[Samba] Joining Samba AD DC from Docker container fails - timeout

John Mulligan phlogistonjohn at asynchrono.us
Wed Jun 16 12:06:26 UTC 2021 

On Wednesday, June 16, 2021 3:35:08 AM EDT Rowland penny via samba wrote:
> On 15/06/2021 22:13, greg at theschaubs.com wrote:
> > Hi Roland,
> > 
> > The container is not privileged because it would conflict with other host
> > processes.  From a network perspective, it is running a macvlan
> > configuration.
> 
> If the container isn't privileged, then give up now, it must be a
> privileged container if you want to run a DC in it.
> 

So far that's been my experience too. The AD DC needs to read and write the 
'security.NTACL' xattr and that in turn needs CAP_SYS_ADMIN [1].

If Greg has some way around this requirement I'd love to hear more, but I 
didn't find one myself.


> > To be clear, the ports are open and available.  A netstat from within the
> > container shows that those are the only two ports listening.  Similarly, a
> > port scan performed from within the container on the DC source host shows
> > all of those ports as advertised.  Therefore, it appears that the docker
> > image is not running processes that would listen on those ports.
> > Additionally, running smbd made some of those available, but not all.
> > Perhaps most importantly, smbd did not listen on port 135.  I have not
> > tried to start nmbd or winbind prior to the join, only smbd.  I can try
> > it with those services running.
> 
> You shouldn't have any of the Samba daemons running when joining and you
> should only start the 'samba' daemon if and when you get the DC joined
> to the domain
> 
> > I hadn't done that yet because the documentation appears to me to imply
> > that none of the samba daemons should be running during the join.  My
> > assumption was that samba-tool itself would initiate the processes needed
> > for all of the ports.  If that is wrong, it would be very easy to fix.
> 
> You need to ensure all the required ports are open in the firewall (if
> using one) before the join, this is to allow replication from the
> existing DC.
> 

I have not tried creating a domain of multiple (containerized) DCs but I have 
containerized DCs that member servers can join. This is all for test and 
currently the parameters of domain are simplistic and hard-coded, but I am 
able to successfully join member servers to said domain. So in the off chance 
that it helps here's a link to one of the example configurations we have [2]. 
The example file is for k8s but the logic behind it should work for Docker 
directly or any container runtime.


[1] - https://man7.org/linux/man-pages/man7/capabilities.7.html
[2] - https://github.com/samba-in-kubernetes/samba-container/blob/master/
examples/kubernetes/samba-ad-server-deployment.yml#L23

More information about the samba mailing list