[Samba] sambatool online backups

Matt Ivie Matt.Ivie at IONData.Systems
Tue Nov 2 19:48:22 UTC 2021 

On Tue, 2021-11-02 at 19:34 +0000, Rowland Penny via samba wrote:
> On Tue, 2021-11-02 at 12:00 -0700, Matt Ivie via samba wrote:
> > I'm running samba 4.9.5 on Debian Buster and trying to use samba-
> > tool
> > to do an online backup of the domain. I'm not having very good
> > luck.
> 
> I would suggest you upgrade Samba, there have been quite a few
> updates
> to the online backup tool since 4.9.5
> 
> > I'm running into an error which has been on this mailing list
> > previously.
> > 
> > Here is the error:
> > 
> > Cloned domain ------ (SID S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-
> > xxxxxxxxxx)
> > ERROR(runtime): uncaught exception - (3221225506, '{Access Denied}
> > A
> > process has requested access to an object but has not been granted
> > those access
> > rights.')                                                    
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 177, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-
> > packages/samba/netcmd/domain_backup.py", line 243, in run
> >     backup_online(smb_conn, sysvol_tar,
> > remote_sam.get_domain_sid())
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line
> > 499,
> > in
> > backup_online
> >     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line
> > 322,
> > in
> > get_acl
> >     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
> > 
> > The solution given in those threads was to do an offline backup
> > using
> > samba 4.10. I will likely upgrade to samba 4.10 at some point in
> > the
> > future but not at the moment. My question is whether anyone has
> > come
> > up
> > with a way to resolve this issue, or if there is a different way I
> > can
> > backup.
> 
> It works for myself (on a later Samba version).
> 
> > Shouldn't I be able to shut down my samba service and make a full
> > backup of the /var/run/samba directory?
> 
> No, do not do that, you backup the domain, not the DC and that will
> backup the DC.
> 
Thanks for the quick response.

The reason I proposed that is that I can have bareos run a command to
stop my DC, backup the dir, then restart it. Primarily for system
failure restorations.

> What is the actual command you ran ?
> 
samba-tool domain backup online --targetdir=smb-ad-online-backup --
server=Harveydc0 -UAdministrator
> Rowland
> 
> 
> 
> 
-- 
Matt Ivie
ION Data Systems
Sent Using Debian GNU/Linux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba/attachments/20211102/24962517/signature.sig>

More information about the samba mailing list