What is the General Hospital Lab?
The General Hospital Lab is a self-contained Active Directory domain running on Samba, in
Docker Compose, driven entirely from a .env file. It exists to be a realistic
target for testing anything that integrates with Active Directory: directory
reads, Kerberos and LDAP binds, SMB file access with group-based permissions, an
AD-published print server, and service-account delegation.
It is themed as General Hospital (GH), a small-city hospital that owns a set of specialty clinics. That theme is not decoration. A hospital is the kind of organisation that genuinely needs layered, group-based access control: clinicians who can see patient records, back-office staff who cannot, shared folders per clinic, and an all-staff space everyone reads but few can write. The lab uses that scenario to exercise real Samba access control end to end.
Why it exists
The lab started as a target for faxart, a fax broker that needs a domain to authenticate against, fax mailboxes to deliver to, and a print server to spool through. Rather than mock those one at a time, the lab provides the real wire protocols so the broker (and anything like it) can be tested against behaviour that matches production, not a stub.
That goal shapes every decision here. Where a shortcut would change the observable behaviour, the lab takes the longer path so the thing under test sees what it would see against a real Windows environment.
The cast
The directory is populated with a memorable cast so you can reason about access without memorising UUIDs.
- The ER (TV show) cast are the clinical staff: doctors and nurses seeded into OU=Clinical with a role and a clinic, for example john.carter in Cardiology or doug.ross in Pediatrics.
- An 80s movie and music cast are the back-office admin staff: ellen.ripley and peter.venkman in Administration, madonna and tommy.tutone in Billing, prince and cyndi.lauper in Medical Records, marty.mcfly and john.mcclane in IT. They carry memorable phone and fax numbers (yes, tommy.tutone is reachable at 867-5309).
A third bench of famous movie and TV doctors (House, Bones McCoy, Doc Brown in Radiology, Doc Holliday in Dentistry, and the questionable-doctor lineup of Nick Riviera, Zoidberg, and Leo Spaceman in Urgent Care) staffs the expanded specialty model across eight towns. The full roster is in the cast reference and the famous-doctor cast.
What is inside
| Component | What it is | Role in the lab |
|---|---|---|
| samba-dc (dc1) | Writable Samba AD domain controller | DNS, Kerberos, LDAP, SMB, the domain itself |
| Hospital layer | OUs, managers, security groups, gated shares | The access-control scenario |
| print-server (print1) | Samba member server + CUPS | Windows-print-server stand-in (77 queues) |
| print-snmp / print-ipp | snmpsim + ippeveprinter sidecars | The printer device side (status, supplies, IPP) |
| rodc (rodc1) | Read-only domain controller | Exercising write-referral and credential chaining |
Everything is disposable: all state lives in named Docker volumes, provisioning
is idempotent, and make nuke resets the whole domain when you want to start
over.
Where to go next
- Never run it before? Start with the tutorial: Stand up the lab.
- Want the shape of the system first? Read Architecture at a glance.
- Looking for a specific command? Jump to the make target reference.