A simple domain controller using Samba
Some parts are collected from:
- https://hub.docker.com/r/militellovinx/samba-ad and https://github.com/vmilitello/samba-ad (this image was created based on them)
- https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Quick and dirty: no persisted configuration, and everything is thrown away when the container stops (`--rm`):

```sh
docker run -it --rm \
  --privileged \
  -e SAMBA_ADMIN_PASSWORD=...secr3t... \
  -e SAMBA_DOMAIN=local \
  -e SAMBA_REALM=local.patodiaz.io \
  -e LDAP_ALLOW_INSECURE=true \
  -p 389:389 \
  --name smb4ad \
  padiazg/samba4dc:ubuntu
```
Environment variables control how this image behaves; see the list below for an explanation of each one:

Variable | Explanation | Default
---|---|---
SAMBA_DOMAIN | The (NetBIOS) domain name used for Samba AD | SAMDOM
SAMBA_REALM | The realm for authentication (e.g. Kerberos); also the DNS domain name | SAMDOM.EXAMPLE.COM
LDAP_ALLOW_INSECURE | Allow an insecure LDAP setup, i.e. binds that send the password unencrypted. Use only in debug and non-production setups. | false
SAMBA_ADMIN_PASSWORD | The Samba Administrator password | generated with $(pwgen -cny 10 1)
KERBEROS_PASSWORD | The Kerberos password | generated with $(pwgen -cny 10 1)
Persisting (or reusing) data is done by providing
- /etc/samba/smb.conf
- /etc/krb5.conf
- /var/lib/samba/
- /var/lib/krb5kdc/

as volumes to the Docker container. It is better if /var/lib/samba/ and /var/lib/krb5kdc/ are mounted as named Docker volumes rather than bind mounts, to avoid permission issues; the two configuration paths are bind-mounted so they can be edited from the host:
```sh
mkdir -p ~/tmp/krb-conf ~/tmp/smb-conf
touch ~/tmp/krb-conf/krb5.conf
docker volume create samba4ad-smb-data-ubuntu
docker volume create samba4ad-krb-data-ubuntu

docker run -it --rm \
  -e SAMBA_ADMIN_PASSWORD=...secr3t... \
  -e SAMBA_DOMAIN=local \
  -e SAMBA_REALM=local.patodiaz.io \
  -e LDAP_ALLOW_INSECURE=true \
  --mount type=bind,source=$HOME/tmp/krb-conf/krb5.conf,target=/etc/krb5.conf \
  --mount type=bind,source=$HOME/tmp/smb-conf,target=/etc/samba \
  --mount type=volume,source=samba4ad-smb-data-ubuntu,target=/var/lib/samba \
  --mount type=volume,source=samba4ad-krb-data-ubuntu,target=/var/lib/krb5kdc \
  -p 389:389 \
  --name smb4ad \
  padiazg/samba4dc:ubuntu
```
For details on how to store data in directories, named volumes, etc., see the Docker documentation.
Get the docker-compose.yaml file from the github repo:

```yaml
version: '3'
services:
  samba:
    image: padiazg/samba4dc:ubuntu
    privileged: true
    environment:
      - SAMBA_DOMAIN=local
      - SAMBA_REALM=local.patodiaz.io
      - SAMBA_ADMIN_PASSWORD=secr3t*
      - LDAP_ALLOW_INSECURE=true
    volumes:
      - ~/tmp/smb-conf:/etc/samba
      - ~/tmp/krb-conf/krb5.conf:/etc/krb5.conf
      - samba4ad-smb-data:/var/lib/samba
      - samba4ad-krb-data:/var/lib/krb5kdc
    ports:
      # - "53:53"     # dns
      - "389:389"     # ldap
      # - "88:88"     # kdc
      # - "135:135"   # rpc
      # - "139:139"   # smbd
      # - "445:445"   # smbd
      # - "464:464"   # kdc (kpasswd)
      - "3268:3268"   # global catalog (ldap)
      - "3269:3269"   # global catalog (ldaps)
volumes:
  samba4ad-smb-data:
  samba4ad-krb-data:
```
then run it:

```sh
mkdir -p ~/tmp/krb-conf ~/tmp/smb-conf
touch ~/tmp/krb-conf/krb5.conf
docker-compose up -d
```

Watch the logs via `docker-compose logs -f`.
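The compose file above keeps the lab-only settings the variable table warns about: `LDAP_ALLOW_INSECURE=true`, the Administrator password written into the yaml, and plain LDAP on port 389 published on every host interface. Below is an added example of the same file with those turned off. It is not a file from the repo; it assumes that Samba's AD DC also serves LDAPS on port 636 using the self-signed certificate it generates at provision time (Samba's default location for it is /var/lib/samba/private/tls), and it uses the standard compose `${VAR:?message}` substitution so the password is read from the shell environment or a `.env` file instead of being committed:

```yaml
version: '3'
services:
  samba:
    image: padiazg/samba4dc:ubuntu
    privileged: true
    environment:
      - SAMBA_DOMAIN=local
      - SAMBA_REALM=local.patodiaz.io
      # lab file: SAMBA_ADMIN_PASSWORD=secr3t* in the yaml
      # here: fail to start unless the value is supplied from the environment/.env
      - SAMBA_ADMIN_PASSWORD=${SAMBA_ADMIN_PASSWORD:?set SAMBA_ADMIN_PASSWORD in .env}
      # lab file: LDAP_ALLOW_INSECURE=true
      # here: the documented default, no unencrypted password binds
      - LDAP_ALLOW_INSECURE=false
    volumes:
      - ~/tmp/smb-conf:/etc/samba
      - ~/tmp/krb-conf/krb5.conf:/etc/krb5.conf
      - samba4ad-smb-data:/var/lib/samba
      - samba4ad-krb-data:/var/lib/krb5kdc
    ports:
      # lab file: "389:389" (plain ldap, all interfaces); not published here
      # assumption: Samba AD DC listens for LDAPS on 636 with its self-signed cert
      - "127.0.0.1:636:636"     # ldaps, loopback only
      - "127.0.0.1:3269:3269"   # global catalog over TLS, loopback only
volumes:
  samba4ad-smb-data:
  samba4ad-krb-data:
```

With this file the queries further down change only in the URI: `ldapsearch -x -W -H ldaps://localhost:636 -D "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" -b dc=local,dc=patodiaz,dc=io`. The client will reject the self-signed certificate until you copy the CA file out of the container (`docker cp smb4ad:/var/lib/samba/private/tls/ca.pem .`) and point `LDAPTLS_CACERT` at it; `LDAPTLS_REQCERT=never` also makes the command work, but it removes the server authentication you just switched on, so reserve it for a throwaway lab.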
Query the directory. The base DN is the realm written as dc= components, and the bind DN is the built-in Administrator account. These commands use a simple bind (`-x`) over plain LDAP on the published port 389, which is what `LDAP_ALLOW_INSECURE=true` permits: the Administrator password crosses the wire unencrypted, so keep this to a throwaway lab. The server is expected at ldap://localhost (add `-H ldap://localhost` if your ldap.conf points elsewhere).

```sh
# dump everything under the base DN
ldapsearch -x -W \
  -D "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" \
  -b dc=local,dc=patodiaz,dc=io

# only groups
ldapsearch -x -W \
  -D "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" \
  -b dc=local,dc=patodiaz,dc=io \
  "(objectClass=group)"

# only organizational units
ldapsearch -x -W \
  -D "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" \
  -b dc=local,dc=patodiaz,dc=io \
  "(objectClass=organizationalUnit)"

# organizational units and groups in one query
ldapsearch -x -W \
  -D "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" \
  -b dc=local,dc=patodiaz,dc=io \
  "(|(objectClass=organizationalUnit)(objectClass=group))"
```
First create a file group.ldif:

```ldif
dn: cn=team-a,cn=Users,dc=local,dc=patodiaz,dc=io
objectClass: top
objectClass: group
cn: team-a
gidNumber: 678
```

Then create the group using this file:

```sh
ldapadd -cxWD "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" \
  -f group.ldif
```

Check that the group was created (the filter must use the cn from the LDIF, team-a):

```sh
ldapsearch -xWD "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" \
  -b dc=local,dc=patodiaz,dc=io "(&(objectClass=group)(cn=team-a))"
```
Let's create a file named jhon.ldif. The RFC 2307 attributes (uid, uidNumber, gidNumber, homeDirectory, loginShell, gecos) are what Unix clients read from AD; the userPassword line is a placeholder, so set a real password and enable the account afterwards (for example with `samba-tool user setpassword` and `samba-tool user enable` inside the container) before trying to log in as this user.

```ldif
dn: cn=Jhon,cn=Users,dc=local,dc=patodiaz,dc=io
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jhon
uid: jhon
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/jhon
loginShell: /bin/bash
gecos: jhon
userPassword: {crypt}x
```

Create the user:

```sh
ldapadd -xWD "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" \
  -f jhon.ldif
```

Check that the user was created:

```sh
ldapsearch -xWD "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" \
  -b dc=local,dc=patodiaz,dc=io \
  "(&(objectClass=user)(cn=Jhon))"
```
To add a user to a group, create add-to-group.ldif. This example adds an existing user cn=Adam to a group cn=dbagrp under cn=Builtin; both DNs must already exist, so substitute the DNs of the user and group you created above (e.g. cn=Jhon,cn=Users,... and cn=team-a,cn=Users,...):

```ldif
dn: cn=dbagrp,cn=Builtin,dc=local,dc=patodiaz,dc=io
changetype: modify
add: member
member: cn=Adam,cn=Users,dc=local,dc=patodiaz,dc=io
```

Add the user to the group:

```sh
ldapmodify -xWD "cn=Administrator,cn=Users,dc=local,dc=patodiaz,dc=io" \
  -f add-to-group.ldif
```
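The three LDIF files above are written by hand, and the DNs in them have to agree with each other (the group check searches for a cn the group LDIF never used, and the membership change names a user and group that the earlier files do not create). The following added example (not files from this page) generates all three from one set of parameters so the DNs cannot drift, and checks the membership change against the generated DNs before it is fed to ldapmodify. It assumes the base DN dc=local,dc=patodiaz,dc=io and that both objects live under cn=Users, as in the README; the placeholder userPassword line is left out on purpose, since the password is set separately anyway.

```shell
#!/bin/sh
# Added example, not the page's own files: build group.ldif, jhon.ldif and
# add-to-group.ldif from one set of parameters so every DN stays consistent.
# Assumptions: base DN dc=local,dc=patodiaz,dc=io (override with BASE_DN),
# objects under cn=Users, and the same attribute set the README uses.

BASE_DN=${BASE_DN:-dc=local,dc=patodiaz,dc=io}

group_dn() { printf 'cn=%s,cn=Users,%s\n' "$1" "$BASE_DN"; }
user_dn()  { printf 'cn=%s,cn=Users,%s\n' "$1" "$BASE_DN"; }

# group_ldif NAME GIDNUMBER -> ldapadd input for a group with a POSIX gid
group_ldif() {
    [ $# -eq 2 ] || { echo "usage: group_ldif name gidNumber" >&2; return 1; }
    printf 'dn: %s\nobjectClass: top\nobjectClass: group\ncn: %s\ngidNumber: %s\n' \
        "$(group_dn "$1")" "$1" "$2"
}

# user_ldif CN UID UIDNUMBER GIDNUMBER -> ldapadd input for a user with RFC 2307
# attributes. No password is set here; do that with samba-tool user setpassword
# and enable the account with samba-tool user enable afterwards.
user_ldif() {
    [ $# -eq 4 ] || { echo "usage: user_ldif cn uid uidNumber gidNumber" >&2; return 1; }
    printf 'dn: %s\n' "$(user_dn "$1")"
    printf 'objectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\n'
    printf 'cn: %s\nuid: %s\nuidNumber: %s\ngidNumber: %s\n' "$1" "$2" "$3" "$4"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\ngecos: %s\n' "$2" "$2"
}

# membership_ldif GROUPNAME USERCN -> ldapmodify input adding the user to the group
membership_ldif() {
    [ $# -eq 2 ] || { echo "usage: membership_ldif group userCN" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' \
        "$(group_dn "$1")" "$(user_dn "$2")"
}

# Pre-flight check: the modify target must be the group's DN and the member
# value the user's DN, exactly. Catches the team-a/TeamA kind of mismatch.
membership_is_consistent() {
    ldif=$(membership_ldif "$1" "$2") || return 1
    printf '%s\n' "$ldif" | grep -qxF "dn: $(group_dn "$1")" &&
    printf '%s\n' "$ldif" | grep -qxF "member: $(user_dn "$2")"
}

# Write the files with the README's values, then load them as in the text:
write_ldifs() {
    group_ldif team-a 678 > group.ldif
    user_ldif Jhon jhon 16859 100 > jhon.ldif
    membership_is_consistent team-a Jhon && membership_ldif team-a Jhon > add-to-group.ldif
}
# ldapadd -cxWD "cn=Administrator,cn=Users,$BASE_DN" -f group.ldif
# ldapadd -xWD  "cn=Administrator,cn=Users,$BASE_DN" -f jhon.ldif
# ldapmodify -xWD "cn=Administrator,cn=Users,$BASE_DN" -f add-to-group.ldif
```

Source the file and call `write_ldifs`, then run the three commented ldap commands against the container; because the search filter and the member DN are both derived from the same `group_dn`/`user_dn` helpers, the verification query from the group section becomes `"(&(objectClass=group)(cn=team-a))"` with no chance of a stray capitalisation.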