
samba's Introduction

samba - (ghcr.io/servercontainers/samba) [x86 + arm]

samba on alpine

with Time Machine, zeroconf (avahi) and WSD (Web Services for Devices, via wsdd2) support.

IMPORTANT!

New Registry: ghcr.io/servercontainers/samba

In March 2023, Docker informed me that they are going to remove my organizations servercontainers and desktopcontainers unless I upgrade to a pro plan.

I'm not going to do that. It's more of a professionally done hobby than a professional job I'm earning money with.

In order to avoid bad actors taking over my org names and publishing potentially backdoored containers, I'd recommend switching over to my new GitHub registry: ghcr.io/servercontainers.

Build & Variants

You can specify the DOCKER_REGISTRY environment variable (for example my.registry.tld) and use the build script to build the main container and its variants for x86_64, arm64 and arm.

You'll find all images tagged like a3.15.0-s4.15.2, which means a<alpine version>-s<samba version>. This way you can pin your installation/configuration to a certain version, or easily roll back if you experience any problems.

To build a latest tag run ./build.sh release

For builds without a specified registry you can use the generate-variants.sh script to generate variations of this container and build the repos yourself.

All of those variants are generated and built automatically in one go:

  • latest or a<alpine version>-s<samba version>
    • main version of this repo
    • includes everything (smbd, avahi, wsdd2)
    • not all services need to start/run -> use ENV variables to disable optional services
  • smbd-only-latest or smbd-only-a<alpine version>-s<samba version>
    • this will only include smbd and my scripts - no avahi or wsdd2 installed
  • smbd-avahi-latest or smbd-avahi-a<alpine version>-s<samba version>
    • this will only include smbd, my scripts and avahi
    • optional service can still be disabled using ENV variables
  • smbd-wsdd2-latest or smbd-wsdd2-a<alpine version>-s<samba version>
    • this will only include smbd, my scripts and wsdd2
    • optional service can still be disabled using ENV variables

Changelogs

  • 2024-04-16
    • added tzdata package to support setting the timezone using an env variable
      • e.g. TZ=Europe/Berlin
  • 2024-03-22
    • merged pull request which fixed avahi on smbd-only and smbd-wsdd2 variants
      • solution was to just deactivate the avahi service and not remove the config folder
  • 2024-03-11
    • patch host-name in /etc/avahi/avahi-daemon.conf if AVAHI_NAME env is set
    • fixed build - overwrite latest tag if there was a commit within the last hour
      • the tagged version will remain unchanged to avoid problems for pinned container versions.
  • 2024-01-08
    • multiline config for shares available
      • optional
      • better readability
      • merged important parts from pull request #60 by hand
  • 2024-01-04
    • fix for disabled nmbd #118
  • 2023-12-01
    • made nmbd optional use NETBIOS_DISABLE=true to disable nmbd
  • 2023-10-08
    • fixed avahi service config - </service-group> error (Issue #107)
  • 2023-09-24
    • added nmbd service and increased compatibility
    • print smb.conf on initialization to make testparm -s problems visible
    • updated github build to fail if build/version combination already exists as tag
  • 2023-09-16
    • implemented working version of pull #87
    • fixed avahi model which now works without a single timemachine share
    • avahi will now be configured without timemachine
  • 2023-08-07
    • create all groups, then create all users, and after that add users to groups - this gives a clearer and cleaner way to add users to different groups
  • 2023-07-29
    • added vfs objects = catia fruit streams_xattr to global config to improve macos compatibility - closes issue #93

older changelogs -> CHANGELOGS.md

Info

This is a Samba server container based on the official Alpine image (_/alpine on Docker Hub).

Troubleshooting

If you experience problems, take a look at this file: TROUBLESHOOTING.md

Environment variables and defaults

Samba

  • SAMBA_GLOBAL_STANZA

    • optional
    • default not set
    • use it to manage multiple global settings in one place
    • separate multiple settings/lines using ;, which is automatically translated to \n
  • SAMBA_GLOBAL_CONFIG_someuniquevalue

    • adds any global samba setting to smb.conf; the suffix only needs to be unique, the setting itself goes into the value
    • example value: key = value
    • important: if the samba key contains a space, replace it with _SPACE_
      • e.g. foo_SPACE_bar
    • important: if the samba key contains a colon (:), replace it with _COLON_
      • e.g. foo_COLON_bar
  • ACCOUNT_username

    • multiple variables/accounts possible
    • adds a new user account with the given username and the env value as password or samba hash
      • either you add a simple plaintext password as value (it must not start with username:[0-9]*: or it will be detected as a hash)
      • or you add a samba hash, i.e. the user's line from /var/lib/samba/private/smbpasswd, e.g. user:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[U ]:LCT-5FE1F7DF: (user: user / password: password)
      • create the hash using this command: docker run -ti --rm --entrypoint create-hash.sh ghcr.io/servercontainers/samba
      • see docker-compose.yml user foo for an example of how it's used/configured
      • the hashing script needs an all-lowercase username - it will therefore automatically lowercase the given username
      • the NT hash is an unsalted MD4 of the password and is itself sufficient to authenticate (pass-the-hash), so a compose file containing such a line needs the same protection as one containing the plaintext password
    • to restrict access to volumes you can add the following to your samba volume config:
      • valid users = alice; invalid users = bob;
  • UID_username

    • optional
    • specify the uid explicitly for each user account.
    • the username part must match to a specified ACCOUNT_username environment variable
  • GROUP_groupname

    • optional
    • value will be gid
    • example: GROUP_devops=1500 will create group devops with id 1500
    • do not use for the default user groups e.g. GROUP_bob=1000 - those groups are automatically created for the user
  • GROUPS_username

    • optional
    • additional groups for the user
    • to create groups look at GROUP_groupname or mount/inject an /etc/group file (can cause problems)
    • the username part must match a specified ACCOUNT_username environment variable
    • one or more groups to add, separated by ,
    • example: GROUPS_johndoe=musician,devops
  • MODEL

    • optional model value of avahi samba service
    • default: TimeCapsule
    • some available options are Xserve, PowerBook, PowerMac, Macmini, iMac, MacBook, MacBookPro, MacBookAir, MacPro, MacPro6,1, MacPro7,1 (Tower), MacPro7,1@ECOLOR=226,226,224 (Rack), TimeCapsule, AppleTV1,1 and AirPort.
  • AVAHI_NAME

    • optional name of avahi samba service
    • default: hostname
  • AVAHI_DISABLE

    • optional
    • default not set - set to any value to disable avahi Service
  • SAMBA_CONF_SERVER_ROLE

    • default: standalone server
    • note: $ is an invalid symbol in this env
  • SAMBA_CONF_LOG_LEVEL

    • default: 1
  • SAMBA_CONF_WORKGROUP

    • default: WORKGROUP
  • SAMBA_CONF_SERVER_STRING

    • default: Samba Server
  • SAMBA_CONF_MAP_TO_GUEST

    • default: Bad User
    • Bad User rejects a wrong password for an existing account but maps logins with an unknown username to the guest account, which is what makes guest ok = yes shares reachable without credentials; set it to Never if no share should be accessible without an account
  • SAMBA_VOLUME_CONFIG_myconfigname

    • adds a new samba volume (share) configuration
    • multiple variables/configurations possible by adding a unique config name to SAMBA_VOLUME_CONFIG_
    • take a look at https://wiki.samba.org/index.php/Configure_Samba_to_Work_Better_with_Mac_OS_X -> EXPLANATION OF VOLUME PARAMETERS
    • multiline support -> look into docker-compose.yml for an example
    • separate multiple lines using ;, which is automatically translated to \n
    • if your path ends with %U, e.g. path = /shares/homes/%U;, multi-user mode is activated and each user gets their own subdirectory as their own share (great for Time Machine - every user gets a personal share)
    • for Time Machine just add fruit:time machine = yes and all other needed settings are added automatically
      • you can also use fruit:time machine max size = 500G; to limit the maximum size of the Time Machine volume
  • WSDD2_DISABLE

    • optional
    • default not set - set to any value to disable wsdd2 Service
  • WSDD2_PARAMETERS

    • optional specify parameters for wsdd2
    • default not set - wsdd2 starts without any parameters
    • e.g. -l
  • NETBIOS_DISABLE

    • optional
    • default not set - set to any value to disable nmbd
    • not recommended - only disable it if you know you do not need NetBIOS name resolution/browsing (nmbd)
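As an added worked example (not the project's create-hash.sh and not code from this page), the following Python builds the smbpasswd-style line that ACCOUNT_username accepts and applies the plaintext-versus-hash detection rule from the list above. MD4 is written out because hashlib's md4 is disabled in many OpenSSL 3 builds; the width of the flags field, the case-insensitive username comparison in looks_like_hash and the account name in the usage are assumptions of this example.

```python
"""Added example, not the project's create-hash.sh: produce the smbpasswd-style
line that ACCOUNT_<username> accepts, and apply the README's rule for telling
a plaintext password from a hash line."""
import re
import struct
import time
from typing import Optional

MASK = 0xFFFFFFFF
FLAGS = "[U" + " " * 10 + "]"  # assumption: 'U' padded to the usual smbpasswd width


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because hashlib's md4 is disabled in many
    OpenSSL 3 builds. Little-endian words, 48 steps per 64-byte block."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for step in range(48):
            i = step % 16
            if step < 16:      # round 1: F, words in order
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif step < 32:    # round 2: G, words 0,4,8,12,1,5,...
                f, k, s, t = ((b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4,
                              (3, 5, 9, 13)[i % 4], 0x5A827999)
            else:              # round 3: H, words 0,8,4,12,2,10,...
                f, k, s, t = (b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i],
                              (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)
            # new value lands in "a", then the four registers rotate
            a, b, c, d = d, _rotl((a + f + x[k] + t) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password: no salt, no work factor."""
    return md4(password.encode("utf-16-le")).hex().upper()


def smbpasswd_line(username: str, password: str, uid: int, lct: Optional[int] = None) -> str:
    """user:uid:LMHASH:NTHASH:[flags]:LCT-<hex unix time>: with the LM field
    left as 32 X's (no LM hash), matching the layout shown on this page."""
    user = username.lower()  # the container's hashing script lowercases the name
    stamp = int(time.time()) if lct is None else lct
    return f"{user}:{uid}:{'X' * 32}:{nt_hash(password)}:{FLAGS}:LCT-{stamp:08X}:"


HASH_PREFIX = re.compile(r"^(?P<user>[^:]+):[0-9]*:")


def looks_like_hash(username: str, value: str) -> bool:
    """README rule: a value starting with username:[0-9]*: is taken as a hash
    line, so a plaintext password must not look like that (assumption: the
    username in the line is compared case-insensitively)."""
    m = HASH_PREFIX.match(value)
    return bool(m) and m.group("user") == username.lower()


if __name__ == "__main__":
    line = smbpasswd_line("Alice", "correct horse battery staple", 1002)  # illustrative account
    print("ACCOUNT_alice:", line)
    print("detected as hash:", looks_like_hash("alice", line))
```

Run it and paste the printed line as the value of ACCOUNT_alice. Because the NT hash is unsalted MD4 of the password, the line is a credential in its own right and the file holding it deserves the same protection as a plaintext password; nt_hash("password") gives 8846F7EAEE8FB117AD06BDD830B7586C, the value in the page's own example.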

Volumes

  • your shares

    • by default I recommend mounting all shares beneath /shares and configuring them using the path property
  • /external/avahi

    • mount your avahi service folder e.g. /etc/avahi/services/ to this spot
    • the container now maintains the service file samba.service for you - it will be overwritten!
    • when mounted, the internal avahi daemon will be disabled
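To make the translation rules above concrete, here is an added example in Python (not the container's entrypoint script and not code from this page) that turns SAMBA_GLOBAL_STANZA, SAMBA_GLOBAL_CONFIG_* and SAMBA_VOLUME_CONFIG_* variables into smb.conf text, detects multi-user (%U) and Time Machine shares, and flags shares that are writable by guests or open to every account. It assumes _SPACE_ and _COLON_ are replaced anywhere in the value; the settings the container itself appends for Time Machine shares are not listed on this page and are therefore not reproduced. The sample environment is constructed for the example.

```python
"""Added example (not the container's entrypoint): the environment-variable ->
smb.conf rules from the README list, re-implemented so the translation and the
share-level checks can be seen on sample input."""
import re
from typing import Dict, List, Tuple

GLOBAL_PREFIX = "SAMBA_GLOBAL_CONFIG_"
VOLUME_PREFIX = "SAMBA_VOLUME_CONFIG_"
SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def decode_value(raw: str) -> List[str]:
    """README rules: '_SPACE_' -> ' ', '_COLON_' -> ':', ';' separates lines."""
    text = raw.replace("_SPACE_", " ").replace("_COLON_", ":")
    return [part.strip() for part in text.split(";") if part.strip()]


def split_setting(line: str) -> Tuple[str, str]:
    """Every line must be 'key = value'. A bare value such as 'nt1' is the
    mistake from the '[Question] Can't pass global environment variables'
    issue on this page: the samba key belongs in the value, not the variable name."""
    key, sep, value = line.partition("=")
    if not sep or not key.strip():
        raise ValueError(f"not a 'key = value' line: {line!r}")
    return key.strip().lower(), value.strip()  # smb.conf keys are case-insensitive


def global_lines(env: Dict[str, str]) -> List[str]:
    lines = decode_value(env.get("SAMBA_GLOBAL_STANZA", ""))
    for name in sorted(env):
        if name.startswith(GLOBAL_PREFIX):
            lines += decode_value(env[name])
    for line in lines:
        split_setting(line)  # validate only; lines are emitted as written
    return lines


def parse_volume(raw: str) -> Tuple[str, Dict[str, str]]:
    lines = decode_value(raw)
    m = SECTION.match(lines[0]) if lines else None
    if not m:
        raise ValueError("a volume config must start with a [share name] header")
    return m.group("name"), dict(split_setting(line) for line in lines[1:])


def share_flags(settings: Dict[str, str]) -> Dict[str, bool]:
    # Samba defaults to read only = yes; writable/writeable are the inverse synonyms
    writable = settings.get("read only", "yes").lower() == "no" or \
        settings.get("writable", settings.get("writeable", "no")).lower() == "yes"
    return {
        "multiuser": settings.get("path", "").endswith("%U"),  # per-user subdirectory
        "timemachine": settings.get("fruit:time machine", "").lower() == "yes",
        "guest": settings.get("guest ok", "").lower() == "yes",
        "writable": writable,
    }


def audit(env: Dict[str, str]) -> List[str]:
    """Findings worth fixing before the share is reachable from the network."""
    findings = []
    for name in sorted(env):
        if not name.startswith(VOLUME_PREFIX):
            continue
        share, settings = parse_volume(env[name])
        flags = share_flags(settings)
        if flags["guest"] and flags["writable"]:
            findings.append(f"[{share}] is writable by guests")
        if not flags["guest"] and "valid users" not in settings:
            findings.append(f"[{share}] has no 'valid users', every account can connect")
    return findings


def render_smb_conf(env: Dict[str, str]) -> str:
    out = ["[global]"] + [f"   {line}" for line in global_lines(env)]
    for name in sorted(env):
        if name.startswith(VOLUME_PREFIX):
            share, settings = parse_volume(env[name])
            out.append(f"\n[{share}]")
            out += [f"   {key} = {value}" for key, value in settings.items()]
    return "\n".join(out) + "\n"


# constructed sample environment for this example
SAMPLE_ENV = {
    "SAMBA_GLOBAL_STANZA": "server min protocol = SMB2; client max protocol = SMB3",
    "SAMBA_GLOBAL_CONFIG_nfs_aces": "fruit_COLON_nfs_aces = no",
    "SAMBA_VOLUME_CONFIG_public_ro": "[Public ReadOnly]; path = /shares/public; guest ok = yes; read only = yes",
    "SAMBA_VOLUME_CONFIG_drop": "[Drop]; path = /shares/drop; guest ok = yes; read only = no",
    "SAMBA_VOLUME_CONFIG_tm": "[TimeMachine]; path = /shares/timemachine/%U; valid users = alice; "
                              "read only = no; fruit:time machine = yes",
}

if __name__ == "__main__":
    print(render_smb_conf(SAMPLE_ENV))
    for finding in audit(SAMPLE_ENV):
        print("WARNING:", finding)
```

The audit deliberately treats a guest-writable share as a finding even when it is intended (a drop box), because with the default map to guest = Bad User any unknown username lands in it; review such shares explicitly rather than discovering them later in the logs.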

Some helpful in-depth information about Time Machine and Avahi / Zeroconf

General Info

You can't proxy the zeroconf announcements from inside the container to the outside, since that would need routing and forwarding from the outside to your internal docker0 interface. So you need network_mode: host to run zeroconf from within the container.

Alternatively, publish port 445 (SMB) from the container on the docker host and run avahi on the host itself. Then add a service definition that matches your config, or mount the host's /etc/avahi/services/ at /external/avahi and let the container maintain it. (Port 548 is AFP, which this container does not serve.)

My personal Time Machine recommendation

If you have a more sophisticated network setup (VPN, different networks etc.) you might want to avoid using zeroconf + avahi in combination with Time Machine.

Zeroconf limits you to the autodiscovered mDNS name ($AVAHI_NAME + .local). So whenever your Mac can't pick up this zeroconf announcement, Time Machine will not back up your machine. This is fine in a typical home network: there it backs up every time the user is at home and has all devices (and the backup NAS) in one LAN.

To overcome this, connect your NAS/Samba server manually using Finder -> Go -> Connect to Server (or shortcut ⌘K). Enter the FQDN or IP of the server and the path to the Time Machine share you want to use and establish the connection.

Once the connection is established, open Settings -> Time Machine and add/choose this newly connected share as the place to store your backups. You'll notice that it now shows the FQDN or IP you chose. If you already used this NAS via zeroconf, it should detect that there are already backups for your Mac and ask to continue using them, so a full backup shouldn't be required if you switch the connection method.

After this more explicit network configuration it will back up as soon as your device can reach the server, whether via VPN or across routed networks. This way you can back up from any network as long as routing works :)

Windows 10 Network Discovery

For Windows 10 Network Discovery the hostname of the container is used. If you use network_mode: host, it's the docker host's hostname.

If you use any other network_mode and want to avoid the autogenerated cryptic hostname of the container, you can specify an explicit hostname using: hostname: my-samba-containers-hostname

Note: the wsdd2 service seems to need CAP_NET_ADMIN as a capability (more info: #50). Add just that capability rather than running the container privileged:

    cap_add:
      - CAP_NET_ADMIN

samba's People

Contributors

benblank, jfhenriques, kentzo, knapoc, marvambass


samba's Issues

Multiple account problem

Using the latest image from Docker Hub:

When defining several accounts in the docker-compose file, the entrypoint script seems to take all defined users as one multiline user:

docker-compose.yml (partial content)

    environment:
      ACCOUNT_aaa: aaapass
      ACCOUNT_bbb: bbbpass

    ACCOUNT: adding account: aaa
    samba | bbb
    samba | useradd: invalid user name 'aaa
    samba | bbb'
    samba | passwd: user 'aaa
    samba | bbb' does not exist

Custom Docker setup

Greetings,

Is there a way to have a custom Docker image or server setup in order to run a Samba server that is supposed to serve files to macOS and Windows, as well as a MariaDB server, both in the same image? And just configure the image once and run it at startup on each Debian machine?

Thanks in advance

[Question] Can't pass global environment variables

Hello,

I'm struggling to add a global variable to the smb.conf file through environment variables.
For some testing purposes, I'm trying to make sure devices still using SMBv1 can connect. So I'd like to set the "client max protocol" global directive to nt1 to ensure I can still join it.

Reading your readme, I thought that this would do the job:

...
environment:
   - SAMBA_GLOBAL_CONFIG_CLIENT_SPACE_MAX_SPACE_PROTOCOL=nt1
...

There's some evidence that I'm doing it the wrong way; this results in:

   # Docker Envs global config options
   log level = 1
   workgroup = WORKGROUP
   server string = Samba Server
   map to guest = Bad user
   nt1

Obviously, I'm not heading in the right direction, if you could give me any advice I'd be grateful.

[Feature request] Add WSD Support

Hello @MarvAmBass

I'm almost done with my "ready-to-go" docker-compose file for Synology NAS.
The latest OS version, DSM 7, disables the SMBv1 protocol by default, which is not a bad thing TBH.
But some old equipment (e.g. Sonos) is still stuck with an SMBv1 implementation.
Your image is the perfect way to expose specific data without lowering the whole NAS security setup.

I struggled a bit those past days to make the container appear in the Windows 10 Network Discovery tab.
I came across this particular page: https://devanswers.co/discover-ubuntu-machines-samba-shares-windows-10-network/
which then led me to this GitHub repo: https://github.com/christgau/wsdd

I think this could greatly complement your image to make it fully discoverable automatically on every OS.

I’m eager to receive your feedback.

Avahi fails to start, due to stale pid file.

I have this issue quite frequently, probably because I rebuild my container a lot.

In the log I see over and over,

Daemon already running on PID 15
+ exec avahi-daemon --no-rlimits

but if I enter the container and check the pid, samba is running on that pid.

I believe it to be this bug, not sure if you want to work around it?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876342

rm /var/run/avahi-daemon/pid at container start (before running avahi) would probably be enough.

Guest user

Have you had any luck with guest login? No matter what I try, I seem to get NT_STATUS_ACCESS_DENIED

I did have success once mapping guest to the same UID as my share, but then it has rights I don't want it to have (e.g. write).

And nobody user should still have read access to my share, the other permissions are r+x

Sorry if I haven't explained this clearly, I've been going crazy trying to get it to work.

Raspberry Pi - SO_RCVBUFFORCE: Operation not Permitted

I am using this image in a Raspberry Pi environment, and am getting the following error repeating continuously. Everything seems to be working but the log is just full of this at log level 3.

starting.
open_ep: SO_RCVBUFFORCE: Operation not permitted
cannot read additional dns hostnames from testparm
cannot read netbios aliases from testparm

Allow running the samba server not as root

There are many ways to do this, but most of the containers I've run across that allow this have you set environment variables with the uid and gid that you'd like to use. For example,

services:
  samba:
    container_name: samba
    image: ghcr.io/servercontainers/samba
    restart: unless-stopped
    environment:
      UID: 1001
      GID: 1001

      SAMBA_CONF_LOG_LEVEL: 3
...

create-hash repository

README.md instructions for creating a samba hash still refer to the docker hub repo rather than ghcr.io

Daily image updates

I get an image update notification every single day.
Is there a reason this image gets updated so often? Does anything change at all?

Could not open tdb: No such file or directory (both account_policy.tdb and registry.tdb)

I get "No such file or directory" for both registry.tdb and account_policy.tdb in /var/lib/samba/. I have no idea why that is and I cannot connect to my samba server.

Yesterday, when I first started, I immediately got a connection timeout upon connecting. Later on I think it somehow confused StorageServer with my other samba server running on my Synology NAS. Not sure though. I also tried manually connecting to it (smb://rpi.local); it did not time out immediately but could not connect anyway. It seemed like it could not find the server. The first time I tried connecting it had logged my main computer's LAN IP, though.

But today, after a restart, StorageServer doesn't show up at all. First I thought maybe it's because the server was not running before I started my main computer, but that doesn't really make any sense. Connecting to it manually, I now get a connection timeout immediately. Today it doesn't log my IP. Anyhow, I have no clue what's going on.

I read somewhere that it might be due to a wireless connection. I tried wired connection but the issue is still the same.

Here's some context for you:

docker-compose.yml file
version: '3'
services:
  samba:
    image: ghcr.io/servercontainers/samba
    restart: always
    network_mode: host
    environment:
      MODEL: 'TimeCapsule'
      AVAHI_NAME: StorageServer

      WSDD2_DISABLE: 1

      SAMBA_CONF_LOG_LEVEL: 3
  
      ACCOUNT_user1: "user1:1000:XXX..."
      ACCOUNT_user2: "user2:1000:XXX..."

      SAMBA_VOLUME_CONFIG_shared_home: "[Home]; path=/shares/homes/%U; valid users = user1, user2; guest ok = no; read only = no; browseable = yes"
      SAMBA_VOLUME_CONFIG_shared_media: "[Media]; path=/shares/media; valid users = user1, user2; guest ok = no; read only = no; browseable = yes"
      
      SAMBA_VOLUME_CONFIG_public: "[Public]; path=/shares/public; valid users = user1, user2; guest ok = no; read only = no; browseable = yes"
      SAMBA_VOLUME_CONFIG_public_ro: "[Public ReadOnly]; path=/shares/public; guest ok = yes; read only = yes; browseable = yes"
      
      SAMBA_VOLUME_CONFIG_timemachine: "[TimeMachine]; path=/shares/timemachine/%U; valid users = user1; guest ok = no; read only = no; browseable = yes; fruit:time machine = yes; fruit:time machine max size = 500G"

    volumes:
      - /etc/avahi/services/:/external/avahi
      - ./shares/public:/shares/public
      - ./shares/homes:/shares/homes
      - ./shares/timemachine:/shares/timemachine
      - ./shares/media:/shares/media
Console log: level 3
[...]

>> CONTAINER: starting initialisation
>> SAMBA CONFIG: no $SAMBA_CONF_WORKGROUP set, using 'WORKGROUP'
>> SAMBA CONFIG: no $SAMBA_CONF_SERVER_STRING set, using 'Samba Server'
>> SAMBA CONFIG: no $SAMBA_CONF_MAP_TO_GUEST set, using 'Bad User'
>> ACCOUNT: adding account: user2
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/smbpasswd.so' loaded
startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
Forcing Primary Group to 'Domain Users' for user2
tdb(/var/lib/samba/account_policy.tdb): tdb_open_ex: could not open file /var/lib/samba/account_policy.tdb: No such file or directory
Could not open tdb: No such file or directory
account_policy_get: tdb_fetch_uint32_t failed for type 1 (min password length), returning 0
account_policy_get: tdb_fetch_uint32_t failed for type 2 (password history), returning 0
account_policy_get: tdb_fetch_uint32_t failed for type 3 (user must logon to change password), returning 0
account_policy_get: tdb_fetch_uint32_t failed for type 4 (maximum password age), returning 0
account_policy_get: tdb_fetch_uint32_t failed for type 5 (minimum password age), returning 0
account_policy_get: tdb_fetch_uint32_t failed for type 6 (lockout duration), returning 0
account_policy_get: tdb_fetch_uint32_t failed for type 7 (reset count minutes), returning 0
account_policy_get: tdb_fetch_uint32_t failed for type 8 (bad lockout attempt), returning 0
account_policy_get: tdb_fetch_uint32_t failed for type 9 (disconnect time), returning 0
account_policy_get: tdb_fetch_uint32_t failed for type 10 (refuse machine password change), returning 0
Added user user2.
>> ACCOUNT: found SMB Password HASH instead of plain-text password
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/smbpasswd.so' loaded
Forcing Primary Group to 'Domain Users' for user2
Forcing Primary Group to 'Domain Users' for user2
Enabled user user2.
>> ACCOUNT: adding account: user1
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/smbpasswd.so' loaded
Forcing Primary Group to 'Domain Users' for user1
Added user user1.
>> ACCOUNT: found SMB Password HASH instead of plain-text password
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/smbpasswd.so' loaded
Forcing Primary Group to 'Domain Users' for user1
Forcing Primary Group to 'Domain Users' for user1
Enabled user user1.
>> VOLUME: adding volume: Public (path=/shares/public)
>> VOLUME: adding volume: Home (path=/shares/homes/%U)
  >> multiuser volume - /shares/homes/%U
>> VOLUME: adding volume: Public ReadOnly (path=/shares/public)
>> VOLUME: adding volume: TimeMachine (path=/shares/timemachine/%U)
  >> TIMEMACHINE: adding volume to zeroconf: TimeMachine
  >> TIMEMACHINE: zeroconf model: TimeCapsule
  >> TIMEMACHINE: adding samba timemachine specifics to volume config: TimeMachine (/shares/timemachine/%U)
  >> multiuser volume - /shares/timemachine/%U
>> VOLUME: adding volume: Media (path=/shares/media)
>> ZEROCONF: custom avahi samba.service name: StorageServer
>> ZEROCONF: samba.service file
############################### START ####################################
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
 <name replace-wildcards="yes">StorageServer</name>
 <service>
   <type>_smb._tcp</type>
   <port>445</port>
 </service>

 <service>
  <type>_device-info._tcp</type>
  <port>0</port>
  <txt-record>model=TimeCapsule</txt-record>
 </service>

 <service>
  <type>_adisk._tcp</type>
  <txt-record>sys=waMa=0,adVF=0x100</txt-record>
  <txt-record>dk0=adVN=TimeMachine,adVF=0x82</txt-record>
 </service>
</service-group>
################################ END #####################################
>> WSDD2 - DISABLED
>> EXTERNAL AVAHI: found external avahi, now maintaining avahi service file 'samba.service'
>> EXTERNAL AVAHI: internal avahi gets disabled
>> EXTERNAL AVAHI: list of services
-rw-rw-rw-    1 root     root           521 Apr  4 11:32 /external/avahi/samba.service
>> CMD: exec docker CMD
runsvdir -P /container/config/runit
+ sleep 2
+ exec smbd --foreground
[2023/04/04 11:32:06.776433,  0] ../../source3/smbd/server.c:1741(main)
  smbd version 4.16.10 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/04/04 11:32:06.776772,  2] ../../source3/smbd/server.c:1744(main)
  uid=0 gid=0 euid=0 egid=0
[2023/04/04 11:32:06.777860,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2023/04/04 11:32:06.777981,  2] ../../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2023/04/04 11:32:06.778275,  3] ../../source3/param/loadparm.c:3974(lp_load_ex)
  lp_load_ex: refreshing parameters
[2023/04/04 11:32:06.778599,  3] ../../source3/param/loadparm.c:557(init_globals)
  Initialising global parameters
[2023/04/04 11:32:06.778864,  3] ../../source3/param/loadparm.c:2876(lp_do_section)
  Processing section "[global]"
[2023/04/04 11:32:06.779163,  2] ../../source3/param/loadparm.c:2893(lp_do_section)
  Processing section "[Public]"
[2023/04/04 11:32:06.779326,  2] ../../source3/param/loadparm.c:2893(lp_do_section)
  Processing section "[Home]"
[2023/04/04 11:32:06.779488,  2] ../../source3/param/loadparm.c:2893(lp_do_section)
  Processing section "[Public ReadOnly]"
[2023/04/04 11:32:06.779612,  2] ../../source3/param/loadparm.c:2893(lp_do_section)
  Processing section "[TimeMachine]"
[2023/04/04 11:32:06.779875,  2] ../../source3/param/loadparm.c:2893(lp_do_section)
  Processing section "[Media]"
[2023/04/04 11:32:06.780076,  3] ../../source3/param/loadparm.c:1677(lp_add_ipc)
  adding IPC service
  added interface veth7bc2aae ip=169.254.10.36 bcast=169.254.255.255 netmask=255.255.0.0
  added interface vethe23e0c5 ip=169.254.32.188 bcast=169.254.255.255 netmask=255.255.0.0
  added interface veth7c1385a ip=169.254.43.19 bcast=169.254.255.255 netmask=255.255.0.0
  added interface vethcded778 ip=169.254.53.242 bcast=169.254.255.255 netmask=255.255.0.0
  added interface veth6fe3ca9 ip=169.254.131.99 bcast=169.254.255.255 netmask=255.255.0.0
  added interface veth232b952 ip=169.254.172.168 bcast=169.254.255.255 netmask=255.255.0.0
  added interface vetha5f3a81 ip=169.254.220.180 bcast=169.254.255.255 netmask=255.255.0.0
  added interface veth88aafc9 ip=169.254.229.108 bcast=169.254.255.255 netmask=255.255.0.0
  added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0
  added interface br-7b192404602e ip=172.21.0.1 bcast=172.21.255.255 netmask=255.255.0.0
  added interface wlan0 ip=192.168.0.157 bcast=192.168.0.255 netmask=255.255.255.0
  added interface br-4af4a540167a ip=192.168.64.1 bcast=192.168.79.255 netmask=255.255.240.0
  added interface br-0b8e333daa93 ip=192.168.80.1 bcast=192.168.95.255 netmask=255.255.240.0
[2023/04/04 11:32:06.783394,  3] ../../source3/smbd/server.c:1808(main)
  loaded services
[2023/04/04 11:32:06.783642,  1] ../../source3/profile/profile_dummy.c:30(set_profile_level)
  INFO: Profiling support unavailable in this build.
[2023/04/04 11:32:06.783721,  3] ../../source3/smbd/server.c:1827(main)
  Standard input is not a socket, assuming -D option
[2023/04/04 11:32:06.783782,  3] ../../source3/smbd/server.c:1840(main)
  Becoming a daemon.
[2023/04/04 11:32:06.785082,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2023/04/04 11:32:06.785359,  2] ../../source3/passdb/pdb_interface.c:163(make_pdb_method_name)
  No builtin backend found, trying to load plugin
[2023/04/04 11:32:06.786021,  3] ../../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib/samba/pdb/smbpasswd.so' loaded
[2023/04/04 11:32:06.797127,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2023/04/04 11:32:06.798585,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2023/04/04 11:32:06.800645,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2023/04/04 11:32:06.801411,  2] ../../lib/tdb_wrap/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/registry.tdb): tdb_open_ex: could not open file /var/lib/samba/registry.tdb: No such file or directory
[2023/04/04 11:32:06.801557,  3] ../../lib/dbwrap/dbwrap_tdb.c:484(db_open_tdb)
  Could not open tdb: No such file or directory
[2023/04/04 11:32:07.095104,  3] ../../source3/auth/token_util.c:688(finalize_local_nt_token)
  Failed to fetch domain sid for WORKGROUP
[2023/04/04 11:32:07.099922,  2] ../../source3/smbd/server.c:1379(smbd_parent_loop)
  waiting for connections

and also (because of the 65536 character limit here):

Today when I manually try to connect, I get this in the logs (level 10):

[2023/04/04 12:30:21.916925, 10, pid=238, effective(0, 0), real(0, 0)] ../../source3/lib/messages.c:421(messaging_recv_cb)
  messaging_recv_cb: Received message 0x314 len 0 (num_fds:0) from 234
[2023/04/04 12:30:21.917767, 10, pid=238, effective(0, 0), real(0, 0)] ../../source3/smbd/smbd_cleanupd.c:173(smbd_cleanupd_process_exited)
  smbd_cleanupd_process_exited: cleaned up pid 250

I should also mention that the docker-compose.yml example file makes no difference, except it also complains about WSDD2. The issue(s?) is exactly the same.

Any pointers? Please help!

spotlight support

Does this Docker container support the following?:

SAMBA_VOLUME_CONFIG_public: "[Public]; path=/mnt/dataTank; browsable = yes; guest ok = yes; read only = yes; write list = share; spotlight backend = elasticsearch; elasticsearch:address = 192.168.10.100; elasticsearch:port = 9200;"

more specifically:

spotlight backend = elasticsearch
elasticsearch:address = 192.168.10.100
elasticsearch:port = 9200;

I'm getting the following error when starting the container, but I don't know yet if it has been triggered by the above:

tdb(/var/lib/samba/account_policy.tdb): tdb_open_ex: could not open file /var/lib/samba/account_policy.tdb: No such file or directory
Could not open tdb: No such file or directory

UID settings seem to be invalid.

I use samba in podman.
podman run -d --name samba -e ACCOUNT_test=test -e UID_test=0 -e "SAMBA_VOLUME_CONFIG_public=[Public]; path=/shares/public; valid users = test; guest ok = no; read only = no; browseable = yes" -v %h/ZFS/test:/shares/public -p 4450:445 -p 1390:139 -p 4450:445/udp -p 1390:139/udp servercontainers/samba
But when I upload files to the SMB folder, the error says I lack permissions.

################################################################################

Welcome to the servercontainers/samba

################################################################################

>> CONTAINER: starting initialisation
>> SAMBA CONFIG: no $SAMBA_CONF_LOG_LEVEL set, using '1'
>> SAMBA CONFIG: no $SAMBA_CONF_WORKGROUP set, using 'WORKGROUP'
>> SAMBA CONFIG: no $SAMBA_CONF_SERVER_STRING set, using 'Samba Server'
>> SAMBA CONFIG: no $SAMBA_CONF_MAP_TO_GUEST set, using 'Bad User'
>> ACCOUNT: adding account: test
startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
Added user test.
Changing password for test
New password: 
Bad password: too weak
Retype password: 

passwd: password for test changed by root
New SMB password:
Retype new SMB password:

Enabled user test.
>> ZEROCONF: samba.service file
############################### START ####################################
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
 <name replace-wildcards="yes">%h</name>
 <service>
   <type>_smb._tcp</type>
   <port>445</port>
 </service>
</service-group>
################################ END #####################################
>> CMD: exec docker CMD
runsvdir -P /container/config/runit
Found user 'avahi' (UID 86) and group 'avahi' (GID 86).
Successfully dropped root privileges.
avahi-daemon 0.8 starting up.
WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Successfully called chroot().
Successfully dropped remaining capabilities.
Loading service file /services/samba.service.
Joining mDNS multicast group on interface lo.IPv6 with address ::1.
New relevant interface lo.IPv6 for mDNS.
Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
New relevant interface lo.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for ::1 on lo.*.
Registering new address record for 127.0.0.1 on lo.IPv4.
cannot read additional dns hostnames from testparm
cannot read netbios aliases from testparm
starting.
open_ep: SO_RCVBUFFORCE: Operation not permitted
Server startup complete. Host name is ca079d12b56a.local. Local service cookie is 2376014848.
Service "ca079d12b56a" (/services/samba.service) successfully established.
open_ep: SO_RCVBUFFORCE: Operation not permitted
smbd version 4.14.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
uid=0 gid=0 euid=0 egid=0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Processing section "[Public]"
added interface tap0 ip=10.0.2.100 bcast=10.0.2.255 netmask=255.255.255.0
INFO: Profiling support unavailable in this build.
Registered MSG_REQ_POOL_USAGE
No builtin backend found, trying to load plugin
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_POOL_USAGE
daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Failed to fetch record!
waiting for connections
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_POOL_USAGE
check_ntlm_password:  authentication for user [test] -> [test] -> [test] succeeded
Processing section "[Public]"
test-systemproductname (ipv4:10.0.2.100:38292) connect to service Public initially as user test (uid=1000, gid=1000) (pid 85)

But I obviously set the UID to 0.

SAMBA_VOLUME_CONFIG_ should support colons

Thanks for the great work! I especially like the idea of storing users' (hashed) passwords directly into the compose.yaml.

Currently, the space character in the global config key is specially handled, but sometimes we need colons (:) in the key as well.

FYI: fruit:nfs_aces needs to be in the section [global] in order to work.
https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html

Or, we can just support putting custom global config into one key, just like in SAMBA_VOLUME_CONFIG_.

create-hash.sh does not appear to output a valid hash when username is not lowercase

Thanks for the container!

I'm trying to hash my passwords to add to my compose file. I was getting bad password errors when trying to connect to a share after using the hashing script and providing my own username and password. Providing a password in plaintext works perfectly fine.

I tried the hashed example in the provided docker-compose.yml in this repo (with user/pass foo/bar), and it works! For quick reference, that example string is:

foo:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:86C156FC198B358CCCF6278D8BD49B6A:[U          ]:LCT-61B0859A:

But when I run the hashing script and feed it foo/bar, it doesn't seem to produce the same string.

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ docker run -ti --rm --entrypoint create-hash.sh servercontainers/samba
>> Enter username: foo
>> New password:
>> Retype password:
foo:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:86C156FC198B358CCCF6278D8BD49B6A:[U          ]:LCT-63DC4CC7:

And with the string I've generated myself, foo/bar doesn't work, leading me to believe that for whatever reason, the script is not functioning properly right now. I've pulled servercontainers/samba:latest as of writing this issue.

Issue with multiple home directories

Hey, I've been using this container for years, and recently added a second user and came across a bug.

With one user configured in the docker-compose file, if I mount my /home dir and add:
SAMBA_VOLUME_CONFIG_homes: "[homes]; writable = yes; browseable = no;"
to the docker-compose file, all works fine.

When I add a second ACCOUNT_username to the docker-compose file, I lose write access to the shared home folder.

...
    environment:
      ACCOUNT_user1: user1pass
      ACCOUNT_user2: user2pass
      SAMBA_VOLUME_CONFIG_homes: "[homes]; writable = yes; browseable = no;"
    volumes:
      - /home:/home

Is there a preferred way of sharing home folders?

Adding users to groups

Hi,

I think I need my samba users in a group, so I have changed the start command. This is not really readable.

So the questions:

  • Have I missed a better way?
  • Or is it possible to extend the next image with a better solution?

Here is my start command:
command: /bin/bash -c "usermod -aG users user1&usermod -aG users user2&usermod -aG users user3&usermod -aG users user4&usermod -aG users user5&smbd -FS -d 2 < /dev/null"

Greetings
bitmoji

AD Auth

Hi
I was looking at the repo and reading the Readme, but I didn't seem to find how I can add the information to authenticate with my AD server.
I also read #49,
which also showed the SAMBA_GLOBAL_CONFIG_someuniquevalue,
but with this value I assume that the container would also need packages like realmd to connect to the domain to be able to share files?

Thank you

Why is there a volume created at '/shares'?

VOLUME ["/shares"]

It adds a volume with an autogenerated name in docker. But if you only create shares for folders that you also mount, then it will just contain empty folders that correlate with your mounts (assuming you mounted them inside /shares).

Deleted files seems to be moved back automatically in 4.15.2-rc0

Problem Description

After updating to Samba 4.15.2-rc0, files deleted through smb client are automatically added back.

Things I've done to verify

  1. There's no log about it, even after setting the log level to 10.
  2. I tried turning the recycle plugin off/on and it doesn't help.
  3. When I roll back to samba 4.14.8, everything is fine.

Detailed conf

Here's my env confs:

Environment Variable                                  Value
SAMBA_GLOBAL_CONFIG_server_SPACE_min_SPACE_protocol   NT1
SAMBA_GLOBAL_CONFIG_ntlm_SPACE_auth                   ntlmv1-permitted
SAMBA_GLOBAL_CONFIG_bind_SPACE_interfaces_SPACE_only  Yes
SAMBA_CONF_LOG_LEVEL                                  10
SAMBA_VOLUME_CONFIG_public                            [public] ; ea support = No ; kernel share modes = No ; mangled names = no ; nt acl support = No ; path = /mnt/public ; posix locking = No ; read only = No ; vfs objects = catia fruit streams_xattr crossrename recycle ; fruit:resource = stream ; fruit:metadata = stream ; fruit:encoding = native ; crossrename:sizelimit = 5000 ; nfs4:chown = true

Can see my server, but not connect from OSx

I'm pretty clueless on Samba configuration. And I'm stymied with getting the setup to work.

Current behavior on my Mac OSx Big Sur client is that I can discover the server ("newsounds"), but I can't connect.
I'm only setting it up as guest right now. When I connect, a "Loading..." box is briefly displayed before I get "Connection Failed".

I think I've got about the dead simplest setup: not disabling anything, just trying to mount one directory.

docker-compose.yml:

rec@newsounds:~/samba$ cat *
version: '3'
services:
  samba:
    image: servercontainers/samba
    restart: unless-stopped
    network_mode: host
    # uncomment to solve bug: https://github.com/ServerContainers/samba/issues/50 - wsdd2 only - not needed for samba
    cap_add:
      - CAP_NET_ADMIN
    environment:
      AVAHI_NAME: newsounds
      SAMBA_CONF_LOG_LEVEL: 2
      SAMBA_CONF_SERVER_STRING: newsounds
      SAMBA_VOLUME_CONFIG_music: "[Music]; path=/home/shares/Music; guest ok = yes; read only = yes; browseable = yes"
    volumes:
      - /home/${USER}/Music:/home/shares/Music

If I docker exec -it ... into the container, the /home/shares/Music folder exists, has files, and I can read all files in it.

When run from my host, nmblookup '*' does not show the host, though the other samba server on my net does show up.

From the host:

rec@newsounds:~/samba$ smbclient --list=newsounds -N -U guest

	Sharename       Type      Comment
	---------       ----      -------
	Music           Disk
	IPC$            IPC       IPC Service (newsounds)

My host is modern Ubuntu server, headless:

rec@newsounds:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04 LTS
Release:	22.04
Codename:	jammy

The ubuntu firewall is disabled:

rec@newsounds:~/samba$ sudo ufw status
Status: inactive

I've posted the startup log as a gist at https://gist.github.com/cobbr2/328fce96e3e2be2fea34a73f74ae86a7

Thanks for looking, it seems there must be something completely obvious I'm missing.

Samba share is not announced

Hi there,

I set up the docker image based on the docker compose example. However, I have not been able to see the samba share being announced on the network. I'm running the image on a raspberry pi. On my mac I have to manually connect to the server to be able to access the share.

Here is my configuration:

  samba:
    image: servercontainers/samba
    restart: always
    network_mode: host
    environment:
      MODEL: 'MacPro7,1@ECOLOR=226,226,224'
      AVAHI_NAME: StorageServer
      WSDD2_DISABLE: 1
      SAMBA_CONF_LOG_LEVEL: 3
      GROUP_family: 1500
      ACCOUNT_bjoern: "bjoern:redacted"
      UID_bjoern: 1000
      GROUPS_bjoern: family

      SAMBA_VOLUME_CONFIG_shared_home: "[NetShare]; path=/shares/samba_data; valid users = bjoern; guest ok = no; read only = no; browseable = yes"
      SAMBA_VOLUME_CONFIG_timemachine: "[TimeMachine]; path=/shares/timemachine/%U; valid users = bjoern; guest ok = no; read only = no; browseable = yes; fruit:time machine = yes; fruit:time machine max size = 500G"
    volumes:
      - /etc/avahi/services/:/external/avahi
      - /4tb_hdd/samba_data:/shares/samba_data
      - /4tb_hdd/timemachine_data:/shares/timemachine_data

Remove VOLUME declaration from Dockerfile

I'm currently using servercontainers/samba:smbd-wsdd2-latest in this docker-compose stack deployed through Portainer:

version: '2.0'

services:
  samba:
    image: servercontainers/samba:smbd-wsdd2-latest
    container_name: samba
    hostname: my-hostname
    cap_add:
      - CAP_NET_ADMIN
    environment:
      ACCOUNT_samba: $PASSWORD
      UID_samba: 1000
      SAMBA_VOLUME_CONFIG_out: "[My Share];path=shares/out;valid users=samba;guest ok=no;read only=no;browsable=yes"
    restart: unless-stopped
    volumes:
      - /scratch/folder1:/shares/out/folder1:rw
      - /scratch/folder2/output:/shares/out/folder2:rw
      - /scratch/folder3/output:/shares/out/folder3:rw
      - /scratch/folder4:/shares/out/folder4:rw
      - /scratch/folder5:/shares/out/folder5:rw
networks:
  default:
    name: peer
    external: true

This setup works great (peer is an ipvlan peered to host), but as I was cleaning up my instance I noticed a rogue volume associated with this container mounted at /shares. This is coming from a VOLUME ["shares"] in the Dockerfile. In my setup, this volume is meaningless, because I'm mounting into subdirectories of that folder. And I can't create a single combined volume and mount it at /shares without setting up symlinks on the host, which I'd prefer to not do.

Would removing this break any expected behavior? My understanding is that this would be mounted manually anyway, either directly or at a subfolder level. The only case where I can see this breaking is someone using this as a place to create empty shares and fill them, but having that data stored in an anonymous volume seems dangerous.

failed to solve: rpc error: code = Unknown desc

Hello,

I wouldn't call this an issue, rather my mistake but can't realize what. I have minimalist config prepared from your yml example file adapted to my use case and the container doesn't start. I'm out of ideas after checking all closed issues.
I'm using a folder /2share-64G with mask 0777 where a flash drive is permanently mounted on the host. This folder is to be mapped into /share (container).

This is the error while deploying the container:
"failed to solve: rpc error: code = Unknown desc = failed to solve with frontend dockerfile.v0: failed to read dockerfile: open /var/lib/docker/tmp/buildkit-mount2953766315/Dockerfile: no such file or directory"
Much appreciated your time in giving a clue !
And Congrats for the work done here!
A\

yml file ->>
version: '3'

services:
  samba:
    build: .
    image: servercontainers/samba:latest
    container_name: Samba
    hostname: SMB-srv7
    restart: always
    network_mode: host
    # uncomment to solve bug: #50 - wsdd2 only - not needed for samba
    #cap_add:
    #  - CAP_NET_ADMIN
    environment:
      MODEL: 'TimeCapsule'

      SAMBA_CONF_LOG_LEVEL: 3

      # uncomment to disable optional services
      WSDD2_DISABLE: 1
      AVAHI_DISABLE: 1

      GROUP_family: 1500

      ACCOUNT_synchro: <my-pass>
      UID_synchro: 1001
      GROUPS_synchro: family

      SAMBA_VOLUME_CONFIG_syncro: "[2shareHome64]; path=/share; valid users = synchro; guest ok = no; read only = no; browseable = yes"

    volumes:
      # avoid loops when mounting folders to /shares (I'd recommend explicit mapping for each share)
      - /2share-64G:/share

AD/LDAP Authentication

Is there a way to configure authentication of users via Active Directory in this container? Preferably through docker environment variables.

Invalid option -FS: unknown option

When starting the container I get this error in a loop:

>> CMD: exec docker CMD
samba-samba-1  | runsvdir -P /container/config/runit
samba-samba-1  | cannot read additional dns hostnames from testparm
samba-samba-1  | cannot read netbios aliases from testparm
samba-samba-1  | starting.
samba-samba-1  | 
samba-samba-1  | Invalid option -FS: unknown option
samba-samba-1  | 
samba-samba-1  | Usage: smbd [-?bDiFV] [-?|--help] [--usage] [-b|--build-options]
samba-samba-1  |         [-p|--port=STRING] [-P|--profiling-level=PROFILE_LEVEL]
samba-samba-1  |         [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
samba-samba-1  |         [-s|--configfile=CONFIGFILE] [--option=name=value]
samba-samba-1  |         [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
samba-samba-1  |         [-D|--daemon] [-i|--interactive] [-F|--foreground]
samba-samba-1  |         [--no-process-group] [-V|--version]
samba-samba-1  | 
samba-samba-1  | Invalid option -FS: unknown option

Better error messages on malformed config

I accidentally had a typo in a SAMBA_VOLUME_CONFIG and there was no error message, the container just started and then flapped trying to run exec smbd --foreground.

Example bad configuration line (missing ] on the end of the name):

SAMBA_VOLUME_CONFIG_NAS: "[NAS; path=/shares/NAS/%U; valid users = wmoss, john; guest ok = no; read only = no; browseable = yes"

Container logs:

...
samba  | Enabled user wmoss.
samba  | >> VOLUME: adding volume: [NAS; path=/shares/NAS/%U; valid users = wmoss, john; guest ok = no; read only = no; browseable = yes (path=/shares/NAS/%U)
samba  |   >> multiuser volume - /shares/NAS/%U
samba  | >> ZEROCONF: samba.service file
samba  | ############################### START ####################################
samba  | <?xml version="1.0" standalone='no'?>
samba  | <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
samba  | <service-group>
samba  |  <name replace-wildcards="yes">%h</name>
samba  |  <service>
samba  |    <type>_smb._tcp</type>
samba  |    <port>445</port>
samba  |  </service>
samba  | </service-group>################################ END #####################################
samba  | >> WSDD2 - DISABLED
samba  | >> AVAHI - DISABLED
samba  | >> CMD: exec docker CMD
samba  | runsvdir -P /container/config/runit
samba  | + sleep 2
samba  | + exec smbd --foreground
samba  | + sleep 2
samba  | + exec smbd --foreground
samba  | + sleep 2
samba  | + exec smbd --foreground
...
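As an added example (not part of the project's scripts and not from any of the issue posts), here is a small Python renderer/validator for the two conventions that keep appearing in these issues: the `_SPACE_` encoding in SAMBA_GLOBAL_CONFIG_* names and the `[Section]; key = value; ...` layout of SAMBA_VOLUME_CONFIG_* values. It refuses a volume whose first element is not a well-formed `[Name]` header (the missing `]` case above) instead of handing the text to smbd, and the SAMBA_GLOBAL_STANZA variable is a hypothetical one standing in for the "custom global config in one key" proposed in the colons issue, since a name such as fruit:nfs_aces cannot be encoded in an environment variable name.

```python
import re
from typing import Dict, List, Tuple

GLOBAL_PREFIX = "SAMBA_GLOBAL_CONFIG_"   # one parameter per variable; _SPACE_ encodes a space
VOLUME_PREFIX = "SAMBA_VOLUME_CONFIG_"   # value is "[Section]; key = value; ..."
STANZA_VAR = "SAMBA_GLOBAL_STANZA"       # hypothetical: raw "key = value; ..." for [global]

SECTION_RE = re.compile(r"^\[([^\[\]]+)\]$")
PARAM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 _:-]*?)\s*=\s*(.*)$")

# Constructed sample environment, modelled on variables quoted in the issues above.
SAMPLE_ENV: Dict[str, str] = {
    "SAMBA_GLOBAL_CONFIG_server_SPACE_min_SPACE_protocol": "NT1",
    "SAMBA_GLOBAL_CONFIG_ntlm_SPACE_auth": "ntlmv1-permitted",
    "SAMBA_GLOBAL_STANZA": "fruit:nfs_aces = no; fruit:aapl = yes",
    "SAMBA_VOLUME_CONFIG_public": "[Public]; path=/shares/public; valid users = test; "
                                  "guest ok = no; read only = no; browseable = yes",
    # the malformed line from the issue: no closing ']' on the section name
    "SAMBA_VOLUME_CONFIG_NAS": "[NAS; path=/shares/NAS/%U; valid users = wmoss, john; guest ok = no",
}


class ConfigError(ValueError):
    """Raised for a config element smbd would not accept."""


def split_elements(value: str) -> List[str]:
    """Split a ';'-separated value into trimmed, non-empty elements."""
    return [e.strip() for e in value.split(";") if e.strip()]


def parse_param(element: str) -> Tuple[str, str]:
    """Parse one 'key = value' element; colons in the key (fruit:nfs_aces) are allowed."""
    m = PARAM_RE.match(element)
    if m is None:
        raise ConfigError(f"not a 'key = value' element: {element!r}")
    return m.group(1).strip(), m.group(2).strip()


def parse_volume(value: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Parse a SAMBA_VOLUME_CONFIG_* value; the first element must be a [Section] header."""
    elements = split_elements(value)
    if not elements:
        raise ConfigError("empty volume config")
    header = SECTION_RE.match(elements[0])
    if header is None:
        raise ConfigError(f"first element must be '[Name]', got {elements[0]!r}")
    return header.group(1), [parse_param(e) for e in elements[1:]]


def render_smb_conf(env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (smb.conf text, error messages).

    Errors are collected rather than raised so that every malformed variable is
    reported in a single pass; a caller should refuse to start smbd if any exist.
    """
    global_params: List[Tuple[str, str]] = []
    shares: List[Tuple[str, List[Tuple[str, str]]]] = []
    errors: List[str] = []
    for name in sorted(env):
        value = env[name]
        try:
            if name.startswith(GLOBAL_PREFIX):
                key = name[len(GLOBAL_PREFIX):].replace("_SPACE_", " ")
                global_params.append((key, value))
            elif name == STANZA_VAR:
                global_params.extend(parse_param(e) for e in split_elements(value))
            elif name.startswith(VOLUME_PREFIX):
                shares.append(parse_volume(value))
        except ConfigError as exc:
            errors.append(f"{name}: {exc}")
    lines = ["[global]"] + [f"   {k} = {v}" for k, v in global_params]
    for section, params in shares:
        lines += ["", f"[{section}]"] + [f"   {k} = {v}" for k, v in params]
    return "\n".join(lines) + "\n", errors


if __name__ == "__main__":
    conf, errs = render_smb_conf(SAMPLE_ENV)
    print(conf)
    for e in errs:
        print(f"CONFIG ERROR: {e}")
    raise SystemExit(1 if errs else 0)
```

Run stand-alone it prints the rendered config, reports the broken NAS share and exits non-zero, which is the behaviour the issue asks for instead of a silent restart loop.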

wsdd2 won't start on armv7l - Segmentation fault

My device:

bash-5.1# uname -a
Linux lg-red 5.14.2-postmarketos-qcom-msm8974 #1 SMP PREEMPT Wed Sep 22 17:19:22 UTC 2021 armv7l Linux

How I start the docker container:

$ docker run -d --name=samba -e PUID=1000 -e PGID=1000 -e ACCOUNT_SHARED=shared -e SAMBA_GLOBAL_CONFIG_guest_SPACE_account="shared" -e SAMBA_GLOBAL_CONFIG_browseable="yes" -e SAMBA_GLOBAL_CONFIG_writable="yes" -e SAMBA_GLOBAL_CONFIG_netbios_SPACE_name="$HOSTNAME" -e SAMBA_GLOBAL_CONFIG_additional_SPACE_dns_SPACE_hostnames="$HOSTNAME.local" -e SAMBA_GLOBAL_CONFIG_netbios_SPACE_aliases="$HOSTNAME.local" -e SAMBA_VOLUME_CONFIG_SHARES="[shares]" -e SAMBA_VOLUME_CONFIG_1="path = /shares" -e SAMBA_VOLUME_CONFIG_2="readonly = no" -e SAMBA_VOLUME_CONFIG_3="guest only = yes" -e SAMBA_VOLUME_CONFIG_4="guest ok = yes" -e AVAHI_NAME="$HOSTNAME (Samba)" --network host -v /mnt/hdd:/shares --restart unless-stopped --privileged servercontainers/samba

Log from wsdd2

bash-5.1# wsdd2 -W
starting.
ifname (null), ifindex 0
hostname lg-red, netbios name LG-RED, workgroup WORKGROUP
wsdd-mcast-v4 udp port 3702 239.255.255.250 127.0.0.1 @ lo
wsdd-mcast-v4 udp port 3702 239.255.255.250 172.16.42.1 @ usb0
wsdd-mcast-v4 udp port 3702 239.255.255.250 192.168.192.136 @ ztmjfcu42p
wsdd-mcast-v4 udp port 3702 239.255.255.250 172.17.0.1 @ docker0
wsdd-mcast-v4 udp port 3702 239.255.255.250 192.168.0.176 @ eth0
wsdd-mcast-v6 udp port 3702 ff02::c ::1 @ lo
wsdd-mcast-v6 udp port 3702 ff02::c fc9c:be53:b1bb:5a8:817d::1 @ ztmjfcu42p
wsdd-mcast-v6 udp port 3702 ff02::c fe80::c8be:ceff:fe9b:6001 @ ztmjfcu42p
wsdd-mcast-v6 udp port 3702 ff02::c fe80::42:6cff:fe3c:70c2 @ docker0
wsdd-mcast-v6 udp port 3702 ff02::c 2002:c634:bfd7:1:497e:742d:7bf9:118e @ eth0
wsdd-mcast-v6 udp port 3702 ff02::c 2002:c634:bfd7:1:39eb:ec6d:7b76:394e @ eth0: already bound
wsdd-mcast-v6 udp port 3702 ff02::c fe80::55cf:8d38:3d8b:cf7 @ eth0: already bound
wsdd-http-v4 tcp port 3702 - 172.16.42.1 @ usb0
wsdd-http-v4 tcp port 3702 - 192.168.0.176 @ eth0
wsdd-http-v6 tcp port 3702 - 2002:c634:bfd7:1:497e:742d:7bf9:118e @ eth0
wsdd-http-v6 tcp port 3702 - 2002:c634:bfd7:1:39eb:ec6d:7b76:394e @ eth0: already bound
wsdd-http-v6 tcp port 3702 - fe80::55cf:8d38:3d8b:cf7 @ eth0: already bound
llmnr-mcast-v4 udp port 5355 224.0.0.252 172.16.42.1 @ usb0
llmnr-mcast-v4 udp port 5355 224.0.0.252 192.168.0.176 @ eth0
llmnr-mcast-v6 udp port 5355 ff02::1:3 2002:c634:bfd7:1:497e:742d:7bf9:118e @ eth0
llmnr-mcast-v6 udp port 5355 ff02::1:3 2002:c634:bfd7:1:39eb:ec6d:7b76:394e @ eth0: already bound
llmnr-mcast-v6 udp port 5355 ff02::1:3 fe80::55cf:8d38:3d8b:cf7 @ eth0: already bound
llmnr-tcp-v4 tcp port 5355 - 172.16.42.1 @ usb0
llmnr-tcp-v4 tcp port 5355 - 192.168.0.176 @ eth0
llmnr-tcp-v6 tcp port 5355 - 2002:c634:bfd7:1:497e:742d:7bf9:118e @ eth0
llmnr-tcp-v6 tcp port 5355 - 2002:c634:bfd7:1:39eb:ec6d:7b76:394e @ eth0: already bound
llmnr-tcp-v6 tcp port 5355 - fe80::55cf:8d38:3d8b:cf7 @ eth0: already bound
Segmentation fault (core dumped)

It works fine with LLMNR only mode:

bash-5.1# wsdd2 -l
starting.

Recommendation:

Allow specifying arguments and pass to wsdd2, so I can pass -l to it to avoid segmentation fault. Yes I need LLMNR only.

fruit:advertise_fullsync does not exist in the official Samba configuration documentation

I can't find this config key in the official documentation, but I found this link via Google, which says:

# This isn't mentioned in the docs, hmm:
## INCORRECT PARAMETER - FULLSYNC ENABLE BY FRUIT:TIME MACHINE- SEE VFS_FRUIT DOC
##fruit:advertise_fullsync = true

So I want to know where this configuration is imported from. And thank you for your work on this wonderful project.

Can't access the share after adding root account

Hi,

I'm using Docker in rootless mode, which maps uid 0 in the container to my uid on the host. However, after adding ACCOUNT_root, UID_root, and GROUPS_root, the share (Backups) can't be accessed anymore (not even by the non-root account). The public share can still be used though.

docker-compose.yml:

services:
  samba:
    container_name: samba
    hostname: ${SMB_SERVER_NAME}
    image: servercontainers/samba:a3.15.4-s4.15.5-r0
    cap_add:
     - CAP_NET_ADMIN
    env_file:
      - .env
    ports:
      - "137:137/udp"
      - "138:138/udp"
      - "139:139/tcp"
      - "445:445/tcp"
    volumes:
      - ./backups:/shares/backups
      - ./public:/shares/public
    restart: always

.env:

TZ=Asia/Bangkok
SMB_SERVER_NAME=orangepi
GROUP_family=1500
ACCOUNT_alice=alipass
UID_alice=1000
GROUPS_alice=family
ACCOUNT_root=rootpass
UID_root=0
GROUPS_root=family
SAMBA_CONF_LOG_LEVEL=3
SAMBA_VOLUME_CONFIG_Public=[Public]; path=/shares/public; guest ok = yes; read only = no; browseable = yes
SAMBA_VOLUME_CONFIG_Backups=[Backups]; path=/shares/backups; valid users = alice, root; guest ok = no; read only = no; browseable = yes; force group = family

ls -la on the host:

drwxrwxrwx 2 myuser myuser 4096 Apr 13 12:20 backups
-rw-r--r-- 1 myuser myuser  445 Apr 13 12:03 docker-compose.yml
-rw-r--r-- 1 myuser myuser  471 Apr 13 12:30 .env
drwxrwxrwx 2 myuser myuser 4096 Apr 13 12:12 public

ls -la /shares/ in the container:

drwxr-xr-x    4 root     root          4096 Apr 13 05:04 .
drwxr-xr-x    1 root     root          4096 Apr 13 05:30 ..
drwxrwxrwx    2 root     root          4096 Apr 13 05:20 backups
drwxrwxrwx    2 root     root          4096 Apr 13 05:12 public

Logs: https://gist.github.com/weeix/e7ee6bd6521995bd9ded68b833b9d86c

Screenshot: (image)

Server Env:

  • Armbian 11 (bullseye)
  • Docker 20.10.14 (linux/arm64)
  • Docker Compose 2.4.1
  • servercontainers/samba:a3.15.4-s4.15.5-r0

Client Env:

  • Windows 11 Home 21H2

Shares are readonly

All my shares are readonly. What am I doing wrong here?

config:

version: '3'
 
services:
  samba:
    build: .
    image: servercontainers/samba
    container_name: samba
    #network_mode: host
    hostname: ${SMB_SERVER_NAME}
      
    environment:
      MODEL: 'TimeCapsule'
      AVAHI_NAME: ${SMB_SERVER_NAME}
      SAMBA_CONF_WORKGROUP: protech    
      SAMBA_CONF_LOG_LEVEL: 3

      # uncomment to disable optional services
      #WSDD2_DISABLE: 1
      #AVAHI_DISABLE: 1
      
      ACCOUNT_jeroen: ${SMB_PWD_JEROEN}
      UID_jeroen: 1000
      
      ACCOUNT_nathalie: ${SMB_PWD_NATHALIE}
      UID_nathalie: 1020
      
      GROUP_Backups: 1001
      GROUP_Downloads: 1002
      GROUP_Games: 1003
      GROUP_Nathalie: 1004
      GROUP_Media: 1005
      GROUP_Music: 1006
      GROUP_TMP: 1007
      GROUP_Pictures: 1008
      GROUP_Software: 1009
      GROUP_Jeroen: 1010
      GROUP_Personal: 1011
      GROUP_Dump: 1012
      GROUP_Ebooks: 1013
      GROUP_Movies: 1014
      GROUP_Docs: 1015
      GROUP_Sport: 1016
      GROUP_veeam: 1021
      GROUPS_jeroen: Backups,Downloads,Games,Nathalie,Media,Music,TMP,Pictures,Dump,Ebooks,Docs,Sport,Movies,veeam,Software,Jeroen,Personal
      GROUPS_nathalie: Media,Music,Pictures,Personal,Dump,Software,Nathalie
      
      #Download share
      SAMBA_VOLUME_CONFIG_Downloads: "[Downloads]; path=/shares/Downloads; valid users = @Downloads; force group = Downloads; invalid users = nathalie"
      #Software share
      SAMBA_VOLUME_CONFIG_Software: "[Software]; path=/shares/Software; valid users = @Software; force group = Software; read list = nathalie"
      #Media share
      SAMBA_VOLUME_CONFIG_Media: "[Media]; path=/shares/Media; valid users = @Media; force group = Media; read list = nathalie"
      #Personal share
      SAMBA_VOLUME_CONFIG_Personal: "[Personal]; path=/shares/Personal"
      #Dump share
      SAMBA_VOLUME_CONFIG_Dump: "[Dump]; path=/shares/Dump; valid users = @Dump; force group = Downloads"

    volumes:      
      - ${NAS_FOLDER}/Downloads:/shares/Downloads
      - ${NAS_FOLDER}/Software:/shares/Software
      - ${NAS_FOLDER}/Media:/shares/Media
      - ${NAS_FOLDER}/Personal:/shares/Personal
      - ${NAS_FOLDER}/Dump:/shares/Dump
      
    ports:
      - ${Host_LAN_IP}:137:137/udp
      - ${Host_LAN_IP}:138:138/udp
      - ${Host_LAN_IP}:139:139/tcp
      - ${Host_LAN_IP}:445:445/tcp
      
    restart: unless-stopped

Filesystem:

total 20
drwxrwx--- 2 root   1002 4096 Dec  4  2016 Downloads
drwxrwx--- 7 jeroen 1012 4096 Feb 19 20:26 Dump
drwxrwx--- 9 jeroen 1005 4096 Feb 20 19:19 Media
drwxrwx--- 5 root   1011 4096 Feb 19 19:46 Personal
drwxrwx--- 8 jeroen 1009 4096 Nov 18 16:15 Software

Container logs:

Attaching to samba
samba  | ################################################################################
samba  | 
samba  | Welcome to the servercontainers/samba
samba  | 
samba  | ################################################################################
samba  | 
samba  | >> CONTAINER: already initialized - direct start of samba
samba  | >> CMD: exec docker CMD
samba  | runsvdir -P /container/config/runit
samba  | Process 326 died: No such process; trying to remove PID file. (/run/avahi-daemon//pid)
samba  | Found user 'avahi' (UID 86) and group 'avahi' (GID 86).
samba  | Successfully dropped root privileges.
samba  | avahi-daemon 0.8 starting up.
samba  | WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
samba  | Successfully called chroot().
samba  | Successfully dropped remaining capabilities.
samba  | Loading service file /services/samba.service.
samba  | Joining mDNS multicast group on interface eth0.IPv4 with address 172.16.9.2.
samba  | New relevant interface eth0.IPv4 for mDNS.
samba  | Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
samba  | New relevant interface lo.IPv4 for mDNS.
samba  | Network interface enumeration completed.
samba  | Registering new address record for 172.16.9.2 on eth0.IPv4.
samba  | Registering new address record for 127.0.0.1 on lo.IPv4.
samba  | cannot read additional dns hostnames from testparm
samba  | cannot read netbios aliases from testparm
samba  | starting.
samba  | open_ep: SO_RCVBUFFORCE: Operation not permitted
samba  | Server startup complete. Host name is NASje.local. Local service cookie is 4067034504.
samba  | Service "NASje" (/services/samba.service) successfully established.

Here I am trying to remove a file in the Dump folder as samba user: jeroen


swarm mode not supported

Might be worth noting that the docker-compose.yml is limited in swarm mode due to the build option. This is ignored in swarm mode, so the Dockerfile is not executed and wsdd/avahi don't work.
Will do a PR if I succeed fixing this.

Latest tag fails to init user

The latest version of the image seems to fail on startup when setting up the users.

Here is a sample compose file:

services:
  samba:
    image: servercontainers/samba
    cap_add:
      - CAP_NET_ADMIN
    network_mode: host
    restart: unless-stopped
    environment:
      SAMBA_CONF_WORKGROUP: HOME
      ACCOUNT_admin: password
      UID_admin: 1000
      GROUPS_admin: admin
      GROUP_admin: 1000
      SAMBA_VOLUME_CONFIG_backup: "[Backup]; path=/shares/backup; valid users = admin; guest ok = no; read only = no; browseable = yes"
    volumes:
      - /mnt/backup:/shares/backup

Here is the beginning of the log when starting the container for the first time:

samba-samba-1  | ################################################################################
samba-samba-1  |
samba-samba-1  | Welcome to the servercontainers/samba
samba-samba-1  |
samba-samba-1  | ################################################################################
samba-samba-1  |
samba-samba-1  | >> CONTAINER: starting initialisation
samba-samba-1  | >> SAMBA CONFIG: no $SAMBA_CONF_LOG_LEVEL set, using '1'
samba-samba-1  | >> SAMBA CONFIG: no $SAMBA_CONF_SERVER_STRING set, using 'Samba Server'
samba-samba-1  | >> SAMBA CONFIG: no $SAMBA_CONF_MAP_TO_GUEST set, using 'Bad User'
samba-samba-1  | >> GROUP: adding group admin with GID: 1000
samba-samba-1  | >> ACCOUNT: adding account: admin with UID: 1000
samba-samba-1  | adduser: uid '1000' in use
samba-samba-1  | startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
samba-samba-1  | Failed to add entry for user admin.
samba-samba-1  | passwd: unknown user admin
samba-samba-1  | New SMB password:
samba-samba-1  | Failed to find entry for user admin.
samba-samba-1  | Retype new SMB password:
samba-samba-1  | Failed to find user admin in passdb backend.
samba-samba-1  | >> ACCOUNT: adding account: admin to group: admin
samba-samba-1  | addgroup: unknown user admin
samba-samba-1  | >> VOLUME: adding volume: Backup (path=/shares/backup)

This type of error usually happens when wrong params are sent to adduser. I saw a commit in another samba repo that seems to fix a similar issue: dperson/samba@e059b4f
Maybe this can help fix it here.

Thanks for your help!

Please provide guidance on sharing mounted volumes.

Thank you for your work.

I'm working on adopting this image, and my specific use case is to samba share specific directories on the host machine from the docker image.

I've setup a docker-compose file, defined like this:

networks:
  samba:
    driver: bridge
services:
  samba:
    restart: unless-stopped
    image: servercontainers/samba:{{ samba.version }}
    networks:
      - samba
    volumes:
      # This is the parent folder of all HLOS storage
      - "{{ storage_dir }}:/media"
    ports:
      - 139:139
      - 445:445
    environment:
      - SAMBA_CONF_WORKGROUP={{samba.workgroup}}
      - SAMBA_CONF_SERVER_STRING={{samba.server_string}}
      - SAMBA_CONF_MAP_TO_GUEST={{samba.map_to_guest}}
      - ACCOUNT_{{default_username}}={{default_password}}
      - SAMBA_VOLUME_CONFIG_HomelabOS="[HomelabOS]; path=/media; guest ok = yes; valid users = {{default_username}} read only = no; browseable = true;"

It's being deployed to the host via ansible, so the {{ var }} bits are variable substitution that also happens to mask my user/pass ;)

Unfortunately, while I can authenticate to the machine using CIFS/SMB it never lets me actually connect, and see files. The logs show this:

>> CONTAINER: starting initialisation
>> ACCOUNT: adding account: kpoorman
New password: Retype new password: passwd: password updated successfully
New SMB password:
Retype new SMB password:
Added user kpoorman.
Enabled user kpoorman.
>> CMD: exec docker CMD
bash -c smbd -FS -d 2 < /dev/null
smbd version 4.9.5-Debian started.
Copyright Andrew Tridgell and the Samba Team 1992-2018
uid=0 gid=0 euid=0 egid=0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
added interface eth0 ip=172.28.0.2 bcast=172.28.255.255 netmask=255.255.0.0
INFO: Profiling support unavailable in this build.
daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Failed to fetch record!
waiting for connections
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x55e759dd1510] mpx_fde[(nil)] fd[12] - disabling
check_ntlm_password:  authentication for user [kpoorman] -> [kpoorman] -> [kpoorman] succeeded
│   process_usershare_file: stat of /var/lib/samba/usershares/homelabos failed. No such file or directory                                                                                                                │
│   process_usershare_file: stat of /var/lib/samba/usershares/homelabos failed. No such file or directory                                                                                                                │
│   process_usershare_file: stat of /var/lib/samba/usershares/homelabos failed. Permission denied                                                                                                                        │
│   process_usershare_file: stat of /var/lib/samba/usershares/homelabos failed. Permission denied                                                                                                                        │
│   check_usershare_stat: file /var/lib/samba/usershares/ owned by uid 0 is not a regular file

I'm not sure what I need to do to enable this?

FQDN for Avahi hostname

When using an FQDN as the Avahi hostname, it gets a .local extension.
Would it be possible to set only the FQDN as the Avahi hostname?

Healthcheck failed

The avahi-daemon runs as the avahi user.
The health check script first filters out processes with the root user ps aux | grep '[0-9] root'.
This results in an unhealthy container status.

ps aux
PID USER TIME COMMAND
1 root 0:00 runsvdir -P /container/config/runit
101 root 0:00 runsv wsdd2
102 root 0:00 runsv avahi
103 root 0:00 runsv samba
104 root 0:00 smbd --foreground
105 root 0:00 /usr/sbin/wsdd2
108 avahi 0:00 avahi-daemon: running [udocker.local]
109 avahi 0:00 avahi-daemon: chroot helper
111 root 0:00 {smbd-notifyd} smbd --foreground
112 root 0:00 {cleanupd} smbd --foreground
113 root 0:00 /usr/lib/samba/samba-bgqd --ready-signal-fd=45 --parent-watch-fd=12 --debuglevel=9 -F
152 root 0:00 sh
220 root 0:00 ps aux
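A process check that does not assume every daemon runs as root, as an added example (it is not the project's healthcheck script): it takes the ps aux output above as constructed sample input, records which user each required daemon runs as, and only requires root for the daemons that are expected to be root. The process names, the busybox ps column layout and the AVAHI_DISABLE / WSDD2_DISABLE variables are the ones shown in this issue; the function names are mine.

```shell
#!/bin/sh
# Added example (not the project's healthcheck script): a process check that
# records which user each daemon runs as instead of only looking at root
# processes. Function names are mine; the process names, the busybox `ps aux`
# column layout (PID USER TIME COMMAND) and the AVAHI_DISABLE / WSDD2_DISABLE
# variables are the ones shown in this issue.

# Constructed sample: the `ps aux` output from the report.
SAMPLE_PS='PID USER TIME COMMAND
1 root 0:00 runsvdir -P /container/config/runit
101 root 0:00 runsv wsdd2
102 root 0:00 runsv avahi
103 root 0:00 runsv samba
104 root 0:00 smbd --foreground
105 root 0:00 /usr/sbin/wsdd2
108 avahi 0:00 avahi-daemon: running [udocker.local]
109 avahi 0:00 avahi-daemon: chroot helper
111 root 0:00 {smbd-notifyd} smbd --foreground
112 root 0:00 {cleanupd} smbd --foreground'

# user_of PS_TEXT PREFIX -> USER column of the first process whose COMMAND
# starts with PREFIX, empty if none. Matching only the command column means a
# grep running inside the health check can never match itself.
user_of() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        NR > 1 {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            if (index(cmd, pat) == 1) { print $2; exit }
        }'
}

# check_daemons PS_TEXT -> one line per daemon ("name user", "name disabled",
# "name MISSING" or "name WRONG-USER:user"); returns 0 only when every enabled
# daemon is running as the user it is expected to run as.
check_daemons() {
    ps_text=$1
    status=0
    for spec in 'smbd|smbd --foreground|root' \
                'avahi|avahi-daemon: running|avahi' \
                'wsdd2|/usr/sbin/wsdd2|root'; do
        name=${spec%%|*}; rest=${spec#*|}
        prefix=${rest%%|*}; want=${rest#*|}
        # Optional services are skipped when disabled through the environment.
        case $name in
            avahi) disabled=${AVAHI_DISABLE:-} ;;
            wsdd2) disabled=${WSDD2_DISABLE:-} ;;
            *)     disabled= ;;
        esac
        if [ "$disabled" = true ]; then
            echo "$name disabled"; continue
        fi
        got=$(user_of "$ps_text" "$prefix")
        if [ -z "$got" ]; then
            echo "$name MISSING"; status=1
        elif [ "$got" != "$want" ]; then
            echo "$name WRONG-USER:$got"; status=1
        else
            echo "$name $got"
        fi
    done
    return $status
}

# Inside the container the check would be run as: check_daemons "$(ps aux)"
```

Checking the expected user per daemon (rather than filtering the whole listing on root) also catches the opposite failure, a daemon that was supposed to drop privileges but is still running as root.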

Username cannot be added

data.env:

WSDD2_DISABLE=true
AVAHI_DISABLE=true
GROUP_foo=1001
ACCOUNT_foo=mooh
UID_foo=1001
GROUPS_foo=foo
SAMBA_CONF_LOG_LEVEL=3
SAMBA_CONF_MAP_TO_GUEST=never
SAMBA_VOLUME_CONFIG_data=[data]; comment=data share on server; path=/shares/data; writeable=yes; guest ok=no; read only=no

run:

docker run --rm --env-file ./data.env -v /path/to/data:/shares/data -p 139:139 -p 445:445 ghcr.io/servercontainers/samba:smbd-only-latest

It returns that the user foo cannot be added:

mkdir: can't create directory '/var/run/samba': File exists
>> CONTAINER: starting initialisation
cp: can't stat '/container/config/avahi/samba.service': No such file or directory
>> SAMBA CONFIG: no $SAMBA_CONF_WORKGROUP set, using 'WORKGROUP'
>> SAMBA CONFIG: no $SAMBA_CONF_SERVER_STRING set, using 'Samba Server'
>> GROUP: adding group foo with GID: 1001
>> ACCOUNT: adding account: foo with UID: 1001
adduser: uid '1001' in use

which leads to follow-up errors.

I exec'd into the container and indeed cannot create the user, but the user does not show up in /etc/passwd. On other systems it appears to be no problem to add a user and a group with the same name and IDs.

Any idea?

Avahi service-group tag isn't closed with multiple txt-records

Hello! I found your project as one of the easiest to adapt as a TimeMachine Samba container.

I was able to access Samba with a direct connection from macOS, but it would not appear in auto-discovery. In the startup log, I noticed </service-group> was missing at the end of samba.service:

>> ZEROCONF: samba.service file
############################### START ####################################
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
 <name replace-wildcards="yes">My TimeCapsule</name>
 <service>
   <type>_smb._tcp</type>
   <port>445</port>
 </service>

 <service>
  <type>_device-info._tcp</type>
  <port>0</port>
  <txt-record>model=TimeCapsule</txt-record>
 </service>

 <service>
  <type>_adisk._tcp</type>
  <txt-record>sys=waMa=0,adVF=0x100</txt-record>
  <txt-record>dk0=adVN=TimeCapsule A,adVF=0x82</txt-record>
  <txt-record>dk1=adVN=TimeCapsule B,adVF=0x82</txt-record>
  <txt-record>dk2=adVN=TimeCapsule C,adVF=0x82</txt-record>
 </service>
################################ END #####################################

I cloned the repo and modified scripts/entrypoint.sh: line 123 no longer inserts </service-group> at the end of the samba.service file. Instead, I added it after the if-block for dk txt-records, on line 129 or so:

        if ! grep '<txt-record>dk' /etc/avahi/services/samba.service 2> /dev/null >/dev/null;
        then
          # for first time add complete service
          echo '
 <service>
  <type>_adisk._tcp</type>
  <txt-record>sys=waMa=0,adVF=0x100</txt-record>
  <txt-record>dk'"$NUMBER"'=adVN='"$VOL_NAME"',adVF=0x82</txt-record>
 </service>' >> /etc/avahi/services/samba.service
        else
          # from the second one only append new txt-record
          REPLACE_ME=$(grep '<txt-record>dk' /etc/avahi/services/samba.service | tail -n 1)
          sed -i 's;'"$REPLACE_ME"';'"$REPLACE_ME"'\n  <txt-record>dk'"$NUMBER"'=adVN='"$VOL_NAME"',adVF=0x82</txt-record>;g' /etc/avahi/services/samba.service
        fi
        echo '
</service-group>' >> /etc/avahi/services/samba.service
    fi

I modified my local docker-compose.yml to use this new context, and it works perfectly now.
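The same service file rendered in a single pass, as an added example that is not the project's entrypoint.sh: the volume names are collected first and the whole service-group is written at once, so the closing tag is emitted exactly once no matter how many dk records there are, and the XML-special characters in the names (which come straight from environment variables) are escaped instead of being pasted into the file with sed. The service types and TXT record values are the ones in the file above; the function names are mine.

```shell
#!/bin/sh
# Added example (not the project's entrypoint.sh): render the Avahi
# samba.service XML in one pass from the list of Time Machine volume names.
# The _smb/_device-info/_adisk service types and the TXT record values
# (sys=waMa=0,adVF=0x100 and dkN=adVN=<name>,adVF=0x82) are copied from the
# file shown in the issue; the function names are mine.

# xml_escape STRING -> STRING with &, <, >, " and ' escaped. Volume names are
# taken from environment variables, so they must not be able to inject
# markup into the service file.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# render_avahi_service NAME MODEL [VOLUME ...]
# Prints a complete service-group. The _adisk service and its dk records are
# only emitted when at least one volume is given, and </service-group> is
# written exactly once, after every record has been added.
render_avahi_service() {
    name=$(xml_escape "$1"); model=$(xml_escape "$2"); shift 2
    cat <<EOF
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
 <name replace-wildcards="yes">$name</name>
 <service>
   <type>_smb._tcp</type>
   <port>445</port>
 </service>

 <service>
  <type>_device-info._tcp</type>
  <port>0</port>
  <txt-record>model=$model</txt-record>
 </service>
EOF
    if [ $# -gt 0 ]; then
        printf '\n <service>\n  <type>_adisk._tcp</type>\n'
        printf '  <txt-record>sys=waMa=0,adVF=0x100</txt-record>\n'
        n=0
        for vol in "$@"; do
            printf '  <txt-record>dk%d=adVN=%s,adVF=0x82</txt-record>\n' \
                "$n" "$(xml_escape "$vol")"
            n=$((n + 1))
        done
        printf ' </service>\n'
    fi
    printf '</service-group>\n'
}

# service_file_balanced TEXT -> 0 if every opening element in TEXT has a
# matching closing tag: a cheap well-formedness check to run on the rendered
# file before avahi-daemon is pointed at it.
service_file_balanced() {
    printf '%s\n' "$1" | awk '
        {
            line = $0
            while (match(line, /<\/?[A-Za-z][A-Za-z0-9-]*/)) {
                tag = substr(line, RSTART + 1, RLENGTH - 1)
                if (substr(tag, 1, 1) == "/") depth[substr(tag, 2)]--
                else depth[tag]++
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { bad = 0; for (t in depth) if (depth[t] != 0) bad = 1; exit bad }'
}

# Example use:
#   render_avahi_service 'My TimeCapsule' TimeCapsule 'TimeCapsule A' 'TimeCapsule B' \
#       > /etc/avahi/services/samba.service
```

Rendering from the full list rather than appending per volume is what removes the ordering problem the patch above works around: there is no second code path that has to remember whether the closing tag was already written.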

Overly verbose logging to stdout (and thus into the Docker host's syslog)

Samba seems to be configured to provide very verbose logging output to stdout, including logging every time a file is opened and closed. When used for a Time Machine backup, this is a lot of spam in syslog on the Docker host.

It does not appear possible to configure this through setting SAMBA_GLOBAL_CONFIG_log or SAMBA_GLOBAL_CONFIG_log_level.

Workaround is to set the docker instance's logging driver to 'none', but of course this entirely disables logging for it.

Sample:

Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/6bb read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/663 (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/6af read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/34 (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/69a read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/679 (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/6ab read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/69e (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/69d read=No write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/69d (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/69d read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/6b8 (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/6a9 read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/5b (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/696 read=No write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/696 (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/696 read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/63 (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/6a0 read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/699 (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/69e read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/69b (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/69b read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/6b4 (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/6c9 read=Yes write=No (numopen=16)
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio closed file luxo.sparsebundle/bands/6af (numopen=15) NT_STATUS_OK
Aug 07 20:46:09 wall-e docker-compose[929]: samba_1 | barberio opened file luxo.sparsebundle/bands/6bf read=Yes write=No (numopen=16)

[Feature request] Customize user gid through an environment variable

Hello! Me again, sorry to disturb you! 😄

I have a request for you. Actually, if I try to write to a share with a defined user, e.g. media, the file will belong to media/media (for uid=1035, so 1035/1035). This is perfectly fine on classic Linux distros, but NASes and their custom Linux implementations often lock GID values to a certain extent.

For instance, Synology uses gid=100 for basic users, and 65000+ for user-defined groups.
To ensure there aren't any permission denials, being able to choose the GID of our user would be awesome. Have a look at the following screenshot: if I could set GID_media=100 (the gid of the "users" group), it would be flawless:

gid_samba

excessive permissions on timemachine parent folder

Hi!

In June last year you committed change befc254 to scripts/samba_create_timemachine_user_dir.sh (now: samba_create_user_dir.sh), adding two lines which force the timemachine root folder to be owned by nobody:nogroup and have its file mode bits set to 777. While I can't think of any reasonable scenario that could require this, there surely is a reason why this has been implemented.

Now while this may not seem to matter much in the closed container environment, it may easily become a security issue on the docker host system. Making the directory world readable will allow every user on the host system to change the directory contents, e.g. rename subdirectories and create new ones with arbitrary (malicious) content. I know nothing about TimeMachine, but as this applies to all multi-user shares (having a path ending with '%U'), it may also affect user home directories which are shared that way.

In my case, I defined a docker volume '/home:/shares/home/' and a samba volume with 'path=/shares/home/%U'; this would leave my /home on the host system with 777 permissions. Any local user (attacker) could now rename the home directory of another user (victim) and place a malicious .bashrc in it, which will be executed upon login of the victim with the victim's UID/GID. If done cleverly, the victim would not even notice, and the attacker could at least gain access to all of the victim's files and spy on their shell input/output.

Suggested remedy: fully revert change befc254. Is it really needed? There should be nothing writing to parent directories of samba shares (except samba_create_user_dir.sh), in my very humble opinion. As long as the directory is readable and executable, we should change neither ownership nor permissions.

If this still breaks TimeMachine shares, maybe permissions could be restricted to 775? Please note this might still create a security issue on the host system (or any other system which has access to the filesystem if it is shared) under some circumstances, as GIDs are not synced between containers and their host. The GID 65533 of nogroup in your container may be used for anything on the host system, and every user could be a member of it.

Please also note that group "nogroup" in your container does not have any users assigned to it. The primary group of user "nobody" is "nobody". Maybe you wanted to use group "nobody" in the first place. But again, this may just be some TimeMachine / Mac OS weirdness.

Maybe the behaviour should also at least be limited to TimeMachine shares, if it is really necessary and cannot be mitigated otherwise. Your entrypoint.sh could specify a parameter to samba_create_user_dir.sh, passed via samba preexec, which enables/disables the chown and chmod.

In any case, if permissions/ownership need to be changed, place a prominent warning in the documentation of SAMBA_VOLUME_CONFIG_myconfigname, making users aware of possible implications.

Using "servercontainers/samba:latest" with "Created": "2022-01-20T09:28:41.6175721Z".

Kind regards
Daniel
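An audit for the condition described in this report and a per-user directory creation that leaves the share root untouched, as an added example (not the project's samba_create_user_dir.sh): world-writable share roots without the sticky bit are flagged, since on such a directory any local user can rename or replace other users' entries, while a sticky world-writable directory such as /tmp is not. The helper names and the temporary directory layout are mine; the mode check uses GNU/busybox stat -c and find -maxdepth, and the chown is only attempted when the user exists, so the example runs unprivileged.

```shell
#!/bin/sh
# Added example (not the project's samba_create_user_dir.sh). Function names
# and the temporary directory layout are mine. Assumes GNU/busybox stat and
# find, which is what the container and most Linux hosts provide.

# dir_mode PATH -> octal permission bits of PATH, e.g. 777 or 1777
dir_mode() { stat -c '%a' "$1"; }

# world_writable PATH -> 0 if PATH is writable by everyone and not sticky.
# A sticky world-writable directory (like /tmp) still prevents users from
# renaming or deleting entries they do not own, so it is not flagged.
world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -002 ! -perm -1000 -print 2>/dev/null)" ]
}

# audit_share_roots ROOT... -> prints one line per root, returns 1 if any root
# is writable by every local user of the host.
audit_share_roots() {
    rc=0
    for d in "$@"; do
        if world_writable "$d"; then
            printf 'WARN %s mode %s is world-writable without sticky bit\n' "$d" "$(dir_mode "$d")"
            rc=1
        else
            printf 'OK   %s mode %s\n' "$d" "$(dir_mode "$d")"
        fi
    done
    return $rc
}

# create_user_dir ROOT USER [GROUP]
# Creates ROOT/USER for a per-user (%U) share and prints its path. Only the new
# directory is chowned and set to 0700; ROOT itself is left exactly as the host
# mounted it. USER is validated so a crafted name cannot escape ROOT.
create_user_dir() {
    root=$1; user=$2; group=${3:-}
    [ -d "$root" ] || { printf 'share root %s does not exist\n' "$root" >&2; return 1; }
    case $user in
        ''|*/*|.|..) printf 'invalid user name: %s\n' "$user" >&2; return 1 ;;
    esac
    target="$root/$user"
    if [ ! -d "$target" ]; then
        mkdir "$target" || return 1
        chmod 0700 "$target"
        # chown needs privileges; only attempt it for an account that exists.
        if id "$user" >/dev/null 2>&1; then
            chown "$user${group:+:$group}" "$target"
        fi
    fi
    printf '%s\n' "$target"
}

# Example use on a host: audit_share_roots /home /srv/timemachine
```

The audit is worth running on the host side of every bind mount after the container has started, because the container's chown/chmod acts on the host filesystem regardless of how the path looks from inside.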

Clients can see Samba server, but are unable to see/browse/connect to shares

Host OS: Debian Testing (Bookworm), current as at 28/12/22 06:00UTC
Docker version: Docker 20:10:21 (current stable version from https://download.docker.com/linux/debian/dists/bullseye/stable/ - there's no repository for Debian testing/Bookworm)
Container version: servercontainers/samba:smbd-avahi-latest (also occurs with samba:latest)
Client OS: Various - Debian testing/Bookworm, MacOS 12.6.1/12.6/12.5.1

Issue: Clients can see the server, but are unable to see shares, browse shares or connect to shares directly. Suspect this is related to a package update on Debian testing.

Background: Have been running this Samba container release happily for several months. A few weeks ago I updated the host OS to Debian Testing (Bookworm) to support other software (mailctl); everything had been running fine since then. In the last few days, something in recent Debian package updates seems to have resulted in a failure to browse/connect.

Other Info: I'm not 100% sure when this started - I first noticed share browsing had failed on 26/11/22. Initially thinking it was a firewall issue I completely cleared iptables and re-established default install settings with no change. After that, I completely uninstalled all docker containers & Docker, re-installed Docker from the above repository, and installed servercontainers/samba:smbd-avahi-latest from DockerHub.

Testing: Since it seemed avahi discovery was working fine, I modified my environment & increased the samba loglevel to 4. Examining the samba logs in the container showed initial startup seemed to be OK, but I noticed the following errors in /var/log/samba/log.rpcd_classic:

[2022/11/28 04:42:56, 3] ../../source3/smbd/password.c:84(register_homes_share)
Adding homes service for user 'redacteduser' using home directory: '/home/redacteduser'
[2022/11/28 04:42:56, 2] ../../lib/tdb_wrap/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/share_info.tdb): tdb_open_ex: could not open file /var/lib/samba/share_info.tdb: Permission denied
[2022/11/28 04:42:56, 3] ../../lib/dbwrap/dbwrap_tdb.c:484(db_open_tdb)
Could not open tdb: Permission denied
[2022/11/28 04:42:56, 0] ../../source3/lib/sharesec.c:161(share_info_db_init)
Failed to open share info database /var/lib/samba/share_info.tdb (Permission denied)
[2022/11/28 04:42:56, 3] ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
string_to_sid: SID redacteduser is not in a valid format

Since this indicated a permissions issue with share_info.tdb, I looked at that:

/var/log/samba # ls -al /var/lib/samba/share_info.tdb
-rw------- 1 root root 421888 Nov 28 04:42 /var/lib/samba/share_info.tdb

Changing permissions from 600 to 660 didn't solve the problem, however changing them from 600 to 666 does - all clients could see the server, browse shares, read/write/create/delete files, etc as per normal. Reverting permissions back to the 'correct' 600 causes samba to once again fail.

Obviously opening up the permissions like that is not a good solution, security-wise. Also, I can't fathom what changes outside the container may have caused this issue - but it seems that something has. Hopefully you might have an idea...

Thanks for looking, and I'm happy to attempt any further testing if needed.

testparm check ignores SAMBA_GLOBAL_CONFIG_ with spaces

...properly? Is it me?

In my docker-compose.yml I have:

  environment:

  XXX

  SAMBA_GLOBAL_CONFIG_server_SPACE_multi_SPACE_channel_SPACE_support: yes
  SAMBA_GLOBAL_CONFIG_aio_SPACE_read_SPACE_size: 1
  SAMBA_GLOBAL_CONFIG_aio_SPACE_write_SPACE_size: 1

  YYY

On Start with docker logs i get:

>> global config - adding: 'aio read size' = '1' to /etc/samba/smb.conf
>> global config - adding: 'server multi channel support' = 'yes' to /etc/samba/smb.conf
>> global config - adding: 'aio write size' = '1' to /etc/samba/smb.conf

But the logs also show that the key/values are NOT added:

[global]
dns proxy = No
load printers = No
log file = /dev/stdout
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = smbpasswd
printcap name = /dev/null
security = USER
server role = standalone server
server string = Samba docker container on FALLEN
smb1 unix extensions = No
fruit:aapl = yes
fruit:model = RackMac
idmap config * : backend = tdb
acl allow execute always = Yes
wide links = Yes

Also when I manually check the smb.conf in container or run testparm, the values are not there.
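A renderer for the SAMBA_GLOBAL_CONFIG_* convention used above, as an added example (the project's entrypoint.sh handles these variables, but its code is not on this page, so the function names and exact behaviour here are mine): every exported SAMBA_GLOBAL_CONFIG_<key>=<value> becomes one "key = value" line with each _SPACE_ token replaced by a space, and a second function checks whether a given smb.conf text actually sets that key in [global], which is the comparison the post does by eye. Two caveats when doing this comparison by hand: testparm -s prints only parameters that differ from the compiled-in defaults, so pass -v as well before concluding a value was dropped; and in a YAML 1.1 document an unquoted yes is a boolean, so quoting the value ("yes") avoids that ambiguity in docker-compose.yml.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. Function names are mine; the
# SAMBA_GLOBAL_CONFIG_<key>=<value> convention, with _SPACE_ standing for a
# space in the key, is the one used in the issue above.

# render_global_config -> prints "key = value" for every exported
# SAMBA_GLOBAL_CONFIG_* variable, sorted so the output is stable.
render_global_config() {
    env | grep '^SAMBA_GLOBAL_CONFIG_' | sort | while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        key=$(printf '%s' "${name#SAMBA_GLOBAL_CONFIG_}" | sed 's/_SPACE_/ /g')
        printf '%s = %s\n' "$key" "$value"
    done
}

# config_has_line SMB_CONF_TEXT KEY VALUE -> 0 if the [global] section of
# SMB_CONF_TEXT sets KEY to VALUE. Whitespace around '=' is ignored and the key
# is compared case-insensitively, which is how testparm prints parameters;
# lines in other sections ([data], [homes], ...) never match.
config_has_line() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v val="$3" '
        /^[ \t]*\[/ { ingl = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        ingl && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            if (tolower(k) == key && v == val) { found = 1; exit }
        }
        END { exit !found }'
}

# verify_rendered SMB_CONF_TEXT -> prints a MISSING line for every rendered
# global setting that SMB_CONF_TEXT does not contain; returns 1 if any are missing.
verify_rendered() {
    rc=0
    render_global_config | while IFS= read -r line; do
        k=${line%% = *}; v=${line#* = }
        config_has_line "$1" "$k" "$v" || printf 'MISSING %s = %s\n' "$k" "$v"
    done | grep '^MISSING' && rc=1
    return $rc
}

# Inside the container the check would be: verify_rendered "$(testparm -sv 2>/dev/null)"
```

verify_rendered compares the value exactly as set; testparm normalises booleans (it prints Yes for yes), so when comparing against testparm output set the variable to the spelling testparm uses or relax the comparison for boolean parameters.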

Hash passwords - Instructions unclear

Sorry to bother you, but I can't get hashed passwords to work. The creation of the hash is working fine and this is my config:
ACCOUNT_foo: foo:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:21611C6EKJHKJHKJHB56F8CB9E6:[U]:LCT-61B0641E
It's valid yml and docker is starting just fine, but I can't log in.

The explanation on GitHub is not super clear.
