AD Auth (samba, CLOSED)

servercontainers commented on June 17, 2024
AD Auth

from samba.

Comments (6)

MarvAmBass commented on June 17, 2024

Hi there,

Thanks for the issue. That's true, there is no explicit config, but since you can configure everything using the global config envs, you can alter the samba config to your needs.

As far as I know it was available back in the time when this container was debian/ubuntu based - this container has existed for several years now - and it had some breaking changes in its earlier times.
But I never tested it. I don't have an AD to test this setup easily.

If you'd like to help, you can try to get it working with minimal configuration - see what alpine packages are missing, and give me an example config string which would be needed.

If there are not too many dependencies missing - maybe it's just realmd without many other dependencies - I might add it to the container. If the configuration is a large string, I might reduce it to some AD connection envs which automatically enable the realmd.

But this would need your input and in the end a test of my setup - if you're up to it, I'm happy to get this supported in my container.

from samba.

MarvAmBass commented on June 17, 2024

If the whole impact for establishing is too big, I might create a new variant which contains all those needed changes :)

from samba.

farzadha2 commented on June 17, 2024

Hi there, so I was trying to create the following but I'm a bit stumped, not sure what I missed. I did it, though, using Docker ubuntu latest.

created dockerfile

FROM ubuntu:latest

ARG domain
ARG realm
ARG dc
ARG admin_password

RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y samba krb5-user winbind

ADD krb5.conf /etc/krb5.conf
ADD smb.conf /etc/samba/smb.conf
ADD startup.sh /root/startup.sh
RUN chmod +x /root/startup.sh

RUN echo "$admin_password" | kinit Administrator@$realm
RUN net ads join -U Administrator%$admin_password

CMD ["/root/startup.sh"]

then created krb5.conf

[libdefaults]
    default_realm = MYDOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

then created smb.conf

[global]
    workgroup = MYDOMAIN.LOCAL
    security = ads
    realm = MYDOMAIN.LOCAL
    password server = dc2.mydomain.local
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    winbind use default domain = true
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash

then created startup.sh

#!/bin/bash

echo "Starting winbindd"
/etc/init.d/winbind start

echo "Joining domain"
net ads join -U Administrator

echo "Starting smbd"
/etc/init.d/smbd start

tail -f /dev/null

after that the docker-compose


version: '3'
services:
  sambashares:
    build:
      context: .
      args:
        domain: mydomain.local
        realm: MYDOMAIN.LOCAL
        dc: dc2.mydomain.local
        admin_password: MyAdminPassword123
    container_name: sambashares
    ports:
      - "445:445"
      - "139:139"
    privileged: true
    restart: always

but I'm getting this error

 => ERROR [7/8] RUN echo "MyAdminPassword123" | kinit Administrator@MYDOMAIN.LOCAL    1.6s
------
 > [7/8] RUN echo "Passw0rd" | kinit Administrator@MYDOMAIN.LOCAL:
#0 1.406 kinit: Cannot find KDC for realm "MYDOMAIN.LOCAL" while getting initial credentials
------
failed to solve: process "/bin/sh -c echo \"$admin_password\" | kinit Administrator@$realm" did not complete successfully: exit code: 1

Thank you again

from samba.
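
The Dockerfile in the comment above passes `admin_password` as a build `ARG` and expands it in `RUN` steps, so the value ends up in the image history and, as the quoted error shows, in the build log; it also runs `kinit` and `net ads join` while building the image. The check below is an added example, not part of the thread or of the servercontainers/samba project: the function names and finding codes are made up here, and the sample input is an abridged copy of the posted Dockerfile.

```shell
#!/bin/sh
# Added example: flag credentials and domain joins handled at image build time.
# lint_dockerfile reads a Dockerfile on stdin and prints CODE:LINE[:ARG] lines.
# The finding codes are names made up for this example.
lint_dockerfile() {
    awk '
    {   # Join backslash-continued lines so a multi-line RUN is checked whole.
        if (buf == "") start = NR
        line = $0
        more = sub(/\\[ \t]*$/, " ", line)
        buf = buf line
        if (more) next
        $0 = buf; buf = ""
    }
    toupper($1) == "ARG" {
        # A credential-like ARG: its value is recorded in the image history.
        name = $2; sub(/=.*/, "", name)
        if (tolower(name) ~ /pass|secret|token|key/) {
            secret[name] = 1
            printf "SECRET_ARG:%d:%s\n", start, name
        }
    }
    toupper($1) == "RUN" {
        # A RUN step that expands a credential ARG as $name or ${name}.
        for (n in secret)
            if (index($0, "$" n) || index($0, "${" n "}"))
                printf "SECRET_IN_RUN:%d:%s\n", start, n
        # Kerberos login or domain join executed while building the image.
        if ($0 ~ /(^|[^a-z])kinit([^a-z]|$)/ || $0 ~ /net[ \t]+ads[ \t]+join/)
            printf "BUILD_TIME_JOIN:%d\n", start
    }'
}

# Abridged copy of the Dockerfile from the post above, used as sample input.
sample_dockerfile() {
    cat <<'EOF'
FROM ubuntu:latest
ARG realm
ARG admin_password
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y samba krb5-user winbind
RUN echo "$admin_password" | kinit Administrator@$realm
RUN net ads join -U Administrator%$admin_password
CMD ["/root/startup.sh"]
EOF
}

sample_dockerfile | lint_dockerfile
```

Line numbers in the findings refer to the abridged sample; a reported `BUILD_TIME_JOIN` means the step belongs in the container's startup script, with the credential supplied at run time rather than as a build argument.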

farzadha2 commented on June 17, 2024

Hi @MarvAmBass, I was wondering if you got a chance to look at the AD join info?

Thank you

from samba.

MarvAmBass commented on June 17, 2024

Hi, I'm sorry but since this is not a use case I need, I didn't have time for that. Although it's interesting and would be a nice to have...

from samba.

MarvAmBass commented on June 17, 2024

Thanks for this issue. I thought about it, and I need to close this issue - usually AD connections need winbind etc.

This is meant as a minimal general purpose samba/cifs fileserver - with nice preconfigurations to make specials like multi user shares and apple stuff, e.g. timemachine integration, possible.

If someone needs more sophisticated stuff, he can either use my image as a base, and install and add missing stuff (e.g. winbind)
or use my scripts and configurations as a baseline to build his/her own container.

But active directory support etc. is not in scope of this image, and it's not planned for this image in the future.

from samba.
