How to use SAMBA+ Container

All shares will be configured as subdirectories of the --shares-directory.

Example:

when creating a container with

  --shares-directory /data/storage/samba/shares
  --shares "share1;share2"

The resulting directory structure is:

host# ls -l /data/storage/samba/shares
total 8
drwxr-xr-x. 2 root root 4096 Jun  1 11:23 share1
drwxr-xr-x. 2 root root 4096 Jun  1 11:23 share2

In the container the resulting config would look like this:

container# net conf list | tail -10
[share1]
        path = /srv/samba/shares/share1
        guest ok = no
        read only = no

[share2]
        path = /srv/samba/shares/share2
        guest ok = no
        read only = no

The fileserver is configured to use the "acl_xattr" VFS object to allow the use of full Windows ACLs on the server. To configure permissions it is most convenient to connect to the fileserver either as the "csmbadmin" user, or in the case of a member server a member of the domain administrators group, and configure permissions from the Windows Explorer security tab.

You don't need to configure the SerNet SAMBA+ repositories in your Container, you just download "csmb" and run the following command:

$ sudo ./csmb create standalone $CONTAINERNAME \
  --state-directory $STATEDIR \
  --shares-directory /path/to/your/shares \
  --dns-server $DNS \
  --listen $IP \
  --workgroup $WORKGROUP \
  --shares "$SHARE1;$SHARE2" \
  --users "$USER1%$PWD;$USER2%$PWD"

$ sudo ./csmb create member $CONTAINERNAME \
  --state-directory $STATEDIR \
  --shares-directory /path/to/your/shares \
  --dns-server $IPDC \
  --listen $IP \
  --workgroup $WORKGROUP \
  --realm $REALM \
  --shares "$SHARE1;$SHARE2" \
  --join-user "Administrator" \
  --join-passwd "Passw0rd"

The join password will be stored in a file temporarily, but the file will be removed after joining for security reasons.

State directory and shares directory are local directories on the host that will be exported to the container via a bind mount. These are very important, because persistent data will be stored here. Please make sure to include these directories in your backup (it makes sense to stop the samba services before copying tdb files).

Further configuration can be done by entering the container with:

$ sudo ./csmb enter $CONTAINERNAME

and using the Samba 'net conf' command afterwards.

This container is not made to run a Active Directory Domain Controller (there will probably a dedicated container for AD DCs soon). Also print serving is currently not supported.

To update the container including Samba, please use the csmb "update" command.

Example:

$ sudo ./csmb update standalone $CONTAINERNAME \
  --state-directory $STATEDIR \
  --shares-directory /path/to/your/shares \
  --dns-server $DNS \
  --listen $IP \
  --workgroup $WORKGROUP \
  --shares "$SHARE1;$SHARE2" \
  --users "$USER1%$PWD;$USER2%$PWD"

As this basically recreates the container, you have to pass the full set of options used when creating the container. Using the csmb "update" has the benefit of ease of use as it also performs the following steps:

• stop the existing container
• rename the existing container to CONTAINERNAME-DATE (where DATE is in the format YYYYMMDD-HHMMSS)
• create the new container

In case the new container is not fully functional, you can start the old container by running:

$ sudo ./csmb stop CONTAINERNAME
$ sudo ./csmb start CONTAINERNAME-DATE

csmb supports both standard ways of setting up container networking: NATed and bridged.

NAT

To specify an IP on the host running the container use the csmb option --listen.

Example:

# csmb ... --listen 192.168.1.2

The container runtime will establish a port forwarding for port 445 on the container. The container will provide the service only on the specified IP address.

Bridged

To support bridged networking, csmb provides the options --network and --ip to specify the container network that the container will be attached to and its IP address.

Typically, you will attach a dedicated network interface of the host to the bridge device associated with the container network.

To find the host network bridge associated with a container network, you can use the command 'docker network inspect' to retrieve the Id of the network:

$ sudo docker network inspect NETWORK_NAME | jq '.[0].Id'
"a796598154d6ac14be8818c9abc6002b9cdd91fc5f0352edf6bbb7b418429841"

The container runtime uses this Id by default for the bridge name, e.g.:

$ sudo brctl show | grep a796598154d6
br-a796598154d6         8000.0242bd8a10d3       no

To attach a host interface to the bridge use the 'ip link' command:

$ sudo ip link set dev HOST_INTERFACE master BRIDGE

Example:

$ sudo ip link set dev ens1 master br-a796598154d6

Finally you can set an IP on the bridge port of the host

$ sudo ip a add IP/NETMASK dev BRIDGE

Example:

$ sudo ip a add 192.168.2.2/24 dev br-a796598154d6

Note that the resulting network configuration from the ip commands does not persist system reboots. To make this configuration persistent, please consult your system network documentation.

If you don't want to use the "csmb" script, you can of course use the plain container by setting the following environment variables as needed:

Required:
SAMBA_SERVERNAME ... The name of the server
SAMBA_DNSSERVER  ... DNS server to use inside the container

For standalone server:
SAMBA_DOMAIN     ... The Windows workgroup for the container

For AD member server:
SAMBA_WORKGROUP  ... The Windows workgroup for the container
SAMBA_REALM      ... The Active Directory realm
SAMBA_JOIN_USER  ... The name of the user used for joining the domain

The join password is read from the file /var/lib/samba/join.pass inside the container. The password file is deleted after the join.

Optional:
SAMBA_SHARES     ... List of shares to provision, separated by ";",
                     eg SAMBA_SHARES="share1;share2"
SAMBA_USERS      ... List of users to provision, separated by ";",
                     eg SAMBA_USERS="user1%pass1;user2%pass2"