How to get SAMBA+ Container

SAMBA+ container subscriptions can be procured at (currency EUR) or (currency USD). In the licence section of your user account in the shop you see the procured subscription key thet you need to retrieve the SAMBA+ container images and required scripts. The password is always "sambaplus".

Getting started with the SAMBA+ Container

First of all, you need a system running Docker / Podman as a host. Change to this system and start with the SAMBA+ Container setup there.

Then please go forward and download the csmb wrapper script here:

After that, the credentials need to be stored via

$ chmod u+x csmb
$ sudo ./csmb login --key $SUBSCRIPTIONKEY --password sambaplus

After that, please consider where you want to store the persistent data of the container and pass the path to the csmb option "--state-directory". For your convenience, if the directory does not exist, csmb will create it for you.

Samba's persistent data like TDB databases will be stored in the state directory. Make sure to dump TDB files regularly and add them to your backup.

The path to the Samba shares (csmb option "--shares-directory") will be created by csmb if it does not exist.

If you run more than one container, make sure to separate their state directories!


The software offered for download by this service is Open Source and Free Software licensed under the GNU General Public License (GPL) version 3 or higher. It is provided as is, without any warranty under the conditions of the GPL. For details see the homepages of the GNU General Public License and the Free Software Foundation.

Default administrative account

csmb will create a user account "csmbadmin" that can be used to administrate the server, particularly file permissions (see below). The password for the account is either taken from the csmb option "--csmbadmin-password" or read interactively from the command line when creating a container.


Fileshares and ACLs

All shares will be configured as subdirectories of the --shares-directory.


when creating a container with

  --shares-directory /data/storage/samba/shares
  --shares "share1;share2"

The resulting directory structure is:

host# ls -l /data/storage/samba/shares
total 8
drwxr-xr-x. 2 root root 4096 Jun  1 11:23 share1
drwxr-xr-x. 2 root root 4096 Jun  1 11:23 share2

In the container the resulting config would look like this:

container# net conf list | tail -10
        path = /srv/samba/shares/share1
        guest ok = no
        read only = no

        path = /srv/samba/shares/share2
        guest ok = no
        read only = no

The fileserver is configured to use the "acl_xattr" VFS object to allow the use of full Windows ACLs on the server. To configure permissions it is most convenient to connect to the fileserver either as the "csmbadmin" user, or in the case of a member server a member of the domain administrators group, and configure permissions from the Windows Explorer security tab.


Standalone server

You don't need to configure the SerNet SAMBA+ repositories in your Container, you just download "csmb" and run the following command:

$ sudo ./csmb create standalone $CONTAINERNAME \
  --state-directory $STATEDIR \
  --shares-directory /path/to/your/shares \
  --dns-server $DNS \
  --listen $IP \
  --workgroup $WORKGROUP \
  --shares "$SHARE1;$SHARE2" \
  --users "$USER1%$PWD;$USER2%$PWD"


Member server

$ sudo ./csmb create member $CONTAINERNAME \
  --state-directory $STATEDIR \
  --shares-directory /path/to/your/shares \
  --dns-server $IPDC \
  --listen $IP \
  --workgroup $WORKGROUP \
  --realm $REALM \
  --shares "$SHARE1;$SHARE2" \
  --join-user "Administrator" \
  --join-passwd "Passw0rd"

The join password will be stored in a file temporarily, but the file will be removed after joining for security reasons.

State directory and shares directory are local directories on the host that will be exported to the container via a bind mount. These are very important, because persistent data will be stored here. Please make sure to include these directories in your backup (it makes sense to stop the samba services before copying tdb files).

Further configuration can be done by entering the container with:

$ sudo ./csmb enter $CONTAINERNAME

and using the Samba 'net conf' command afterwards.

This container is not made to run a Active Directory Domain Controller (there will probably a dedicated container for AD DCs soon). Also print serving is currently not supported.


Updating the Container

To update the container including Samba, please use the csmb "update" command.


$ sudo ./csmb update standalone $CONTAINERNAME \
  --state-directory $STATEDIR \
  --shares-directory /path/to/your/shares \
  --dns-server $DNS \
  --listen $IP \
  --workgroup $WORKGROUP \
  --shares "$SHARE1;$SHARE2" \
  --users "$USER1%$PWD;$USER2%$PWD"

As this basically recreates the container, you have to pass the full set of options used when creating the container. Using the csmb "update" has the benefit of ease of use as it also performs the following steps:

  • stop the existing container
  • rename the existing container to CONTAINERNAME-DATE (where DATE is in the format YYYYMMDD-HHMMSS)
  • create the new container

In case the new container is not fully functional, you can start the old container by running:

$ sudo ./csmb stop CONTAINERNAME
$ sudo ./csmb start CONTAINERNAME-DATE


Network Configuration

csmb supports both standard ways of setting up container networking: NATed and bridged.


To specify an IP on the host running the container use the csmb option --listen.


# csmb ... --listen

The container runtime will establish a port forwarding for port 445 on the container. The container will provide the service only on the specified IP address.


To support bridged networking, csmb provides the options --network and --ip to specify the container network that the container will be attached to and its IP address.

Typically, you will attach a dedicated network interface of the host to the bridge device associated with the container network.

To find the host network bridge associated with a container network, you can use the command 'docker network inspect' to retrieve the Id of the network:

$ sudo docker network inspect NETWORK_NAME | jq '.[0].Id'

The container runtime uses this Id by default for the bridge name, e.g.:

$ sudo brctl show | grep a796598154d6
br-a796598154d6         8000.0242bd8a10d3       no

To attach a host interface to the bridge use the 'ip link' command:

$ sudo ip link set dev HOST_INTERFACE master BRIDGE


$ sudo ip link set dev ens1 master br-a796598154d6

Finally you can set an IP on the bridge port of the host

$ sudo ip a add IP/NETMASK dev BRIDGE


$ sudo ip a add dev br-a796598154d6

Note that the resulting network configuration from the ip commands does not persist system reboots. To make this configuration persistent, please consult your system network documentation.


Environment variables

If you don't want to use the "csmb" script, you can of course use the plain container by setting the following environment variables as needed:

SAMBA_SERVERNAME ... The name of the server
SAMBA_DNSSERVER  ... DNS server to use inside the container

For standalone server:
SAMBA_DOMAIN     ... The Windows workgroup for the container

For AD member server:
SAMBA_WORKGROUP  ... The Windows workgroup for the container
SAMBA_REALM      ... The Active Directory realm
SAMBA_JOIN_USER  ... The name of the user used for joining the domain

The join password is read from the file /var/lib/samba/join.pass inside the container. The password file is deleted after the join.

SAMBA_SHARES     ... List of shares to provision, separated by ";",
                     eg SAMBA_SHARES="share1;share2"
SAMBA_USERS      ... List of users to provision, separated by ";",
                     eg SAMBA_USERS="user1%pass1;user2%pass2"


Contact us
Deutsch English Français