├── README.md
├── avahi
    └── Dockerfile
└── samba
    └── Dockerfile


/README.md:
--------------------------------------------------------------------------------
# Samba 4 + Alpine Linux Docker Image

This repository contains a basic Dockerfile for installing Samba 4
on Alpine Linux.

This is a solution for network filesharing. I use it on my self-built,
ZFS-based NAS server and connect up OSX, Linux, and Windows clients.

I was previously running Netatalk for Apple AFP support, however
I've found that Samba works reasonably well for me and it appears
that [Apple may start preferring Samba over AFP](http://appleinsider.com/articles/13/06/11/apple-shifts-from-afp-file-sharing-to-smb2-in-os-x-109-mavericks).

## Create Samba Configuration

Create the `smb.conf` configuration file. The following is an example:

```
[global]
workgroup = WORKGROUP
server string = %h server (Samba, Alpine)
security = user
map to guest = Bad User
encrypt passwords = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
disable netbios = yes
server role = standalone
server services = -dns, -nbt
smb ports = 445
;name resolve order = hosts
;log level = 3

[Dozer]
path = /dozer
comment = ZFS
browseable = yes
writable = yes
valid users = carol

[Shared]
path = /share
comment = Shared Folder
browseable = yes
read only = yes
write list = carol
guest ok = yes
```

For added security, you can control which interfaces Samba binds to and
which networks are allowed access. This is important if you're using
`--net=host` because Samba will bind to all interfaces by default and may
bind to an interface you hadn't intended.
Add to the `[global]` section:

```
hosts allow = 192.168.11.0/24 10.0.0.0/24
hosts deny = 0.0.0.0/0
interfaces = 192.168.11.0/24 10.0.0.0/24
bind interfaces only = yes
```

I'm experimenting with the following settings (in the `[global]` section)
to add default permissions for Windows clients, to enable extended features
for OSX clients, to enable recycle bins, and to be able to use ZFS's
POSIX-style ACLs:

```
create mask = 0664
directory mask = 0775
veto files = /.DS_Store/
nt acl support = no
inherit acls = yes
ea support = yes
vfs objects = catia fruit streams_xattr recycle
acl_xattr:ignore system acls = yes
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
```

## Running

Add/update the `-v` volumes below to match the shares defined in your
`smb.conf` file and run:

```
docker run -dt \
    -v $PWD/smb.conf:/etc/samba/smb.conf \
    -v $PWD/dozer:/dozer \
    -v $PWD/share:/share \
    -p 445:445 \
    --name samba \
    --restart=always \
    stanback/alpine-samba
```

You can replace `-p 445:445` with `--net=host` above if you want to use your
host's networking stack instead of Docker's proxy, but it's not necessary. You
can append additional arguments for `smbd` or append `--help` for a list of
options.
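
Before starting the container, and especially before switching to `--net=host`, the finished `smb.conf` can be checked against the interface, host and guest settings described above. The script below is an added example, not part of this repository: `audit_smb_conf` and its finding codes are hypothetical names, the sample config is constructed, and parameters are matched only as spelled in this README (plus the `public` and `allow hosts` synonyms).

```shell
#!/bin/sh
# Added example, not part of this repository. audit_smb_conf and its finding
# codes are hypothetical names; parameters are matched as spelled in the README.
# Prints one finding per line and returns 1 if anything was flagged.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function on(v)   { return v == "yes" || v == "true" || v == "1" }
    function flag(code, msg) { print code ": " msg; n++ }
    BEGIN { sec = "global" }   # lines before any header count as global here
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comment or blank line
    /^[ \t]*\[/ { sec = trim($0); gsub(/^\[|\].*$/, "", sec); next }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        if (tolower(sec) == "global") g[key] = val
        else if ((key == "guest ok" || key == "public") && on(val)) guest[sec] = 1
    }
    END {
        if (!on(g["bind interfaces only"]) || g["interfaces"] == "")
            flag("BIND", "interfaces / bind interfaces only not set, smbd binds to all interfaces")
        if (g["hosts allow"] == "" && g["allow hosts"] == "")
            flag("ALLOW", "hosts allow is not set, client networks are not restricted")
        if (!on(g["disable netbios"]) || g["smb ports"] != "445")
            flag("LEGACY", "disable netbios is not yes or smb ports is not exactly 445")
        for (s in guest)
            flag("GUEST", "[" s "] accepts connections without a password")
        exit (n > 0)
    }' "$@"
}

# Constructed sample: the README example without the interface/host settings.
audit_smb_conf <<'EOF' || echo "review the findings above before using --net=host"
[global]
security = user
map to guest = Bad User
disable netbios = yes
smb ports = 445

[Shared]
path = /share
read only = yes
guest ok = yes
EOF
```

Run it against the real file with `audit_smb_conf "$PWD/smb.conf"`. Samba's own `testparm -s` remains the authority on how the file is actually parsed.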

## Add Users

Once the server is running, you can add your users using the following:

```
docker exec -it samba adduser -s /sbin/nologin -h /home/samba -H -D carol
docker exec -it samba smbpasswd -a carol
```

## Check Status

Check the logs for startup errors (adjust log level in `smb.conf` if needed),
then connect a client and check the status:

```
docker logs -f --tail=100 samba
docker exec -it samba smbstatus
```

## SSDP / ZeroConf Service Discovery

For auto-discovery on Linux and OSX machines, we can use the
multicast-based mDNS and DNS-SD protocols (also known as Bonjour) using
Avahi daemon.

The main use-case for this project is for a standalone, personal or small
workgroup file server with a majority of clients on OSX or Linux. I've
made a choice to not support legacy protocols, including NetBIOS, WINS,
and the old Samba port `139`. Some of the issues with NetBIOS include
excessive broadcast packets, lack of IPv6 support, and easy spoofing.

Because of this, it means:

* For Windows clients, your Samba server won't be shown under network
  browsing. Microsoft has been adding support for DNS-SD functionality
  recently, so it's possible they will eventually support finding Samba
  shares using mDNS and DNS-SD. In the meantime, you can still connect
  directly to the IP or hostname to use the shares.

* Samba can act as a domain controller or join an NT domain but that is not
  supported with this configuration. I may put together a separate
  project that supports NetBIOS/WINS and can either join or act as a domain
  controller.

### Configuring Avahi Services

To announce Samba on your network, set up a file called `smb.services`
(below) in a new folder `services/`.
You can announce more services
here, such as SSH or SFTP.

```
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_smb._tcp</type>
    <port>445</port>
  </service>
  <service>
    <type>_device-info._tcp</type>
    <port>0</port>
    <txt-record>model=RackMac</txt-record>
  </service>
</service-group>
```

### Running

```
docker run -d \
    -v $PWD/services:/etc/avahi/services \
    --net=host \
    --name=avahi \
    --restart=always \
    stanback/alpine-avahi
```

It's possible to not use `--net=host`, and instead specify the port mapping
`-p 5353:5353/udp` and optionally giving your Docker container a hostname
with `--hostname=myhostname` but I haven't gotten it to work correctly.

## Client Configuration

Nothing special should need to happen on your clients; below are some
settings that may be tweaked.

### OSX

Disable writing .DS_Store files on network shares:

    defaults write com.apple.desktopservices DSDontWriteNetworkStores true

Disable netbios (be careful with this one):

    sudo launchctl disable system/netbiosd


--------------------------------------------------------------------------------
/avahi/Dockerfile:
--------------------------------------------------------------------------------
#
# Dockerfile for avahi
#

FROM alpine:edge

RUN apk add --update avahi && \
    sed -i 's/#enable-dbus=yes/enable-dbus=no/g' /etc/avahi/avahi-daemon.conf && \
    rm -rf /var/cache/apk/*

VOLUME /etc/avahi/services
EXPOSE 5353/udp

ENTRYPOINT ["avahi-daemon"]
CMD []

--------------------------------------------------------------------------------
/samba/Dockerfile:
--------------------------------------------------------------------------------
#
# Dockerfile for samba (without netbios)
#

FROM alpine:edge

RUN apk add --update \
    samba-common-tools \
    samba-client \
    samba-server \
    && rm -rf /var/cache/apk/*

EXPOSE 445/tcp

ENTRYPOINT ["smbd", "--foreground", "--log-stdout"]
CMD []

--------------------------------------------------------------------------------