samba on alpine
with timemachine, zeroconf (avahi
) and WSD (Web Services for Devices) (wsdd2
) support.
Note that there are issues regarding UID/GID Mapping on Docker Desktop - see: #125
New Registry: ghcr.io/servercontainers/samba
In March 2023 - Docker informed me that they are going to remove my
organizations servercontainers
and desktopcontainers
unless
I'm upgrading to a pro plan.
I'm not going to do that. It's more of a professionally done hobby then a professional job I'm earning money with.
In order to avoid bad actors taking over my org. names and publishing potenial
backdoored containers, I'd recommend to switch over to my new github registry: ghcr.io/servercontainers
.
You can specify DOCKER_REGISTRY
environment variable (for example my.registry.tld
)
and use the build script to build the main container and it's variants for x86_64, arm64 and arm
You'll find all images tagged like a3.15.0-s4.15.2
which means a<alpine version>-s<samba version>
.
This way you can pin your installation/configuration to a certain version. or easily roll back if you experience any problems.
To build a latest
tag run ./build.sh release
For builds without specified registry you can use the generate-variants.sh
script to generate
variations of this container and build the repos yourself.
all of those variants are automatically build and generated in one go
latest
ora<alpine version>-s<samba version>
- main version of this repo
- includes everything (smbd, avahi, wsdd2)
- not all services need to start/run -> use ENV variables to disable optional services
smbd-only-latest
orsmbd-only-a<alpine version>-s<samba version>
- this will only include smbd and my scripts - no avahi, wsdd2 installed
smbd-avahi-latest
orsmbd-avahi-a<alpine version>-s<samba version>
- this will only include smbd, my scripts and avahi
- optional service can still be disabled using ENV variables
smbd-wsdd2-latest
orsmbd-wsdd2-a<alpine version>-s<samba version>
- this will only include smbd, my scripts and wsdd2
- optional service can still be disabled using ENV variables
- 2024-09-22
- fixed filename handling for names with special chars
mangled names = no; dos charset = CP850; unix charset = UTF-8
- added new environment variable to
FAIL_FAST
on user/group creation/errors/conflicts (#139)
- fixed filename handling for names with special chars
- 2024-07-05
- improved github workflow - don't fail if it just skipped the build.
- sign images with cosign
- 2024-05-27
- added
.dockerignore
to exlcude unnecessary files and history
- added
- 2024-05-23
- updated github actions (see pull #131)
- fixed broken build/version
- 2024-04-16
- added
tzdata
package to support setting the timezone using an env- e.g.
TZ=Europe/Berlin
- e.g.
- added
- 2024-03-22
- merged pull request which fixed avahi on smbd-only and smbd-wsdd2 variants
- solution was to just deactivate the avahi service and not remove the config folder
- merged pull request which fixed avahi on smbd-only and smbd-wsdd2 variants
- 2024-03-11
- patch
host-name
in/etc/avahi/avahi-daemon.conf
ifAVAHI_NAME
env is set - fixed build - overwrite
latest
tag if there was a commit within last hour- the tagged version will remain unchanged to avoid problems for pinned container versions.
- patch
- 2024-01-08
- multiline config for shares available
- optional
- better readability
- merged important parts from pull request #60 by hand
- multiline config for shares available
- 2024-01-04
- fix for disabled nmbd #118
- 2023-12-01
- made
nmbd
optional useNETBIOS_DISABLE=true
to disable nmbd
- made
- 2023-10-08
- fixed avahi service config -
</service-group>
error (Issue #107)
- fixed avahi service config -
- 2023-09-24
- added
nmbd
service and increase compatibility - print
smb.conf
on initialization to maketestparm -s
problems visible - updated github build to fail if build/version combination already exists as tag
- added
- 2023-09-16
- implemented working version of pull #87
- fixed avahi model which now works without a single timemachine share
- avahi will now be configured without timemachine
- 2023-08-07
- create all groups, than create all users, and after that add users to groups - this gives a more clear and clean way to add users to different groups
- 2023-07-29
- added
vfs objects = catia fruit streams_xattr
to global config to improve macos compatibility - closes issue #93
- added
older changelogs -> CHANGELOGS.md
This is a Samba Server Container running on _/alpine
.
If you experience Problems, take a look at this file: TROUBLESHOOTING.md
-
SAMBA_GLOBAL_STANZA
- optional
- default not set
- use it to manage multiple global settings in one place
- separate multiple settings/lines using
;
which will be automatically translated to\n
-
SAMBA_GLOBAL_CONFIG_someuniquevalue
- add any global samba config to
smb.conf
- example value:
key = value
- important if the SAMBA key contains a
_SPACE_
- e.g.
foo_SPACE_bar
- e.g.
- important if the SAMBA key contains a
:
space replace it with_COLON_
- e.g.
foo_COLON_bar
- e.g.
- add any global samba config to
-
ACCOUNT_username
- multiple variables/accounts possible
- adds a new user account with the given username and the env value as password or samba hash
- either you add a simple plaintext password as value (can't start with
:
username:[0-9]*:
or it will be detected as hash) - to add a samba hash e.g.
user:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[U ]:LCT-5FE1F7DF:
(user:user
/ password:password
) add the line from/var/lib/samba/private/smbpasswd
- create hash using this command
docker run -ti --rm --entrypoint create-hash.sh ghcr.io/servercontainers/samba
- see
docker-compose.yml
userfoo
for an example how it's used/configured. - the hashing script needs an all lowercase username - it will therefore automatically lowercase given username
- either you add a simple plaintext password as value (can't start with
- to restrict access of volumes you can add the following to your samba volume config:
valid users = alice; invalid users = bob;
-
UID_username
- optional
- specify the
uid
explicitly for each user account. - the
username
part must match to a specifiedACCOUNT_username
environment variable
-
GROUP_groupname
- optional
- value will be
gid
- example:
GROUP_devops=1500
will create groupdevops
with id1500
- do not use for the default user groups e.g.
GROUP_bob=1000
- those groups are automatically created for the user
-
GROUPS_username
- optional
- additional groups for the user
- to create groups look at
GROUP_groupname
or mount/inject /etc/groups file (can cause problems) - the
username
part must match to a specifiedACCOUNT_username
environment variable - one or more groups to add separated by a
,
- example:
GROUPS_johndoe=musican,devops
-
MODEL
- optional model value of avahi samba service
- default:
TimeCapsule
- some available options are
Xserve
,PowerBook
,PowerMac
,Macmini
,iMac
,MacBook
,MacBookPro
,MacBookAir
,MacPro
,MacPro6,1
,MacPro7,1
(Tower),MacPro7,1@ECOLOR=226,226,224
(Rack),TimeCapsule
,AppleTV1,1
andAirPort
.
-
FAIL_FAST
- optional currently only fails fast if there are conflicts/errors during user/group creation
- default not set - set to any value to enable
-
AVAHI_NAME
- optional name of avahi samba service
- default: hostname
-
AVAHI_DISABLE
- optional
- default not set - set to any value to disable avahi Service
-
SAMBA_CONF_SERVER_ROLE
- default: standalone server
- note:
$
is an invalid symbol in this env
-
SAMBA_CONF_LOG_LEVEL
- default: 1
-
SAMBA_CONF_WORKGROUP
- default: WORKGROUP
-
SAMBA_CONF_SERVER_STRING
- default: Samba Server
-
SAMBA_CONF_MAP_TO_GUEST
- default: Bad User
-
SAMBA_VOLUME_CONFIG_myconfigname
- adds a new samba volume configuration
- multiple variables/confgurations possible by adding unique configname to SAMBA_VOLUME_CONFIG_
- take a look at https://wiki.samba.org/index.php/Configure_Samba_to_Work_Better_with_Mac_OS_X -> EXPLANATION OF VOLUME PARAMETERS
- multiline support -> look into
docker-compose.yml
for example - separate multiple lines using
;
which will be automatically translated to\n
- if your path variable ends with
%U
e.g.path = /shares/homes/%U;
multi user mode gets activated and each user gets their own subdirectory for their own share. (great for timemachine - every user get's his own personal share) - for timemachine only add
fruit:time machine = yes
and all other needed settings are automatically added- you can also use
fruit:time machine max size = 500G;
to limit max size of time machine volume
- you can also use
-
WSDD2_DISABLE
- optional
- default not set - set to any value to disable wsdd2 Service
-
WSDD2_PARAMETERS
- optional specify parameters for wsdd2
- default not set - wsdd2 starts without any parameters
- e.g.
-l
-
NETBIOS_DISABLE
- optional
- default not set - set to any value to disable
nmbd
- not recommended - you should know that you want it disabled
-
your shares
- by default I recommend mounting all shares beneath
/shares
and configure them using thepath
property
- by default I recommend mounting all shares beneath
-
/external/avahi
- mount your avahi service folder e.g.
/etc/avahi/services/
to this spot - the container now maintains the service file
samba.service
for you - it will be overwritten! - when mounted, the internal avahi daemon will be disabled
- mount your avahi service folder e.g.
-
Samba
- https://github.com/willtho89/docker-samba-timemachine/
- https://github.com/sp00ls/SambaConfigs very interessting multi user timemachine setup
- https://wiki.samba.org/index.php/Configure_Samba_to_Work_Better_with_Mac_OS_X
- https://serverfault.com/questions/1010822/samba4-issues-with-time-machine-cannot-create-new-backup-on-samba-share
-
Avahi
You can't proxy the zeroconf inside the container to the outside, since this would need routing and forwarding to your internal docker0 interface from outside.
So you need to use the network=host
mode to enable zeroconf from within the container
You can just expose the needed Port 548 to the docker hosts port and install avahi. After that just add a new service which fits to your config.
If you have a more sophisticated network setup (vpn, different networks etc.) you might want to avoid using zeroconfig + avahi in combination with TimeMachine.
Zeroconf limits you to the autodiscovered mdns names ($AVAHI_NAME
+ .local
). So whenever your mac can't pic up this zeroconf configuration TimeMachine will not backup your machine.
This is not bad in a normal guy's personal homenetwork. Here it would backup everytime the user is at home and has all devices (and his backup nas) in one LAN.
To overcome this issue, I'd suggest to connect your NAS/Samba Server manually using Finder
-> Go -> Connect to Server (or shortcut ⌘k
).
Enter the FQDN or IP of the server and the path to your timemachine share you want to connect to and establish the connection.
Once the connection is established, you can open Settings
-> TimeMachine and add/choose this newly connected share as your place to store your backups. You'll notice that it now shows the FQDN or IP you choose.
If you already used this NAS but with zeroconf it should detect that there are already backups for your mac and asks/continues using them - so a full backup shouldn't be required if you switch your connection method.
After you made this more explicit network configuration it will backup as soon as your device is reachable - so if a connection via VPN or cause of network cascading is possible. this way you can backup from any network as long as routing works :)
For the Windows 10 Network Discovery the hostname
of the container is used.
If you use network_mode: host
then it's the docker-host hostname
.
If you use any other network_mode
and want to avoid the autogenerated cryptic hostname of the container, you can specify
a explicit hostname using: hostname: my-samba-containers-hostname
- WSD
Note: This wsdd2
service seems to need CAP_NET_ADMIN
as a capability. (more info: #50)
cap_add:
- CAP_NET_ADMIN