[Samba] Joining Samba AD DC from Docker container fails - timeout
phlogistonjohn at asynchrono.us
Wed Jun 16 12:06:26 UTC 2021
On Wednesday, June 16, 2021 3:35:08 AM EDT Rowland penny via samba wrote:
> On 15/06/2021 22:13, greg at theschaubs.com wrote:
> > Hi Roland,
> > The container is not privileged because it would conflict with other host
> > processes. From a network perspective, it is running a macvlan
> > configuration.
> If the container isn't privileged, then give up now, it must be a
> privileged container if you want to run a DC in it.
So far that's been my experience too. The AD DC needs to read and write the
'security.NTACL' xattr and that in turn needs CAP_SYS_ADMIN.
If Greg has some way around this requirement I'd love to hear more, but I
didn't find one myself.
> > To be clear, the ports are open and available. A netstat from within the
> > container shows that those are the only two ports listening. Similarly, a
> > port scan performed from within the container on the DC source host shows
> > all of those ports as advertised. Therefore, it appears that the docker
> > image is not running processes that would listen on those ports.
> > Additionally, running smbd made some of those available, but not all.
> > Perhaps most importantly, smbd did not listen on port 135. I have not
> > tried to start nmbd or winbind prior to the join, only smbd. I can try
> > it with those services running.
> You shouldn't have any of the Samba daemons running when joining and you
> should only start the 'samba' daemon if and when you get the DC joined
> to the domain.
> > I hadn't done that yet because the documentation appears to me to imply
> > that none of the samba daemons should be running during the join. My
> > assumption was that samba-tool itself would initiate the processes needed
> > for all of the ports. If that is wrong, it would be very easy to fix.
> You need to ensure all the required ports are open in the firewall (if
> using one) before the join, this is to allow replication from the
> existing DC.
I have not tried creating a domain of multiple (containerized) DCs but I have
containerized DCs that member servers can join. This is all for test and
currently the parameters of the domain are simplistic and hard-coded, but I am
able to successfully join member servers to said domain. So on the off chance
that it helps, here's a link to one of the example configurations we have.
The example file is for k8s but the logic behind it should work for Docker
directly or any container runtime.
 - https://man7.org/linux/man-pages/man7/capabilities.7.html
 - https://github.com/samba-in-kubernetes/samba-container/blob/master/
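The CAP_SYS_ADMIN requirement described above can be checked from inside the container before a join is attempted, which separates "the capability is missing" from "the filesystem has no xattr support" before any Samba daemon is involved. The probe below is an added example written for this page, not code from Samba or the samba-container project. It assumes a Linux kernel with /proc mounted and a writable temporary directory; the function names, the constant names and the probe payload are the example's own.

```python
"""Probe whether this process can write the security.NTACL xattr that a
Samba AD DC needs.  Setting a security.* xattr the kernel does not itself
interpret requires CAP_SYS_ADMIN (capabilities(7)), which a default
unprivileged Docker container does not hold.
"""
import errno
import os
import tempfile

# Name of the xattr Samba's AD DC stores NT ACLs in (from the thread).
XATTR_NAME = "security.NTACL"
# Capability bit number of CAP_SYS_ADMIN in the CapEff bitmask (linux/capability.h).
CAP_SYS_ADMIN = 21


def has_cap_sys_admin(status_path="/proc/self/status"):
    """Return True/False if CAP_SYS_ADMIN is in the effective set, or None
    when /proc/self/status cannot be read (non-Linux or /proc not mounted)."""
    try:
        with open(status_path) as fh:
            for line in fh:
                if line.startswith("CapEff:"):
                    cap_eff = int(line.split(":", 1)[1].strip(), 16)
                    return bool(cap_eff & (1 << CAP_SYS_ADMIN))
    except OSError:
        return None
    return None


def probe_security_xattr(directory=None):
    """Try to set and read back security.NTACL on a scratch file.

    Returns one of:
      "writable"     set/get succeeded: capability present and fs supports xattrs
      "eperm"        EPERM/EACCES: the usual result in an unprivileged container
      "enotsup"      filesystem does not support the security.* namespace
      "no-xattr-api" platform has no os.setxattr (non-Linux)
      "error:<code>" any other errno, reported rather than raised
    """
    if not hasattr(os, "setxattr"):
        return "no-xattr-api"
    with tempfile.NamedTemporaryFile(dir=directory) as tmp:
        try:
            os.setxattr(tmp.name, XATTR_NAME, b"probe")  # constructed payload
            value = os.getxattr(tmp.name, XATTR_NAME)
        except PermissionError:
            return "eperm"
        except OSError as exc:
            if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
                return "enotsup"
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
        return "writable" if value == b"probe" else "error:MISMATCH"


def explain(result, cap_present):
    """Turn the probe outcome into the advice a DC operator needs."""
    if result == "writable":
        return "security.NTACL is writable; the xattr requirement is met."
    if result == "eperm":
        hint = "" if cap_present else " CapEff lacks CAP_SYS_ADMIN;"
        return ("cannot set security.NTACL:" + hint +
                " run the container privileged (or at least with CAP_SYS_ADMIN).")
    if result == "enotsup":
        return "filesystem has no security.* xattr support; use a different volume."
    return "probe inconclusive: " + result


if __name__ == "__main__":
    cap = has_cap_sys_admin()
    outcome = probe_security_xattr()
    print("CAP_SYS_ADMIN in CapEff:", cap)
    print("probe:", outcome)
    print(explain(outcome, cap))
```

Run it inside the container (not on the host) before `samba-tool domain join`; an "eperm" result means the join will fail when the DC tries to write its first ACL regardless of how the ports and firewall look.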