[Samba] Deploy separate DC & file share services in one host
phlogistonjohn at asynchrono.us
Wed Apr 20 13:31:16 UTC 2022
On Tuesday, April 19, 2022 4:29:50 PM EDT Hailong Wang wrote:
> From: samba <samba-bounces at lists.samba.org> on behalf of John Mulligan via
> samba <samba at lists.samba.org> Sent: Tuesday, April 19, 2022 10:19 PM
> Subject: Re: [Samba] Deploy separate DC & file share services in one host
> > > Hi everyone.
> > > I use docker to deploy AD DC & smbd file share service in two containers
> > > on
> > > a single host. the docker image is based on Ubuntu 20.04, samba version
> > > is
> > > 4.13.17.
> > >
> > > When I visit the file share service( use wsdd2 & avahi ), windows 10 is
> > > worked, but other clients like macOS, have a 50 percent possibility to
> > > show
> > > the DC file share (netlogon & sysvol).
> > >
> > > According to "Setting up Samba as an Active Directory Domain Controller"
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory
> > > _Dom ain_Controller#Using_the_Domain_Controller_as_a_File_Server, I know
> > > AD DC can act as the file share service, but it will show netlogon and
> > > sysvol in the shared directory.
> > >
> > > Any idea?
> > How are you separating the network traffic for the different samba
> > instances? Are you trying to change ports (I see `rpc server port` set on
> > the example)? Alternatively, are you giving the containers different IPs?
> > Based on the fact that most clients require SMB traffic on port 445 I
> > would
> > personally be aiming for something like the latter. But I'd like to know
> > more before making assumptions about your network.
> I use two docker containers, one deploy docker dc, another deploy file share
> service. both use `network_mode: host`, share the host IP, and both binding
> port 445.
> The first time I forgot the port conflict, but after deployment, it miracle
For some value of worked. :-) It is probably the source of the issues you're
> maybe the reason is I use `smbd --foreground --no-process-group` to start
> the service in the file share container
> This is the result that I use lsof to check the port listening in the host.
> I tag where the process comes from at the tail.
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> smbd 153418 root 44u IPv6 896533 0t0 TCP *:445 (LISTEN) # dc
> smbd smbd 153418 root 46u IPv4 896535 0t0 TCP *:445 (LISTEN) #
> dc smbd smbd 156185 root 46u IPv6 898503 0t0 TCP *:445
> (LISTEN) # file share smbd smbd 156185 root 48u IPv4 898505 0t0
> TCP *:445 (LISTEN) # file share smbd winbindd 156219 root 22u IPv4
> 897720 0t0 TCP 192.168.199.156:47126->192.168.199.156:445
> (ESTABLISHED) # file share winbindd smbd 156221 root 49u IPv4 897721
> 0t0 TCP 192.168.199.156:445->192.168.199.156:47126 (ESTABLISHED) # dc
> another smbd
It's interesting that you don't experience a port conflict up front. Since
you're using host networking it is basically like running two independent
smbds on the same host. Maybe an smbd expert would know why. I don't think
this is a "magic" container behavior -- a socket option perhaps?
> My idea is that can I bind a domain or other things for the smbd processes
> in every container, like a reverse proxy. The different domains can go to
> file share or dc.
I'd suggest isolating at least one of your containers networking by giving it
"it's own" ip address. Something like macvlan  might be easy for you to set
up and run with docker. There are certainly other options. We've run AD DCs
and file servers on the same Kubernetes nodes without much (networking) issues
due to the native support for each Pod getting an IP of it's own. So, it's
should be doable in docker, in abstract.
I think if you keep trying to run both AD DC and file server Samba servers on
the same host, without some network isolation you're going to keep running
into strange behaviors.
 - https://docs.docker.com/network/macvlan/
More information about the samba