[Samba] Deploy separate DC & file share services in one host

Wed Apr 20 13:31:16 UTC 2022

On Tuesday, April 19, 2022 4:29:50 PM EDT Hailong Wang wrote:
> From: samba <samba-bounces at lists.samba.org> on behalf of John Mulligan via
> samba <samba at lists.samba.org> Sent: Tuesday, April 19, 2022 10:19 PM
> Subject: Re: [Samba] Deploy separate DC & file share services in one host
>  
> 
> > > Hi everyone.
> > > I use docker to deploy AD DC & smbd file share service in two containers
> > > on
> > > a single host. the docker image is based on Ubuntu 20.04, samba version
> > > is
> > > 4.13.17.
> > > 
> > > When I visit the file share service( use wsdd2 & avahi ),  windows 10 is
> > > worked, but other clients like macOS, have a 50 percent possibility to
> > > show
> > > the DC file share (netlogon & sysvol).
> > > 
> > > According to "Setting up Samba as an Active Directory Domain Controller"
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory
> > > _Dom ain_Controller#Using_the_Domain_Controller_as_a_File_Server, I know
> > > AD DC can act as the file share service, but it will show netlogon and
> > > sysvol in the shared directory.
> > > 
> > > Any idea?
> > 
> > How are you separating the network traffic for the different samba
> > instances? Are you trying to change ports (I see `rpc server port` set on
> > the example)? Alternatively, are you giving the containers different IPs?
> > 
> > Based on the fact that most clients require SMB traffic on port 445 I
> > would
> > personally be aiming for something like the latter. But I'd like to know
> > more before making assumptions about your network.
> 
> I use two docker containers, one deploy docker dc, another deploy file share
> service. both use `network_mode: host`, share the host IP, and both binding
> port 445.
> 
> The first time I forgot the port conflict, but after deployment, it miracle
> worked!
> 

For some value of worked. :-) It is probably the source of the issues you're 
reporting.

> maybe the reason is I use `smbd --foreground --no-process-group` to start
> the service in the file share container
> 
> This is the result that I use lsof to check the port listening in the host.
> I tag where the process comes from at the tail.
> 
> COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> smbd     153418 root   44u  IPv6 896533      0t0  TCP *:445 (LISTEN) # dc
> smbd smbd     153418 root   46u  IPv4 896535      0t0  TCP *:445 (LISTEN) #
> dc smbd smbd     156185 root   46u  IPv6 898503      0t0  TCP *:445
> (LISTEN) # file share smbd smbd     156185 root   48u  IPv4 898505      0t0
>  TCP *:445 (LISTEN) # file share smbd winbindd 156219 root   22u  IPv4
> 897720      0t0  TCP 192.168.199.156:47126->192.168.199.156:445
> (ESTABLISHED) # file share winbindd smbd     156221 root   49u  IPv4 897721
>      0t0  TCP 192.168.199.156:445->192.168.199.156:47126 (ESTABLISHED) # dc
> another smbd
> 

It's interesting that you don't experience a port conflict up front. Since 
you're using host networking it is basically like running two independent 
smbds on the same host.  Maybe an smbd expert would know why. I don't think 
this is a "magic" container behavior -- a socket option perhaps?

> My idea is that can I bind a domain or other things for the smbd processes
> in every container, like a reverse proxy. The different domains can go to
> file share or dc.

I'd suggest isolating at least one of your containers networking by giving it 
"it's own" ip address. Something like macvlan [1] might be easy for you to set 
up and run with docker. There are certainly other options.  We've run AD DCs 
and file servers on the same Kubernetes nodes without much (networking) issues 
due to the native support for each Pod getting an IP of it's own. So, it's 
should be doable in docker, in abstract.

I think if you keep trying to run both AD DC and file server Samba servers on 
the same host, without some network isolation you're going to keep running 
into strange behaviors.

[1] - https://docs.docker.com/network/macvlan/