How to setup local samba SMB server

justinc1 · justinc1 · commit 11867835b1e9 · 2025-09-08T21:46:12.000+02:00
Signed-off-by: Justin Cinkelj &lt;justin.cinkelj@xlab.si&gt;
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -109,6 +109,38 @@ Details:
 - IP 10.5.11.39 (see `tests/integration/integration_config.yml.j2`)
 - CI tests should use only `/cidata` and subdirectories
 
+#### Local SMB server
+
+Use `ci-infra/smb-server/compose.yml` to start a local SMB server.
+The HyperCore cluster needs to have access to the SMB server.
+Execute the commands on machine that is accessible to HyperCore cluster -
+e.g. VM on the HyperCore NUC.
+
+Usage:
+
+```bash
+cd ci-infra/smb-server/
+docker compose up
+
+# test it works
+smbclient "//IP_ADDRESS/Home" -U "alice%alipass" -D "/" -c "ls"
+smbclient "//IP_ADDRESS/Home" -U "alice%alipass" -D "/" -c "put compose.yml"
+smbclient "//IP_ADDRESS/Home" -U "alice%alipass" -D "/" -c "ls"
+```
+
+To use this SMB server in `ansible-test integration ...`,
+set in `tests/integration/integration_config.yml`:
+
+```yaml
+smb_server: "IP_ADDRESS"
+smb_share: "/home"
+smb_username: "alice"
+smb_password: "alipass"
+```
+
+Notice - windows SMB server username is `;administrator`, it starts with `;`.
+This Samba SMB server username does not start with `;`.
+
 ### CI NTP server
 
 NTP server is running on VM with github runner.
diff --git a/ci-infra/smb-server/compose.yml b/ci-infra/smb-server/compose.yml
@@ -0,0 +1,75 @@
+---
+# docker-compose.yml example for https://github.com/ServerContainers/samba
+
+services:
+  samba:
+    # build: .
+    # image: ghcr.io/servercontainers/samba
+    image: servercontainers/samba:smbd-only-a3.22.1-s4.21.4-r4
+    restart: always
+    # note that this network_mode makes it super easy (especially for zeroconf) but is not as safe as exposing ports directly
+    # more about that here: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#hostnetwork
+    network_mode: host
+    # uncomment to solve bug: https://github.com/ServerContainers/samba/issues/50 - wsdd2 only - not needed for samba
+    #cap_add:
+    #  - CAP_NET_ADMIN
+    environment:
+      # uncomment to enable fail fast (currently only fails fast if there are conflicts/errors during user/group creation)
+      #FAIL_FAST: 1
+
+      MODEL: 'TimeCapsule'
+      AVAHI_NAME: StorageServer
+
+      SAMBA_CONF_LOG_LEVEL: 3
+
+      # uncomment to disable optional services
+      WSDD2_DISABLE: 1
+      AVAHI_DISABLE: 1
+      NETBIOS_DISABLE: 1
+
+      GROUP_family: 1500
+
+      ACCOUNT_alice: alipass
+      UID_alice: 1000
+      GROUPS_alice: family
+
+      ACCOUNT_bob: bobpass
+      UID_bob: 1001
+      GROUPS_bob: family
+
+      # example for hashed password (user: foo | password: bar) - generated using create-hash.sh script.
+      ACCOUNT_foo: "foo:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:86C156FC198B358CCCF6278D8BD49B6A:[U          ]:LCT-61B0859A:"
+      # example for password hashes in the list format:
+      # - "ACCOUNT_foo=foo:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-5FE1F7DF:"
+      UID_foo: 1002
+      GROUPS_foo: family
+
+      SAMBA_VOLUME_CONFIG_shared_home: "[Home]; path=/shares/homes/%U; valid users = alice, bob, foo; guest ok = no; read only = no; browseable = yes"
+
+#      SAMBA_VOLUME_CONFIG_aliceonly: "[Alice Share]; path=/shares/alice; valid users = alice; guest ok = no; read only = no; browseable = yes"
+#      SAMBA_VOLUME_CONFIG_alicehidden: "[Alice Hidden Share]; path=/shares/alice-hidden; valid users = alice; guest ok = no; read only = no; browseable = no"
+
+#      SAMBA_VOLUME_CONFIG_bobonly: "[Bob Share]; path=/shares/bob; valid users = bob; guest ok = no; read only = no; browseable = yes"
+
+#      SAMBA_VOLUME_CONFIG_public: "[Public]; path=/shares/public; valid users = alice, bob, foo; guest ok = no; read only = no; browseable = yes; force group = family"
+#      SAMBA_VOLUME_CONFIG_public_ro: "[Public ReadOnly]; path=/shares/public; guest ok = yes; read only = yes; browseable = yes; force group = family"
+
+#      SAMBA_VOLUME_CONFIG_timemachine: "[TimeMachine]; path=/shares/timemachine/%U; valid users = alice, bob, foo; guest ok = no; read only = no; browseable = yes; fruit:time machine = yes; fruit:time machine max size = 500G"
+
+#      SAMBA_VOLUME_CONFIG_guestmultilineexample: |
+#        [Guest Share]
+#         path = /shares/guest
+#         guest ok = yes
+#         browseable = yes
+
+    volumes:
+#      - /etc/avahi/services/:/external/avahi
+
+      # avoid loops when mounting folders to /shares (I'd recommend explicit mapping for each share)
+#      - ./shares/alice:/shares/alice
+#      - ./shares/alice-hidden:/shares/alice-hidden
+#      - ./shares/bob:/shares/bob
+#      - ./shares/public:/shares/public
+#      - ./shares/homes:/shares/homes
+#      - ./shares/timemachine:/shares/timemachine
+      - ./shares-homes:/shares/homes
