Avoid realm join and use adcli join directly.

Dockerfile

@@ -3,6 +3,7 @@ FROM debian:bookworm
 MAINTAINER Roman VANICEK <roman.vanicek@ivasoft.cz>
 
 ENV ADMIN_PASSWORD_SECRET=samba-admin-password \
+    ADMIN_ACCOUNT=Administrator
     BIND_INTERFACES_ONLY=yes \
     INTERFACES="lo eth0" \
     LOG_LEVEL=1 \

entrypoint.sh

@@ -24,18 +24,35 @@ if [ ! -f /var/lib/samba/private/secrets.tdb ]; then
     exit 1
   fi
   ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)
-  if [ "$BIND_INTERFACES_ONLY" == "yes" ]; then
-    INTERFACE_OPTS="--option=\"bind interfaces only=yes\" \
-      --option=\"interfaces=$INTERFACES\""
-  fi
-  PROVISION_OPTS="$REALM MEMBER -UAdministrator --password='$ADMIN_PASSWORD'"
 
   rm -f /etc/samba/smb.conf /etc/krb5.conf
   mkdir -p /var/lib/samba/private
 
-  # This step is required for INTERFACE_OPTS to work as expected
+  # realm join is broken as it requires --privileged but difficult to add for swarm
-  #echo "samba-tool domain join $PROVISION_OPTS $INTERFACE_OPTS" | sh
+  # so it can execute /usr/sbin/adcli. Therefore we execute it directly and create
-  echo $ADMIN_PASSWORD|realm join -v $REALM --user=Administrator
+  # the /etc/sssd/sssd.conf manually
+  # echo $ADMIN_PASSWORD|realm join -v $REALM --user=Administrator
+  echo $ADMIN_PASSWORD|/usr/sbin/adcli join --verbose --domain $DOMAIN --domain-realm $REALM --login-type user --login-user $ADMIN_ACCOUNT --stdin-password
+  echo -e "[sssd] \n\
+domains = $DOMAIN \n\
+config_file_version = 2 \n\
+services = nss, pam \n\
+\n\
+[domain/$DOMAIN] \n\
+default_shell = /bin/bash \n\
+krb5_store_password_if_offline = True \n\
+cache_credentials = True \n\
+krb5_realm = $REALM \n\
+realmd_tags = manages-system joined-with-adcli \n\
+id_provider = ad \n\
+fallback_homedir = /home/%u@%d \n\
+ad_domain = $DOMAIN \n\
+use_fully_qualified_names = True \n\
+ldap_id_mapping = True \n\
+access_provider = ad" > /etc/sssd/sssd.conf
+
+  # SSSD is picky about the mask and fails to start otherwise
+  chmod 600 /etc/sssd/sssd.conf
 
   mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
   echo 'root = administrator' > /etc/samba/smbusers