.env variables
The entire lab is configured through .env (copied from .env.example). The
tables below group the variables by concern.
Active Directory identity
| Variable | Default | Purpose |
|---|---|---|
| COMPOSE_PROJECT_NAME | samba-dc | Container and volume namespace, so this stack does not clash with others |
| SAMBA_REALM | ad.example.com | DNS realm, upper-cased internally for Kerberos. Use a subdomain you control, never your bare public domain |
| SAMBA_DOMAIN | AD | NetBIOS short name. 15 chars or fewer, no dots, conventionally upper-case |
| SAMBA_ADMIN_PASSWORD | ChangeMe123! | Domain Administrator password. Must meet AD complexity: 8+ chars with three of upper, lower, digit, symbol |

| Variable | Default | Purpose |
|---|---|---|
| SAMBA_DNS_BACKEND | SAMBA_INTERNAL | SAMBA_INTERNAL (recommended) or BIND9_DLZ if you run BIND |
| SAMBA_DNS_FORWARDER | 1.1.1.1 | Upstream resolver for everything outside the AD zone |
Host binding
| Variable | Default | Purpose |
|---|---|---|
| SAMBA_HOST_IP | (blank) | The LAN IP the DC advertises in SRV/A records and referrals. Strongly recommended on a multi-homed host |
| SAMBA_INTERFACES | (blank) | Bind the DC to only these interfaces plus loopback, space-separated. Keeps Samba off port 53 on a bridge another resolver owns |
| SAMBA_HOSTNAME | dc1 | The DC’s machine name; becomes dc1.<realm> |
Home directories
| Variable | Default | Purpose |
|---|---|---|
| SAMBA_HOME_SHARE | home | Per-user home share name. Leave blank to disable home directories entirely |
| SAMBA_HOME_DRIVE | H: | The Windows drive letter the home maps to |
Print server
| Variable | Default | Purpose |
|---|---|---|
| PRINT_HOSTNAME | print1 | The print server’s hostname |
| PRINT_NETBIOS | PRINT1 | The print server’s NetBIOS name |
| PRINT_LAN_IP | 10.0.0.23 | Static macvlan IP. Must be free and outside your DHCP pool |
| PRINT_LAN_PARENT | br0 | The real LAN interface macvlan attaches to (e.g. br0, eth0, enp3s0) |
| PRINT_LAN_SUBNET | 10.0.0.0/24 | The LAN subnet the print server lives on |
| PRINT_LAN_GATEWAY | 10.0.0.1 | The LAN gateway |
Read-only domain controller
| Variable | Default | Purpose |
|---|---|---|
| RODC_HOSTNAME | rodc1 | The RODC’s hostname |
| RODC_LAN_IP | 10.0.0.24 | Static macvlan IP for the RODC. Reuses the PRINT_LAN_* parent, subnet, and gateway |
Printer device sidecars
| Variable | Default | Purpose |
|---|---|---|
| SNMP_LAN_IP | 10.0.0.25 | Static macvlan IP for the SNMP sidecar |
| IPP_LAN_IP | 10.0.0.26 | Static macvlan IP for the IPP sidecar |
| SNMP_COMMUNITY | public | SNMPv2c community for the default device. Per-device communities are the lowercased queue names (e.g. bmh12-plab) |
Miscellaneous
| Variable | Default | Purpose |
|---|---|---|
| TZ | UTC | Container timezone |
| SAMBA_LDAP_REQUIRE_STRONG_AUTH | yes | Require transport encryption for LDAP simple binds. Set no only if a sibling must bind read-only over plaintext LDAP on the private bridge |
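
A pre-flight check for the constraints stated in the tables above, as an added example that is not part of the lab's own tooling. The names parse_env, check_env and SAMPLE are hypothetical, and the code assumes the SNMP and IPP sidecars sit on PRINT_LAN_SUBNET like the RODC does; the check for the shipped default password is an addition, not a rule from the page.

```python
import ipaddress

DEFAULTS = {  # defaults copied from the tables above
    "SAMBA_DOMAIN": "AD", "SAMBA_ADMIN_PASSWORD": "ChangeMe123!",
    "PRINT_LAN_IP": "10.0.0.23", "RODC_LAN_IP": "10.0.0.24",
    "SNMP_LAN_IP": "10.0.0.25", "IPP_LAN_IP": "10.0.0.26",
    "PRINT_LAN_SUBNET": "10.0.0.0/24", "PRINT_LAN_GATEWAY": "10.0.0.1",
    "SAMBA_LDAP_REQUIRE_STRONG_AUTH": "yes",
}
# Constructed sample .env with deliberate mistakes (not from the project).
SAMPLE = "SAMBA_DOMAIN=CORP.LAB\nRODC_LAN_IP=10.0.0.23\nSNMP_LAN_IP=10.0.1.25\n"

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env(env):
    """Return findings for the constraints stated in the tables."""
    cfg = {**DEFAULTS, **env}
    findings = []
    if not 0 < len(cfg["SAMBA_DOMAIN"]) <= 15 or "." in cfg["SAMBA_DOMAIN"]:
        findings.append("SAMBA_DOMAIN: must be 1-15 chars with no dots")
    pw = cfg["SAMBA_ADMIN_PASSWORD"]
    kinds = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    if len(pw) < 8 or sum(any(k(c) for c in pw) for k in kinds) < 3:
        findings.append("SAMBA_ADMIN_PASSWORD: fails AD complexity")
    if pw == DEFAULTS["SAMBA_ADMIN_PASSWORD"]:  # added check, not a page rule
        findings.append("SAMBA_ADMIN_PASSWORD: still the shipped default")
    subnet = ipaddress.ip_network(cfg["PRINT_LAN_SUBNET"], strict=False)
    seen = {ipaddress.ip_address(cfg["PRINT_LAN_GATEWAY"]): "PRINT_LAN_GATEWAY"}
    # Assumption: the SNMP/IPP sidecars share PRINT_LAN_SUBNET like the RODC.
    for name in ("PRINT_LAN_IP", "RODC_LAN_IP", "SNMP_LAN_IP", "IPP_LAN_IP"):
        ip = ipaddress.ip_address(cfg[name])
        if ip not in subnet:
            findings.append(f"{name}: {ip} is outside {subnet}")
        if ip in seen:
            findings.append(f"{name}: {ip} collides with {seen[ip]}")
        seen.setdefault(ip, name)
    if cfg["SAMBA_LDAP_REQUIRE_STRONG_AUTH"].lower() != "yes":
        findings.append("SAMBA_LDAP_REQUIRE_STRONG_AUTH: plaintext simple binds allowed")
    return findings

if __name__ == "__main__":
    print("\n".join(check_env(parse_env(SAMPLE))))
```

Whether an address is actually free or outside the DHCP pool cannot be checked from the file alone; this only catches collisions among the lab's own static addresses and the gateway.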