[Samba] Container setup?

Joachim Lindenberg samba at lindenberg.one
Thu Jul 4 17:14:51 UTC 2019

Hello Sven,
thanks for your elaborate response, shedding quite some light. Let me please follow up on some of your suggestions and learn from more responses.

> Probably Debian or Ubuntu stable, as there's community provided samba builds for them. Distro builds are in general pretty crap.
The standard Ubuntu is definitely outdated, and I assume Debian is similar. Where can I find these community builds and who "owns" and updates them (as I don't want to rely on questionable sources/binaries)?

> Samba's databases need management, and not all of it can be done remotely.
I was assuming that if one uses multiple DCs one should rely on replication and never restore a DC from backup? Nevertheless I would not put persistence into the container.

>> *	What is a good and secure configuration? 
> Depends on what you need to be compatible with. If some client software needs SMB1 support, it's not going to get very secure…
Fully agree. I am mandating SMB3 for all windows hosts via GPO...

>> *	Most of the containers appear to use administrator secrets from a configuration file, I'd prefer a prompt during initial startup
>> (probably at the expense that only a second start may detach)
> Modify their docker files as needed?
I was thinking about a docker-compose up without -d and within the container run a script that checks whether it has already joined or not... does this make sense? Or use something like "docker exec -it <container> samba-tool domain join <dom> DC ... -U<credentials>".
So far I was mostly consuming containers or modifying them a little, not really creating them...

>> *	What are the pros and cons of using a static IP for the container vs. port forwarding?
> Kerberos and AD are very sensitive to DNS issues; you're going to go insane without static IPs.
> AD also needs a *lot* of ports open to work.
Ok, static..

>> *	VPN in the container or on host? Actually I'd go for wireguard rather than OpenVPN..
> Whatever works better with your network setup, there's nothing preventing openvpn/wireguard from running on the same instance as samba.
Yes, but the container then has a different IP than the host.

>> *	How to include more bind configuration e.g. for an additional DNS zone? Or require that on a different DNS server?
> Given the continuous issues people have with BIND, I'd recommend using the internal DNS backend (maybe behind another, external DNS server) unless you have specific needs only BIND can handle.
I need some more DNS than the samba domain, but I could run that somewhere else. However I also read somewhere that the internal backend is discouraged in case one runs multiple DCs.

>> *	What about sysvol?
> sysvol needs to be externally replicated to all your instances. I'd recommend running something like lsyncd inside the container and use its lua scripting capabilities (or external scripts) to a) make sure it doesn't run on the wrong instance and b) replicates everything to all DCs.
Inside the container? Or on the host and map that as a volume into the container? I also read lsyncd might have issues with network outages. Any other recommendation?

>> *	How to do updates?
>> 	I can imagine using a cron job to tear down the container, then pull or rebuild, then up. And schedule this for different work days for different instances..
> Inside the same major releases that should work, as long as /var/lib/samba is kept persistent. Between major releases you might need to migrate config files etc.
For major updates that require manual work I was thinking about joining new DCs and removing the old ones.

> For proper availability you probably need to make sure that FSMO roles are moved off the to be updated machine first, and if necessary seized back after the update.
Sure for (major) upgrades, but I don't think that should be necessary for minor updates.

>> *	How to monitor replication is working?
> `samba-tool drs showrepl --json` is available with Samba 4.9+, that should be relatively easy to parse and monitor.
> With older versions you'll have to parse the textual output, which is a pain in the ass, but doable.
Which motivates me to go that route in order to benefit from the newer version.

Thanks & Best Regards, Joachim

Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, Systemadministrator ✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at
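Following up on the replication-monitoring point above: an added example (my own script, not from this thread or from Samba) that reads a `samba-tool drs showrepl --json` report and flags partners with consecutive failures as well as naming contexts that have no inbound partner at all. The JSON key names assume the Samba 4.9+ layout as I know it, and the sample report is constructed, not real output.

```python
import json
import subprocess

# Key names follow the Samba 4.9+ JSON layout as I know it (assumption: verify
# them against the actual output of your Samba version before relying on this).
FAIL_KEY = "consecutive failures"
MSG_KEY = "last attempt message"

def find_problems(report, max_failures=0):
    """(direction, partner DSA, naming context, reason) for every neighbour above max_failures."""
    problems = []
    for direction in ("inboundNeighbors", "outboundNeighbors"):
        for n in report.get(direction, []):
            failures = int(n.get(FAIL_KEY, 0))
            if failures > max_failures:
                reason = "%d consecutive failure(s), last: %s" % (failures, n.get(MSG_KEY, "?"))
                problems.append((direction, n.get("DSA", "?"), n.get("NC dn", "?"), reason))
    return problems

def missing_inbound_ncs(report, expected_ncs):
    """NCs with no inbound partner: a DC that pulls nothing for a partition just drifts silently."""
    seen = {n.get("NC dn") for n in report.get("inboundNeighbors", [])}
    return sorted(nc for nc in expected_ncs if nc not in seen)

def check_dc(report, expected_ncs, max_failures=0):
    """Combine both checks; an empty list means replication looks healthy."""
    return find_problems(report, max_failures) + [
        ("inboundNeighbors", "-", nc, "no inbound partner") for nc in missing_inbound_ncs(report, expected_ncs)]

def run_showrepl():
    """Run samba-tool on the DC itself (or wrap this in `docker exec`) and parse the JSON."""
    out = subprocess.run(["samba-tool", "drs", "showrepl", "--json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)

# Constructed sample report, not real samba-tool output: DC2 replicates the domain
# NC fine, the configuration NC has failed three times in a row, and no partner
# sends us the schema NC at all.
SAMPLE = {
    "inboundNeighbors": [
        {"NC dn": "DC=example,DC=org", "DSA": "Default-First-Site-Name\\DC2",
         FAIL_KEY: 0, MSG_KEY: "was successful"},
        {"NC dn": "CN=Configuration,DC=example,DC=org", "DSA": "Default-First-Site-Name\\DC2",
         FAIL_KEY: 3, MSG_KEY: "failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)"},
    ],
    "outboundNeighbors": [],
}
EXPECTED_NCS = ["DC=example,DC=org", "CN=Configuration,DC=example,DC=org",
                "CN=Schema,CN=Configuration,DC=example,DC=org"]
```

On a real DC, replace SAMPLE with `run_showrepl()` and have the cron job exit non-zero whenever `check_dc` returns anything, so a partner that has been failing for days does not go unnoticed.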
