER ! -i br-94384d47a91a -o br-94384d47a91a -p tcp -d 172.18.0.3 --dport 389 -j ACCEPT] 
DEBU[0389] /sbin/iptables, [--wait -t filter -D DOCKER ! -i br-94384d47a91a -o br-94384d47a91a -p tcp -d 172.18.0.3 --dport 389 -j ACCEPT] 
DEBU[0389] /sbin/iptables, [--wait -t nat -C POSTROUTING -p tcp -s 172.18.0.3 -d 172.18.0.3 --dport 389 -j MASQUERADE] 
DEBU[0389] /sbin/iptables, [--wait -t nat -D POSTROUTING -p tcp -s 172.18.0.3 -d 172.18.0.3 --dport 389 -j MASQUERADE] 
DEBU[0389] DeleteConntrackEntries purged ipv4:0, ipv6:0 
DEBU[0389] (94384d4).deleteSvcRecords(systemtestenvironment_ad_1, 172.18.0.3, <nil>, true) 
DEBU[0389] (94384d4).deleteSvcRecords(ad, 172.18.0.3, <nil>, false) 
DEBU[0389] (94384d4).deleteSvcRecords(de6f22dfb7c1, 172.18.0.3, <nil>, false) 
DEBU[0389] Releasing addresses for endpoint systemtestenvironment_ad_1's interface on network systemtestenvironment_mpw_network 
DEBU[0389] ReleaseAddress(LocalDefault/172.18.0.0/16, 172.18.0.3) 
...

Maybe there's some interference with my network, as IP addresses like 172.18.0.3 look suspiciously familiar, but what do I do to prevent that? Or is this some internal problem, see event unhandled: type:"start-container"? Or something completely different? Any hint appreciated.

Cannot connect using ldapsearch

I have it running using docker-compose up. It says it is running successfully on the IP address and external network I set up as per the instructions.

Yet when I try to connect, it won't.

ldapsearch -x -b "dc=corp,dc=com" -H ldap://192.168.1.102 -D "cn=admin,dc=corp,dc=com" -W

It returns

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

What am I doing wrong?

The docker-compose file is as per the example with a couple of tweaks of ip addresses such that

samba:
    image: nowsci/samba-domain
    container_name: samba
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/docker/containers/samba/data/:/var/lib/samba
      - /data/docker/containers/samba/config/samba:/etc/samba/external
    environment:
      - DOMAIN=CORP.EXAMPLE.COM
      - DOMAINPASS=ThisIsMyAdminPassword!
      - DNSFORWARDER=192.168.1.1
      - HOSTIP=192.168.1.102
    networks:
      - extnet
    ports:
      - 192.168.1.102:53:53
      - 192.168.1.102:53:53/udp
      - 192.168.1.102:88:88
      - 192.168.1.102:88:88/udp
      - 192.168.1.102:135:135
      - 192.168.1.102:137-138:137-138/udp
      - 192.168.1.102:139:139
      - 192.168.1.102:389:389
      - 192.168.1.102:389:389/udp
      - 192.168.1.102:445:445
      - 192.168.1.102:464:464
      - 192.168.1.102:464:464/udp
      - 192.168.1.102:636:636
      - 192.168.1.102:1024-1044:1024-1044
      - 192.168.1.102:3268-3269:3268-3269
    dns_search:
      - corp.example.com
    dns:
      - 192.168.1.102
      - 192.168.1.1
    extra_hosts:
      - localdc.corp.example.com:192.168.1.102
    hostname: localdc
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    privileged: true
    restart: always
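
Two of the posts above run into the same LDAP client mistakes, so here is one added example covering both; it is the editor's shell, not code from samba-domain. With DOMAIN=CORP.EXAMPLE.COM the naming context is DC=corp,DC=example,DC=com, not dc=corp,dc=com, and cn=admin,... is an OpenLDAP-style DN: in an AD domain the built-in account is CN=Administrator,CN=Users,<base DN> (or administrator@corp.example.com as a UPN). Separately, "Can't contact LDAP server (-1)" is a transport failure (nothing answered on port 389 at that address), which no DN can cause, so check reachability first, for example nc -vz 192.168.1.102 389 from the client and ss -ltnp on the Docker host. The "data 52e" in the earlier ldapinfo failure is the Windows logon status AD appends to a rejected bind. The helpers below derive the DNs from DOMAIN, build a STARTTLS ldapsearch, and decode that sub-code; the hostname localdc.corp.example.com is taken from the compose file, the ldapsearch flags are OpenLDAP's real ones, and the sample error line is copied from the post above.

```shell
#!/bin/sh
# Added example, not part of the samba-domain project: helpers for talking
# to the container's AD LDAP service from a client machine.
# Assumptions: DOMAIN=CORP.EXAMPLE.COM and the DC reachable as
# localdc.corp.example.com, as in the compose file above; ldapsearch from
# OpenLDAP's client tools (-ZZ/-x/-H/-D/-W/-b are its real flags).

# Naming context from the DNS domain: CORP.EXAMPLE.COM -> DC=corp,DC=example,DC=com
base_dn_from_domain() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\./,DC=/g; s/^/DC=/'
}

# Bind DN of the built-in Administrator account in that naming context.
# AD also accepts the UPN form (administrator@corp.example.com) as -D.
admin_bind_dn() {
    printf 'CN=Administrator,CN=Users,%s\n' "$(base_dn_from_domain "$1")"
}

# ldapsearch invocation for a simple bind: $1 = DOMAIN, $2 = DC FQDN.
# -ZZ forces STARTTLS so the password is not sent in clear; with the image's
# default (INSECURELDAP=false) Samba refuses simple binds over plain LDAP
# anyway. Pass the DC's FQDN, not its IP, or the TLS hostname check fails.
ldapsearch_cmd() {
    printf 'ldapsearch -ZZ -x -H ldap://%s -D "%s" -W -b "%s" "(objectClass=domainDNS)" dn\n' \
        "$2" "$(admin_bind_dn "$1")" "$(base_dn_from_domain "$1")"
}

# The "data NNN" sub-code AD and Samba append to a failed bind is the hex
# Win32 status of the logon attempt (52e = ERROR_LOGON_FAILURE, 0x52e).
ad_bind_error_meaning() {
    case "$1" in
        525) echo "user not found" ;;
        52e) echo "invalid credentials (wrong password, or wrong bind DN/UPN)" ;;
        530) echo "logon not permitted at this time" ;;
        531) echo "logon not permitted at this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        *)   echo "unknown sub-code $1" ;;
    esac
}

# Read ldapsearch/ldapwhoami stderr on stdin and print "<code>: <meaning>".
# Returns 1 when no AcceptSecurityContext sub-code is present.
decode_ad_bind_error() {
    code=$(sed -n 's/.*AcceptSecurityContext error, data \([0-9a-f]*\),.*/\1/p' | head -n 1)
    [ -n "$code" ] || return 1
    printf '%s: %s\n' "$code" "$(ad_bind_error_meaning "$code")"
}

# Constructed sample: the error line from the ldapinfo run quoted earlier.
SAMPLE_BIND_ERROR='additional info: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1'

ldapsearch_cmd CORP.EXAMPLE.COM localdc.corp.example.com
printf '%s\n' "$SAMPLE_BIND_ERROR" | decode_ad_bind_error
```

Run the printed command and enter the Administrator password. If the handshake is refused because the DC's self-signed certificate is untrusted, import that certificate into the client's CA store rather than exporting LDAPTLS_REQCERT=never, which turns off certificate checking and is only defensible in a throwaway lab.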

NTP errors

Seeing the following errors in the container logs

==> /var/log/supervisor/ntpd-stdout---supervisor-ju_cttoq.log <==
28 Jun 08:42:36 ntpd[18]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized

==> /var/log/supervisor/ntpd-stderr---supervisor-2cixb8yq.log <==
28 Jun 09:36:49 ntpd[18]: frequency file /var/lib/ntp/ntp.drift.TEMP: Permission denied

I am able to join the domain and log in fine, so I'm not sure if it is affecting any functionality.
The folder it's complaining about, /var/lib/ntp, is empty.

Adding secondary DC with JOIN does not add expected DNS entries

When running a second copy of the container to act as a secondary DC with JOIN, the DNS entries are not properly created.

This means that the secondary DC does not properly replicate its DNS entries to the main DC, and clients won't be able to connect to the domain if only the secondary DC is online.

Upgrade image to Ubuntu Bionic

Hi,
thanks for this useful image. Using it for testing AD authentication in other applications.

I would love to see the image being upgraded to use Bionic Beaver, which is the latest LTS version from Ubuntu.

Specifically I need support for LDAP_MATCHING_RULE_IN_CHAIN, see
https://bugzilla.samba.org/show_bug.cgi?id=10493

On my forked version this is working flawlessly by just updating the FROM clause. I would be happy to provide a PR.

Note: The same question, for the same reason, is also asked by @zacaway in a comment here: #3 (comment)

Thanks,
Ben
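
LDAP_MATCHING_RULE_IN_CHAIN is the extensible-match rule behind "who is in this group, counting nested groups" queries, which is what the request above needs. As an added example that is not part of samba-domain, the shell helpers below build those filters with RFC 4515 escaping so that a group name containing parentheses or a star cannot break or widen the filter. The group and user DNs are placeholders under the README's default domain, and the ldapsearch line in the comment assumes the DC is reachable as localdc.corp.example.com.

```shell
#!/bin/sh
# Added example, not part of the samba-domain project: build the LDAP filters
# that rely on LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
# The DNs used below are placeholders; the base DN is the README's default domain.

# RFC 4515 escaping for a value embedded in a filter: backslash first, then
# * ( ) so a name such as "Ops (EU)" cannot change the filter's structure.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Users that are members of the group in $1, directly or via nested groups.
# A plain (memberOf=...) filter only matches direct membership.
nested_members_filter() {
    printf '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=%s))\n' \
        "$(ldap_filter_escape "$1")"
}

# The opposite direction: every group the object in $1 belongs to, transitively.
nested_groups_of_filter() {
    printf '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))\n' \
        "$(ldap_filter_escape "$1")"
}

# Usage with placeholder DNs; feed the filter to ldapsearch after a bind, e.g.
#   ldapsearch -ZZ -x -H ldap://localdc.corp.example.com \
#       -D administrator@corp.example.com -W -b DC=corp,DC=example,DC=com \
#       "$(nested_members_filter "$GROUP")" sAMAccountName
GROUP='CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com'
nested_members_filter "$GROUP"
nested_groups_of_filter 'CN=alice,CN=Users,DC=corp,DC=example,DC=com'
```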

split into latest / latest-multisite

when we can get this image walking again with @burnbabyburn on board 😉 this would be my idea:

publish two versions of the image

  1. latest
  2. latest-multisite (including openvpn)

this would reduce complexity for the image
