smb.conf must define a member server

join domain also using "net ads join"
Service start commands.

entrypoint.sh

@@ -31,7 +31,7 @@ if [ ! -f /etc/samba/krb5.keytab ]; then
   # realm join is broken as it requires --privileged but difficult to add for swarm
   # so it can execute /usr/sbin/adcli. Therefore we execute it directly and create
   # the /etc/krb5.conf and /etc/sssd/sssd.conf manually
-  # echo $ADMIN_PASSWORD|realm join -v $REALM --user=Administrator
+  # echo $ADMIN_PASSWORD|realm join -v $REALM --user=$ADMIN_ACCOUNT
   echo $ADMIN_PASSWORD|/usr/sbin/adcli join --verbose --domain $DOMAIN --domain-realm $REALM --login-type user --login-user $ADMIN_ACCOUNT --stdin-password
   mv /etc/krb5.keytab /etc/samba/
 
@@ -105,6 +105,16 @@ fi
 
 pam-auth-update
 
+if [ ! -f /var/lib/samba/private/secrets.tdb ]; then
+  if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then
+    echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets'
+    exit 1
+  fi
+  ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)
+
+  net ads join -U"$ADMIN_ACCOUNT"%"$ADMIN_PASSWORD"
+fi
+
 echo 'Restarting Samba using supervisord'
 /etc/init.d/winbind stop
 /etc/init.d/nmbd stop

smb.conf.j2

@@ -4,7 +4,11 @@
 [global]
 	netbios name = {{ NETBIOS_NAME }}
 	realm = {{ REALM }}
-	server role = active directory domain controller
+	server role = member server
+      security = ads
+      local master = no
+      dedicated keytab file = /etc/samba/krb5.keytab
+      kerberos method = secrets and keytab
 	workgroup = {{ WORKGROUP }}
 
 	add machine script = /usr/sbin/adduser -D -H -G users -s /bin/false %u

supervisord.conf

@@ -3,7 +3,7 @@ nodaemon=true
 loglevel=info
 
 [program:smbd]
-command=/usr/sbin/smbd --daemon --foreground --log-stdout
+command=/usr/sbin/smbd --interactive
 redirect_stderr=true
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
@@ -11,9 +11,9 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 
 [program:nmbd]
-command=/usr/sbin/nmbd --daemon --foreground --log-stdout
+command=/usr/sbin/nmbd --interactive
 redirect_stderr=true
 
 [program:winbind]
-command=/usr/sbin/winbindd --daemon --foreground --stdout
+command=/usr/sbin/winbindd
 redirect_stderr=true