Add support for Samba AD Member Servers

[jochenwezel]

I wand to run my classic samba member server in a docker container.

Therefore, I configured ENV with

• SAMBA_CONF_SERVER_ROLE=member server
• SAMBA_CONF_WORKGROUP=MY-DOMAIN
• SAMBA_GLOBAL_CONFIG_security=ADS
• SAMBA_GLOBAL_CONFIG_realm=MY.DOMAIN.ORG
• ...

The issue starts with the point that no winbind binary is available in image.
Next things are related to private secrets file (usually at /var/lib/samba/private/secrets.ldb) and a missing domain join and/or persisting domain membership on a permanent volume.

It would be fantastic if you can provide with an extended image/solution for this.

Additional clarifications and proposal

Scope:

• This is explicitly NOT about running a Samba AD DC.
• The goal is a classic Samba file server acting as an AD domain member (security = ADS).
• No interactive setup, no domain management functionality.

Proposed solution:

• Provide an additional image variant (e.g. smbd-winbindd-latest),
  similar to existing variants like smbd-only or smbd-wsdd2.
• Default images and behavior remain unchanged (no breaking changes).

Technical requirements for AD member operation:

• winbindd must be available and started alongside smbd.
• Domain membership data must be persistent across container restarts.
  In particular:
  • /var/lib/samba/private (secrets.ldb, machine account data)
  • optionally winbind state/cache, depending on implementation
• Recommended usage: dedicated persistent volume for private secrets.

Idempotent startup behavior:

• On container start, check if the system is already joined to the domain.
• If joined: do nothing.
• If not joined and credentials are provided: perform domain join.
• If credentials are missing: fail fast with a clear error message.

Diagnostics / low-cost preflight checks:

• Optional DNS resolution check for the AD domain (e.g. via host or nslookup)
• Optional winbind health checks (wbinfo -p / wbinfo -t)
• Clear log output so users can easily report issues.

Secrets handling:

• Support for credentials via mounted files or *_FILE environment variables
  (to avoid plain-text secrets in environment variables).

This would enable a well-defined and commonly used Samba setup
(AD member file server) while keeping maintenance and support effort low,
as the image would still follow the existing release and build cadence.

[jochenwezel]

Additional background process vs supervisor mechanisms

• Running smbd and winbindd together is straightforward and does not require a supervisor.
• smbd can remain PID 1, while winbindd is started in the background.
• Process failures are handled via Docker healthchecks and container restarts, consistent with the existing image design.

Binaries installation

apk add --no-cache samba-winbind samba-winbind-clients krb5 # maybe: samba-common-tools

Additional commands incl. fail-fast-check (recommended: additional logging on fail-fast)

winbindd --foreground -d 1 &
sleep 1
wbinfo -p >/dev/null 2>&1 || exit 1

Diagnostics / extended logging

ps aux | grep [w]inbindd || true
command -v wbinfo
wbinfo -t || true
wbinfo -u | head || true

First ideas for start-up checks

nslookup -type=SRV _kerberos._tcp.{domain-dns-name} || true
nslookup -type=SRV _ldap._tcp.{domain-dns-name} || true

First ideas for health checks

wbinfo -p >/dev/null 2>&1 || exit 1
wbinfo -t >/dev/null 2>&1 || exit 1