Hello, I am trying to figure out whether there are any best practices for running a Samba AD DC in a container.

First of all: why a container? Because obviously containers require fewer resources and are easier to update than multiple Linux systems, and I want to spend some of the savings on redundancy (multiple DCs, also distributed to serve different locations).

Googling around I found several containers on github/dockerhub, e.g. https://github.com/Fmstrat/samba-domain (ubuntu with openvpn), https://hub.docker.com/r/instantlinux/samba-dc, https://hub.docker.com/r/laslabs/alpine-samba-dc (both alpine), and very likely more. But what is really an adequate setup?

* What are pros and cons of container vs. VMs?
* What is the right distro to start with?
  * Ubuntu appears to be lazy on updates. My 18.04.2 runs samba 4.7.6, 19.04 appears to run 4.10.0 which is not marked as stable on samba.org (probably there is now an update available, but I didn't check).
  * Don't know versions for Alpine. But Alpine is reported to have problems with DNS resolution, and I don't know to what extent they are relevant with a DC.
* What are the minimum packages required?
* I have seen some containers using pam, but who authenticates into a container?
* What is a good and secure configuration?
  * Most of the containers appear to use administrator secrets from a configuration file, I'd prefer a prompt during initial startup (probably at the expense that only a second start may detach)
* What are the pros and cons of using a static IP for the container vs. port forwarding?
* VPN in the container or on host? Actually I'd go for wireguard rather than OpenVPN..
* How to include more bind configuration e.g. for an additional DNS zone? Or require that on a different DNS server?
* What about sysvol?
* Ntpd - https://marc.info/?l=samba&m=154695462230809&w=2 ?
* How to do updates?
  * I can imagine using a cron job to tear down the container, then pull or rebuild, then up. And schedule this for different work days for different instances..
* How to monitor replication is working?
  * I have seen some warnings about replication and containers, but I can only guess what the root cause really is.

I don't expect one size fits all. If that would be the result, then excellent, and then ideally samba would just publish that container. But if not, then collecting experiences and publishing a configuration (docker build file, docker-compose.yaml, configuration files) with instructions on github would be great. Then anyone interested (like me) can clone and modify. Or a section on the wiki..

Any other thoughts?

Thanks & Best Regards, Joachim
Hi! Joachim Lindenberg via samba wrote:

> But what is really an adequate setup?

I use containers (LXC, proxmox) for my DCs. All work flawlessly, only:

+ must be 'privileged' container (no unprivileged ones)
+ you have to let the container manage the system clock (there's a specific 'CAP') or instruct ntpd NOT to use the system clock ('disable kernel' in ntp.conf).

-- 
dott. Marco Gaiarin  GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''  http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797
> * What are pros and cons of container vs. VMs?

Same as any other containerized setup. We've been running our Samba DCs and file servers in nspawn containers (similar to LXC) for a couple of years, no container-specific issues yet. Though I'm not sure if docker is the right tool for the job; samba as a fat daemon running a bazillion subprocesses orchestrated by a persistent database that's very sensitive to instances leaving and joining the domain seems the antithesis to docker's philosophy.

> * What is the right distro to start with?

Probably Debian or Ubuntu stable, as there's community provided samba builds for them. Distro builds are in general pretty crap.

> * Don't know versions for Alpine. But Alpine is reported to have
> problems with DNS resolution, and I don't know to what extent they are
> relevant with a DC.

Alpine uses musl-libc rather than glibc, and does not utilize NSSwitch. This is a problem for anything that needs or wants alternate authentication and/or name service backends, including winbind/kerberos/ldap.

> * What are the minimum packages required?

Depends on your distro and what features you want (printer support, e.g.)

> * I have seen some containers using pam, but who authenticates into a
> container?

Samba's databases need management, and not all of it can be done remotely. I think docker exec would suffice for samba's use case, though.

> * What is a good and secure configuration?

Depends on what you need to be compatible with. If some client software needs SMB1 support, it's not going to get very secure...

> * Most of the containers appear to use administrator secrets from a
> configuration file, I'd prefer a prompt during initial startup (probably at
> the expense that only a second start may detach)

Modify their docker files as needed?

> * What are the pros and cons of using a static IP for the container
> vs. port forwarding?

Kerberos and AD are very sensitive to DNS issues; you're going to go insane without static IPs. AD also needs a *lot* of ports open to work.

> * VPN in the container or on host? Actually I'd go for wireguard
> rather than OpenVPN..

Whatever works better with your network setup, there's nothing preventing openvpn/wireguard from running on the same instance as samba.

> * How to include more bind configuration e.g. for an additional DNS
> zone? Or require that on a different DNS server?

Given the continuous issues people have with BIND, I'd recommend using the internal DNS backend (maybe behind another, external DNS server) unless you have specific needs only BIND can handle.

> * What about sysvol?

sysvol needs to be externally replicated to all your instances. I'd recommend running something like lsyncd inside the container and using its lua scripting capabilities (or external scripts) to a) make sure it doesn't run on the wrong instance and b) replicate everything to all DCs.

> * Ntpd - https://marc.info/?l=samba&m=154695462230809&w=2 ?

NTP doesn't necessarily have to run inside Samba's container. All that's necessary is that all domain joined machines have their clocks synced within at most 5 minutes deviation. In practice, any even remotely sane NTP setup will be within ±1 second.

> * How to do updates?
>
> * I can imagine using a cron job to tear down the container, then pull
> or rebuild, then up. And schedule this for different work days for different
> instances..

Within the same major release that should work, as long as /var/lib/samba is kept persistent. Between major releases you might need to migrate config files etc. For proper availability you probably need to make sure that FSMO roles are moved off the to-be-updated machine first, and if necessary seized back after the update.

> * How to monitor replication is working?
>
> * I have seen some warnings about replication and containers, but I
> can only guess what the root cause really is.

`samba-tool drs showrepl --json` is available with Samba 4.9+, that should be relatively easy to parse and monitor. With older versions you'll have to parse the textual output, which is a pain in the ass, but doable.

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
sven.schwedas at tao.at | +43 680 301 7167
TAO Digital | part of TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at
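To make the monitoring suggestion above concrete, here is an added example (my code, not part of the Samba project and not posted in this thread) of a check built on the output of `samba-tool drs showrepl --json`. The JSON field names it reads (`inboundNeighbors`, `outboundNeighbors`, `NC dn`, `DSA`, `consecutive failures`, `last attempt message`) are assumed to match the Samba 4.9+ layout; compare them with the output of your own DC before wiring the check into Nagios/Icinga. The domain naming context `DC=ad,DC=example,DC=com` and the optional container name used for `docker exec` are assumptions, and both sample documents are constructed. It goes slightly beyond the point made above by also warning when a DC has no inbound partner for the domain partition at all, which a "no failures" check alone would report as healthy.

```python
"""Check Samba AD replication from `samba-tool drs showrepl --json` output.

Added example for this thread, not code from the Samba project.  Field names
("inboundNeighbors", "consecutive failures", "last attempt message", ...) are
assumed to match the Samba 4.9+ JSON layout; confirm them against your DC.
"""
import json
import subprocess
import sys

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios/Icinga exit-code convention

DOMAIN_NC = "DC=ad,DC=example,DC=com"  # assumed domain naming context


def _neighbor(partner, nc, failures, message):
    """Constructed record in the shape of one showrepl --json neighbor entry."""
    return {
        "NC dn": nc,
        "DSA": "Default-First-Site-Name\\" + partner,
        "DSA objectGUID": "00000000-0000-0000-0000-000000000000",
        "last attempt time": "Wed Jul  3 08:21:00 2019 CEST",
        "last attempt message": message,
        "consecutive failures": failures,
        "last success": "Wed Jul  3 08:21:00 2019 CEST",
    }


# Constructed sample: DC2 replicates fine, DC3 has been unreachable 7 times.
SAMPLE_BROKEN = json.dumps({
    "dsa": {"dn": "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
                  "CN=Sites,CN=Configuration," + DOMAIN_NC},
    "inboundNeighbors": [
        _neighbor("DC2", DOMAIN_NC, 0, "was successful"),
        _neighbor("DC3", DOMAIN_NC, 7,
                  "failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)"),
    ],
    "outboundNeighbors": [_neighbor("DC2", DOMAIN_NC, 0, "was successful")],
    "NTDSConnections": [],
})

# Constructed sample: a single healthy partner in both directions.
SAMPLE_HEALTHY = json.dumps({
    "dsa": {"dn": "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
                  "CN=Sites,CN=Configuration," + DOMAIN_NC},
    "inboundNeighbors": [_neighbor("DC2", DOMAIN_NC, 0, "was successful")],
    "outboundNeighbors": [_neighbor("DC2", DOMAIN_NC, 0, "was successful")],
    "NTDSConnections": [],
})


def check_replication(showrepl_json, max_failures=0):
    """Return (exit_code, messages) for one DC's `drs showrepl --json` output.

    CRITICAL if any partner's last attempt failed or exceeded max_failures,
    WARNING if the DC has no inbound partner for the domain NC at all (a DC
    nobody replicates to silently drifts), OK otherwise.
    """
    data = json.loads(showrepl_json)
    messages = []
    status = OK
    for direction in ("inboundNeighbors", "outboundNeighbors"):
        for n in data.get(direction, []):
            failures = int(n.get("consecutive failures", 0))
            msg = str(n.get("last attempt message", ""))
            if failures > max_failures or not msg.startswith("was successful"):
                status = CRITICAL
                messages.append("%s %s for %s: %d consecutive failure(s), last attempt %s"
                                % (direction.replace("Neighbors", ""), n.get("DSA"),
                                   n.get("NC dn"), failures, msg))
    inbound_domain = [n for n in data.get("inboundNeighbors", [])
                      if n.get("NC dn") == DOMAIN_NC]
    if not inbound_domain:
        status = max(status, WARNING)
        messages.append("no inbound replication partner for %s" % DOMAIN_NC)
    if status == OK:
        messages.append("replication OK with %d inbound partner(s)" % len(inbound_domain))
    return status, messages


def run_showrepl(container=None):
    """Run `samba-tool drs showrepl --json`, via docker exec when a container
    name (an assumption) is given, otherwise on the local host."""
    cmd = ["samba-tool", "drs", "showrepl", "--json"]
    if container:
        cmd = ["docker", "exec", container] + cmd
    return subprocess.check_output(cmd, universal_newlines=True)


if __name__ == "__main__":
    code, msgs = check_replication(run_showrepl(sys.argv[1] if len(sys.argv) > 1 else None))
    print("\n".join(msgs))
    sys.exit(code)
```

Run it as `check_replication.py samba-dc1` from cron or a monitoring agent on every DC host; each DC only reports its own view of its partners, so the check has to run on all of them to catch a partition that is broken in one direction only.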
On 7/3/19 8:21 AM, Sven Schwedas via samba wrote:
> Though I'm not sure if docker is the right tool for the job; samba as a
> fat daemon running a bazillion subprocesses orchestrated by a persistent
> database that's very sensitive to instances leaving and joining the
> domain seems the antithesis to docker's philosophy.

Docker would be a terrible choice for this; Docker is really designed to containerize a single app; for a suite of tools use LXD or nspawn. While I haven't used nspawn, I'm a huge fan of LXD, which is simple, elegant, well maintained, and UNIX-y in feel. If you're on Ubuntu or need to run an Ubuntu container, LXD is a no-brainer choice.
Hello Sven,
thanks for your elaborate response, shedding quite some light. Let me please follow up on some of your suggestions and learn from more responses.

> Probably Debian or Ubuntu stable, as there's community provided samba builds for them. Distro builds are in general pretty crap.

The standard Ubuntu is definitely outdated, and I assume Debian similar. Where can I find these community builds and who "owns" and updates them (as I don't want to rely on questionable sources/binaries)?

> Samba's databases need management, and not all of it can be done remotely.

I was assuming that if one uses multiple DCs one should rely on replication and never restore a DC from backup? Nevertheless I would not put persistence into the container..

>> * What is a good and secure configuration?
> Depends on what you need to be compatible with. If some client software needs SMB1 support, it's not going to get very secure...

Fully agree. I am mandating SMB3 for all windows hosts via GPO...

>> * Most of the containers appear to use administrator secrets from a configuration file, I'd prefer a prompt during initial startup
>> (probably at the expense that only a second start may detach)
> Modify their docker files as needed?

I was thinking about a docker-compose up without -d and within the container run a script that checks already joined or not... does this make sense? Or use something like "docker exec -it <container> samba-tool domain join <dom> DC ... -U<credentials>". So far I was mostly consuming containers or modifying them a little, not really creating them...

>> * What are the pros and cons of using a static IP for the container vs. port forwarding?
> Kerberos and AD are very sensitive to DNS issues; you're going to go insane without static IPs.
> AD also needs a *lot* of ports open to work.

Ok, static..

>> * VPN in the container or on host? Actually I'd go for wireguard rather than OpenVPN..
> Whatever works better with your network setup, there's nothing preventing openvpn/wireguard from running on the same instance as samba.

Yes, but the container then has a different IP than the host.

>> * How to include more bind configuration e.g. for an additional DNS zone? Or require that on a different DNS server?
> Given the continuous issues people have with BIND, I'd recommend using the internal DNS backend (maybe behind another, external DNS server) unless you have specific needs only BIND can handle.

I need some more DNS than the samba domain, but I could run that somewhere else. However I also read somewhere the internal backend is discouraged in case one runs multiple DCs.

>> * What about sysvol?
> sysvol needs to be externally replicated to all your instances. I'd recommend running something like lsyncd inside the container and use its lua scripting capabilities (or external scripts) to a) make sure it doesn't run on the wrong instance and b) replicates everything to all DCs.

Inside the container? Or on the host and map that as a volume into the container? I also read lsyncd might have issues with network outages. Any other recommendation?

>> * How to do updates?
>> I can imagine using a cron job to tear down the container, then pull or rebuild, then up. And schedule this for different work days for different instances..
> Inside the same major releases that should work, as long as /var/lib/samba is kept persistent. Between major releases you might need to migrate config files etc.

For major updates that require manual work I was thinking about joining new DCs and removing the old ones.

> For proper availability you probably need to make sure that FSMO roles are moved off the to be updated machine first, and if necessary seized back after the update.

Sure for (major) upgrades, but I don't think that should be necessary for minor updates.

>> * How to monitor replication is working?
> `samba-tool drs showrepl --json` is available with Samba 4.9+, that should be relatively easy to parse and monitor.
> With older versions you'll have to parse the textual output, which is a pain in the ass, but doable.

Which motivates me to go that route in order to benefit from the newer version.

Thanks & Best Regards, Joachim
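As an added example of the update procedure discussed in the exchange above (my code, not the Samba project's and not from any of the images Joachim listed): before a DC's container is torn down and recreated from a newer image, pull every FSMO role it holds onto a DC that stays up, confirm with `samba-tool fsmo show` that it holds none, and only then pull and restart. The output format of `fsmo show` (`<Role>MasterRole owner: CN=NTDS Settings,CN=<DC>,...`) and the `--role=` names are samba-tool's own; `samba-tool fsmo transfer` runs on the DC that is to receive the role, so it is executed in the surviving DC's container. The container names, the compose project directory and service name, and the DC names are assumptions, and the sample `fsmo show` output is constructed.

```python
"""Rolling-update helper for containerized Samba DCs: move the FSMO roles
off the DC that is about to be torn down, verify it holds none, then pull
and recreate its container.

Added example for this thread, not code from the Samba project or from any
of the images named in it.  The `fsmo show` output format and the `--role=`
names are samba-tool's own; container names, the compose service name, the
compose directory and the DC names are assumptions.
"""
import re
import subprocess

# `samba-tool fsmo show` role label -> `samba-tool fsmo transfer --role=` value
ROLE_FLAG = {
    "SchemaMasterRole": "schema",
    "InfrastructureMasterRole": "infrastructure",
    "RidAllocationMasterRole": "rid",
    "PdcEmulationMasterRole": "pdc",
    "DomainNamingMasterRole": "naming",
    "DomainDnsZonesMasterRole": "domaindns",
    "ForestDnsZonesMasterRole": "forestdns",
}

_SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com"

# Constructed sample in the format of `samba-tool fsmo show`: DC1 holds five
# roles, DC2 holds the two DNS application-partition roles.
SAMPLE_FSMO_SHOW = "\n".join(
    "%s owner: CN=NTDS Settings,CN=%s,%s" % (role, dc, _SITE)
    for role, dc in [
        ("SchemaMasterRole", "DC1"),
        ("InfrastructureMasterRole", "DC1"),
        ("RidAllocationMasterRole", "DC1"),
        ("PdcEmulationMasterRole", "DC1"),
        ("DomainNamingMasterRole", "DC1"),
        ("DomainDnsZonesMasterRole", "DC2"),
        ("ForestDnsZonesMasterRole", "DC2"),
    ]
) + "\n"

_OWNER_RE = re.compile(r"^(\w+MasterRole) owner: CN=NTDS Settings,CN=([^,]+),", re.M)


def roles_held_by(fsmo_show_output, dc_name):
    """Return the --role values for every FSMO role the named DC currently owns."""
    return [ROLE_FLAG[role] for role, owner in _OWNER_RE.findall(fsmo_show_output)
            if role in ROLE_FLAG and owner.lower() == dc_name.lower()]


def samba_tool(container, *args):
    """Run samba-tool inside a running container via docker exec (name assumed)."""
    cmd = ["docker", "exec", container, "samba-tool"] + list(args)
    return subprocess.check_output(cmd, universal_newlines=True)


def hand_over_roles(survivor_container, victim_dc):
    """Pull every role the victim holds onto the survivor, then verify.

    `samba-tool fsmo transfer` is executed on the DC that is to *receive*
    the role, hence it runs in the survivor's container.  If the victim is
    already unreachable the transfer fails; that is the case for
    `samba-tool fsmo seize`, which is deliberately left to a human here.
    """
    held = roles_held_by(samba_tool(survivor_container, "fsmo", "show"), victim_dc)
    for role in held:
        samba_tool(survivor_container, "fsmo", "transfer", "--role=" + role)
    left = roles_held_by(samba_tool(survivor_container, "fsmo", "show"), victim_dc)
    if left:
        raise RuntimeError("%s still holds FSMO role(s): %s" % (victim_dc, ", ".join(left)))
    return held


def update_dc(compose_dir, service, survivor_container, victim_dc):
    """Move roles away, then pull the new image and recreate the victim's
    container.  /var/lib/samba of that service must be a persistent volume."""
    moved = hand_over_roles(survivor_container, victim_dc)
    subprocess.check_call(["docker-compose", "pull", service], cwd=compose_dir)
    subprocess.check_call(["docker-compose", "up", "-d", service], cwd=compose_dir)
    return moved


if __name__ == "__main__":
    # Assumed names: compose project in /srv/dc2 with service "dc2", DC1 stays up.
    print("moved roles:", update_dc("/srv/dc2", "dc2", "samba-dc1", "DC2"))
```

Run one instance per DC on different days, as Joachim proposes, always naming a survivor that is not itself being updated that day; after the recreated container is back and `samba-tool drs showrepl` is clean, the roles can be transferred back the same way if you want them to live on a particular DC.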
Hi Marco, anybody,

> + must be 'privileged' container (no unprivileged ones)

I have seen containers with and without calling for being privileged, but you never know without trying and testing carefully... Googling I found https://github.com/lxc/lxd/issues/3442#issuecomment-312560949 but I am not really clear about the conclusion. Does it really have to be privileged?

Thanks & Best Regards, Joachim