
docker-samba's Introduction


About

Samba Docker image.

Tip

Want to be notified of new releases? Check out the 🔔 Diun (Docker Image Update Notifier) project!


Features

Build locally

git clone https://github.com/crazy-max/docker-samba.git
cd docker-samba

# Build image and output to docker (default)
docker buildx bake

# Build multi-platform image
docker buildx bake image-all

Image

Registry                    Image
Docker Hub                  crazymax/samba
GitHub Container Registry   ghcr.io/crazy-max/samba

The following platforms are available for this image:

$ docker run --rm mplatform/mquery crazymax/samba:latest
Image: crazymax/samba:latest
 * Manifest List: Yes
 * Supported platforms:
   - linux/amd64
   - linux/arm/v6
   - linux/arm/v7
   - linux/arm64
   - linux/386
   - linux/ppc64le
   - linux/s390x

Environment variables

  • TZ: Timezone assigned to the container (default UTC)
  • CONFIG_FILE: YAML configuration path (default /data/config.yml)
  • SAMBA_WORKGROUP: NT-Domain-Name or Workgroup-Name. (default WORKGROUP)
  • SAMBA_SERVER_STRING: Server string is the equivalent of the NT Description field. (default Docker Samba Server)
  • SAMBA_LOG_LEVEL: Log level. (default 0)
  • SAMBA_FOLLOW_SYMLINKS: Allow following symlinks. (default yes)
  • SAMBA_WIDE_LINKS: Controls whether or not links in the UNIX file system may be followed by the server. (default yes)
  • SAMBA_HOSTS_ALLOW: Set of hosts which are permitted to access a service. (default 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16)
  • SAMBA_INTERFACES: Allows you to override the default network interfaces list.
  • WSDD2_ENABLE: Enable service discovery for Windows (default 0)
  • WSDD2_HOSTNAME: Override hostname (default to host or container name)
  • WSDD2_NETBIOS_NAME: Set NetBIOS name (default to hostname)
  • WSDD2_INTERFACE: Reply only on this interface

More info: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
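
A pre-deployment check for the SAMBA_HOSTS_ALLOW, SAMBA_FOLLOW_SYMLINKS and SAMBA_WIDE_LINKS values listed above, as an added example that is not part of the project's code. The function names and the sample values are constructed for illustration; only IP/CIDR entries are judged, and unset variables fall back to the README defaults.

```python
import ipaddress

# Defaults as listed in the README's "Environment variables" section.
README_DEFAULTS = {
    "SAMBA_HOSTS_ALLOW": "127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16",
    "SAMBA_FOLLOW_SYMLINKS": "yes",
    "SAMBA_WIDE_LINKS": "yes",
}
# Loopback and private ranges, i.e. the networks in the default hosts allow list.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in README_DEFAULTS["SAMBA_HOSTS_ALLOW"].split()]


def audit_hosts_allow(value):
    """Return (effective_networks, findings) for a space-separated hosts allow value."""
    networks, findings = [], []
    for entry in value.split():
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            # Samba also accepts host names and other forms; they are not judged here.
            findings.append(f"{entry}: not an IP/CIDR entry, review by hand")
            continue
        net = iface.network
        networks.append(net)
        # The written address is not the network address: the range is wider
        # than the entry suggests at first glance.
        if iface.ip != net.network_address:
            findings.append(
                f"{entry}: host bits set, the /{net.prefixlen} prefix spans "
                f"{net} ({net.num_addresses} addresses)")
        # Anything not contained in a loopback or private range is flagged.
        if not any(net.version == p.version and net.subnet_of(p)
                   for p in PRIVATE_RANGES):
            findings.append(f"{entry}: reaches beyond loopback and private ranges")
    return networks, findings


def audit_env(env):
    """Audit a compose-style environment mapping; unset keys use README defaults."""
    cfg = {**README_DEFAULTS, **env}
    _, findings = audit_hosts_allow(cfg["SAMBA_HOSTS_ALLOW"])
    if cfg["SAMBA_FOLLOW_SYMLINKS"] == "yes" and cfg["SAMBA_WIDE_LINKS"] == "yes":
        findings.append(
            "SAMBA_WIDE_LINKS=yes: symlinks pointing outside a share are followed")
    return findings


if __name__ == "__main__":
    # Constructed sample environment, not taken from a real deployment.
    sample = {"SAMBA_HOSTS_ALLOW": "192.168.1.0/16 203.0.113.0/24"}
    for line in audit_env(sample):
        print("-", line)
```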

Volumes

  • /data: Contains cache, configuration and runtime data

Ports

  • 445: SMB over TCP port
  • 3702: WS-Discovery TCP/UDP port
  • 5355: LLMNR TCP/UDP port

More info: https://wiki.samba.org/index.php/Samba_NT4_PDC_Port_Usage

Configuration

Before using this image you have to create the YAML configuration file /data/config.yml to be able to create users, provide global options and add shares. Here is an example:

auth:
  - user: foo
    group: foo
    uid: 1000
    gid: 1000
    password: bar
  - user: baz
    group: xxx
    uid: 1100
    gid: 1200
    password_file: /run/secrets/baz_password

global:
  - "force user = foo"
  - "force group = foo"

share:
  - name: foo
    path: /samba/foo
    browsable: yes
    readonly: no
    guestok: no
    validusers: foo
    writelist: foo
    veto: no
    hidefiles: /_*/
    recycle: yes

A more complete config.yml example is available here.

veto

Setting veto: no applies a predefined list of files and directories that will be neither visible nor accessible:

/._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/

More info: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#VETOFILES

hidefiles

hidefiles takes a list of files and directories that will not be visible but remain accessible, for example hidefiles: /_*/ which sets:

/_*/

In this example, all files and directories beginning with an underscore (_) will be hidden.

More info: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#HIDEFILES

recycle

recycle: yes enables the vfs_recycle module. vfs_recycle intercepts file deletion requests and moves the affected files to a temporary repository rather than deleting them immediately. This gives the same effect as the Recycle Bin on Windows computers.

More info: https://www.samba.org/samba/docs/current/man-html/vfs_recycle.8.html

Usage

Docker Compose

Docker Compose is the recommended way to run this image. Copy the contents of the examples/compose folder to a directory on your host, for example /var/samba/. Edit the compose and configuration files to suit your preferences, then run the following commands:

docker compose up -d
docker compose logs -f

Command line

You can also use the following minimal command:

docker run -d --network host \
  -v "$(pwd)/data:/data" \
  --name samba crazymax/samba

Upgrade

Recreate the container whenever I push an update:

docker compose pull
docker compose up -d

Notes

Variable interpolation

Values in a YAML file can be set by variables, and interpolated at runtime using a Bash-like syntax ${VARIABLE}.

Default values can be defined inline using typical shell syntax ${VARIABLE-default}. It evaluates to default only if VARIABLE is unset in the environment.

Here is an example:

auth:
  - user: foo
    group: foo
    uid: 1000
    gid: 1000
    password: bar

share:
  - name: foo
    path: /samba/foo
    browsable: ${BROWSABLE-no}
    readonly: no
    guestok: no
    validusers: foo
    writelist: foo

services:
  samba:
    image: crazymax/samba
    network_mode: host
    volumes:
      - "./data:/data"
      - "./foo:/samba/foo"
    environment:
      - "BROWSABLE=yes"
    restart: always
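
A dry-run renderer for the two interpolation forms described above, added here as an illustration and not the image's own implementation. It shows the case the text singles out: a variable that is set but empty suppresses the inline default. The sample share template, the variable names READONLY and GUESTOK, and the choice to report (rather than resolve) an unset variable without a default are assumptions.

```python
import re

# ${NAME} or ${NAME-default}: the two forms the README describes.
_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?:-([^}]*))?\}")

# Constructed template modelled on the README's share example.
SAMPLE_SHARE = """\
share:
  - name: foo
    path: /samba/foo
    browsable: ${BROWSABLE-no}
    readonly: ${READONLY-yes}
    guestok: ${GUESTOK-no}
"""


def interpolate(text, env):
    """Expand variables in text against env; return (rendered, warnings)."""
    warnings = []

    def expand(match):
        name, default = match.group(1), match.group(2)
        if name in env:
            # Set wins over the default, even when the value is empty.
            if env[name] == "" and default is not None:
                warnings.append(
                    f"{name} is set but empty: default '{default}' is NOT used")
            return env[name]
        if default is not None:
            return default
        # Assumption: the page does not say what the image does here,
        # so the placeholder is kept and reported instead of guessed.
        warnings.append(f"{name} is unset and has no default")
        return match.group(0)

    return _VAR.sub(expand, text), warnings


if __name__ == "__main__":
    # Constructed environment: GUESTOK exported by mistake with no value.
    rendered, notes = interpolate(SAMPLE_SHARE, {"BROWSABLE": "yes", "GUESTOK": ""})
    print(rendered)
    for note in notes:
        print("warning:", note)
```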

Status

Use the following commands to check the logs and status:

docker compose logs samba
docker compose exec samba smbstatus

Service discovery for Windows

Service discovery for Windows can be enabled by setting WSDD2_ENABLE to 1.

You also need to add the following capabilities to the container:

  • CAP_NET_ADMIN
  • CAP_NET_RAW

The name will be the hostname of the host if the network mode is host, or otherwise that of the container. If you want to override this value, you can set hostname in your compose file or set the WSDD2_HOSTNAME env var.

The NetBIOS name will be the hostname of the host. If you want to override this value, you can set the WSDD2_NETBIOS_NAME env var.

See examples/windows for an example.

Contributing

Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a PayPal donation to ensure this journey continues indefinitely!

Thanks again for your support, it is much appreciated! 🙏

License

MIT. See LICENSE for more details.

docker-samba's People

Contributors

alindeman, chickenbellyfin, crazy-max, dependabot[bot], kaffolder7, level420, locoz666, prihlop, ties

docker-samba's Issues

Healthcheck of the container status

Hi!

I think the check is not correct, 'cuz a public share is needed for this, right? And if not, the container will remain in an 'unhealthy' state.

HEALTHCHECK --interval=30s --timeout=10s \
  CMD smbclient -L \\localhost -U % -m SMB3

Cannot connect to share on Mac

Support guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

I am running a simple setup on Docker Desktop for Mac.

docker-compose.yaml

---
version: "3.9"

services:
  samba:
    image: crazymax/samba
    container_name: samba
    network_mode: host
    volumes:
      - ./smb:/data
      - ./samba/foo:/samba/foo
    environment:
      - "TZ=Europe/London"
      - "SAMBA_LOG_LEVEL=0"
    restart: always

  avahi:
    image: ydkn/avahi
    hostname: smb-server
    network_mode: host
    volumes:
      - ./avahi-services:/etc/avahi/services:ro
    restart: always

config.yaml

auth:
  - user: foo
    group: foo
    uid: 1000
    gid: 1000
    password: bar

global:
  - "force user = foo"
  - "force group = foo"

share:
  - name: foo
    path: /samba/foo
    browsable: yes
    readonly: no
    guestok: no
    validusers: foo
    writelist: foo
    veto: no
    hidefiles: /_*/

When I run the docker compose file using docker-compose up I get no errors in the logs. I get that it is on host smb-server.local, but I'm not entirely sure how I connect to it as a server in macOS. It doesn't show up in the Network tab in my Finder either.

Docker states that the host network cannot be used with Docker Desktop for Mac, so I'm unsure how to get this to work.

I also can't seem to find the IP of the server either; there's a bunch of IPs in the logs, but none of them work when connecting either via curl or even smbutil.

> curl -v -u "foo:bar" smb://192.168.48.2/samba/foo/file.txt
*   Trying 192.168.48.2:445...
* connect to 192.168.48.2 port 445 failed: Operation timed out
* Failed to connect to 192.168.48.2 port 445 after 75004 ms: Couldn't connect to server
* Closing connection
curl: (28) Failed to connect to 192.168.48.2 port 445 after 75004 ms: Couldn't connect to server
> docker-compose down && docker-compose up --force-recreate
[+] Running 3/0
 ⠿ Container samba               Removed    0.0s
 ⠿ Container samba-test-avahi-1  Removed    0.0s
 ⠿ Network samba-test_default    Removed    0.1s
[+] Running 3/3
 ⠿ Network samba-test_default    Created    0.1s
 ⠿ Container samba               Created    0.1s
 ⠿ Container samba-test-avahi-1  Created    0.1s
Attaching to samba, samba-test-avahi-1
samba-test-avahi-1  | Found user 'avahi' (UID 86) and group 'avahi' (GID 86).
samba-test-avahi-1  | Successfully dropped root privileges.
samba-test-avahi-1  | avahi-daemon 0.8 starting up.
samba-test-avahi-1  | WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
samba-test-avahi-1  | Successfully called chroot().
samba-test-avahi-1  | Successfully dropped remaining capabilities.
samba-test-avahi-1  | Loading service file /services/smb.service.
samba-test-avahi-1  | Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.48.2.
samba-test-avahi-1  | New relevant interface eth0.IPv4 for mDNS.
samba-test-avahi-1  | Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
samba-test-avahi-1  | New relevant interface lo.IPv4 for mDNS.
samba-test-avahi-1  | Network interface enumeration completed.
samba-test-avahi-1  | Registering new address record for 192.168.48.2 on eth0.IPv4.
samba-test-avahi-1  | Registering new address record for 127.0.0.1 on lo.IPv4.
samba               | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
samba               | [s6-init] ensuring user provided files have correct perms...exited 0.
samba               | [fix-attrs.d] applying ownership & permissions fixes...
samba               | [fix-attrs.d] done.
samba               | [cont-init.d] executing container initialization scripts...
samba               | [cont-init.d] 01-config.sh: executing...
samba               | Setting timezone to Europe/London
samba               | Initializing files and folders
samba               | Setting global configuration
samba               | Load smb config files from /etc/samba/smb.conf
samba               | Loaded services file OK.
samba               | Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
samba               |
samba               | Server role: ROLE_STANDALONE
samba               |
samba               | # Global parameters
samba               | [global]
samba               | 	disable netbios = Yes
samba               | 	disable spoolss = Yes
samba               | 	dns proxy = No
samba               | 	local master = No
samba               | 	map to guest = Bad User
samba               | 	pam password change = Yes
samba               | 	printcap name = /dev/null
samba               | 	security = USER
samba               | 	server role = standalone server
samba               | 	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
samba               | 	server string = Docker Samba Server
samba               | 	smb1 unix extensions = No
samba               | 	smb ports = 445
samba               | 	usershare allow guests = Yes
samba               | 	winbind scan trusted domains = Yes
samba               | 	fruit:time machine = yes
samba               | 	fruit:delete_empty_adfiles = yes
samba               | 	fruit:wipe_intentionally_left_blank_rfork = yes
samba               | 	fruit:veto_appledouble = no
samba               | 	fruit:posix_rename = yes
samba               | 	fruit:model = MacSamba
samba               | 	fruit:metadata = stream
samba               | 	idmap config * : backend = tdb
samba               | 	create mask = 0664
samba               | 	directory mask = 0775
samba               | 	force create mode = 0664
samba               | 	force directory mode = 0775
samba               | 	hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
samba               | 	hosts deny = 0.0.0.0/0
samba               | 	printing = bsd
samba               | 	strict locking = No
samba               | 	vfs objects = fruit streams_xattr
samba               | 	wide links = Yes
samba               | [cont-init.d] 01-config.sh: exited 0.
samba               | [cont-init.d] 02-svc-smbd.sh: executing...
samba               | [cont-init.d] 02-svc-smbd.sh: exited 0.
samba               | [cont-init.d] 03-svc-wsdd2.sh: executing...
samba               | [cont-init.d] 03-svc-wsdd2.sh: exited 0.
samba               | [cont-init.d] ~-socklog: executing...
samba               | [cont-init.d] ~-socklog: exited 0.
samba               | [cont-init.d] done.
samba               | [services.d] starting services
samba               | [services.d] done.
samba               | smbd version 4.18.9 started.
samba               | Copyright Andrew Tridgell and the Samba Team 1992-2023
samba-test-avahi-1  | Server startup complete. Host name is 640ee80fcef0.local. Local service cookie is 3120843938.
samba-test-avahi-1  | Service "640ee80fcef0" (/services/smb.service) successfully established.

Expected behaviour

I expect to be able to connect to my share

Actual behaviour

I am not able to connect to my share

Steps to reproduce

Added in description

Docker info

> docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.9.1)
  compose: Docker Compose (Docker Inc., v2.10.2)
  extension: Manages Docker extensions (Docker Inc., v0.2.9)
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
  scan: Docker Scan (Docker Inc., v0.19.0)

Server:
 Containers: 2
  Running: 1
  Paused: 0
  Stopped: 1
 Images: 440
 Server Version: 20.10.17
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.124-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 7.773GiB
 Name: docker-desktop
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5000
  127.0.0.0/8
 Live Restore Enabled: false

Docker Compose config

no config found

Logs

Added above

Additional info

No response

Config.yml doesn't seem to be read

Hello,
I cannot access my Samba share, and it seems from reading the logs that the config.yml file was not read. For precision, my OS is Raspberry Pi OS 64-bit.

My compose file

version: "3.5"

services:
  samba:
    image: crazymax/samba
    container_name: samba
    ports:
      - 445:445
    volumes:
      - "./data:/data"
      - "/srv/nas/Public:/samba/Public"
    environment:
      - "TZ=Europe/Paris"
      - "SAMBA_LOG_LEVEL=1"
      - "SAMBA_HOSTS_ALLOW=192.168.1.0/16 172.17.0.0/12"
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

My config file

auth:
  - user: eric
    group: famille
    uid: 1001
    gid: 1000
    password_file: eric_passwd

global:
  - "force group = famille"

share:
  - name: public
    comment: "Repertoire partage de la famille xxx"
    path: /samba/Public
    browsable: yes
    readonly: no
    guestok: no
    valid users: @famille
    veto: no

And my logs

eric@vault:~/samba $ sudo docker-compose logs
Attaching to samba
samba    | Setting timezone to Europe/Paris
samba    | Initializing files and folders
samba    | Setting global configuration
samba    | Load smb config files from /etc/samba/smb.conf
samba    | Loaded services file OK.
samba    | Weak crypto is allowed
samba    |
samba    | Server role: ROLE_STANDALONE
samba    |
samba    | # Global parameters
samba    | [global]
samba    |      disable netbios = Yes
samba    |      disable spoolss = Yes
samba    |      dns proxy = No
samba    |      local master = No
samba    |      map to guest = Bad User
samba    |      pam password change = Yes
samba    |      printcap name = /dev/null
samba    |      security = USER
samba    |      server role = standalone server
samba    |      server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
samba    |      server string = Docker Samba Server
samba    |      smb ports = 445
samba    |      unix extensions = No
samba    |      usershare allow guests = Yes
samba    |      winbind scan trusted domains = Yes
samba    |      fruit:time machine = yes
samba    |      fruit:delete_empty_adfiles = yes
samba    |      fruit:wipe_intentionally_left_blank_rfork = yes
samba    |      fruit:veto_appledouble = no
samba    |      fruit:posix_rename = yes
samba    |      fruit:model = MacSamba
samba    |      fruit:metadata = stream
samba    |      idmap config * : backend = tdb
samba    |      create mask = 0664
samba    |      directory mask = 0775
samba    |      force create mode = 0664
samba    |      force directory mode = 0775
samba    |      hosts allow = 192.168.1.0/16 172.17.0.0/12
samba    |      hosts deny = 0.0.0.0/0
samba    |      printing = bsd
samba    |      strict locking = No
samba    |      vfs objects = fruit streams_xattr
samba    |      wide links = Yes
samba    | smbd version 4.15.5 started.
samba    | Copyright Andrew Tridgell and the Samba Team 1992-2021
samba    | INFO: Profiling support unavailable in this build.
samba    | Failed to fetch record!
samba    | pcap cache not loaded

Thanks for helping

Cannot delete files but can create them

Behaviour

I am running this in Kubernetes. I can connect to the share on my Mac and I can create/read/update files, but I cannot delete them.

Steps to reproduce this issue

  1. create share
  2. connect via smb://{user}@{host_ip}:{port}/{share}
  3. create, read, update, works but not delete

Configuration

  • Mac version : Big Sur 11.6
  • Docker version (type docker --version) : MicroK8s 1.23
  • Platform (Debian 9, Ubuntu 18.04, ...) : Ubuntu 20.04
  • System info (type uname -a) : Linux worker-node-1 5.4.0-1052-raspi #58-Ubuntu SMP PREEMPT Mon Feb 7 16:52:35 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
  • Include all necessary configuration files : docker-compose.yml, .env, ...

kubernetes manifests:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: samba-config
  namespace: share
  labels:
    app.kubernetes.io/instance: samba
    app.kubernetes.io/name: samba
data:
  config.yml: |-
    auth:
      - user: apollorion
        group: apollorion
        uid: 1000
        gid: 1000
        password: apollorion
    global:
      - "force user = root"
      - "force group = root"
      - "writable = yes"
    share:
      - name: share
        path: /mnt/share
        browsable: yes
        readonly: no
        guestok: no
        validusers: apollorion
        writelist: apollorion
        veto: no
        adminusers: apollorion
---
apiVersion: v1
kind: Service
metadata:
  name: samba
  namespace: share
  labels:
    app.kubernetes.io/instance: samba
    app.kubernetes.io/name: samba
spec:
  type: NodePort
  ports:
    - port: 139
      targetPort: netbios
      protocol: TCP
      name: netbios
    - port: 445
      targetPort: tcp
      protocol: TCP
      name: tcp
  selector:
    app.kubernetes.io/name: samba
    app.kubernetes.io/instance: samba
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: samba
  namespace: share
  labels:
    app.kubernetes.io/instance: samba
    app.kubernetes.io/name: samba
spec:
  revisionHistoryLimit: 3
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: samba
      app.kubernetes.io/instance: samba
  template:
    metadata:
      labels:
        app.kubernetes.io/name: samba
        app.kubernetes.io/instance: samba
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                - key: kubernetes.io/hostname
                  operator: In
                  values:
                    - worker-node-1
      automountServiceAccountToken: true
      dnsPolicy: ClusterFirst
      enableServiceLinks: true
      containers:
        - name: samba
          image: "ghcr.io/crazy-max/samba:4.15.5"
          imagePullPolicy: Always
          env:
            - name: TZ
              value: UTC
            - name: LOG_LEVEL
              value: DEBUG
          ports:
            - name: netbios
              containerPort: 139
              protocol: TCP
            - name: tcp
              containerPort: 445
              protocol: TCP
          volumeMounts:
            - name: config
              mountPath: /data/config.yml
              subPath: config.yml
            - name: share
              mountPath: /mnt/share
      volumes:
        - name: config
          configMap:
            name: samba-config
        - name: share
          hostPath:
            path: /mnt/share

Logs

Setting timezone to UTC
Initializing files and folders
Setting global configuration
Creating user apollorion/apollorion (1000:1000)
Added user apollorion.
Add global option: force user = root
Add global option: force group = root
Add global option: writable = yes
Creating share share
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

WARNING: The 'netbios name' is too long (max. 15 chars).

Server role: ROLE_STANDALONE

# Global parameters
[global]
        disable netbios = Yes
        disable spoolss = Yes
        dns proxy = No
        local master = No
        map to guest = Bad User
        pam password change = Yes
        printcap name = /dev/null
        security = USER
        server role = standalone server
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        server string = Docker Samba Server
        smb ports = 445
        unix extensions = No
        usershare allow guests = Yes
        winbind scan trusted domains = Yes
        fruit:time machine = yes
        fruit:delete_empty_adfiles = yes
        fruit:wipe_intentionally_left_blank_rfork = yes
        fruit:veto_appledouble = no
        fruit:posix_rename = yes
        fruit:model = MacSamba
        fruit:metadata = stream
        idmap config * : backend = tdb
        create mask = 0664
        directory mask = 0775
        force create mode = 0664
        force directory mode = 0775
        force group = root
        force user = root
        hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
        hosts deny = 0.0.0.0/0
        printing = bsd
        strict locking = No
        vfs objects = fruit streams_xattr
        wide links = Yes


[share]
        admin users = apollorion
        delete veto files = Yes
        path = /mnt/share
        valid users = apollorion
        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
        write list = apollorion
smbd version 4.15.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
unix_convert: talloc_asprintf failed
_mdssvc_open: Couldn't create policy handle for share
unix_convert: talloc_asprintf failed

Directory privileges on host:

pi@worker-node-1:/mnt/share$ ls -lah
total 388K
drwxrwxrwx 1 root root 128K Aug 25 02:28 .
drwxr-xr-x 3 root root 4.0K Aug 24 15:58 ..
-rwxrwxrwx 1 root root   12 Aug 25 02:09 file.txt

Directory privileges in container:

total 388K
drwxrwxrwx 1 root root 128K Aug 25 02:28 .
drwxr-xr-x 1 root root 4.0K Aug 25 02:57 ..
-rwxrwxrwx 1 root root   12 Aug 25 02:09 file.txt

Directory privileges on macosx via samba:

total 320
drwxrwxrwx  1 apollorion  staff    16K Aug 24 22:28 .
drwxr-xr-x  4 root        wheel   128B Aug 24 22:58 ..
-rwxrwxrwx  1 apollorion  staff    12B Aug 24 22:09 file.txt

config.yml - create users and groups separately, allow users to have supplementary groups

Description

Hello, currently it is not possible for a user to be in several groups, so that share access could be managed by groups only (e.g. a group per share). It could be solved by dividing user and group definitions in config.yml and allowing users to have multiple groups in the group attribute (or use group for a main group and some other attribute for a supplementary group list).

Error on start: can not run the container

Behaviour

I am trying to start Samba in a container using the latest version of your image, but the container doesn't start properly.

Steps to reproduce this issue

  1. Place the docker-compose.yml and config.yml in the proper directory
  2. Give the command docker compose up -d

Expected behaviour

The container should start without error.

Actual behaviour

The container doesn't start (see below for log).
The same behaviour happens also after the cache and lib folders and prune the system.

Configuration

  • Docker version (type docker --version) : Docker version 24.0.4, build 3713ee1
  • Docker compose version if applicable (type docker-compose --version) : Docker Compose version v2.19.1
  • Platform (Debian 9, Ubuntu 18.04, ...) : Debian Linux 12 (is a LXC container that runs in Proxmox 8.0.3)
  • System info (type uname -a) : Linux pxdocker 6.2.16-4-pve #1 SMP PREEMPT_DYNAMIC PVE 6.2.16-5 (2023-07-14T17:53Z) x86_64 GNU/Linux
  • Include all necessary configuration files : docker-compose.yml, .env, ...

docker-compose.yml

version: "3.5"

services:
  samba:
    image: crazymax/samba
    container_name: samba
    network_mode: host
    volumes:
      - "./data:/data"
      - "/mnt:/samba/share"
    environment:
      - "TZ=Europe/Rome"
      - "SAMBA_LOG_LEVEL=0"
    restart: always

config.yml

auth:
  - user: myuser
    group: mygroup
    uid: 1000
    gid: 1000
    password: mypwd

global:
  - "force user = myuser"
  - "force group = mygroup"

share:
  - name: pxv
    path: /samba/share
    browsable: yes
    readonly: no
    guestok: no
    validusers: myuser
    writelist: myuser
    veto: no

ENV

PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SAMBA_LOG_LEVEL: 0
TZ: Europe/Rome

Docker info

Client: Docker Engine - Community
 Version:    24.0.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.19.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 2
  Paused: 0
  Stopped: 0
 Images: 2
 Server Version: 24.0.4
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: x5q8ghhnpx9ohgc5awn539t0d
  Is Manager: true
  ClusterID: pr62potg0aufrqzhzzulr5o7n
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.0.84
  Manager Addresses:
   192.168.0.84:2377
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
 runc version: v1.1.7-0-g860f061
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.2.16-4-pve
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 8GiB
 Name: pxdocker
 ID: bb34b978-5962-44f8-95fe-a4721bbc6fad
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Logs

Setting timezone to Europe/Rome
Initializing files and folders
Setting global configuration
Creating user myuser/mygroup (1000:1000)
addgroup: group 'mygroup' in use
Add global option: force user = myuser
Add global option: force group = mygroup
Creating share pxv
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_STANDALONE
# Global parameters
[global]
	disable netbios = Yes
	disable spoolss = Yes
	dns proxy = No
	local master = No
	map to guest = Bad User
	pam password change = Yes
	printcap name = /dev/null
	security = USER
	server role = standalone server
	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = Docker Samba Server
	smb1 unix extensions = No
	smb ports = 445
	usershare allow guests = Yes
	winbind scan trusted domains = Yes
	fruit:time machine = yes
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:veto_appledouble = no
	fruit:posix_rename = yes
	fruit:model = MacSamba
	fruit:metadata = stream
	idmap config * : backend = tdb
	create mask = 0664
	directory mask = 0775
	force create mode = 0664
	force directory mode = 0775
	force group = mygroup
	force user = myuser
	hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	hosts deny = 0.0.0.0/0
	printing = bsd
	strict locking = No
	vfs objects = fruit streams_xattr
	wide links = Yes
[pxv]
	delete veto files = Yes
	path = /samba/share
	read only = No
	valid users = myuser
	veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
	write list = myuser
smbd version 4.18.3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023
===============================================================
INTERNAL ERROR: sys_setgroups failed in pid 246 (4.18.3)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 246): sys_setgroups failed in 4.18.3
unable to produce a stack trace on this platform
dumping core in /var/log/samba/cores/smbd
===============================================================
INTERNAL ERROR: sys_setgroups failed in pid 254 (4.18.3)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 254): sys_setgroups failed in 4.18.3
unable to produce a stack trace on this platform
dumping core in /var/log/samba/cores/smbd

Why delete entrypoint.sh ?

Description

Hello, I liked the entrypoint.sh because I could specify:

client min protocol = NT1
server min protocol = NT1
ntlm auth = ntlmv1-permitted

Now I don't get the init file point

Expected behaviour

retro compat please ?

Actual behaviour

entrypoint is misplaced


Feature: default share of `/data/config.yml`

Not a bug, just an idea.

Most people using this container are wanting to use it to share something that has been made available to the container using a mapped volume. Accessing and editing the config.yml from inside the container can be difficult, depending on your linux knowledge.

My suggestion is that by default, on first build, if it doesn't already exist, a /data/config.yml is created that is configured to share the /data folder in a public share. It could also contain a commented section with a full config example for reference.

This would enable users to immediately remotely access and edit the config.yml to suit their needs, just restarting the container for the new config to take effect.

How to configure to see the HOST

How can I make the hostname appear instead of the IP address when browsing the network?
Example:
NO: 192.168.1.45
YES: Raspberry

Thanks

TimeMachine

Can I configure a Time Machine share somehow?
Is there any equivalent of these lines in the yaml?

vfs objects = fruit streams_xattr
fruit:time machine = yes

Entrypoint Conf parse not right

Behaviour

No shares are showing.

Here is the smb.conf as it was parsed by entrypoint.sh:

{"name":"public","comment":"Public","path":"/samba/public","browsable":"yes","readonly":"yes","guestok":"yes","veto":"no","recycle":"yes"}
{"name":"addohm","path":"/samba/addohm","browsable":"yes","readonly":"no","guestok":"no","validusers":"addohm","writelist":"addohm","veto":"no"}
{"name":"liyu","path":"/samba/liyu","browsable":"yes","readonly":"no","guestok":"no","validusers":"liyu","writelist":"liyu","veto":"no","hidefiles":"/_*/"}

Looks like json?

Here is how I have the config.yml set up

global:
  - "force user = addohm"
  - "force group = addohm"

  - name: public
    comment: Public
    path: /samba/public
    browsable: yes
    readonly: yes
    guestok: yes
    veto: no
    recycle: yes
  - name: addohm
    path: /samba/addohm
    browsable: yes
    readonly: no
    guestok: no
    validusers: addohm
    writelist: addohm
    veto: no
  - name: liyu
    path: /samba/liyu
    browsable: yes
    readonly: no
    guestok: no
    validusers: liyu
    writelist: liyu
    veto: no
    hidefiles: /_*/

If I manually correct /etc/samba/smb.conf with the following, everything works as expected:

[public]
    comment = Public
    path = /samba/public
    browsable = yes
    readonly = no
    guest ok = yes
    veto = no
    recycle = yes

[addohm]
    path = /samba/addohm
    browsable = yes
    readonly = no
    guest ok = no
    validusers = addohm
    writelist = addohm
    veto = no

[liyu]
    path = /samba/liyu
    browsable = yes
    readonly = no
    guest ok = no
    validusers = liyu
    writelist = liyu
    veto = no

  • Docker version (type docker --version) : Docker version 24.0.4, build 3713ee1
  • Platform (Debian 9, Ubuntu 18.04, ...) : Debian 12
  • System info (type uname -a) : Linux theserver 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64 GNU/Linux
  • Include all necessary configuration files : docker-compose.yml, .env, ...

docker compose:

version: "3.5"

services:
  samba:
    image: crazymax/samba
    container_name: samba
    network_mode: host
    volumes:
      - "./config:/data"
      - "./data/public:/samba/public"
      - "./data/addohm:/samba/addohm"
      - "./data/liyu:/samba/liyu"
    environment:
      - "TZ=America/New_York"
      - "SAMBA_LOG_LEVEL=0"
    restart: always

Docker info

Client: Docker Engine - Community
 Version:    24.0.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.19.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 5
  Running: 5
  Paused: 0
  Stopped: 0
 Images: 7
 Server Version: 24.0.4
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
 runc version: v1.1.7-0-g860f061
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-10-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 3.772GiB
 Name: levenas
 ID: afbcd55c-e29d-44f9-b2d1-ef804f49e3f9
 Docker Root Dir: /raid/docker
 Debug Mode: false
 Username: addohm
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Logs

Setting timezone to America/New_York
Initializing files and folders
Setting global configuration
Creating user addohm/addohm (1000:1000)
Added user addohm.
Creating user liyu/liyu (1001:1001)
Added user liyu.
Add global option: force user = addohm
Add global option: force group = addohm
Add global option: {"name":"public","comment":"Public","path":"/samba/public","browsable":"yes","readonly":"yes","guestok":"yes","veto":"no","recycle":"yes"}
Add global option: {"name":"addohm","path":"/samba/addohm","browsable":"yes","readonly":"no","guestok":"no","validusers":"addohm","writelist":"addohm","veto":"no"}
Add global option: {"name":"liyu","path":"/samba/liyu","browsable":"yes","readonly":"no","guestok":"no","validusers":"liyu","writelist":"liyu","veto":"no","hidefiles":"/_*/"}
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_STANDALONE

# Global parameters

[global]
disable netbios = Yes
disable spoolss = Yes
dns proxy = No
local master = No
map to guest = Bad User
pam password change = Yes
printcap name = /dev/null
security = USER
server role = standalone server
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Docker Samba Server
smb1 unix extensions = No
smb ports = 445
usershare allow guests = Yes
winbind scan trusted domains = Yes
fruit:time machine = yes
fruit:delete_empty_adfiles = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:veto_appledouble = no
fruit:posix_rename = yes
fruit:model = MacSamba
fruit:metadata = stream
idmap config * : backend = tdb
create mask = 0664
directory mask = 0775
force create mode = 0664
force directory mode = 0775
force group = addohm
force user = addohm
hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
hosts deny = 0.0.0.0/0
printing = bsd
strict locking = No
vfs objects = fruit streams_xattr
wide links = Yes
smbd version 4.18.3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023

Allow guest write access

Hey, thanks for the awesome Project!
There doesn't seem to be any way to give write permissions to guests; I can't set the directory and create masks per share.

Also, is there a way to set file permissions per share?

Search SMB via browser

Hey,
Looks like search in a deployed SMB share doesn't work with the browser's handler (Chrome, Firefox). Is there any way to fix it?

bonjour ?

Description

Thank you for sharing!
I got it running on my host!
But I cannot find the Samba server from the network on my MacBook. Maybe a Bonjour service is required?

README.md updates

Behaviour

Thanks for creating this project. I'd like to share user feedback and some proposals for documentation improvement.

Issue 1

The --load option in README.md is missing before the created image samba:local can be used with docker-compose up. Additionally, the default tag can be overruled as I'd like to push to my local registry:

git clone https://github.com/crazy-max/docker-samba.git
cd docker-samba

# Build image and output to docker (default)
-docker buildx bake
+docker buildx bake --load
+
+# To override the default tag samba:local, set environment variable
+DEFAULT_TAG=<username>samba:<tag> docker buildx bake --load
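
Review bot: In the added `DEFAULT_TAG=<username>samba:<tag>` line the placeholder has no `/` between the user name and the repository, so a literal substitution produces one fused name instead of `<username>/samba:<tag>`; add the separator. Because the line is meant to be pasted into a shell, the text should also say that the angle brackets are placeholders, since an unquoted `<` or `>` is parsed as a redirection.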

Issue 2

Copy the content of folder examples/compose in /var/samba/ on your host for example.

This is confusing, because any directory on the host can be used. Proposal to remove the sentence, or update to copy examples/compose to any location on the host.

Issue 3

Volumes of the shared directories are missing. It is recommended to save the data on the host and not inside the container. For example, the path setting in config.yml is the path inside the container, not the host. (Maybe confusing for beginners)
Proposal to update the README.md and docker-compose.yml to:

version: "3.5"

services:
  samba:
    image: registry.mydomain.com/erriez/docker-samba-cm:latest
    container_name: samba
    restart: always
    network_mode: host
+    volumes:
+      - $PWD/data:/data
+      - $PWD/samba/foo:/samba/foo
+      - $PWD/samba/public:/samba/public
+      - $PWD/samba/share:/samba/share
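
Review bot: The added `volumes:` entries depend on `$PWD`, which Compose reads from the environment of whoever starts the stack, so the mounts move when it is launched from another directory or by a service manager that does not set the variable; paths of the form `./data:/data` resolve relative to the compose file instead. The context line `image: registry.mydomain.com/erriez/docker-samba-cm:latest` also points at a private registry and should stay `crazymax/samba` in a README example.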

Issue 4

Missing documentation password_file: /run/secrets/baz_password in config.yml.
Proposal to add link to the official documentation how to create a secure password file: https://www.samba.org/samba/docs/current/man-html/smbpasswd.8.html

Is it possible to create a secure password with this container? A suggestion to share the password file via the volume data/.

Issue 5

User baz is currently not used in docker-compose.yml. It would be nice to create an example share with read/write permission for two users, for example in config.yml:

+  - name: foo-baz
+    path: /samba/foo-baz
+    browsable: yes
+    readonly: no
+    guestok: no
+    validusers: foo,baz
+    writelist: foo,baz
+    veto: no
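
Review bot: The new `foo-baz` share sets `path: /samba/foo-baz`, but the volume list proposed under Issue 3 only mounts `/samba/foo`, `/samba/public` and `/samba/share`, so this share would sit in the container's writable layer and disappear when the container is recreated; add a matching `/samba/foo-baz` volume with it. The example also carries `veto: no`, the setting Issue 6 reports as undocumented, so it should be explained or left out here.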

Issue 6

Missing explanation veto in config.yml. What is the purpose of this setting?

Issue 7

The network is exposed to the host in docker-compose.yml with network_mode: host. However, port 445 for SMB3 is sufficient as NetBIOS ports / multicast are no longer used. Proposal to change to:

version: "3.5"

services:
  samba:
    image: registry.mydomain.com/erriez/docker-samba-cm:latest
    container_name: samba
    restart: always
-    network_mode: host
+    ports:
+      - 445:445
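
Review bot: The added `- 445:445` publishes SMB on every host interface, while the stated reason for the change is only that NetBIOS is no longer needed; for a README example, bind it to the LAN address (`<host-ip>:445:445`, placeholder) and quote the mapping as a string. The text should also state that dropping `network_mode: host` cuts off anything that relies on broadcast or multicast reaching the container.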

Configuration

  • Docker version (type docker --version) : Not relevant.
  • Docker compose version if applicable (type docker-compose --version) : Not relevant.
  • Platform (Debian 9, Ubuntu 18.04, ...) : Ubuntu 20.04 server ARM64 (Samba Server), Windows 10 client, Ubuntu 20.04 client
  • System info (type uname -a) : Not relevant.
  • Include all necessary configuration files : docker-compose.yml, .env, ...

Issue with samba permissions

Hi,
I currently need to configure a Docker Samba for a printer which only has SMBv1 to scan.
I was reading the README but can't seem to get it working,
as the printer needs one user called scanner with full access and another user to only read that folder.

This is what I have so far, but there currently seems to be a permission issue. This is my Docker config:

version: "3.5"
 
services:
  samba:
    image: crazymax/samba
    container_name: samba
    network_mode: host
    volumes:
      - "./data:/data"
      - "./scan:/scan"
    environment:
      - "TZ=Europe/Paris"
      - "SAMBA_LOG_LEVEL=0"
    restart: always 

and the config for the permissions:

auth:
  - user: scanner
    group: scanner
    uid: 1000
    gid: 1000
    password: mypass
  - user: client
    group: client
    uid: 1100
    gid: 1200
    password: mypass

global:
  - "force user = scanner"
  - "force group = scanner"

share:
  - name: scannfiles
    path: /scan
    browsable: yes
    readonly: no
    guestok: no
    validusers: scanner,client
    writelist: scanner
    veto: no

But when the user scanner tries to log in and create a folder, it says denied. Not sure why.

Thank you

Instructions for a not so experienced user

I am trying to create my own Samba container from your image, but some things on the instruction page are not clear to me, especially the user management.
(forgive the trivial questions!)

  1. In the config.yml file there is the possibility of using a file for the user's password (password_file: /run/secrets/baz_password). In this case, aren't the relevant secrets commands missing from the docker-compose.yml file?
    I am referring to this page in the official documentation, especially the section 'Use Secrets in Compose'.
  2. The users specified in the config.yml file must also be users of the host system and have the appropriate permissions to access the files to be shared as in a "normal" Samba installation, is that correct?

force user / group by share

Description

Hello,

Is it possible to have force user / group by share?
I saw that a user made some code, but unfortunately removed it.
It could be useful, as the only solution for now is global.
Unless you have one share, it is not a sustainable solution.

Thanks in advance,
Best regards

Container fails to start when running on Mac - bind failed: Operation not permitted

Behaviour

I am trying to run this container on Mac and the container immediately exits. Enabling a higher log level, I get the following:

added interface eth0 ip=172.17.0.2 bcast=172.17.255.255 netmask=255.255.0.0
smbd version 4.15.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
uid=0 gid=0 euid=0 egid=0
messaging_dgm_init: bind failed: Operation not permitted
messaging_dgm_ref failed: Operation not permitted

Steps to reproduce this issue

 docker run -p 445:445 -v "$(pwd)/data:/data" -e SAMBA_LOG_LEVEL=3 --name samba-test crazymax/samba

config.yml

auth:
  - user: foo
    group: foo
    uid: 1000
    gid: 1000
    password: bar
  - user: baz
    group: xxx
    uid: 1100
    gid: 1200
    password_file: /run/secrets/baz_password

global:
  - "force user = foo"
  - "force group = foo"

share:
  - name: public
    comment: Public
    path: /samba/public
    browsable: yes
    readonly: yes
    guestok: yes
    veto: no
  - name: share
    path: /samba/share
    browsable: yes
    readonly: no
    guestok: yes
    writelist: foo
    veto: no

Expected behaviour

Container should run and be able to bind.

Actual behaviour

Container immediately exits

messaging_dgm_init: bind failed: Operation not permitted
messaging_dgm_ref failed: Operation not permitted

Configuration

  • Docker version 20.10.17, build 100c701
  • macOS Monterey Version 12.4 (21F79)

Docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.8.2)
  compose: Docker Compose (Docker Inc., v2.6.1)
  extension: Manages Docker extensions (Docker Inc., v0.2.7)
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 5
  Running: 3
  Paused: 0
  Stopped: 2
 Images: 36
 Server Version: 20.10.17
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc version: v1.1.2-0-ga916309
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.104-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 5
 Total Memory: 15.6GiB
 Name: docker-desktop
 ID: DJYW:4L2Q:KQKY:SJEN:3O4X:XDDL:VAMW:I5U4:YOS7:WLIC:YPFA:ZJOV
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5000
  127.0.0.0/8
 Live Restore Enabled: false

Logs

Setting timezone to UTC
Initializing files and folders
Setting global configuration
Creating user foo/foo (1000:1000)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/tdbsam.so' loaded
Forcing Primary Group to 'Domain Users' for foo
Creating user baz/xxx (1100:1200)
No builtin backend found, trying to load plugin
load_module_absolute_path: Module '/usr/lib/samba/pdb/tdbsam.so' loaded
Forcing Primary Group to 'Domain Users' for baz
Add global option: force user = foo
Add global option: force group = foo
Creating share public
Creating share share
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

# Global parameters
[global]
	disable netbios = Yes
	disable spoolss = Yes
	dns proxy = No
	local master = No
	map to guest = Bad User
	pam password change = Yes
	printcap name = /dev/null
	security = USER
	server role = standalone server
	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = Docker Samba Server
	smb ports = 445
	unix extensions = No
	usershare allow guests = Yes
	winbind scan trusted domains = Yes
	fruit:time machine = yes
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:veto_appledouble = no
	fruit:posix_rename = yes
	fruit:model = MacSamba
	fruit:metadata = stream
	idmap config * : backend = tdb
	create mask = 0664
	directory mask = 0775
	force create mode = 0664
	force directory mode = 0775
	force group = foo
	force user = foo
	hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	hosts deny = 0.0.0.0/0
	printing = bsd
	strict locking = No
	vfs objects = fruit streams_xattr
	wide links = Yes


[public]
	comment = Public
	delete veto files = Yes
	guest ok = Yes
	path = /samba/public
	veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/


[share]
	delete veto files = Yes
	guest ok = Yes
	path = /samba/share
	read only = No
	veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
	write list = foo
added interface eth0 ip=172.17.0.2 bcast=172.17.255.255 netmask=255.255.0.0
smbd version 4.15.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
uid=0 gid=0 euid=0 egid=0
messaging_dgm_init: bind failed: Operation not permitted
messaging_dgm_ref failed: Operation not permitted

Can't rename/move/delete files over SMB on macOS Ventura

Behaviour

I have set up the container on an Intel Mac (macOS Ventura 13.2), and I am able to share a folder (public) to other macs on the network. However, while a client (macOS 13.2 or macOS 10.15) can mount and write to files, they cannot move or rename files (in Finder or from terminal) and when copying files from Finder, an error is generated resulting in a zero bytes file of the correct name (which can subsequently be opened and written to).

If I have the shared folder within the docker container itself, then the share works as expected and I can rename/move/delete files as expected.

Is this container expected to work when running on a macOS host?

Steps to reproduce this issue

  1. start Docker container on server
  2. mount share public on client mac
  3. go to /Volumes/public in terminal on client mac
  4. touch test.txt; mv test.txt test2.txt

Expected behaviour

File test2.txt should be created in public share.

Actual behaviour

File test.txt is created and error given:
mv: rename test.txt to test2.txt: Operation not supported

Configuration

  • Docker version (type docker --version) : Docker version 20.10.22, build 3a2c30b
  • Docker compose version if applicable (type docker-compose --version) : Docker Compose version v2.15.1
  • Platform (Debian 9, Ubuntu 18.04, ...) : macOS Ventura 13.2
  • System info (type uname -a) : Darwin 22.3.0 Darwin Kernel Version 22.3.0: Thu Jan 5 20:53:49 PST 2023; root:xnu-8792.81.2~2/RELEASE_X86_64 x86_64
  • Include all necessary configuration files : docker-compose.yml, .env, ...

docker-compose.yml:

version: '3.5'
services:
  samba:
    image: crazymax/samba 
    container_name: samba
    ports:
      - 139:139
      - 445:445
    volumes:
      - ./data:/data
      - ./public:/samba/public
    environment:
      - TZ=Europe/London
      - SAMBA_LOG_LEVEL=1
    restart: always

config.yml:

auth:
  - user: mark
    group: mark    
    uid: 501
    gid: 501
    password: test

global:
  - "log level = 3"
  - "fruit:aapl = yes"
  - "fruit:resource = xattr"
  - "fruit:nfs_aces = no"
  - "min protocol = SMB2_10"
  - "max protocol = SMB2_10"
  - "ea support = yes"

share:
  - name: public
    path: /samba/public
    browsable: yes
    readonly: no
    guestok: no
    writelist: mark
  • Admin user account on server mac is mark uid 501.
  • Same results with protocol = SMB3_11

Docker info

Client:
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.10.0)
  compose: Docker Compose (Docker Inc., v2.15.1)
  dev: Docker Dev Environments (Docker Inc., v0.0.5)
  extension: Manages Docker extensions (Docker Inc., v0.2.17)
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
  scan: Docker Scan (Docker Inc., v0.23.0)

Server:
 Containers: 5
  Running: 2
  Paused: 0
  Stopped: 3
 Images: 7
 Server Version: 20.10.22
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 9ba4b250366a5ddde94bb7c9d1def331423aa323
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.15.49-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.842GiB
 Name: docker-desktop
 ID: PS4U:WDPK:GI5T:OULQ:7ZPB:2CFA:ZAHE:2EIN:ET6N:D4AX:OFJS:GFHN
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5000
  127.0.0.0/8
 Live Restore Enabled: false

Enable legacy protocol version (NT1)

This is not really an issue, rather a question:

For a special use case, in a production environment, I need to provide SMB1.0 services to an IoT device running Windows XP.

How can I set the "min protocol" variable to support this?

(Yes, I know about all the security issues, but this will be run on a small server on an isolated network segment)

BR
Yonz
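
An audit for the settings requested in this question and in the earlier entrypoint.sh report (`server min protocol = NT1`, `ntlm auth = ntlmv1-permitted`), added here as an example and not taken from the project: it parses a `testparm`-style dump like the ones in the logs on this page and flags SMB1, NTLMv1, guest-writable shares and `wide links`. The sample dump, the check names and the function names are constructed for illustration.

```python
import re

# Constructed sample: a shortened testparm-style dump modelled on the logs on
# this page, with the legacy options from the two NT1 requests added.
SAMPLE_DUMP = """\
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
    map to guest = Bad User
    security = USER
    client min protocol = NT1
    server min protocol = NT1
    ntlm auth = ntlmv1-permitted
    hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    wide links = Yes
[public]
    guest ok = Yes
    path = /samba/public
[share]
    guest ok = Yes
    path = /samba/share
    read only = No
    write list = foo
smbd version 4.18.3 started.
"""

TRUTHY = {"yes", "true", "1", "on"}
# smb.conf synonyms, written without spaces (parameter names ignore whitespace).
SYNONYMS = {"minprotocol": "serverminprotocol", "public": "guestok"}
INVERTED_READ_ONLY = {"writeable", "writable", "writeok"}
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
NTLMV1_VALUES = {"ntlmv1-permitted", "yes"}

HINTS = {
    "smb1-enabled": "SMB1 dialects are accepted; keep the server on an isolated "
                    "segment and raise 'server min protocol' once the legacy client is gone",
    "ntlmv1-permitted": "NTLMv1 responses are accepted; use 'ntlm auth = ntlmv2-only' "
                        "unless the legacy client cannot do NTLMv2",
    "guest-writable": "guests can write; set 'guest ok = no' or 'read only = yes'",
    "wide-links": "symlinks that leave the share path are followed; "
                  "set 'wide links = no' (SAMBA_WIDE_LINKS in this image)",
}


def is_true(value):
    return value.strip().lower() in TRUTHY


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are lowercased, spaces removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # log lines printed around the dump
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key.lower())
        value = value.strip()
        if key in INVERTED_READ_ONLY:
            key, value = "readonly", ("no" if is_true(value) else "yes")
        sections[current][SYNONYMS.get(key, key)] = value
    return sections


def effective(conf, section, key, default):
    """Share value if set, else the [global] value, else Samba's built-in default."""
    for name in (section, "global"):
        if key in conf.get(name, {}):
            return conf[name][key]
    return default


def audit(text):
    """Return a list of (section, check) findings for the dump in `text`."""
    conf = parse_smb_conf(text)
    findings = []
    if effective(conf, "global", "serverminprotocol", "SMB2_02").upper() in SMB1_DIALECTS:
        findings.append(("global", "smb1-enabled"))
    if effective(conf, "global", "ntlmauth", "ntlmv2-only").lower() in NTLMV1_VALUES:
        findings.append(("global", "ntlmv1-permitted"))
    for share in conf:
        if share == "global":
            continue
        guest = is_true(effective(conf, share, "guestok", "no"))
        read_only = is_true(effective(conf, share, "readonly", "yes"))
        if guest and not read_only:
            findings.append((share, "guest-writable"))
        if is_true(effective(conf, share, "widelinks", "no")):
            findings.append((share, "wide-links"))
    return findings


if __name__ == "__main__":
    for section, check in audit(SAMPLE_DUMP):
        print(f"[{section}] {check}: {HINTS[check]}")
```

Feed it the dump the container prints at start-up (for example the output of `docker logs samba`) to review what the generated smb.conf actually enables.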

Container goes into restart loop immediately upon being started

docker logs shows me this:

Setting timezone to UTC
Initializing files and folders
Setting global configuration
Creating user nobody/nobody (1000:1000)
Add global option: force user = nobody
Add global option: force group = nobody
Creating share centauri
Creating share magellan
Creating share orion
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

# Global parameters

[global]
disable netbios = Yes
disable spoolss = Yes
dns proxy = No
local master = No
map to guest = Bad User
.
.
.
.
[orion]
delete veto files = Yes
guest ok = Yes
path = /nfs/orion
read only = No
veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
vfs objects = recycle
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle
smbd version 4.18.2 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023

Looks like great work

Haven't tried this out yet, but it looks like a pretty solid way to run an ephemeral containerized samba server and definitely an evolution from how it was done in dperson/samba. I really like the idea of defining the shares configuration in a separate, static yaml file that gets parsed by the entrypoint script. Only suggestion would be that some method be exposed for easy user configuration of the default [global] section. Right now it looks like you can only add global options, not override the defaults.

Newbie question about getting started

Behaviour

Hello there! I have a question about starting the container.

I can't access this Samba server.

Steps to reproduce this issue

  1. mkdir /samba/ and mkdir /data/
  2. touch /data/config.yml
auth:
  - user: foo
    group: foo
    uid: 1000
    gid: 1000
    password: bar

global:
  - "force user = foo"
  - "force group = foo"

share:
  - name: foo
    path: /samba/foo
    browsable: yes
    readonly: no
    guestok: no
    validusers: foo
    writelist: foo
    veto: no
    hidefiles: /_*/
  3. Run docker with the following command:
    docker run -d -p 445:445 -v /samba/:/samba/ -v /data/:/data/ --name samba crazymax/samba

Expected behaviour


I can't access this server; it throws an error: Unspecified error 80004005

Configuration

  • Docker version (type docker --version) : Docker version 20.10.12, build 20.10.12-0ubuntu2~20.04.1
  • Platform (Debian 9, Ubuntu 18.04, ...) : Ubuntu server 20.04
  • System info (type uname -a) : Linux ramiubuntutest 5.4.0-120-generic #136-Ubuntu SMP Fri Jun 10 13:40:48 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Docker info

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 1
 Server Version: 20.10.12
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 
 runc version: 
 init version: 
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-120-generic
 Operating System: Ubuntu 20.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 7.741GiB
 Name: ramiubuntutest
 ID: KVZQ:P5F2:7TBD:C5CY:6IJW:XXDW:NI5L:MGYY:LHX3:7YSD:HOJB:7356
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Logs

root@ramiubuntutest:/home/rami# docker logs samba
Setting timezone to UTC
Initializing files and folders
Setting global configuration
Creating user foo/foo (1000:1000)
Added user foo.
Add global option: force user = foo
Add global option: force group = foo
Creating share foo
Load smb config files from /etc/samba/smb.conf
# Global parameters
[global]
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

	disable netbios = Yes
	disable spoolss = Yes
	dns proxy = No
	local master = No
	map to guest = Bad User
	pam password change = Yes
	printcap name = /dev/null
	security = USER
	server role = standalone server
	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = Docker Samba Server
	smb ports = 445
	unix extensions = No
	usershare allow guests = Yes
	winbind scan trusted domains = Yes
	fruit:time machine = yes
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:veto_appledouble = no
	fruit:posix_rename = yes
	fruit:model = MacSamba
	fruit:metadata = stream
	idmap config * : backend = tdb
	create mask = 0664
	directory mask = 0775
	force create mode = 0664
	force directory mode = 0775
	force group = foo
	force user = foo
	hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	hosts deny = 0.0.0.0/0
	printing = bsd
	strict locking = No
	vfs objects = fruit streams_xattr
	wide links = Yes


[foo]
	delete veto files = Yes
	hide files = /_*/
	path = /samba/foo
	read only = No
	valid users = foo
	veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
	write list = foo
smbd version 4.15.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
Setting timezone to UTC
Initializing files and folders
Setting global configuration
Creating user foo/foo (1000:1000)
Add global option: force user = foo
Add global option: force group = foo
Creating share foo
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

# Global parameters
[global]
Server role: ROLE_STANDALONE

	disable netbios = Yes
	disable spoolss = Yes
	dns proxy = No
	local master = No
	map to guest = Bad User
	pam password change = Yes
	printcap name = /dev/null
	security = USER
	server role = standalone server
	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = Docker Samba Server
	smb ports = 445
	unix extensions = No
	usershare allow guests = Yes
	winbind scan trusted domains = Yes
	fruit:time machine = yes
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:veto_appledouble = no
	fruit:posix_rename = yes
	fruit:model = MacSamba
	fruit:metadata = stream
	idmap config * : backend = tdb
	create mask = 0664
	directory mask = 0775
	force create mode = 0664
	force directory mode = 0775
	force group = foo
	force user = foo
	hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	hosts deny = 0.0.0.0/0
	printing = bsd
	strict locking = No
	vfs objects = fruit streams_xattr
	wide links = Yes


[foo]
	delete veto files = Yes
	hide files = /_*/
	path = /samba/foo
	read only = No
	valid users = foo
	veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
	write list = foo
smbd version 4.15.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021

Container keeps restarting

Hi, I am having issues running this image. I tried to follow the compose file provided by others in the issues section but am still unable to figure out what I am doing wrong.

compose

  samba:
    image: ghcr.io/crazy-max/samba:latest
    hostname: ${DOCKERHOSTNAME}
    container_name: samba
    environment:
      - PGID=${PGID}
      - PUID=${PUID}
      - TZ=${TZ}
      - SAMBA_LOG_LEVEL=1
    ports:
      - 445:445
    restart: unless-stopped
    volumes:
      - ${DOCKERCONFDIR}/samba:/data
      - ${DOCKERSTORAGEDIR}:/storage

config.yml

auth:
  - user: ubuntu
    group: ubuntu
    uid: 1000
    gid: 1000
    password: 1234

global:
  - "force user = ubuntu"
  - "force group = ubuntu"

share:
  - name: storage
    comment: Storage
    path: /storage
    browsable: yes
    readonly: no
    guestok: yes
    veto: no

folder structure

ubuntu@ubuntu:~$ ls -alh ~/.docker/appdata/samba/
total 20K
drwxr-xr-x  5 ubuntu ubuntu 4.0K Jun 26 14:33 .
drwxrwxr-x 12 ubuntu ubuntu 4.0K Jun 26 14:32 ..
drwxr-xr-x  2 ubuntu ubuntu 4.0K Jun 26 14:32 cache
drwxrwxr-x  2 ubuntu ubuntu 4.0K Jun 26 14:38 data
drwxr-xr-x  5 ubuntu ubuntu 4.0K Jun 26 14:32 lib

Log

Copyright Andrew Tridgell and the Samba Team 1992-2021
Setting timezone to Europe/London
Initializing files and folders
Setting global configuration
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
parse error: Invalid numeric literal at line 1, column 6
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

# Global parameters
[global]
        disable netbios = Yes
        disable spoolss = Yes
        dns proxy = No
        local master = No
        map to guest = Bad User
        pam password change = Yes
        printcap name = /dev/null
        security = USER
        server role = standalone server
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        server string = Docker Samba Server
        smb ports = 445
        unix extensions = No
        usershare allow guests = Yes
        winbind scan trusted domains = Yes
        fruit:time machine = yes
        fruit:delete_empty_adfiles = yes
        fruit:wipe_intentionally_left_blank_rfork = yes
        fruit:veto_appledouble = no
        fruit:posix_rename = yes
        fruit:model = MacSamba
        fruit:metadata = stream
        idmap config * : backend = tdb
        create mask = 0664
        directory mask = 0775
        force create mode = 0664
        force directory mode = 0775
        hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
        hosts deny = 0.0.0.0/0
        printing = bsd
        strict locking = No
        vfs objects = fruit streams_xattr
        wide links = Yes
smbd version 4.15.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021

Need to add "bind interfaces only = no" to config for Podman

Behaviour

I'm not sure if this is specific to Podman, but I'm getting an issue when running this container with a config file that resembles the example in this repo.

When starting the container under Podman, and ensuring that the port is appropriately forwarded with --publish, I find that I can't connect to the SMB server, even though I can see the conmon service listening on the port when using ss on the host.

Running a cat /etc/samba/smb.conf inside the container shows that Samba is configuring itself to listen only on certain interfaces, but the list of interfaces is empty for whatever reason:

hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
hosts deny = 0.0.0.0/0
interfaces = 
bind interfaces only = yes

I found that I could fix this and make the container work by adding this to the config.yml:

global:
  - "bind interfaces only = no"

Expected behaviour

I'm not sure if this is specific to Podman as I don't really have Docker available to test with, but it seems like the "bind interfaces only" setting isn't going to add any security inside a container so it should probably be set to "no" by default.

Configuration

  • podman version 3.3.1
  • RHEL 8.5

Logs

Container starts fine on host when checking with podman logs samba, but this is what I see from a remote host:

# smbclient -L 10.10.10.10                                                                                                                                                                              
protocol negotiation failed: NT_STATUS_IO_TIMEOUT

And a remote nmap run shows the ports as listening even when the service isn't working, but I think this is a bit of a red herring caused by the way conmon works with Podman. The server is "listening" on 445 because I told it to with the --publish flag, but this doesn't indicate that the app inside the container is actually listening.

# sudo nmap 10.10.10.10                                                                                                                                                                                     
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-26 21:03 GMT
Nmap scan report for nas.home.arpa (10.10.10.10)
Host is up (0.0018s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
445/tcp open  microsoft-ds

Trouble making a shared space

I'm trying to set this up so user1, and user2 both have their own shares, whilst they can both read/write to a public shared space, when belonging to a shared group:

When trying to list /mnt/shared I get this:

NT_STATUS_ACCESS_DENIED listing \*

Here's my docker-compose.yml

services:
  samba:
    image: crazymax/samba
    container_name: samba
    hostname: samba.internal
    networks:
      external_v3:
        ipv4_address: 192.168.3.132
    volumes:
      - "/mnt/data/container_data/samba:/data"
      - "/home/user1:/home/user1"
      - "/home/user2:/home/user2"
      - "/mnt/data/shared:/mnt/shared"
    environment:
      - "TZ=UTC"
      - "SAMBA_LOG_LEVEL=0"
    restart: always

and my data/config.yml

auth:
  - user: user1
    group: user1
    uid: 1000
    gid: 1000
    password: {{ password }}
  - user: user2
    group: user2
    uid: 1001
    gid: 1001
    password: {{ password }}

global:
  - "force user = shared"
  - "force group = shared"

share:
  - name: shared
    path: /mnt/shared
    browsable: yes
    readonly: no
    guestok: no
    validusers: user1
    writelist: user1
    veto: no
  - name: user1
    path: /home/user1
    browsable: yes
    readonly: no
    guestok: no
    validusers: user1
    writelist: user1
    veto: no
  - name: user2
    path: /home/user2
    browsable: yes
    readonly: no
    guestok: no
    validusers: user2
    writelist: user2
    veto: no

Normally this is what I have in my /etc/smb.conf (in my old setup)

[user1]
   comment = user1's directory
   path = /home/user1
   valid users = user1
   public = no
   writable = yes
   printable = no
[user2]
   comment = user1's directory
   path = /home/user2
   valid users = user2
   public = no
   writable = yes
   printable = no
[public]
   comment = Public Stuff
   path = /mnt/data/shared
   public = yes
   writable = no
   printable = no
   write list = @shared

The shared group exists on the host as well, and users in it can write to /mnt/data/shared.

How to join an existing domain - winbindd not found

We would like to be able to configure samba as a ROLE_DOMAIN_MEMBER. I have the correct parameters set and can enter the shell and "net join ads" with proper credentials, but there is no winbindd process and so clients cannot properly authenticate using ADS credentials from an external server.

Where is winbindd?

Container is causing mount point 'Deactivated successfully' spam in systemd log

Support guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

When running the container this error is being spammed in my systemd log.

Expected behaviour

The error should not occur and be spammed at all.

Actual behaviour

This error is happening

Feb 29 13:40:38 server systemd[1]: run-docker-runtime\x2drunc-moby-52b515d4abad93429b47d31f6ae761627d3a9eaa2ce778b83705badc1af7a2d8-runc.jRgWsb.mount: Deactivated successfully.
Feb 29 13:44:39 server systemd[1]: run-docker-runtime\x2drunc-moby-52b515d4abad93429b47d31f6ae761627d3a9eaa2ce778b83705badc1af7a2d8-runc.b18vgx.mount: Deactivated successfully.
Feb 29 13:46:09 server systemd[1]: run-docker-runtime\x2drunc-moby-52b515d4abad93429b47d31f6ae761627d3a9eaa2ce778b83705badc1af7a2d8-runc.1A6mVn.mount: Deactivated successfully.
Feb 29 13:47:09 server systemd[1]: run-docker-runtime\x2drunc-moby-52b515d4abad93429b47d31f6ae761627d3a9eaa2ce778b83705badc1af7a2d8-runc.NlQ1g3.mount: Deactivated successfully.
Feb 29 13:47:39 server systemd[1]: run-docker-runtime\x2drunc-moby-52b515d4abad93429b47d31f6ae761627d3a9eaa2ce778b83705badc1af7a2d8-runc.yd3WZV.mount: Deactivated successfully.
Feb 29 13:48:10 server systemd[1]: run-docker-runtime\x2drunc-moby-52b515d4abad93429b47d31f6ae761627d3a9eaa2ce778b83705badc1af7a2d8-runc.orGghr.mount: Deactivated successfully.
Feb 29 13:48:40 server systemd[1]: run-docker-runtime\x2drunc-moby-52b515d4abad93429b47d31f6ae761627d3a9eaa2ce778b83705badc1af7a2d8-runc.i3LSQU.mount: Deactivated successfully.

This keeps happening 24/7 at random intervals.

Steps to reproduce

  1. Run the container
  2. Wait, and check sudo journalctl -n 50 -f

Docker info

Client: Docker Engine - Community
 Version:    25.0.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.5
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 19
  Running: 18
  Paused: 0
  Stopped: 1
 Images: 22
 Server Version: 25.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: local
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-18-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.633GiB
 Name: server
 ID: REDACTED
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Docker Compose config

...
  samba:
    image: crazymax/samba
    container_name: samba
    network_mode: host
    mem_limit: 512m
    environment:
      - TZ=${TZ}
      - SAMBA_LOG_LEVEL=0
      - LOG_LEVEL=debug
    volumes:
      - ${APP_CONF}/samba:/data
      - /home/aciel:/samba/server/aciel
      - /app_conf:/samba/server/app_conf
      - ${WDC}:/samba/server/WDC
      - ${MEDIA}:/samba/server/Media
    restart: always

Logs

Can't get debug log

Additional info

I have same setup on a Raspberry Pi 4 8GB, it does the exact same thing as well.

mkdir failed on directory /var/lib/samba/private/msg.sock: No such file or directory

Behaviour

I've been using this docker image for a while and it has worked great. When I pulled the last update, the container no longer starts. I tried to revert to some previous versions of the container, but I'm experiencing the same issues.

I believe the problem is related to these lines in the entrypoint.sh. On the created container, these lines seem to symlink /data/lib to /var/lib/samba/lib when it appears the symlink should be to /var/lib/samba. However the commands themselves appear correct, so I'm not sure why this started happening.

Steps to reproduce this issue

  1. Follow setup instructions in readme for use with docker compose, using example docker compose and config.yml in the repo
  2. Make sure directories public, share, foo, foo-baz are present.
  3. Run docker-compose up

Expected behaviour

Tell me what should happen

Container should start samba and samba should run.

Actual behaviour

Tell me what happens instead

Samba does not start, failing with the message:

directory_create_or_exist: mkdir failed on directory /var/lib/samba/private/msg.sock: No such file or directory

Configuration

  • Docker version (type docker --version) : Docker version 20.10.23, build 715524332f
  • Docker compose version if applicable (type docker-compose --version) : Docker Compose version 2.15.1
  • Platform (Debian 9, Ubuntu 18.04, ...) : Arch
  • System info (type uname -a) : Linux cubert 5.15.83-1-pve #1 SMP PVE 5.15.83-1 (2022-12-15T00:00Z) x86_64 GNU/Linux
  • Include all necessary configuration files : docker-compose.yml, .env, ...

I only used the files provided here: https://github.com/crazy-max/docker-samba/tree/master/examples/compose

Docker info

> Output of command `docker info`
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  compose: Docker Compose (Docker Inc., 2.15.1)

Server:
 Containers: 7
  Running: 6
  Paused: 0
  Stopped: 1
 Images: 8
 Server Version: 20.10.23
 Storage Driver: overlay2
  Backing Filesystem: zfs
  Supports d_type: true
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 31aa4358a36870b21a992d3ad2bef29e1d693bec.m
 runc version:
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.15.83-1-pve
 Operating System: Arch Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 8GiB
 Name: cubert
 ID: NZEN:TFZ2:AQOZ:PCJZ:B6UV:JHO7:2XXB:XVWK:UICP:DNLL:NYBH:N2UZ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Logs

> Container logs (set LOG_LEVEL to debug if applicable)
samba  | Setting global configuration
samba  | Creating user foo/foo (1000:1000)
samba  | Failed to open /var/lib/samba/private/secrets.tdb
samba  | Creating user baz/xxx (1100:1200)
samba  | addgroup: group 'xxx' in use
samba  | Failed to open /var/lib/samba/private/secrets.tdb
samba  | Add global option: force user = foo
samba  | Add global option: force group = foo
samba  | Creating share public
samba  | Creating share share
samba  | Creating share foo
samba  | Creating share foo-baz
samba  | Load smb config files from /etc/samba/smb.conf
samba  | Loaded services file OK.
samba  | Weak crypto is allowed
samba  |
samba  | WARNING: some services use vfs_fruit, others don't. Mounting them in conjunction on OS X clients results in undefined behaviour.
samba  |
samba  | Server role: ROLE_STANDALONE
samba  |
samba  | # Global parameters
samba  | [global]
samba  |        disable netbios = Yes
samba  |        disable spoolss = Yes
samba  |        dns proxy = No
samba  |        local master = No
samba  |        map to guest = Bad User
samba  |        pam password change = Yes
samba  |        printcap name = /dev/null
samba  |        security = USER
samba  |        server role = standalone server
samba  |        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
samba  |        server string = Docker Samba Server
samba  |        smb ports = 445
samba  |        unix extensions = No
samba  |        usershare allow guests = Yes
samba  |        winbind scan trusted domains = Yes
samba  |        fruit:time machine = yes
samba  |        fruit:delete_empty_adfiles = yes
samba  |        fruit:wipe_intentionally_left_blank_rfork = yes
samba  |        fruit:veto_appledouble = no
samba  |        fruit:posix_rename = yes
samba  |        fruit:model = MacSamba
samba  |        fruit:metadata = stream
samba  |        idmap config * : backend = tdb
samba  |        create mask = 0664
samba  |        directory mask = 0775
samba  |        force create mode = 0664
samba  |        force directory mode = 0775
samba  |        force group = foo
samba  |        force user = foo
samba  |        hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
samba  |        hosts deny = 0.0.0.0/0
samba  |        printing = bsd
samba  |        strict locking = No
samba  |        vfs objects = fruit streams_xattr
samba  |        wide links = Yes
samba  |
samba  |
samba  | [public]
samba  |        comment = Public
samba  |        delete veto files = Yes
samba  |        guest ok = Yes
samba  |        path = /samba/public
samba  |        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
samba  |        vfs objects = recycle
samba  |        recycle:versions = yes
samba  |        recycle:keeptree = yes
samba  |        recycle:repository = .recycle
samba  |
samba  |
samba  | [share]
samba  |        delete veto files = Yes
samba  |        guest ok = Yes
samba  |        path = /samba/share
samba  |        read only = No
samba  |        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
samba  |        write list = foo
samba  |
samba  |
samba  | [foo]
samba  |        delete veto files = Yes
samba  |        hide files = /_*/
samba  |        path = /samba/foo
samba  |        read only = No
samba  |        valid users = foo
samba  |        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
samba  |        write list = foo
samba  |
samba  |
samba  | [foo-baz]
samba  |        delete veto files = Yes
samba  |        path = /samba/foo-baz
samba  |        read only = No
samba  |        valid users = foo baz
samba  |        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
samba  |        write list = foo baz
samba  | smbd version 4.16.8 started.
samba  | Copyright Andrew Tridgell and the Samba Team 1992-2022
samba  | directory_create_or_exist: mkdir failed on directory /var/lib/samba/private/msg.sock: No such file or directory
samba exited with code 1

Blocking anonymous access with "restrict anonymous = 2" causes the healthcheck to fail

Support guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

global:
  - "restrict anonymous = 2"

in the config file works as intended and blocks anonymous users from seeing the shares on the server, but because the healthcheck seems to be based on an anonymous login with

            "Healthcheck": {
                "Test": [
                    "CMD-SHELL",
                    "smbclient -L \\\\localhost -U % -m SMB3"

it too fails in this config.

Expected behaviour

Restricting anonymous access should not prevent a healthcheck of the container. Maybe having a "healthcheck account" that is baked into the container could solve this problem.

Actual behaviour

see above

Steps to reproduce

see above

Docker info

not required

Docker Compose config

No response

Logs

not required

Additional info

No response
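
An added example (not part of either issue and not the project's own code): a small audit of the testparm-style dump the container prints at startup. It flags the empty-interface bind reported in the Podman issue and the anonymous healthcheck that `restrict anonymous = 2` breaks. The sample dump, finding codes and function names are constructed for illustration; the guest-share check follows the note in smb.conf(5) that `guest ok = yes` on any share removes the benefit of level 2.

```python
import re

# Constructed sample: a testparm-style dump in the shape the container logs on
# this page print it (compose prefix, indented parameters). Values are made up.
SAMPLE_DUMP = """\
samba  | Add global option: restrict anonymous = 2
samba  | Load smb config files from /etc/samba/smb.conf
samba  | # Global parameters
samba  | [global]
samba  |        bind interfaces only = Yes
samba  |        map to guest = Bad User
samba  |        restrict anonymous = 2
samba  |        hosts deny = 0.0.0.0/0
samba  |
samba  | [public]
samba  |        guest ok = Yes
samba  |        path = /samba/public
samba  |
samba  | [foo]
samba  |        path = /samba/foo
samba  |        valid users = foo
samba  | smbd version 4.16.8 started.
"""

# Healthcheck command quoted in the issue (JSON escaping removed).
IMAGE_HEALTHCHECK = r"smbclient -L \\localhost -U % -m SMB3"

_PREFIX = re.compile(r"^[\w.-]+\s*\|\s?")   # "samba  | " added by docker compose
_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_TRUE = {"yes", "true", "1", "on"}


def parse_dump(text):
    """Return {section: {parameter: value}} from a testparm-style dump.

    Only indented "key = value" lines under a [section] header count, so
    entrypoint chatter such as "Add global option: ..." is ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw, count=1).rstrip()
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        header = _SECTION.match(line)
        if header:
            current = sections.setdefault(header["name"].strip().lower(), {})
        elif not line[0].isspace():
            current = None                  # unindented log line ends the section
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and repeated whitespace
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    """Samba boolean: yes/true/1/on, case-insensitive."""
    return (value or "").strip().lower() in _TRUE


def healthcheck_is_anonymous(cmd):
    """True when smbclient gets the empty user ("-U %") and no auth file."""
    anonymous = re.search(r"(?:^|\s)(?:-U\s*|--user[=\s])%(?=\s|$)", cmd)
    has_auth_file = re.search(r"(?:^|\s)(?:-A|--authentication-file)\b", cmd)
    return bool(anonymous) and not has_auth_file


def audit(dump, healthcheck_cmd):
    """Return sorted (code, section) findings for the settings discussed above."""
    conf = parse_dump(dump)
    glob = conf.get("global", {})
    findings = []

    # Podman issue: binding is restricted to an interface list that is empty.
    if is_true(glob.get("bind interfaces only")) and not glob.get("interfaces"):
        findings.append(("BIND_WITHOUT_INTERFACES", "global"))

    if glob.get("restrict anonymous", "0").strip() == "2":
        # Healthcheck issue: the anonymous probe is refused, so the
        # container is reported unhealthy although smbd is serving.
        if healthcheck_is_anonymous(healthcheck_cmd):
            findings.append(("ANON_HEALTHCHECK_BLOCKED", "global"))
        # smb.conf(5): guest ok = yes on any share undoes level 2.
        for name, params in conf.items():
            if name != "global" and is_true(params.get("guest ok")):
                findings.append(("GUEST_SHARE_UNDOES_RESTRICT_ANON", name))
    return sorted(findings)


if __name__ == "__main__":
    for code, section in audit(SAMPLE_DUMP, IMAGE_HEALTHCHECK):
        print(f"[{section}] {code}")
```

Feed it the output of `docker logs samba` (or `podman logs samba`) together with the healthcheck string from `docker inspect`.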

Consider moving the config to a different location

Hi,

I'm trying to switch from the popular dperson/samba image to your image and had some issues while trying to deploy it to Kubernetes.

I'm using a ConfigMap to configure the Pod that is mounted to /data and I'm not really sure why, but it causes that /data is read-only, and the container won't start due to read-only filesystem.

Logs

$ kubectl logs samba-868fc6579-g4ncd -n storage
Setting timezone to Europe/Berlin
Initializing files and folders
mkdir: cannot create directory ‘/data/cache’: Read-only file system
mkdir: cannot create directory ‘/data/lib’: Read-only file system
ls: cannot access '/data/lib': No such file or directory
cp: target '/data/lib/' is not a directory
Setting global configuration
Creating user niklas/users (1000:100)
Failed to open /var/lib/samba/private/secrets.tdb
Creating user eltern/users (2000:100)
Failed to open /var/lib/samba/private/secrets.tdb
Add global option: socket options = TCP_NODELAY IPTOS_LOWDELAY
Add global option: getwd cache = yes
Creating share 4all
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

WARNING: The 'netbios name' is too long (max. 15 chars).

ERROR: state directory /var/lib/samba does not exist

Server role: ROLE_STANDALONE

# Global parameters
[global]
        bind interfaces only = Yes
        disable netbios = Yes
        disable spoolss = Yes
        dns proxy = No
        local master = No
        map to guest = Bad User
        pam password change = Yes
        printcap name = /dev/null
        security = USER
        server role = standalone server
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        server string = Docker Samba Server
        smb ports = 445
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        unix extensions = No
        usershare allow guests = Yes
        winbind scan trusted domains = Yes
        fruit:time machine = yes
        fruit:delete_empty_adfiles = yes
        fruit:wipe_intentionally_left_blank_rfork = yes
        fruit:veto_appledouble = no
        fruit:posix_rename = yes
        fruit:model = MacSamba
        fruit:metadata = stream
        idmap config * : backend = tdb
        create mask = 0664
        directory mask = 0775
        force create mode = 0664
        force directory mode = 0775
        hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
        hosts deny = 0.0.0.0/0
        printing = bsd
        strict locking = No
        vfs objects = fruit streams_xattr
        wide links = Yes


[4all]
        delete veto files = Yes
        path = /mnt/4all
        read only = No
        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
smbd version 4.15.2 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
directory_create_or_exist: mkdir failed on directory /var/lib/samba/private/msg.sock: No such file or directory

Pod Info

$  kubectl describe pod samba-868fc6579-l279l -n storage
Name:         samba-868fc6579-l279l
Namespace:    storage
Priority:     0
Node:         amy/192.168.178.5
Start Time:   Fri, 24 Dec 2021 13:48:10 +0100
Labels:       app.kubernetes.io/instance=generic-service-samba
              app.kubernetes.io/managed-by=Terraform
              app.kubernetes.io/name=samba
              app.kubernetes.io/version=latest
              pod-template-hash=868fc6579
Annotations:  configmap/checksum: 67de0719c0bd8d4ee8072d427c9551ff16d0e245cf2e12f0a17d2727691d8a49
              kubernetes.io/psp: 00-k0s-privileged
Status:       Running
IP:           10.244.0.65
IPs:
  IP:           10.244.0.65
Controlled By:  ReplicaSet/samba-868fc6579
Containers:
  samba:
    Container ID:   containerd://e61b10650ae84a040d78fe4a04db340d738e65101079dc2249722cc9266cc87e
    Image:          ghcr.io/crazy-max/samba:latest
    Image ID:       ghcr.io/crazy-max/samba@sha256:16ffff6ff59bd75748945901c044428ce03961b31b3b02a75d800459954dab17
    Port:           445/TCP
    Host Port:      445/TCP
    State:          Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Fri, 24 Dec 2021 13:49:05 +0100
      Finished:     Fri, 24 Dec 2021 13:49:07 +0100
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Fri, 24 Dec 2021 13:48:35 +0100
      Finished:     Fri, 24 Dec 2021 13:48:37 +0100
    Ready:          False
    Restart Count:  3
    Liveness:       tcp-socket :main delay=0s timeout=1s period=10s #success=1 #failure=12
    Readiness:      tcp-socket :main delay=0s timeout=1s period=10s #success=1 #failure=3
    Startup:        tcp-socket :main delay=0s timeout=1s period=5s #success=1 #failure=24
    Environment:
      TZ:  Europe/Berlin
    Mounts:
      /data from config-map (rw)
      /mnt/4all from 4all (rw)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  4all:
    Type:          HostPath (bare host directory volume)
    Path:          /srv/nvme/4all
    HostPathType:  Directory
  config-map:
    Type:        ConfigMap (a volume populated by a ConfigMap)
    Name:        samba
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason            Age                From               Message
  ----     ------            ----               ----               -------
  Warning  FailedScheduling  59s                default-scheduler  0/1 nodes are available: 1 node(s) didn't have free ports for the requested pod ports.
  Normal   Scheduled         56s                default-scheduler  Successfully assigned storage/samba-868fc6579-l279l to amy
  Normal   Pulled            2s (x4 over 56s)   kubelet            Container image "ghcr.io/crazy-max/samba:latest" already present on machine
  Normal   Created           2s (x4 over 56s)   kubelet            Created container samba
  Normal   Started           2s (x4 over 56s)   kubelet            Started container samba
  Warning  BackOff           0s (x10 over 52s)  kubelet            Back-off restarting failed container

The thing that confuses me is that the Mount is listed as rw in Kubernetes yet the container fails to write to /data. Furthermore, there are other paths that fail to write, which is really weird since I don't use "Read-Only filesystem" option in Kubernetes.

"ERROR: state directory /var/lib/samba does not exist"
"Failed to open /var/lib/samba/private/secrets.tdb"

Consider allowing env vars in config.yml with envsubst

Hello! Thank you for your work for this image.

I have a feature request: I use this image in a docker-compose.yml file next to many other services, all using the uid and gid of the main user. All services allow configuring this via env vars (e.g. linux-server.io images use PUID and PGID).

To the best of my knowledge it appears that isn't possible with your image.

Browsing the source it appears you use yq to parse the yml file.

It appears that yq allows for doing environment variable substitution using envsubst.

Allowing the ability to use environment variable substitution in the yaml file would allow my config to be portable, so that all I need to do is change the .env file in the docker-compose directory.

auth:
  - user: chris
    group: chris
    uid: ${UID}
    gid:  ${GID}
    password_file: /run/secrets/chris_samba_password

One might even be able to use it like this

auth:
  - user: chris
    group: chris
    uid: ${UID}
    gid:  ${GID}
    password: ${CHRIS_PASSWORD}

Please consider allowing this! Thank you 🙂
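
The request above amounts to rendering config.yml from a template before the container reads it. The sketch below is an added example, not code from the image or its author, and does the rendering on the host. The allowlist, the value patterns and the `render_config` name are assumptions made for illustration. It substitutes only `UID` and `GID`, checks each value so that an environment variable cannot inject extra YAML keys, and leaves the password in `password_file`.

```python
import re
from string import Template

# Constructed sample: a config.yml template shaped like the one in the request.
TEMPLATE = """\
auth:
  - user: chris
    group: chris
    uid: ${UID}
    gid: ${GID}
    password_file: /run/secrets/chris_samba_password
"""

# Hypothetical policy: the only variables that may be substituted, each with
# the pattern its value must match in full. Anything else is refused.
ALLOWED = {
    "UID": re.compile(r"[0-9]{1,10}"),
    "GID": re.compile(r"[0-9]{1,10}"),
}


class ConfigRenderError(ValueError):
    """The template or the environment violates the substitution policy."""


def render_config(template: str, env: dict) -> str:
    """Substitute $VAR / ${VAR} placeholders under the ALLOWED policy."""
    tpl = Template(template)
    values = {}
    for match in tpl.pattern.finditer(template):
        if match.group("invalid") is not None:
            raise ConfigRenderError(f"malformed placeholder at offset {match.start()}")
        name = match.group("named") or match.group("braced")
        if name is None:  # "$$" escape, rendered as a literal "$"
            continue
        rule = ALLOWED.get(name)
        if rule is None:
            raise ConfigRenderError(f"variable {name} is not on the allowlist")
        if name not in env:
            raise ConfigRenderError(f"variable {name} is not set")
        # fullmatch rejects newlines, colons and quotes, so a value cannot
        # add YAML keys or break out of the scalar it is placed in.
        if not rule.fullmatch(env[name]):
            raise ConfigRenderError(f"value of {name} does not match {rule.pattern}")
        values[name] = env[name]
    return tpl.substitute(values)


if __name__ == "__main__":
    # Constructed environment; in real use pass dict(os.environ).
    print(render_config(TEMPLATE, {"UID": "1000", "GID": "1000"}), end="")
```

Write the rendered text to the file that is mounted as /data/config.yml. A plain text-level envsubst performs none of these checks, so a value containing a newline would become new YAML lines.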

Error on start: what's the problem?

I am trying to start Samba in a container using the latest version of your image, but I have an unexpected error.
Here are my configuration files and the log I saved.
If there is an error on my side, I cannot find it.
Thanks for your help!

docker-compose.yml

version: "3.5"

services:
  samba:
    image: crazymax/samba
    container_name: samba
    network_mode: host
    volumes:
      - "./data:/data"
      - "/mnt:/samba/share"
    environment:
      - "TZ=Europe/Rome"
      - "SAMBA_LOG_LEVEL=0"
    restart: always

config.yml

auth:
  - user: myuser
    group: mygroup
    uid: 1000
    gid: 1000
    password: mypwd

global:
  - "force user = myuser"
  - "force group = mygroup"

share:
  - name: pxv
    path: /samba/share
    browsable: yes
    readonly: no
    guestok: no
    validusers: myuser
    writelist: myuser
    veto: no

log

samba  | Setting timezone to Europe/Rome
samba  | Initializing files and folders
samba  | Setting global configuration
samba  | Creating user myuser/mygroup (1000:1000)
samba  | Added user myuser.
samba  | Add global option: force user = myuser
samba  | Add global option: force group = mygroup
samba  | Creating share pxv
samba  | Load smb config files from /etc/samba/smb.conf
samba  | Loaded services file OK.
samba  | Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
samba  | 
samba  | 
samba  | Server role: ROLE_STANDALONE
samba  | 
samba  | 
samba  | # Global parameters
samba  | [global]
samba  |        disable netbios = Yes
samba  |        disable spoolss = Yes
samba  |        dns proxy = No
samba  |        local master = No
samba  |        map to guest = Bad User
samba  |        pam password change = Yes
samba  |        printcap name = /dev/null
samba  |        security = USER
samba  |        server role = standalone server
samba  |        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
samba  |        server string = Docker Samba Server
samba  |        smb1 unix extensions = No
samba  |        smb ports = 445
samba  |        usershare allow guests = Yes
samba  |        winbind scan trusted domains = Yes
samba  |        fruit:time machine = yes
samba  |        fruit:delete_empty_adfiles = yes
samba  |        fruit:wipe_intentionally_left_blank_rfork = yes
samba  |        fruit:veto_appledouble = no
samba  |        fruit:posix_rename = yes
samba  |        fruit:model = MacSamba
samba  |        fruit:metadata = stream
samba  |        idmap config * : backend = tdb
samba  |        create mask = 0664
samba  |        directory mask = 0775
samba  |        force create mode = 0664
samba  |        force directory mode = 0775
samba  |        force group = mygroup
samba  |        force user = myuser
samba  |        hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
samba  |        hosts deny = 0.0.0.0/0
samba  |        printing = bsd
samba  |        strict locking = No
samba  |        vfs objects = fruit streams_xattr
samba  |        wide links = Yes
samba  | 
samba  | 
samba  | 
samba  | 
samba  | [pxv]
samba  |        delete veto files = Yes
samba  |        path = /samba/share
samba  |        read only = No
samba  |        valid users = myuser
samba  |        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
samba  |        write list = myuser
samba  | smbd version 4.18.3 started.
samba  | Copyright Andrew Tridgell and the Samba Team 1992-2023
samba  | ===============================================================
samba  | INTERNAL ERROR: sys_setgroups failed in pid 271 (4.18.3)
samba  | If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
samba  | ===============================================================
samba  | PANIC (pid 271): sys_setgroups failed in 4.18.3
samba  | unable to produce a stack trace on this platform
samba  | dumping core in /var/log/samba/cores/smbd
samba  | ===============================================================
samba  | INTERNAL ERROR: sys_setgroups failed in pid 280 (4.18.3)
samba  | If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
samba  | ===============================================================
samba  | PANIC (pid 280): sys_setgroups failed in 4.18.3
samba  | unable to produce a stack trace on this platform
samba  | dumping core in /var/log/samba/cores/smbd
samba  | ===============================================================

help with fileshare defs?

btw, thanks for picking up the baton for dperson/samba. I just tried this out, but couldn't get it to work.

Behaviour

Creating a yml file as documented doesn't yield fileshares. Also, could you write some doc explaining how to disable the other services listed in the log? All I need is an authless smb fileshare, nothing for time machine, print, KDCs, etc.

Steps to reproduce this issue

  1. create config.yml per directions. Same result if I include an auth section or not.

  2. Run the container:
    sudo podman run --ip 192.168.1.193 --network services -v /filesrv:/data:Z -d crazymax/samba
    network is macvlan.

  3. verify a test file from the mounted volume is seen by the container:

sudo podman exec b7bfa436d124 /bin/ls /data/media/music
test.mp3

Expected behaviour

In windows file explorer, \\<ip>\music shows me test.mp3
get more logs given log level = 3

Actual behaviour

when container is off, nmap <ip> yields "Host seems down"
When on:

  • Global settings seem to be read in fine, except no interesting logs.
  • nmap <ip> yields 445 open
  • \\<ip> yields an empty directory of files and folders
  • \\<ip>\music yields "windows cannot access \\music"

Configuration

  • Docker version (type docker --version) : podman 3.0.1
  • Docker compose version if applicable (type docker-compose --version) : n/a
  • Platform (Debian 9, Ubuntu 18.04, ...) : debian 11, all recently updated
  • System info (type uname -a) : 5.15.32-v8+
  • Include all necessary configuration files : docker-compose.yml, .env, ...

config.yml:

global:
  - "min protocol = smb3"
  - "disable spoolss = yes"
  - "load printers = no"
  - "log level = 3"
  - "printing = bsd"
  - "printcap name = /dev/null"

share:
  - name: music
    path: /data/media/music
    browsable: yes
    readonly: no
    guestok: yes

Docker info

> Output of command `docker info`

n/a in podman, but if you tell me what else would be important, I can probably find it.

Logs

> Container logs (set LOG_LEVEL to debug if applicable)

Setting timezone to UTC
Initializing files and folders
Setting global configuration
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

Global parameters

[global]
disable netbios = Yes
disable spoolss = Yes
dns proxy = No
local master = No
map to guest = Bad User
pam password change = Yes
printcap name = /dev/null
security = USER
server role = standalone server
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Docker Samba Server
smb ports = 445
unix extensions = No
usershare allow guests = Yes
winbind scan trusted domains = Yes
fruit:time machine = yes
fruit:delete_empty_adfiles = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:veto_appledouble = no
fruit:posix_rename = yes
fruit:model = MacSamba
fruit:metadata = stream
idmap config * : backend = tdb
create mask = 0664
directory mask = 0775
force create mode = 0664
force directory mode = 0775
hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
hosts deny = 0.0.0.0/0
printing = bsd
strict locking = No
vfs objects = fruit streams_xattr
wide links = Yes
smbd version 4.15.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021

Use "Secrets"

Nice work with this. I particularly like how config.yml is abstracted from the main docker-compose.yml.

I think however storing passwords in there might not be a good idea, and should look at "secrets".

Here is an example we did, for a docker-openvpn client. wfg/docker-openvpn-client@a6f6fbb

Container enter infinite restart loop upon start

When starting the container, it keeps restarting in an infinite loop (--restart always). Without the --restart always, it just exits with error code 1.

Steps to reproduce this issue

  1. docker run -d --network host -p 445:445 -v "/docker-data/samba:/data" --name samba --restart always crazymax/samba

root@cetus:/# cat /docker-data/samba/config.yml
auth:
  - user: nobody
    group: nobody
    uid: 1000
    gid: 1000
    password: nobody

global:
  - "force user = nobody"
  - "force group = nobody"

share:
  - name: centauri
    comment: centauri
    path: /nfs/centauri
    browsable: yes
    readonly: no
    guestok: yes
    veto: no
    recycle: no
  - name: magellan
    path: /nfs/magellan
    browsable: yes
    readonly: no
    guestok: yes
    veto: no
    recycle: no
  - name: orion
    path: /nfs/orion
    browsable: yes
    readonly: no
    guestok: yes
    veto: no
    recycle: no

Expected behaviour

3 shares: magellan, centauri and orion should be available

Actual behaviour

Container continuously restarts

Configuration

  • Docker version (type docker --version) : Docker version 24.0.0, build 98fdcd7

  • Docker compose version if applicable (type docker-compose --version) : n/a

  • Platform (Debian 9, Ubuntu 18.04, ...) : Debian 11

  • System info (type uname -a) : Linux cetus 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux

  • Include all necessary configuration files : docker-compose.yml, .env, ...

Docker info

Client: Docker Engine - Community
 Version:    24.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.3
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 3
  Running: 2
  Paused: 0
  Stopped: 1
 Images: 5
 Server Version: 24.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
 runc version: v1.1.7-0-g860f061
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.10.0-23-amd64
 Operating System: Debian GNU/Linux 11 (bullseye)
 OSType: linux
 Architecture: x86_64
 CPUs: 40
 Total Memory: 125.9GiB
 Name: cetus
 ID: 5e398c17-3056-4a9f-9d5c-97757323f500
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Logs

Setting timezone to UTC
Initializing files and folders
Setting global configuration
Creating user nobody/nobody (1000:1000)
Add global option: force user = nobody
Add global option: force group = nobody
Creating share centauri
Creating share magellan
Creating share orion
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

# Global parameters
[global]
        disable netbios = Yes
        disable spoolss = Yes
        dns proxy = No
        local master = No
        map to guest = Bad User
        pam password change = Yes
        printcap name = /dev/null
        security = USER
        server role = standalone server
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        server string = Docker Samba Server
        smb1 unix extensions = No
        smb ports = 445
        usershare allow guests = Yes
        winbind scan trusted domains = Yes
        fruit:time machine = yes
        fruit:delete_empty_adfiles = yes
        fruit:wipe_intentionally_left_blank_rfork = yes
        fruit:veto_appledouble = no
        fruit:posix_rename = yes
        fruit:model = MacSamba
        fruit:metadata = stream
        idmap config * : backend = tdb
        create mask = 0664
        directory mask = 0775
        force create mode = 0664
        force directory mode = 0775
        force group = nobody
        force user = nobody
        hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
        hosts deny = 0.0.0.0/0
        printing = bsd
        strict locking = No
        vfs objects = fruit streams_xattr
        wide links = Yes


[centauri]
        comment = centauri
        delete veto files = Yes
        guest ok = Yes
        path = /nfs/centauri
        read only = No
        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
        vfs objects = recycle
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle


[magellan]
        delete veto files = Yes
        guest ok = Yes
        path = /nfs/magellan
        read only = No
        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
        vfs objects = recycle
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle


[orion]
        delete veto files = Yes
        guest ok = Yes
        path = /nfs/orion
        read only = No
        veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
        vfs objects = recycle
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle
smbd version 4.18.2 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023

Update Samba Release to latest stable release

Hi @crazy-max thank you for your work on this container, I have been using it successfully for a long time!

In February the latest stable release of the Samba 4.16 release series came out: https://www.samba.org/samba/history/samba-4.16.9.html

Also, from March 08, 2023 the first stable release of the Samba 4.18 release series is available https://www.samba.org/samba/history/samba-4.18.0.html that comes with SMB Server performance improvements.

Shall I open a new PR to upgrade to one of these versions? Would you rather stay in the 4.16 branch?

Thanks again

Add ZeroConf Service Discovery

As this image drops support for legacy protocols including NetBIOS, WINS, and Samba port 139 for security purposes, for Windows clients, Samba won't be shown under network browsing. We could use mDNS and DNS-SD with Samba using Avahi daemon for that but it only works on Linux and OSX machines afaik.

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
 <name replace-wildcards="yes">%h</name>
 <service>
   <type>_smb._tcp</type>
   <port>445</port>
 </service>
 <service>
   <type>_device-info._tcp</type>
   <port>0</port>
   <txt-record>model=RackMac</txt-record>
 </service>
 <service>
   <type>_adisk._tcp</type>
   <txt-record>sys=waMa=0,adVF=0x100</txt-record>
   <txt-record>dk0=adVN=TimeMachine,adVF=0x82</txt-record>
 </service>
</service-group>
