[Samba] Deploy separate DC & file share services in one host
Hailong Wang
whlsxl at outlook.com
Tue Apr 19 20:29:50 UTC 2022
From: samba <samba-bounces at lists.samba.org> on behalf of John Mulligan via samba <samba at lists.samba.org>
Sent: Tuesday, April 19, 2022 10:19 PM
Subject: Re: [Samba] Deploy separate DC & file share services in one host
> > Hi everyone.
> > I use docker to deploy AD DC & smbd file share service in two containers on
> > a single host. The docker image is based on Ubuntu 20.04, and the samba
> > version is 4.13.17.
> >
> > When I visit the file share service (using wsdd2 & avahi), Windows 10
> > works, but other clients, like macOS, have a 50 percent chance of showing
> > the DC file shares (netlogon & sysvol).
> >
> > According to "Setting up Samba as an Active Directory Domain Controller"
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server,
> > I know AD DC can act as the file share service, but it will show netlogon and
> > sysvol in the shared directory.
> >
> > Any idea?
>
> How are you separating the network traffic for the different samba instances? Are
> you trying to change ports (I see `rpc server port` set on the example)?
> Alternatively, are you giving the containers different IPs?
>
> Based on the fact that most clients require SMB traffic on port 445 I would
> personally be aiming for something like the latter. But I'd like to know more
> before making assumptions about your network.
I use two docker containers: one deploys the docker DC, the other deploys the file share service. Both use `network_mode: host`, share the host IP, and both bind port 445.
The first time I forgot about the port conflict, but after deployment, it miraculously worked!
Maybe the reason is that I use `smbd --foreground --no-process-group` to start the service in the file share container.
This is the result of using lsof to check the listening ports on the host. I tagged where each process comes from at the end of each line.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
smbd 153418 root 44u IPv6 896533 0t0 TCP *:445 (LISTEN) # dc smbd
smbd 153418 root 46u IPv4 896535 0t0 TCP *:445 (LISTEN) # dc smbd
smbd 156185 root 46u IPv6 898503 0t0 TCP *:445 (LISTEN) # file share smbd
smbd 156185 root 48u IPv4 898505 0t0 TCP *:445 (LISTEN) # file share smbd
winbindd 156219 root 22u IPv4 897720 0t0 TCP 192.168.199.156:47126->192.168.199.156:445 (ESTABLISHED) # file share winbindd
smbd 156221 root 49u IPv4 897721 0t0 TCP 192.168.199.156:445->192.168.199.156:47126 (ESTABLISHED) # dc another smbd
My idea is: can I bind a domain or something else to the smbd processes in each container, like a reverse proxy? The different domains could then go to the file share or the DC.
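
A check for the condition visible in the lsof listing above, as an added example that is not part of the original post: it reads lsof-style text and reports every listening TCP endpoint held by more than one PID. The function names are made up for this example, and the sample input is the LISTEN/ESTABLISHED rows from the post's own listing, including the poster's trailing tags.

```shell
#!/bin/sh
# Added example (not from the original post): find TCP endpoints that
# several processes are listening on at the same time.

# Sample input: rows copied from the lsof listing in the post.
sample_lsof() {
cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
smbd 153418 root 44u IPv6 896533 0t0 TCP *:445 (LISTEN) # dc smbd
smbd 153418 root 46u IPv4 896535 0t0 TCP *:445 (LISTEN) # dc smbd
smbd 156185 root 46u IPv6 898503 0t0 TCP *:445 (LISTEN) # file share smbd
smbd 156185 root 48u IPv4 898505 0t0 TCP *:445 (LISTEN) # file share smbd
winbindd 156219 root 22u IPv4 897720 0t0 TCP 192.168.199.156:47126->192.168.199.156:445 (ESTABLISHED) # file share winbindd
smbd 156221 root 49u IPv4 897721 0t0 TCP 192.168.199.156:445->192.168.199.156:47126 (ESTABLISHED) # dc another smbd
EOF
}

# Reads lsof-style text on stdin.
# Prints one line per shared endpoint: "<family> <addr:port> <pid,pid,...>"
shared_listeners() {
  awk '
    # Columns: 2=PID 5=TYPE (IPv4/IPv6) 8=NODE 9=NAME 10=state.
    # Only LISTEN rows count; the header and ESTABLISHED rows are skipped.
    $8 == "TCP" && $10 == "(LISTEN)" {
      key = $5 " " $9                  # address family + local address:port
      if (!((key, $2) in seen)) {      # count each PID once per endpoint
        seen[key, $2] = 1
        sep = (n[key]++ > 0) ? "," : ""
        pids[key] = pids[key] sep $2
      }
    }
    END {
      for (k in n)
        if (n[k] > 1)
          print k, pids[k]
    }
  ' | sort
}

# Stand-alone run over the sample; on a live host, pipe in the output of
# `lsof -nP -iTCP -sTCP:LISTEN` instead.
sample_lsof | shared_listeners
```

On the sample this reports `*:445` for both IPv4 and IPv6, each with PIDs 153418 and 156185, which are the DC and file share smbd processes tagged in the post.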