[Samba] GPO backup/restore questions
Kees van Vloten
keesvanvloten at gmail.com
Thu Sep 7 08:04:22 UTC 2023
On 07-09-2023 07:03, Anton Shevtsov via samba wrote:
> Hi all,
>
> I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore ,
> but I have two questions
>
> Q1)
>
> I want to back up a GPO from domain ABC.XYZ and restore it in domain AAA.BBB
>
> On ABC.XYZ I make a backup
>
> [root at dc.abc.xyz ~]# samba-tool gpo backup
> --tmpdir=/root/gpo/computer/ --generalize
> --entities=/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
> '{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}'
> GPO copied to
> /root/gpo/computer/policy/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}
>
> Attempting to generalize XML entities:
> Entities successfully written to
> /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>
> [root at dc.abc.xyz ~]# cat
> /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>
> <!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__
> "machine-startup-script.sh
> ">
>
> Go to AAA.BBB and try to restore
>
> [root at dc.aaa.bbb ~]# samba-tool gpo restore StartUp-Script
> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
> --use-kerberos=required
> --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
> ERROR: Entities file does not appear to conform to format
> e.g. <!ENTITY entity "value">
>
> Must I replace ENTITY SAMBA__NETWORK_PATH__ in
> /tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent? Replace
> it with what?
>
> Q2) I don't understand why the Kerberos ticket is not used.
>
> I specified --use-kerberos=required
>
> [user at dc.aaa.bbb ~]$ kinit administrator
> Password for administrator at AAA.BBB:
> Warning: Your password will expire in 27 days on Чт 05 окт 2023 09:44:26
> [user at dc.aaa.bbb ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: administrator at AAA.BBB
>
> Valid starting Expires Service principal
> 07.09.2023 09:53:08 07.09.2023 19:53:08 krbtgt/AAA.BBB at AAA.BBB
> renew until 08.09.2023 09:53:05
>
> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script
> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
> --use-kerberos=required
> Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir
> to change)
> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script
> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
> --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir
> to change)
> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script
> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
> --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir
> to change)
> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> --
>
> Anton
I had the same issue some 1.5 years ago. I worked back then with David
Mulder on an alternative solution, which is finally released as part of
4.19.
Instead of backup/restore, I keep the GPOs as source code (json files
for the regpol GPOs) and generate them in each domain from the source code.
In 4.19 there is "samba-tool gpo load --content <json-file>" to load the
json into an existing GPO. There is also "samba-tool gpo create" to
initially create one.
And there is the reverse operation to show the json content of a regpol
GPO: "samba-tool gpo show". Now you can store everything in git and
manage it with a set of scripts.
- Kees.
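The "GPO as source code" workflow from the reply, as an added example that is not code from the thread or from Samba: the policy is kept as JSON with a {domain} placeholder instead of a hard-coded path, rendered per domain, and pushed with the 4.19 `samba-tool gpo create` / `gpo load --content` commands named above. The JSON entry layout (keyname, valuename, class, type, data) and the registry key and script path are assumptions, and the GUID parsing relies only on `gpo create` printing the new GPO's GUID.

```python
import json
import re
import subprocess
import sys

# Constructed policy source (assumed entry layout of `samba-tool gpo show` /
# `gpo load --content` in 4.19). The {domain} placeholder replaces the
# SAMBA__NETWORK_PATH__ entity that the --generalize backup produced, so the
# same source renders for ABC.XYZ and AAA.BBB.
POLICY_SOURCE = [
    {
        "keyname": "Software\\Policies\\Samba\\Unix Settings\\Startup Scripts",
        "valuename": "Script",
        "class": "MACHINE",
        "type": "REG_SZ",
        "data": "\\\\{domain}\\SysVol\\{domain}\\scripts\\machine-startup-script.sh",
    }
]
REQUIRED = ("keyname", "valuename", "class", "type", "data")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def render(entries, domain):
    """Fill in {domain} and reject malformed entries before touching AD."""
    out = []
    for e in entries:
        missing = [k for k in REQUIRED if k not in e]
        if missing:
            raise ValueError(f"entry missing {missing}: {e}")
        if e["class"] not in ("MACHINE", "USER"):
            raise ValueError(f"bad class {e['class']!r}")
        r = dict(e)
        if isinstance(r["data"], str):
            r["data"] = r["data"].replace("{domain}", domain)
        out.append(r)
    return out


def load_cmd(gpo_guid, json_path):
    """`samba-tool gpo load` takes the GPO GUID, not its display name."""
    return ["samba-tool", "gpo", "load", gpo_guid, "--content", json_path]


def main(display_name, domain, json_path="policy.json"):
    with open(json_path, "w") as f:
        json.dump(render(POLICY_SOURCE, domain), f, indent=4)
    out = subprocess.run(["samba-tool", "gpo", "create", display_name],
                         check=True, capture_output=True, text=True).stdout
    guid = GUID_RE.search(out).group(0)  # GUID of the GPO just created
    subprocess.run(load_cmd(guid, json_path), check=True)
    return guid


if __name__ == "__main__":
    print(main(sys.argv[1], sys.argv[2]))  # e.g. StartUp-Script AAA.BBB
```

Run it on the target DC with credentials that may create GPOs; the rendered policy.json is what you keep in git, and `samba-tool gpo show <GUID>` gives you the reverse direction for diffing.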