Issue getting credential spec (gMSA) working in docker-compose


I have a gMSA credential spec working with docker run but not with docker-compose. Details for the compose file and the docker run command are below. I'm completely lost as to what I'm missing. I did a lot of googling and I'm not sure what's going on. My primary thought is that something with the docker-compose file is off, but I'm not sure.

Docker-compose

version: '3.3'

services:
  basic:
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    entrypoint: ping -t localhost
    hostname: server01
    security_opt:
      - credentialspec=file://server01.json
    dns:
      - "192.168.43.2"
    user: "NT AUTHORITY\\NETWORK SERVICE"

networks:
  default:
    external:
      name: "Net"

After running docker-compose up

C:\Users\administrator> docker exec -it b9e2a783ab09 powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\> ipconfig

Windows IP Configuration


Ethernet adapter vEthernet (Ethernet) 10:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4416:3381:8d1a:122a%43
   Autoconfiguration IPv4 Address. . : 169.254.18.42
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
PS C:\> ipconfig /renew

Windows IP Configuration


Ethernet adapter vEthernet (Ethernet) 10:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::4416:3381:8d1a:122a%43
   IPv4 Address. . . . . . . . . . . : 192.168.43.198
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
PS C:\> nslookup testdomain.local
Server:  UnKnown
Address:  192.168.43.2

Name:    testdomain.local
Addresses:  192.168.43.2
          192.168.52.133

PS C:\> nltest /sc_verify:testdomain.local
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

docker run

docker run -it --security-opt "credentialspec=file://server01.json" --user="nt authority\system" --hostname="server01" --network="Net" --dns="192.168.43.2" mcr.microsoft.com/windows/servercore:ltsc2019 powershell
PS C:\> nslookup testdomain.local
Server:  UnKnown
Address:  192.168.43.2

Name:    testdomain.local
Addresses:  192.168.43.2
          192.168.52.133

PS C:\> nltest /sc_verify:testdomain.local
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\dc01.testdomain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
PS C:\>

There are 2 best solutions below


Use double quotes:

security_opt:
  - "credentialspec=file://server01.json"

Hey so I'm leaving this up as a mark of shame.

Notice that I used different users? Turns out I needed to use system and not the network service account. That fixed it.
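Putting the two answers together, this is the question's compose file with the quoted security_opt and the SYSTEM user applied. It is an added example assembled from the thread, not a file anyone posted; the comment about the host's CredentialSpecs directory describes Docker's default location for file:// credential specs on Windows and is not stated in the thread.

```yaml
version: '3.3'

services:
  basic:
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    entrypoint: ping -t localhost
    # Hostname kept as in the question; it matches the gMSA name (server01).
    hostname: server01
    security_opt:
      # Quoted, as the first answer suggests. The file:// name is resolved
      # against the host's Docker credential-spec directory
      # (C:\ProgramData\Docker\CredentialSpecs), not the compose project folder.
      - "credentialspec=file://server01.json"
    dns:
      - "192.168.43.2"
    # The asker's own fix: run as SYSTEM instead of NETWORK SERVICE, matching
    # the --user value that worked in the docker run command.
    user: "NT AUTHORITY\\SYSTEM"

networks:
  default:
    external:
      name: "Net"
```

After docker-compose up, the same nltest /sc_verify:testdomain.local check from the question run inside the container should report NERR_Success as it did in the docker run session.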