How to get a [global] option into smb.conf?

[martinpitt]

I am trying to get ldapmodify to work in the quay.io/samba.org/samba-ad-server container (after installing /usr/bin/ldapmodify). For that I need to set ldap server require strong auth = no option in smb.conf's [global] section. But despite https://github.com/samba-in-kubernetes/sambacc/blob/master/docs/configuration.md and various examples, it just doesn't seem to stick:

my ~/samba-ad.json:

{
  "samba-container-config": "v0",
  "configs": {
    "demo": {
      "instance_features": ["addc"],
      "domain_settings": "sink",
      "instance_name": "f0",
      "globals": ["default"]
    }
  },
  "domain_settings": {
    "sink": {
      "realm": "COCKPIT.LAN",
      "short_domain": "COCKPIT",
      "admin_password": "foobarFoo123"
    }
  },
  "globals": {
    "default": {
      "options": {
        "ldap server require strong auth": "no"
      }
    }
  }
}

podman run -it --rm --name samba     --privileged --network=host     -v /root/samba-ad.json:/etc/samba/container.json     -h f0.cockpit.lan  quay.io/samba.org/samba-ad-server

And yet there's no sign of it:

# podman exec -it samba cat /etc/samba/smb.conf
# Global parameters
[global]
	dns forwarder = 127.0.0.53
	netbios name = F0
	realm = COCKPIT.LAN
	server role = active directory domain controller
	workgroup = COCKPIT
	idmap_ldb:use rfc2307 = yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/cockpit.lan/scripts
	read only = No

I also tried other options, like "guest ok": "no" which is from /usr/share/sambacc/examples/example1.json

How does this work?

Thanks in advance!

[martinpitt]

For the record: What I really want is to add an userCertificate to a created user. At least in the past this wasn't possible with samba-tool user add, but had to happen through something like

samba-tool user add alice ALICE_PASS
printf "version: 1\ndn: cn=alice,cn=users,dc=cockpit,dc=lan\nchangetype: modify\nadd: userCertificate\nuserCertificate: CERTIFICATE\n" | \
        ldapmodify -v -U Administrator -w ADMIN_PASS'

... perhaps this is easier these days?

[martinpitt]

I found a way to avoid calling ldapmodify (which isn't present in the samba-ad-server container, and also fails to authenticate):

printf '#!/bin/sh\nsed -i "/^$/d" "$1"\necho "userCertificate: abc123" >> "$1"\n' > /tmp/edit
chmod 755 /tmp/edit
samba-tool user edit --editor=/tmp/edit alice

This is much easier already. Still, I'm interested in how to add smb.conf options via container.json.

[phlogistonjohn]

I thought that I had fixed this issue with samba-in-kubernetes/sambacc#85. If you view that issue I even used "ldap server require strong auth" in my testing.

What version of the samba-container were you using? Perhaps you're using a release tag - this fix has not made it into a release yet.

We can also consider adding a tool like ldapmodify to the container image too, especially if samba-tool does not cover enough use cases. It's a pretty standard tool and I don't think it would be considered too much "bloat"

[martinpitt]

@phlogistonjohn ah thanks, I didn't realize that I was looking at documentation of the master branch. But looking at https://quay.io/repository/samba.org/samba-ad-server?tab=history it seems that latest gets released fairly often? I lost yesterday's VM image where I pulled the container version that I reported this on (sorry, should have noted the SHA), but it was very plausibly 6e4a642059a7

[martinpitt]

Specifically, I did not pull the v0.3 tag, but just :latest

[phlogistonjohn]

OK, in that case I would have expected it to work, but the possibility of a new bug or something else is real. I will try to reproduce the error later myself, but knowing what exact sha you used would certainly help.

FWIW the latest tag should be updated "nightly".

[phlogistonjohn]

I think I know what is happening. It appears that COPR that is supposed to automatically build sambacc isn't. The only package in the COPR right now is the last released sambacc version. I'm looking into it now.

[phlogistonjohn]

It seems that I misconfigured the webhook for github to trigger a COPR build. I kicked off a build manually and now there should be a 0.4~38.gdb27013-1 version of sambacc in the repo for the next time the samba-container images get build. I will try to remember to check it myself but feel free to ping me here if the next build of the container image lacks that version of sambacc.

I have attempted to fix the webhook and will monitor it more closely now - maybe I'll do a trivial PR just to try and check it soon so I don't forget.

[phlogistonjohn]

$ podman run --rm -it --entrypoint bash  quay.io/samba.org/samba-ad-server:latest
[root@e99a1cac3c79 /]# rpm -qi python3-sambacc
Name        : python3-sambacc
Version     : 0.4~38.gdb27013
Release     : 1.fc38
Architecture: noarch
Install Date: Thu Nov 16 02:41:35 2023
Group       : Unspecified
Size        : 560230
License     : GPLv3+
Signature   : RSA/SHA256, Wed Nov 15 16:00:41 2023, Key ID ca1350677018d54a
Source RPM  : python-sambacc-0.4~38.gdb27013-1.fc38.src.rpm
Build Date  : Wed Nov 15 16:00:12 2023
Build Host  : copr-hv-x86-64-02-prod-13539822-20231115-155353
Vendor      : Fedora Copr - user phlogistonjohn
URL         : https://github.com/samba-in-kubernetes/sambacc
Summary     : Samba Container Configurator
Description :
A Python library and set of CLI tools intended to act as a bridge between a container
environment and Samba servers and utilities. It aims to consolidate, coordinate and
automate all of the low level steps of setting up smbd, users, groups, and other
supporting components.
[root@e99a1cac3c79 /]# 

The latest images should now contain the latest versions of sambacc. Please try setting global options again. Don't hesitate to let us know if it still doesn't work as expected or you see any other issues.

[martinpitt]

Amazing, thanks for fixing that! I'm glad that it was useful for something after all 😁

I re-confirmed the bug on our current "services" VM image with the reproducer in the description, on this container image:

quay.io/samba.org/samba-ad-server latest 15e3e41c5dfc 34 hours ago 417 MB

I pulled the latest one:

quay.io/samba.org/samba-ad-server latest aab5bf1125c0 11 hours ago 433 MB

et voilà:

# podman exec -it samba cat /etc/samba/smb.conf

[global]
	dns forwarder = 127.0.0.53
	netbios name = f0
	realm = COCKPIT.LAN
	server role = active directory domain controller
	workgroup = COCKPIT
	idmap_ldb:use rfc2307 = yes
	ldap server require strong auth = no

[...]

Cheers! 👍