John Mulligan
2022-Apr-19 14:19 UTC
[Samba] Deploy separate DC & file share services in one host
On Saturday, April 16, 2022 12:54:12 PM EDT Hailong Wang via samba wrote:
> Hi everyone.
> I use Docker to deploy an AD DC & smbd file share service in two containers on
> a single host. The Docker image is based on Ubuntu 20.04, the Samba version is
> 4.13.17.
>
> When I visit the file share service (using wsdd2 & avahi), Windows 10
> works, but other clients like macOS have a 50 percent chance of showing
> the DC file shares (netlogon & sysvol).
>
> According to "Setting up Samba as an Active Directory Domain Controller"
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server,
> I know the AD DC can act as the file share service, but it will show netlogon and sysvol in
> the shared directory.
>
> Any idea?

How are you separating the network traffic for the different Samba instances? Are you trying to change ports (I see `rpc server port` set in the example)? Alternatively, are you giving the containers different IPs?

Based on the fact that most clients require SMB traffic on port 445, I would personally be aiming for something like the latter. But I'd like to know more before making assumptions about your network.

> # DC smb.conf
>
> [global]
> netbios name = DCSERVER
> realm = SAMBADC.COM
> server role = active directory domain controller
> workgroup = SAMBADC
> server services = -dns
> rpc server port = 10240
> bind interfaces only = Yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/SAMBADC.COM/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> # file share smb.conf
>
> [global]
> security = ADS
> server role = MEMBER SERVER
> workgroup = SAMBADC
> netbios name = FSSERVER
> realm = SAMBADC.COM
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config SAMBADC: backend = rid
> idmap config SAMBADC: range = 10000-999999
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=524288 SO_SNDBUF=524288
>
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind refresh tickets = Yes
> winbind separator = +
> winbind use default domain = Yes
> winbind expand groups = 2
Hailong Wang
2022-Apr-19 20:29 UTC
[Samba] Deploy separate DC & file share services in one host
From: samba <samba-bounces at lists.samba.org> on behalf of John Mulligan via samba <samba at lists.samba.org>
Sent: Tuesday, April 19, 2022 10:19 PM
Subject: Re: [Samba] Deploy separate DC & file share services in one host

> > Hi everyone.
> > I use Docker to deploy an AD DC & smbd file share service in two containers on
> > a single host. The Docker image is based on Ubuntu 20.04, the Samba version is
> > 4.13.17.
> >
> > When I visit the file share service (using wsdd2 & avahi), Windows 10
> > works, but other clients like macOS have a 50 percent chance of showing
> > the DC file shares (netlogon & sysvol).
> >
> > According to "Setting up Samba as an Active Directory Domain Controller"
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server,
> > I know the AD DC can act as the file share service, but it will show netlogon and sysvol in
> > the shared directory.
> >
> > Any idea?
>
> How are you separating the network traffic for the different Samba instances? Are
> you trying to change ports (I see `rpc server port` set in the example)?
> Alternatively, are you giving the containers different IPs?
>
> Based on the fact that most clients require SMB traffic on port 445, I would
> personally be aiming for something like the latter. But I'd like to know more
> before making assumptions about your network.

I use two Docker containers: one deploys the DC, the other deploys the file share service. Both use `network_mode: host`, share the host IP, and both bind port 445. The first time I forgot about the port conflict, but after deployment it miraculously worked! Maybe the reason is that I use `smbd --foreground --no-process-group` to start the service in the file share container.

This is the result when I use lsof to check the listening ports on the host. I tag where each process comes from at the tail.

COMMAND  PID    USER FD  TYPE DEVICE SIZE/OFF NODE NAME
smbd     153418 root 44u IPv6 896533 0t0      TCP  *:445 (LISTEN)                                             # dc smbd
smbd     153418 root 46u IPv4 896535 0t0      TCP  *:445 (LISTEN)                                             # dc smbd
smbd     156185 root 46u IPv6 898503 0t0      TCP  *:445 (LISTEN)                                             # file share smbd
smbd     156185 root 48u IPv4 898505 0t0      TCP  *:445 (LISTEN)                                             # file share smbd
winbindd 156219 root 22u IPv4 897720 0t0      TCP  192.168.199.156:47126->192.168.199.156:445 (ESTABLISHED)   # file share winbindd
smbd     156221 root 49u IPv4 897721 0t0      TCP  192.168.199.156:445->192.168.199.156:47126 (ESTABLISHED)   # dc another smbd

My idea is: can I bind a domain name or something similar to the smbd process in each container, like a reverse proxy, so that the different domains go to the file share or to the DC?