ServerContainers / samba

samba - (ghcr.io/servercontainers/samba) (+ optional zeroconf, wsdd2 & time machine) on alpine [x86 + arm]


AD Auth

farzadha2 opened this issue · comments

Hi,
I was looking at the repo and reading the README, but didn't seem to find how I can add the information to authenticate with my AD server.
I also read #49,
where I also saw the SAMBA_GLOBAL_CONFIG_someuniquevalue,
but with this value I assume that the container would also need packages like realmd to connect to the domain to be able to share files?

Thank you

commented

Hi there,

thanks for the issue. That's true, there is no explicit config, but since you can configure everything using the global config envs, you can alter the samba config to your needs.

As far as I know it was available back in the time when this container was debian/ubuntu based - this container has existed for several years now - and it had some breaking changes in its earlier times.
But I never tested it. I don't have an AD to test this setup easily.

If you'd like to help, you can try to get it working with minimal configuration - see what alpine packages are missing, and give me an example config string which would be needed.

If there are not too many dependencies missing - maybe it's just realmd without many other dependencies - I might add it to the container. If the configuration is a large string I might reduce it to some AD connection envs which automatically enable the realmd.

But this would need your input and in the end a test of my setup - if you're up to it I'm happy to get this supported in my container.

commented

If the whole impact for establishing is too big, I might create a new variant which contains all those needed changes :)

Hi there, so I was trying to create the following, but I'm a bit stumped and not sure what I missed. I did it, though, using Docker ubuntu latest.

Created Dockerfile:

```dockerfile
FROM ubuntu:latest

ARG domain
ARG realm
ARG dc
ARG admin_password

RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y samba krb5-user winbind

ADD krb5.conf /etc/krb5.conf
ADD smb.conf /etc/samba/smb.conf
ADD startup.sh /root/startup.sh
RUN chmod +x /root/startup.sh

RUN echo "$admin_password" | kinit Administrator@$realm
RUN net ads join -U Administrator%$admin_password

CMD ["/root/startup.sh"]
```

Then created krb5.conf:

```ini
[libdefaults]
    default_realm = MYDOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
```

Then created smb.conf:

```ini
[global]
    workgroup = MYDOMAIN.LOCAL
    security = ads
    realm = MYDOMAIN.LOCAL
    password server = dc2.mydomain.local
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    winbind use default domain = true
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
```

Then created startup.sh:

```bash
#!/bin/bash

echo "Starting winbindd"
/etc/init.d/winbind start

echo "Joining domain"
net ads join -U Administrator

echo "Starting smbd"
/etc/init.d/smbd start

tail -f /dev/null
```

After that, the docker-compose:

```yaml
version: '3'
services:
  sambashares:
    build:
      context: .
      args:
        domain: mydomain.local
        realm: MYDOMAIN.LOCAL
        dc: dc2.mydomain.local
        admin_password: MyAdminPassword123
    container_name: sambashares
    ports:
      - "445:445"
      - "139:139"
    privileged: true
    restart: always
```

But I'm getting this error:

```text
 => ERROR [7/8] RUN echo "MyAdminPassword123" | kinit Administrator@MYDOMAIN.LOCAL    1.6s
------
 > [7/8] RUN echo "Passw0rd" | kinit Administrator@MYDOMAIN.LOCAL:
#0 1.406 kinit: Cannot find KDC for realm "MYDOMAIN.LOCAL" while getting initial credentials
------
failed to solve: process "/bin/sh -c echo \"$admin_password\" | kinit Administrator@$realm" did not complete successfully: exit code: 1
```

Thank you again
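The Dockerfile in the post above takes the admin password as a build `ARG` and runs `kinit` and `net ads join` in `RUN` steps, which records the credential in the image's build history. The following is an added example, not part of the thread or of the project's code: an entrypoint fragment that runs the same two commands at container start and reads the password from a mounted file (for example a Compose secret). The `AD_*` variable names, the secret path and the explicit `[realms]` entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: join the domain at container start.
# Assumed (hypothetical) settings: AD_REALM, AD_KDC, AD_ADMIN,
# AD_PASSWORD_FILE and AD_JOIN_ON_START.

# Print a krb5.conf that names the KDC for the realm explicitly.
render_krb5_conf() {   # $1 = realm, $2 = KDC host name
    cat <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    $1 = {
        kdc = $2
    }
EOF
}

# Print the contents of a secret file; fail if it is unreadable or empty.
read_secret() {
    [ -r "$1" ] || { echo "secret file $1 is not readable" >&2; return 1; }
    secret=$(cat "$1")
    [ -n "$secret" ] || { echo "secret file $1 is empty" >&2; return 1; }
    printf '%s' "$secret"
}

join_domain() {
    realm=${AD_REALM:?set AD_REALM}
    kdc=${AD_KDC:?set AD_KDC}
    admin=${AD_ADMIN:-Administrator}
    pw=$(read_secret "${AD_PASSWORD_FILE:-/run/secrets/ad_admin_password}") || return 1
    render_krb5_conf "$realm" "$kdc" > /etc/krb5.conf
    # Same two commands as in the post, run at start-up instead of build time.
    printf '%s\n' "$pw" | kinit "$admin@$realm" || return 1
    # Note: -U user%password still shows the password in the process arguments.
    net ads join -U "$admin%$pw" || return 1
    unset pw secret
}

# Only join when explicitly requested, so the functions can be sourced alone.
if [ "${AD_JOIN_ON_START:-0}" = 1 ]; then
    join_domain || exit 1
fi
```
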

Hi @MarvAmBass, I was wondering if you got a chance to look at the AD join info?

Thank you

commented

Hi, I'm sorry but since this is not a use case I need, I didn't have time for that. Although it's interesting and would be a nice to have...

Thanks for this issue. I thought about it, and I need to close this issue - usually AD connections need winbind etc.

This is meant as a minimal general purpose samba/cifs fileserver - with nice preconfigurations to make specials like multi user shares and apple stuff, e.g. timemachine integration, possible.

If someone needs more sophisticated stuff, he can either use my image as a base and install and add missing stuff (e.g. winbind),
or use my scripts and configurations as a baseline to build his/her own container.

But active directory support etc. is not in scope of this image, and it's not planned for this image in the future.