Rowland penny
2021-Jun-16 07:35 UTC
[Samba] Joining Samba AD DC from Docker container fails - timeout
On 15/06/2021 22:13, greg at theschaubs.com wrote:
> Hi Rowland,
>
> The container is not privileged because it would conflict with other host
> processes. From a network perspective, it is running a macvlan
> configuration.

If the container isn't privileged, then give up now; it must be a privileged container if you want to run a DC in it.

> To be clear, the ports are open and available. A netstat from within the
> container shows that those are the only two ports listening. Similarly, a
> port scan performed from within the container on the DC source host shows
> all of those ports as advertised. Therefore, it appears that the docker
> image is not running processes that would listen on those ports.
> Additionally, running smbd made some of those available, but not all.
> Perhaps most importantly, smbd did not listen on port 135. I have not tried
> to start nmbd or winbind prior to the join, only smbd. I can try it with
> those services running.

You shouldn't have any of the Samba daemons running when joining, and you should only start the 'samba' daemon if and when you get the DC joined to the domain.

> I hadn't done that yet because the documentation appears to me to imply that
> none of the samba daemons should be running during the join. My assumption
> was that samba-tool itself would initiate the processes needed for all of
> the ports. If that is wrong, it would be very easy to fix.

You need to ensure all the required ports are open in the firewall (if using one) before the join; this is to allow replication from the existing DC.

Rowland
John Mulligan
2021-Jun-16 12:06 UTC
[Samba] Joining Samba AD DC from Docker container fails - timeout
On Wednesday, June 16, 2021 3:35:08 AM EDT Rowland penny via samba wrote:
> On 15/06/2021 22:13, greg at theschaubs.com wrote:
> > Hi Rowland,
> >
> > The container is not privileged because it would conflict with other host
> > processes. From a network perspective, it is running a macvlan
> > configuration.
>
> If the container isn't privileged, then give up now, it must be a
> privileged container if you want to run a DC in it.
>

So far that's been my experience too. The AD DC needs to read and write the 'security.NTACL' xattr and that in turn needs CAP_SYS_ADMIN [1]. If Greg has some way around this requirement I'd love to hear more, but I didn't find one myself.

> > To be clear, the ports are open and available. A netstat from within the
> > container shows that those are the only two ports listening. Similarly, a
> > port scan performed from within the container on the DC source host shows
> > all of those ports as advertised. Therefore, it appears that the docker
> > image is not running processes that would listen on those ports.
> > Additionally, running smbd made some of those available, but not all.
> > Perhaps most importantly, smbd did not listen on port 135. I have not
> > tried to start nmbd or winbind prior to the join, only smbd. I can try
> > it with those services running.
>
> You shouldn't have any of the Samba daemons running when joining and you
> should only start the 'samba' daemon if and when you get the DC joined
> to the domain
>
> > I hadn't done that yet because the documentation appears to me to imply
> > that none of the samba daemons should be running during the join. My
> > assumption was that samba-tool itself would initiate the processes needed
> > for all of the ports. If that is wrong, it would be very easy to fix.
>
> You need to ensure all the required ports are open in the firewall (if
> using one) before the join, this is to allow replication from the
> existing DC.
>

I have not tried creating a domain of multiple (containerized) DCs, but I have containerized DCs that member servers can join. This is all for test, and currently the parameters of the domain are simplistic and hard-coded, but I am able to successfully join member servers to said domain. So in the off chance that it helps, here's a link to one of the example configurations we have [2]. The example file is for k8s, but the logic behind it should work for Docker directly or any container runtime.

[1] - https://man7.org/linux/man-pages/man7/capabilities.7.html
[2] - https://github.com/samba-in-kubernetes/samba-container/blob/master/examples/kubernetes/samba-ad-server-deployment.yml#L23
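The two preconditions the thread settles on (the container must hold CAP_SYS_ADMIN so the DC can write the security.NTACL xattr, and the existing DC's ports must be reachable before the join) can be checked from inside the container before running samba-tool. The script below is an added example written for this page; it is not code from the thread or from the Samba project. It assumes a Linux container with /proc mounted, that CAP_SYS_ADMIN is capability number 21 as defined in linux/capability.h, that nc(1) and setfattr(1) are installed, and that the TCP port list is the usual AD DC set (DNS, Kerberos, RPC endpoint mapper, NetBIOS/SMB, LDAP, LDAPS, kpasswd, global catalog); compare that list and the dynamic RPC range against the Samba wiki for your release, since the script does not probe the dynamic range.

```shell
#!/bin/sh
# Added example, not from the thread or Samba: pre-join checks for running an
# AD DC in a container.
# Assumptions: Linux with /proc; CAP_SYS_ADMIN is capability 21; nc(1) and
# setfattr(1) are present; DC_TCP_PORTS matches the Samba wiki for your release.

# cap_mask_has_sys_admin MASK
#   MASK is a /proc/PID/status line such as "CapEff: 000001ffffffffff" or just
#   the hex digits. Returns 0 if bit 21 (CAP_SYS_ADMIN) is set, else 1.
#   Bit 21 lives in the hex digit covering bits 20-23 (the 6th digit from the
#   right), so only that nibble is inspected and no 64-bit arithmetic is needed.
cap_mask_has_sys_admin() {
    hex=$(printf '%s\n' "$1" | awk '{print $NF}')
    while [ ${#hex} -lt 16 ]; do hex=0$hex; done   # zero-pad to 64 bits
    low6=${hex#"${hex%??????}"}                     # last six digits: bits 0-23
    digit=${low6%?????}                             # first of those: bits 20-23
    case $digit in
        [2367abefABEF]) return 0 ;;   # nibble values with bit 1 (= bit 21) set
        *)              return 1 ;;
    esac
}

# self_has_sys_admin: check the effective capability set of this shell, i.e.
# what the container runtime actually granted. Docker's default set lacks
# CAP_SYS_ADMIN; --privileged (or --cap-add SYS_ADMIN) includes it.
self_has_sys_admin() {
    cap_mask_has_sys_admin "$(grep '^CapEff:' /proc/self/status)"
}

# ntacl_xattr_writable FILE: attempt the same write the DC performs on its
# sysvol/private files. Writing the security.* namespace needs CAP_SYS_ADMIN,
# so this fails in an unprivileged container even when networking is fine.
ntacl_xattr_writable() {
    setfattr -n security.NTACL -v 0sAAAA "$1" 2>/dev/null
}

# dc_ports_reachable HOST: TCP-connect the ports the join and the initial
# replication need on the existing DC. Lists failures on stderr, returns 1 if
# any port is closed. UDP and the 49152-65535 dynamic RPC range are not probed.
DC_TCP_PORTS="53 88 135 139 389 445 464 636 3268 3269"
dc_ports_reachable() {
    host=$1
    failed=""
    for p in $DC_TCP_PORTS; do
        nc -z -w 3 "$host" "$p" 2>/dev/null || failed="$failed $p"
    done
    [ -z "$failed" ] && return 0
    printf 'unreachable TCP ports on %s:%s\n' "$host" "$failed" >&2
    return 1
}

# Usage, inside the container and before samba-tool domain join, with no Samba
# daemon running (the existing DC name below is a placeholder):
#   self_has_sys_admin || echo "no CAP_SYS_ADMIN: run the container privileged"
#   touch /var/lib/samba/.probe && ntacl_xattr_writable /var/lib/samba/.probe \
#       || echo "cannot write security.NTACL xattr"
#   dc_ports_reachable dc1.example.com
```

The capability check deliberately reads CapEff rather than trusting the runtime's flags: a macvlan network and open host ports say nothing about the process's capability set, which is what the xattr write actually depends on. Once all three checks pass, run the join, and only then start the 'samba' daemon.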