[Samba] freeradius on dc?

John Mulligan phlogistonjohn at asynchrono.us
Thu Dec 1 18:28:10 UTC 2022


On Wednesday, November 30, 2022 4:14:07 PM EST Joachim Lindenberg via samba 
wrote:
> Hello John,
> 
> >I work on a project that is providing OCI container images, example
> >deployments and documentation.
> >https://github.com/samba-in-kubernetes/samba-container/
> >We have images for (member) file server, AD DC, client, and just recently
> >added a "toolbox" image for testing and diagnostics.
> Do you have instructions for a member container including join & leave
> instructions to an existing domain? Didn't find that with the link given.

That's been on my TODO list, so unfortunately no proper human-readable
documentation for that exists at the moment. Perhaps this thread is the 
motivation I need to get working on that.

If you can read k8s YAML this might help serve as a starting point:
https://github.com/samba-in-kubernetes/samba-container/blob/master/tests/files/samba-domain-member-pod.yml

The elevator-pitch version:
* Initialize your persistent storage: <container-cmd ...> quay.io/samba.org/samba-server:latest init
* Polling join: <container-cmd ...> quay.io/samba.org/samba-server:latest must-join --files --join-file=/etc/join-data/join.json
* Start winbind: <container-cmd ...> quay.io/samba.org/samba-server:latest run winbind
* Start smbd: <container-cmd ...> quay.io/samba.org/samba-server:latest run smbd
(the trick here that makes it look simple is that I'm leaving out the shared
mounts and the env vars ;-) )

> >Please don't let the 'kubernetes' in the org name scare you off; the project
> >in question is not K8S specific.  I'd love more feedback and eyes on our
> >project.
> I always mention k8s in my trainings, maybe I can also experiment with it
> now. So far my internet connection is the major hurdle and docker(-compose)
> was sufficient.


For me, the issue is that I've spent a lot of time focused on kubernetes and 
samba-operator [1] which does already implement domain joins with a member 
server, and is documented. It's just that samba-container doesn't explain how 
to do it manually :-(  I really want the other projects to stand on their own 
without k8s though so I'd really like to have docs for something like a full 
member server on docker-compose.


[1] https://github.com/samba-in-kubernetes/samba-operator

> 
> Thanks,
> Joachim
> 
> > -----Original Message-----
> > From: Andrew Bartlett <abartlet at samba.org>
> > Sent: Wednesday, 30 November 2022 00:51
> > To: Joachim Lindenberg <samba at lindenberg.one>; samba at lists.samba.org
> > Subject: Re: [Samba] freeradius on dc?
> > 
> > On Tue, 2022-11-29 at 22:31 +0100, Joachim Lindenberg via samba wrote:
> > > Hello,
> > > 
> > > I am wondering whether it is possible / recommended or not, to install
> > > and use freeradius on a domain controller. The documentation at
> > > https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> > > is about installation/configuration on member servers
> > > only.
> > > 
> > > Any thoughts? What changes on a dc?
> > 
> > It should still just work, as the same winbindd is under the hood and this
> > mode of operation is connected, but running a member server allows more
> > separation of concerns and avoids any DC being 'special'.
> > 
> > VMs or containers are good for this.
> > 
> > Andrew Bartlett






