- No OpenVPN testing
- Mount custom Samba [global] parameters to files in /etc/samba/smb.conf.d
A well documented, tried and tested Samba Active Directory Domain Controller that works with the standard Windows management tools; built from scratch using internal DNS and kerberos and not based on existing containers.
ENVVAR | default value | dc only | description |
---|---|---|---|
DOMAIN |
SAMDOM.LOCAL | Your Domain Name | |
DOMAIN_USER |
Administrator | Best leave at default. unknown consequences | |
DOMAIN_PASS |
youshouldsetapassword | Domain Administrator Password | |
DOMAIN_NETBIOS |
SAMDOM | WORKGROPUP/NETBIOS Domain Name usally first part of DOMAIN | |
HOSTIP |
NONE | X | Set external Host IP if not running in network host mode. Use for splitdns. Samba will use HOSTIP and HOSTNAME to populate internal DNS |
HOSTNAME |
$(hostname) | Hostname of Samba. Overrides you containers hostname. Only works while proivisioning a domain ! Samba will use HOSTNAME and HOSTIP to populate internal DNS | |
JOIN |
false | Set to true if DC should join Domain | |
JOIN_SITE |
Default-First-Site-Name | Sitename to join to | |
JOIN_SITE_VPN |
false | Use openvpn config before connection to DC is possible | |
NTPSERVERLIST |
0.pool.ntp.org 1.pool... | List of NTP Server | |
RECYCLEBIN |
true | X | Optional Feature: Enable AD RecylceBin |
CHANGE_KRB_TGT_PW |
true | X | Optional Service: Only activate on PDC! Change password of krbtgt user (Kerberos Ticket Granting Ticket) to prevent Golden Ticket attacks |
DISABLE_MD5 |
true | Disable MD5 Clients and Server | |
DISABLE_PW_COMPLEXITY |
false | X | Disable Password requirements |
ENABLE_CUPS |
false | Enable CUPS - cups is not installed but setup in smb.conf modify Dockerfile | |
ENABLE_DYNAMIC_PORTRANGE |
NONE | If samba is behind a reverse proxy on some small systems the ports need to be limited | |
ENABLE_INSECURE_LDAP |
false | Enable insecure ldap connections | |
ENABLE_LAPS_SCHEMA |
true | X | Setup Local Administrator Password Solution |
ENABLE_LOGS |
false | Enable log files - disabled. log to stdout and ship docker logs | |
ENABLE_MSCHAPV2 |
false | Enable MSCHAP authentication | |
ENABLE_RFC2307 |
true | X | Enable RDC2307 LDAP Extension in AD |
ENABLE_TLS |
false | Enable TLS. Samba will autogen a cert if not provided before first start | |
ENABLE_DEBUG |
false | Enables debug messages set DEBUG_LEVEL accordingly | |
DEBUG_LEVEL |
0 | Level of debug messages | |
ENABLE_BIND_INTERFACE |
false | set to true to bind services to interfaces | |
BIND_INTERFACES |
eth0 | set interface name to bind services to |
docker exec -it samba-ad-dc "samba-tool dns zonecreate .in-addr.arpa -U\administrator --password="
docker exec -it samba-ad-dc "net rpc rights grant "\Domain Admins" SeDiskOperatorPrivilege -U\administrator --password= "
net ads leave -UAdministrator --password
##Fix DNS Update errors - Failed DNS update - with error code 26 - by setting update command to use RPC instead of D$ add to smb.conf => dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
/etc/localtime:/etc/localtime:ro
- Sets the timezone to match the host/data/docker/containers/samba/data/:/var/lib/samba
- Stores samba data so the container can be moved to another host if required./data/docker/containers/samba/config/samba:/etc/samba/external
- Stores the smb.conf so the container can be mored or updates can be easily made./data/docker/containers/samba/config/openvpn/docker.ovpn:/docker.ovpn
- Optional for connecting to another site via openvpn./data/docker/containers/samba/config/openvpn/credentials:/credentials
- Optional for connecting to another site via openvpn that requires a username/password. The format for this file should be two lines, with the username on the first, and the password on the second. Also, make sure your ovpn file containsauth-user-pass /credentials
mkdir -p /data/docker/builds
cd /data/docker/builds
git clone https://github.com/Fmstrat/samba-domain.git
cd samba-domain
docker build -t samba-domain .
Or just use the HUB:
docker pull nowsci/samba-domain
To set things up you will first want a new IP on your host machine so that ports don't conflict. A domain controller needs a lot of ports, and will likely conflict with things like dnsmasq. The below commands will do this, and set up some required folders.
ifconfig eno1:1 192.168.3.222 netmask 255.255.255.0 up
mkdir -p /data/docker/containers/samba/data
mkdir -p /data/docker/containers/samba/config/samba
If you plan on using a multi-site VPN, also run:
mkdir -p /data/docker/containers/samba/config/openvpn
cp /path/to/my/ovpn/MYSITE.ovpn /data/docker/containers/samba/config/openvpn/docker.ovpn
- In some cases on Windows clients, you would join with the domain of CORP, but when entering the computer domain you must enter CORP.EXAMPLE.COM. This seems to be the case when using most any samba based DC.
- Make sure your client's DNS is using the DC, or that your mail DNS is relaying for the domain
- Ensure client's are using corp.example.com as the search suffix
- If you're using a VPN, pay close attention to routes. You don't want to force all traffic through the VPN
While the Samba team does not recommend using a DC as a file server, it's understandable that some may wish to. Once the container is up and running and your /data/docker/containers/samba/config/samba/smb.conf
file is set up after the first run, you can enable shares by shutting down the container, and making the following changes to the smb.conf
file.
In the [global]
section, add:
security = user
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=corp,dc=example,dc=com
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Administrator,cn=Users,dc=corp,dc=example,dc=com
ldap ssl = off
ldap passwd sync = no
server string = MYSERVERHOSTNAME
wins support = yes
preserve case = yes
short preserve case = yes
default case = lower
case sensitive = auto
preferred master = yes
unix extensions = yes
follow symlinks = yes
client ntlmv2 auth = yes
client lanman auth = yes
mangled names = no
Then add a share to the end based on how you mount the volume:
[storage]
comment = storage
path = /storage
public = no
read only = no
writable = yes
write list = @root NOWSCI\myuser
force user = root
force group = root
guest ok = yes
valid users = NOWSCI\myuser
Check the samba documentation for how to allow groups/etc.
The container is stateless, so you can do a docker rmi samba-domain
and then restart the container to rebuild packages when a security update occurs. However, this puts load on servers that isn't always required, so below are some scripts that can help minimize things by letting you know when containers have security updates that are required.
This script loops through running containers and sends you an email when security updates are required.
#!/bin/bash
function needsUpdates() {
RESULT=$(docker exec ${1} bash -c ' \
if [[ -f /etc/apt/sources.list ]]; then \
grep security /etc/apt/sources.list > /tmp/security.list; \
apt-get update > /dev/null; \
apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -s; \
fi; \
')
RESULT=$(echo $RESULT)
GOODRESULT="Reading package lists... Building dependency tree... Reading state information... Calculating upgrade... 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."
if [[ "${RESULT}" != "" ]] && [[ "${RESULT}" != "${GOODRESULT}" ]]; then
return 0
else
return 1
fi
}
function sendEmail() {
echo "Container ${1} needs security updates";
H=`hostname`
ssh -i /data/keys/<KEYFILE> <USRER>@<REMOTEHOST>.com "{ echo \"MAIL FROM: root@${H}\"; echo \"RCPT TO: <USER>@<EMAILHOST>.com\"; echo \"DATA\"; echo \"Subject: ${H} - ${1} container needs security update\"; echo \"\"; echo -e \"\n${1} container needs update.\n\n\"; echo -e \"docker exec ${1} bash -c 'grep security /etc/apt/sources.list > /tmp/security.list; apt-get update > /dev/null; apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -s'\n\n\"; echo \"Remove the -s to run the update\"; echo \"\"; echo \".\"; echo \"quit\"; sleep 1; } | telnet <SMTPHOST> 25"
}
CONTAINERS=$(docker ps --format "{{.Names}}")
for CONTAINER in $CONTAINERS; do
echo "Checking ${CONTAINER}"
if needsUpdates $CONTAINER; then
sendEmail $CONTAINER
fi
done
And the following script keeps track of when new images are posted to hub.docker.com.
#!/bin/bash
DATAPATH='/data/docker/updater/data'
if [ ! -d "${DATAPATH}" ]; then
mkdir "${DATAPATH}";
fi
IMAGES=$(docker ps --format "{{.Image}}")
for IMAGE in $IMAGES; do
ORIGIMAGE=${IMAGE}
if [[ "$IMAGE" != *\/* ]]; then
IMAGE=library/${IMAGE}
fi
IMAGE=${IMAGE%%:*}
echo "Checking ${IMAGE}"
PARSED=${IMAGE//\//.}
if [ ! -f "${DATAPATH}/${PARSED}" ]; then
# File doesn't exist yet, make baseline
echo "Setting baseline for ${IMAGE}"
curl -s "https://registry.hub.docker.com/v2/repositories/${IMAGE}/tags/" > "${DATAPATH}/${PARSED}"
else
# File does exist, do a compare
NEW=$(curl -s "https://registry.hub.docker.com/v2/repositories/${IMAGE}/tags/")
OLD=$(cat "${DATAPATH}/${PARSED}")
if [[ "${OLD}" == "${NEW}" ]]; then
echo "Image ${IMAGE} is up to date";
else
echo ${NEW} > "${DATAPATH}/${PARSED}"
echo "Image ${IMAGE} needs to be updated";
H=`hostname`
ssh -i /data/keys/<KEYFILE> <USER>@<REMOTEHOST>.com "{ echo \"MAIL FROM: root@${H}\"; echo \"RCPT TO: <USER>@<EMAILHOST>.com\"; echo \"DATA\"; echo \"Subject: ${H} - ${IMAGE} needs update\"; echo \"\"; echo -e \"\n${IMAGE} needs update.\n\ndocker pull ${ORIGIMAGE}\"; echo \"\"; echo \".\"; echo \"quit\"; sleep 1; } | telnet <SMTPHOST> 25"
fi
fi
done;
Keep in mind, for all examples replace nowsci/samba-domain
with samba-domain
if you build your own from GitHub.
Start a new domain, and forward non-resolvable queries to the main DNS server
- Local site is
192.168.3.0
- Local DC (this one) hostname is
LOCALDC
using the host IP of192.168.3.222
- Local main DNS is running on
192.168.3.1
docker run -t -i \
-e "DOMAIN=CORP.EXAMPLE.COM" \
-e "DOMAINPASS=ThisIsMyAdminPassword" \
-e "DNSFORWARDER=192.168.3.1" \
-e "HOSTIP=192.168.3.222" \
-p 192.168.3.222:53:53 \
-p 192.168.3.222:53:53/udp \
-p 192.168.3.222:88:88 \
-p 192.168.3.222:88:88/udp \
-p 192.168.3.222:135:135 \
-p 192.168.3.222:137-138:137-138/udp \
-p 192.168.3.222:139:139 \
-p 192.168.3.222:389:389 \
-p 192.168.3.222:389:389/udp \
-p 192.168.3.222:445:445 \
-p 192.168.3.222:464:464 \
-p 192.168.3.222:464:464/udp \
-p 192.168.3.222:636:636 \
-p 192.168.3.222:1024-1044:1024-1044 \
-p 192.168.3.222:3268-3269:3268-3269 \
-v /etc/localtime:/etc/localtime:ro \
-v /var/log/samba:/var/log/samba:ro \
-v /data/docker/containers/samba/data/:/var/lib/samba \
-v /data/docker/containers/samba/config/samba:/etc/samba/external \
--dns-search corp.example.com \
--dns 192.168.3.222 \
--dns 192.168.3.1 \
--add-host localdc.corp.example.com:192.168.3.222 \
-h localdc \
--name samba \
--privileged \
nowsci/samba-domain
Join an existing domain, and forward non-resolvable queries to the main DNS server
- Local site is
192.168.3.0
- Local DC (this one) hostname is
LOCALDC
using the host IP of192.168.3.222
- Local existing DC is running DNS and has IP of
192.168.3.201
- Local main DNS is running on
192.168.3.1
docker run -t -i \
-e "DOMAIN=CORP.EXAMPLE.COM" \
-e "DOMAINPASS=ThisIsMyAdminPassword" \
-e "JOIN=true" \
-e "DNSFORWARDER=192.168.3.1" \
-e "HOSTIP=192.168.3.222" \
-p 192.168.3.222:53:53 \
-p 192.168.3.222:53:53/udp \
-p 192.168.3.222:88:88 \
-p 192.168.3.222:88:88/udp \
-p 192.168.3.222:135:135 \
-p 192.168.3.222:137-138:137-138/udp \
-p 192.168.3.222:139:139 \
-p 192.168.3.222:389:389 \
-p 192.168.3.222:389:389/udp \
-p 192.168.3.222:445:445 \
-p 192.168.3.222:464:464 \
-p 192.168.3.222:464:464/udp \
-p 192.168.3.222:636:636 \
-p 192.168.3.222:1024-1044:1024-1044 \
-p 192.168.3.222:3268-3269:3268-3269 \
-v /etc/localtime:/etc/localtime:ro \
-v /data/docker/containers/samba/data/:/var/lib/samba \
-v /data/docker/containers/samba/config/samba:/etc/samba/external \
--dns-search corp.example.com \
--dns 192.168.3.222 \
--dns 192.168.3.1 \
--dns 192.168.3.201 \
--add-host localdc.corp.example.com:192.168.3.222 \
-h localdc \
--name samba \
--privileged \
nowsci/samba-domain
Join an existing domain, forward DNS, remove security features, and connect to a remote site via openvpn
- Local site is
192.168.3.0
- Local DC (this one) hostname is
LOCALDC
using the host IP of192.168.3.222
- Local existing DC is running DNS and has IP of
192.168.3.201
- Local main DNS is running on
192.168.3.1
- Remote site is
192.168.6.0
- Remote DC hostname is
REMOTEDC
with IP of192.168.6.222
(notice the DNS and host entries)
docker run -t -i \
-e "DOMAIN=CORP.EXAMPLE.COM" \
-e "DOMAINPASS=ThisIsMyAdminPassword" \
-e "JOIN=true" \
-e "DNSFORWARDER=192.168.3.1" \
-e "MULTISITE=true" \
-e "NOCOMPLEXITY=true" \
-e "INSECURELDAP=true" \
-e "HOSTIP=192.168.3.222" \
-p 192.168.3.222:53:53 \
-p 192.168.3.222:53:53/udp \
-p 192.168.3.222:88:88 \
-p 192.168.3.222:88:88/udp \
-p 192.168.3.222:135:135 \
-p 192.168.3.222:137-138:137-138/udp \
-p 192.168.3.222:139:139 \
-p 192.168.3.222:389:389 \
-p 192.168.3.222:389:389/udp \
-p 192.168.3.222:445:445 \
-p 192.168.3.222:464:464 \
-p 192.168.3.222:464:464/udp \
-p 192.168.3.222:636:636 \
-p 192.168.3.222:1024-1044:1024-1044 \
-p 192.168.3.222:3268-3269:3268-3269 \
-v /etc/localtime:/etc/localtime:ro \
-v /data/docker/containers/samba/data/:/var/lib/samba \
-v /data/docker/containers/samba/config/samba:/etc/samba/external \
-v /data/docker/containers/samba/config/openvpn/docker.ovpn:/docker.ovpn \
-v /data/docker/containers/samba/config/openvpn/credentials:/credentials \
--dns-search corp.example.com \
--dns 192.168.3.222 \
--dns 192.168.3.1 \
--dns 192.168.6.222 \
--dns 192.168.3.201 \
--add-host localdc.corp.example.com:192.168.3.222 \
--add-host remotedc.corp.example.com:192.168.6.222 \
--add-host remotedc:192.168.6.222 \
-h localdc \
--name samba \
--privileged \
--cap-add=NET_ADMIN --device /dev/net/tun \
nowsci/samba-domain
Keep in mind for all examples DOMAINPASS
can be removed after the first run.
Start a new domain, and forward non-resolvable queries to the main DNS server
- Local site is
192.168.3.0
- Local DC (this one) hostname is
LOCALDC
using the host IP of192.168.3.222
- Local main DNS is running on
192.168.3.1
version: '2'
networks:
extnet:
external: true
services:
# ----------- samba begin ----------- #
samba:
image: nowsci/samba-domain
container_name: samba
volumes:
- /etc/localtime:/etc/localtime:ro
- /data/docker/containers/samba/data/:/var/lib/samba
- /data/docker/containers/samba/config/samba:/etc/samba/external
environment:
- DOMAIN=CORP.EXAMPLE.COM
- DOMAINPASS=ThisIsMyAdminPassword
- DNSFORWARDER=192.168.3.1
- HOSTIP=192.168.3.222
networks:
- extnet
ports:
- 192.168.3.222:53:53
- 192.168.3.222:53:53/udp
- 192.168.3.222:88:88
- 192.168.3.222:88:88/udp
- 192.168.3.222:135:135
- 192.168.3.222:137-138:137-138/udp
- 192.168.3.222:139:139
- 192.168.3.222:389:389
- 192.168.3.222:389:389/udp
- 192.168.3.222:445:445
- 192.168.3.222:464:464
- 192.168.3.222:464:464/udp
- 192.168.3.222:636:636
- 192.168.3.222:1024-1044:1024-1044
- 192.168.3.222:3268-3269:3268-3269
dns_search:
- corp.example.com
dns:
- 192.168.3.222
- 192.168.3.1
extra_hosts:
- localdc.corp.example.com:192.168.3.222
hostname: localdc
cap_add:
- NET_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
devices:
- /dev/net/tun
privileged: true
restart: always
# ----------- samba end ----------- #
Join an existing domain, and forward non-resolvable queries to the main DNS server
- Local site is
192.168.3.0
- Local DC (this one) hostname is
LOCALDC
using the host IP of192.168.3.222
- Local existing DC is running DNS and has IP of
192.168.3.201
- Local main DNS is running on
192.168.3.1
version: '2'
networks:
extnet:
external: true
services:
# ----------- samba begin ----------- #
samba:
image: nowsci/samba-domain
container_name: samba
volumes:
- /etc/localtime:/etc/localtime:ro
- /data/docker/containers/samba/data/:/var/lib/samba
- /data/docker/containers/samba/config/samba:/etc/samba/external
environment:
- DOMAIN=CORP.EXAMPLE.COM
- DOMAINPASS=ThisIsMyAdminPassword
- JOIN=true
- DNSFORWARDER=192.168.3.1
- HOSTIP=192.168.3.222
networks:
- extnet
ports:
- 192.168.3.222:53:53
- 192.168.3.222:53:53/udp
- 192.168.3.222:88:88
- 192.168.3.222:88:88/udp
- 192.168.3.222:135:135
- 192.168.3.222:137-138:137-138/udp
- 192.168.3.222:139:139
- 192.168.3.222:389:389
- 192.168.3.222:389:389/udp
- 192.168.3.222:445:445
- 192.168.3.222:464:464
- 192.168.3.222:464:464/udp
- 192.168.3.222:636:636
- 192.168.3.222:1024-1044:1024-1044
- 192.168.3.222:3268-3269:3268-3269
dns_search:
- corp.example.com
dns:
- 192.168.3.222
- 192.168.3.1
- 192.168.3.201
extra_hosts:
- localdc.corp.example.com:192.168.3.222
hostname: localdc
cap_add:
- NET_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
devices:
- /dev/net/tun
privileged: true
restart: always
# ----------- samba end ----------- #
Join an existing domain, forward DNS, remove security features, and connect to a remote site via openvpn
- Local site is
192.168.3.0
- Local DC (this one) hostname is
LOCALDC
using the host IP of192.168.3.222
- Local existing DC is running DNS and has IP of
192.168.3.201
- Local main DNS is running on
192.168.3.1
- Remote site is
192.168.6.0
- Remote DC hostname is
REMOTEDC
with IP of192.168.6.222
(notice the DNS and host entries)
version: '2'
networks:
extnet:
external: true
services:
# ----------- samba begin ----------- #
samba:
image: nowsci/samba-domain
container_name: samba
volumes:
- /etc/localtime:/etc/localtime:ro
- /data/docker/containers/samba/data/:/var/lib/samba
- /data/docker/containers/samba/config/samba:/etc/samba/external
- /data/docker/containers/samba/config/openvpn/docker.ovpn:/docker.ovpn
- /data/docker/containers/samba/config/openvpn/credentials:/credentials
environment:
- DOMAIN=CORP.EXAMPLE.COM
- DOMAINPASS=ThisIsMyAdminPassword
- JOIN=true
- DNSFORWARDER=192.168.3.1
- MULTISITE=true
- NOCOMPLEXITY=true
- INSECURELDAP=true
- HOSTIP=192.168.3.222
networks:
- extnet
ports:
- 192.168.3.222:53:53
- 192.168.3.222:53:53/udp
- 192.168.3.222:88:88
- 192.168.3.222:88:88/udp
- 192.168.3.222:135:135
- 192.168.3.222:137-138:137-138/udp
- 192.168.3.222:139:139
- 192.168.3.222:389:389
- 192.168.3.222:389:389/udp
- 192.168.3.222:445:445
- 192.168.3.222:464:464
- 192.168.3.222:464:464/udp
- 192.168.3.222:636:636
- 192.168.3.222:1024-1044:1024-1044
- 192.168.3.222:3268-3269:3268-3269
dns_search:
- corp.example.com
dns:
- 192.168.3.222
- 192.168.3.1
- 192.168.6.222
- 192.168.3.201
extra_hosts:
- localdc.corp.example.com:192.168.3.222
- remotedc.corp.example.com:192.168.6.222
- remotedc:192.168.6.222
hostname: localdc
cap_add:
- NET_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
devices:
- /dev/net/tun
privileged: true
restart: always
# ----------- samba end ----------- #
For joining the domain with any client, everything should work just as you would expect if the active directory server was Windows based. For Ubuntu, there are many guides availble for joining, but to make things easier you can find an easily configurable script for joining your domain here: https://raw.githubusercontent.com/Fmstrat/samba-domain/master/ubuntu-join-domain.sh
The most common issue is when running multi-site and seeing the below DNS replication error when checking replication with docker exec samba samba-tool drs showrepl
CN=Schema,CN=Configuration,DC=corp,DC=example,DC=local
Default-First-Site-Name\REMOTEDC via RPC
DSA object GUID: faf297a8-6cd3-4162-b204-1945e4ed5569
Last attempt @ Thu Jun 29 10:49:45 2017 EDT failed, result 2 (WERR_BADFILE)
4 consecutive failure(s).
Last success @ NTTIME(0)
This has nothing to do with docker, but does happen in samba setups. The key is to put the GUID host entry into the start script for docker, and restart the container. For instance, if you saw the above error, Add this to you docker command:
--add-host faf297a8-6cd3-4162-b204-1945e4ed5569._msdcs.corp.example.com:192.168.6.222 \
Where 192.168.6.222
is the IP of REMOTEDC
. You could also do this in extra_hosts
in docker-compose.