Once the feature is available in samba the samba-container commands such as join and/or must-join can be updated to work with the ODJ files rather than just usernames & passwords stored in json files.

References:

• https://gitlab.com/samba-team/samba/-/merge_requests/1943

sambacc/samba-contaeiner should provide mechanisms to ensure that the shared directories exist and have the correct permissions (see #10 ).

This can be done via a subcommand or --setup rule (presumably both).

CTDB will only accept tracking of connections to a public ip. If "ctdb tickle" is used for a non-public ip address, no tcp packets are emitted at all. If "ctdb addtickle/deltickle" is used for a non-publi ip address, then a failures is generated.

          Checking this PyPI url I see that it is missing `Project description` entry. Consider adding.

Originally posted by @synarete in #82 (comment)

Discussed in #42

Currently sambacc mainly uses python print calls. The ctdb work brings in logging module support. Convert more call sites of print to use logging when appropriate.

I've started doing this in newer code but it should be done more thoroughly in the codebase.

If there are any mistakes in the formatting of the json config, sambacc crashes when trying to access missing elements.
It would be better if sambacc did some sort of data validation early on instead, and printed a friendlier error.

Currently we support "insecure" domain joins that pass a username and password on the CLI or env vars. This is convenient for throwaway ADs on a trusted network, but not so great for more production-like ADs.
Unlike #4 this allows for putting trusted information somewhere the tooling can access it directly, but in a more secured manner. I'm primarily thinking of something like a k8s secret mounted into the container as a file.

Specifically samba 4.15 has made changes to some of the command line options. As noted in a samba-container issue the option --log-stdout has been changed to --debug-output.

I'm proposing we add a mechanism for handling small behavior changes across samba versions like this.

Currently I'm thinking we can add an environment variable that indicates the various behaviors. I'm thinking something like SAMBA_FEATURES and our initial value can be SAMBA_FEATURES=cli_debug_output. In the future other behaviors could be tracked like SAMBA_FEATURES=cli_debug_output,foo_bar,something_cool.

PR #54 attempts to fix the warning:

WARNING: test command found but not installed in testenv
  cmd: /usr/bin/mypy
  env: /var/tmp/build/sambacc/.tox/py3-mypy

However, even after that is merged, there will still be a warning for py.test:

WARNING: test command found but not installed in testenv
  cmd: /usr/bin/py.test
  env: /var/tmp/build/sambacc/.tox/py3

While working on the warnings I found I couldn't resolve the latter within a few hours of work.
I'm partly creating this issue to capture some of the dead-ends and possible future paths.

The issue occurs because tox wants to use the python tools brought in by pip to the virtualenvs that get created for each environment. As the tox docs note the use of sitepackages=true can trigger this issue. PR #54 narrows down the incidences to only one - the py3 environment. We want sitepackages because we want to run some tests with things like samba's python modules present. However, these are C modules and are typically brought in via system packages. [1]

I tried one workaround which almost solved the problem, I configured all envs as sitepackages=false
and then for py3 only - I added a commands_pre to change the virtualenv to allow system site packages. Unfortunately, the pip command runs before commands_pre and as long as we specify the names of packages we rely on (inotify_simple, pyxattr). They'll still fail to install.

The last thing I can think of, which I don't want to implement at this time is a hack that will explicitly symlink in certain dependencies from the system without setting the virtualenvs to allow system site packages. At least for the container environment this wouldn't be too bad as we know exactly which RPMs match up with what python deps. I can imagine writing a small wrapper script to call from install_command that passes the deps to pip in most circumstances, but when enabled links in files listed via rpm -ql found in /usr/lib/python/site-packages and /usr/lib64/python/site-packages to the virtualenv.

[1] - xattr module too, but this at least has a package on pypi that pip could find. On the downside it would require a compiler and I would rather not need that to run our tests.

PR #98 added a MULTIDICT_NO_EXTENSIONS=1 env var workaround to get the fedora 39 based ci job working again. The issue is possibly due to:
aio-libs/multidict#887

But I have some doubts about that since Python 3.12 was already in Fedora 39 (I think?).

Regardless, revisit the workaround once the issue above has been resolved and there are python 3.12 wheels available for multidict.

Provisional - Issue assumes PR #98 will be merged.

The sambacc tool should be able to support more "traditional" domain joins if the user is unable or unwilling to put the password for the joining user in a secret. In that case the user should be able to log into a container and run a command to join rather than it happen automatically in container init.

See: samba-in-kubernetes/samba-container#163

Commit
89477bd Git checkout to a branch to avoid detached HEAD
adds the following change

-        git checkout "${node}"
+        git checkout -b "${node}" "${node}"

to tests/container/build.sh.

This is however problematic when we would like to build off a branch.
eg: When building the container off the latest commit, we would like to the master branch. This results in the following command
git checkout -b "master" "master"
which fails with
fatal: A branch named 'master' already exists.

The problem was seen when working on the samba-container PR
samba-in-kubernetes/samba-container#52

Add an identifier which can be used to identify the git commit used to build samba cc within the server image. This can help with debugging when trying to identify a problem in the samba image.

Currently we can pass samba debug level through the operator via the config param "samba-debug-level" (env var SAMBA_OP_SAMBA_DEBUG_LEVEL).
However, setting this causes ltdbtool to fail. Apparently, unlike most of the samba commands this one doesn't understand the typical --debuglevel option.

Tested with:

• samba-operator: git: d96dcdb17f0fd8a8c1fd22d446691078e4ac3466+
• samba-container: container: quay.io/samba.org/samba-server@sha256:e85f537555d76771e7e01dfc0795a80c6472a85c36a7e072bafa580cf20f6425

$ kubectl logs cshare1-0 -c ctdb-migrate
2021-11-02 20:25:03,743: INFO: Checking for /var/lib/samba/account_policy.tdb
2021-11-02 20:25:03,743: INFO: Converting /var/lib/samba/account_policy.tdb to /var/lib/ctdb/persistent/account_policy.tdb.0 ...
ltdbtool: invalid option -- '-'
Usage: ltdbtool dump [-e] [-p] [-s{0|32|64}] <idb>
       ltdbtool convert [-e] [-s{0|32|64}] [-o{0|32|64}] <idb> <odb>
       ltdbtool {help|-h}
Traceback (most recent call last):
  File "/usr/local/bin/samba-container", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/sambacc/commands/main.py", line 211, in main
    cfunc(CommandContext(cli))
  File "/usr/local/lib/python3.9/site-packages/sambacc/commands/ctdb.py", line 161, in ctdb_migrate
    ctdb.migrate_tdb(ctx.instance_config, ctx.cli.dest_dir)
  File "/usr/local/lib/python3.9/site-packages/sambacc/ctdb.py", line 465, in migrate_tdb
    _convert_tdb_file(tdb_path, dest_dir, pnn=pnn)
  File "/usr/local/lib/python3.9/site-packages/sambacc/ctdb.py", line 482, in _convert_tdb_file
    subprocess.check_call(list(cmd))
  File "/usr/lib64/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['ltdbtool', '--debuglevel=10', 'convert', '-s0', '/var/lib/samba/account_policy.tdb', '/var/lib/ctdb/persistent/account_policy.tdb.0']' returned non-zero exit status 255.

Improve timing behavior in sambacc. Currently, sambacc support two kinds of waiting: waiting on file changes or waiting by predefined sleeps. The file based wait depends on inotify and only works on a local file system. File wait works best but not enough situations so we should probably make time sleeps less hacky with sane timeouts.

Recently, local tox runs started finding black formatting issues that were not flagged before, most likely due to new release of the black tool.
There's a workaround present in PR #98 that avoids taking the newest versions. It would be good to remove this workaround and update the formatting (as long at it makes sense).

This issue is a reminder to get that done.

I keep forgetting about that. The AD DC config has this but apparently the user/groups config of the file server is still missing it. Please file an issue on sambacc.

Originally posted by @phlogistonjohn in samba-in-kubernetes/sit-environment#113 (comment)

The example container config has samba-container-config set to 'v0'. The instructions explicitly state only 'v1' is valid.

Which is it?

There should be a samba-container command that fetches the state of the sambacc configuration and applies it to any running instances. This is needed to support adding a new share to an existing smbd, for example.

This command should have a "server" / watch-and-react mode too.

The ci jobs have been failing consistently for around a week.

Issue seems to be related to xml libs on f38.

https://github.com/samba-in-kubernetes/sambacc/actions/runs/8677896977

Currently, when sambacc imports samba configuration from it's own JSON based fomat it uses the net conf import command line. Future versions of Samba will have a python binding for the smbconf library. This library can be used to read a text based config (smb.conf) or read/write registry based configuration. This would allow us to use the library directly rather than generating a text based configuration and shelling out to net command to update the registry.

It may also make post-init configuration updates simpler and easier to see exactly what is changing.

sambacc provides a "setup steps" feature for some commands (mainly run) in which you can pass to have sambacc perform and explict set of setup steps before launching the main command (starting a long running process like smbd,winbind).

An example from a recent task did: run --setup=config --setup=users --setup=users_passdb --setup=nsswitch smbd
While it's nice that the setups steps are granular enough to provide a fine level of control over how sambacc sets up the environment its a bit to remember and type.
This was not a problem when samba-container images are mostly getting run via a higher level of orchestration like the samba-operator. However, when working in a low-orchestration environment this can be annoying

This is is a "I'm not commited to this, but let's think about it" to consider some sort of higher level way to invoke the setup steps - probably through the config file.

As per a discussion at sambaXP - they may be a way to enable the ad-dc to provision without the need for having acl xattrs. This would be beneficial for samba-container AD DC image as it means we could potentially run without being a privileged container.

Currently, the must-join subcommand will attempt to use automated join methods once, and then wait forever to have a human interactively perform a join. If the command has good inputs, but a temporary issue blocked it from joining a human still has to intervene. Instead, we should periodically retry the given join params in case the failures were indeed transient. It should continue to support an interactive join.

Looks like I forgot to add tests.

When a share is exposed to samba there may be a need to limit the amount of data to samba. Ideally, this would be done at a layer outside of the samba container. However, there are cases where we are provided a single data volume and shares are directories within that volume. The sambacc library already has the ability to create the share directories and apply permissions to them.

The sambacc json configuration can provide a suggested quota value and parameter indicating kind of file system is in use. Unfortunately, this may be needed because unlike creating directories and applying permissions the tools/calls needed to set a directory or tree quota varies by filesystem. Not all file systems support directory quotas either.

Currently, the only place sambacc sources the admin password from is in the sambacc config file. This means if you want to keep the password more secure you have to put the entire config file in a secret (or equivalent). This is inconvient if you want to keep your sambacc configurations together in one place.

We could have sambacc source the password from another file and/or an environment variable. Off the top of my head I know that both podman and k8s have methods for passing secret data via those means.

This is not an issue for domain member servers because those already take the join user/pass in a separate file from the configuration.

Prevent the process from hanging indefinitely on acquiring the lock.

Maybe not too crucial but can be limit retries here instead of trying indefinitely?

          Maybe not too crucial but can be limit retries here instead of  trying indefinitely?

I think if the condition that causes the ObjectBusy exception persists indefinitely it could lead to a hung process that never completes.

        self, name: str, cookie: str, *, delay: int = 1, max_retries: int = 10

Originally posted by @avanthakkar in #123 (comment)

Preliminary work has been started to make the xattr attribute name configureable:
https://gitlab.com/samba-team/samba/-/merge_requests/1908

Failed to run a container with debug env var

~ podman run --rm -ti --privileged -e SAMBA_DEBUG_LEVEL=3 quay.io/samba.org/samba-ad-server
...
samba-tool: no such subcommand: --debuglevel=3

Ignore SAMBA_SPECIFICS=daemon_cli_debug_output env var for /usr/sbin/samba, but samba has this option

def samba_dc_foreground() -> SambaCommand:
    return samba_dc["--foreground"]

Issue created to track any possible regression in the use of the cmd_prefix value.

Was testing with code in
https://github.com/spuiuk/sambacc/tree/ctdb_check-2022021002
This adds 2 new patches.

1. Introduce ctdb-nodestatus check. This attempts to use the samba_cmds.CommandArgs.cmd_prefix to make it easier for use to write a unit test for this function.
2. The unit test for the function.

However cmd_prefix is passed as the first argument for the exec call instead of being pre-pended to the test script as we expected. This results in the test failing.

Running tox fails while running the new test added with the following errors.

========================================================================== FAILURES ==========================================================================
_______________________________________________________________________ test_check_ok ________________________________________________________________________

tmp_path = PosixPath('/tmp/pytest-of-sprabhu/pytest-20/test_check_ok0')

    def test_check_ok(tmp_path):
        import os
    
        datapath = tmp_path / "_ctdb"
        datapath.mkdir()
    
        fake_ctdb = [
            "#!/bin/sh",
            'if [ "$1$TESTFAIL" == "nodestatus" ]',
            "then exit 0;",
            "else exit 1;",
            "fi",
        ]
        fake_ctdb_script = datapath / "ctdb"
        with open(fake_ctdb_script, "w") as fh:
            fh.write("\n".join(fake_ctdb))
            fh.write("\n")
        os.chmod(fake_ctdb_script, 0o755)
    
        test_cmd_prefix = [datapath]
        # simulate nodestatus == OK
        pid = os.fork()
        if pid == 0:
>           ctdb.check_nodestatus(cmd_prefix=test_cmd_prefix)

tests/test_ctdb.py:591: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
sambacc/ctdb.py:490: in check_nodestatus
    samba_cmds.execute(cmd)
sambacc/samba_cmds.py:175: in execute
    os.execvp(cmd.name, cmd.argv())  # pragma: no cover
/usr/lib64/python3.9/os.py:574: in execvp
    _execvpe(file, args)
/usr/lib64/python3.9/os.py:616: in _execvpe
    raise last_exc
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

file = b'ctdb', args = [PosixPath('/tmp/pytest-of-sprabhu/pytest-20/test_check_ok0/_ctdb'), 'ctdb', 'nodestatus']
env = environ({'TOX_WORK_DIR': '/data/sprabhu/dev/ocs/sambacc/.tox', 'PATH': '/data/sprabhu/dev/ocs/sambacc/.tox/py39/bin:/u...TAFILE': '/data/sprabhu/dev/ocs/sambacc/.coverage', 'PYTEST_CURRENT_TEST': 'tests/test_ctdb.py::test_check_ok (call)'})

    def _execvpe(file, args, env=None):
        if env is not None:
            exec_func = execve
            argrest = (args, env)
        else:
            exec_func = execv
            argrest = (args,)
            env = environ
    
        if path.dirname(file):
            exec_func(file, *argrest)
            return
        saved_exc = None
        path_list = get_exec_path(env)
        if name != 'nt':
            file = fsencode(file)
            path_list = map(fsencode, path_list)
        for dir in path_list:
            fullname = path.join(dir, file)
            try:
>               exec_func(fullname, *argrest)
E               FileNotFoundError: [Errno 2] No such file or directory

/usr/lib64/python3.9/os.py:607: FileNotFoundError

This means that either you need to list out all the stock setup steps manually (like: --setup=config --setup=users --setup=users_passdb --setup=nsswitch --setup=share_paths) or you don't otherwise automatically get path ensurance/permissions update.

Currently, the setup tasks are a bit of a jumble anyway so we may want to clean it up in general too.

Tools smbd and winbindd does not have options --log-stdout or --stdout

~ smbd --log-stdout
Invalid option --log-stdout: unknown option

~ winbindd --log-stdout
Invalid option --log-stdout: unknown option

def _daemon_stdout_opt(daemon: str) -> str:
    if daemon == "smbd":
        opt = "--log-stdout"
    else:
        opt = "--stdout"
    opt_lst = get_samba_specifics()
    if _DAEMON_CLI_STDOUT_OPT in opt_lst:
        opt = "--debug-stdout"
    return opt