[Samba] GPO backup/restore questions

Anton Shevtsov shevtsovay at basealt.ru
Thu Sep 7 08:34:45 UTC 2023


07.09.2023 13:04, Kees van Vloten via samba wrote:
> On 07-09-2023 07:03, Anton Shevtsov via samba wrote:
>> Hi all,
>>
>> I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore , 
>> but I have two questions
>>
>> Q1)
>>
>> I want to back up a GPO from domain ABC.XYZ and restore it to domain AAA.BBB
>>
>> On ABC.XYZ I make a backup
>>
>> [root at dc.abc.xyz ~]#  samba-tool gpo backup 
>> --tmpdir=/root/gpo/computer/ --generalize 
>> --entities=/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent 
>> '{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}'
>> GPO copied to 
>> /root/gpo/computer/policy/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}
>>
>> Attempting to generalize XML entities:
>> Entities successfully written to 
>> /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>>
>> [root at dc.abc.xyz ~]# cat 
>> /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>>
>> <!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ 
>> "machine-startup-script.sh
>> ">
>>
>> Go to AAA.BBB and try to restore
>>
>> [root at dc.aaa.bbb ~]#  samba-tool gpo restore StartUp-Script 
>> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ 
>> --use-kerberos=required 
>> --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
>> ERROR: Entities file does not appear to conform to format
>> e.g. <!ENTITY entity "value">
>>
>> Must I replace ENTITY SAMBA__NETWORK_PATH__ in
>> /tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent ?
>> Replace it with what?
>>
>> Q2) I don't understand why the Kerberos ticket is not used.
>>
>> I specified --use-kerberos=required
>>
>> [user at dc.aaa.bbb ~]$  kinit administrator
>> Password for administrator at AAA.BBB:
>> Warning: Your password will expire in 27 days on Чт 05 окт 2023 09:44:26
>> [user at dc.aaa.bbb ~]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_500
>> Default principal: administrator at AAA.BBB
>>
>> Valid starting       Expires              Service principal
>> 07.09.2023 09:53:08  07.09.2023 19:53:08 krbtgt/AAA.BBB at AAA.BBB
>>        renew until 08.09.2023 09:53:05
>>
>> [user at dc.aaa.bbb ~]$  samba-tool gpo restore StartUp-Script 
>> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ 
>> --use-kerberos=required
>> Using temporary directory /tmp/.private/user/tmpstcd1nbi (use 
>> --tmpdir to change)
>> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>
>> [user at dc.aaa.bbb ~]$  samba-tool gpo restore StartUp-Script 
>> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ 
>> --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
>> Using temporary directory /tmp/.private/user/tmptj4bgfkf (use 
>> --tmpdir to change)
>> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>
>> [user at dc.aaa.bbb ~]$  samba-tool gpo restore StartUp-Script 
>> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ 
>> --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
>> Using temporary directory /tmp/.private/user/tmp271bduk7 (use 
>> --tmpdir to change)
>> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>
>> -- 
>>
>> Anton
>
> I had the same issue some 1.5 years ago. I worked back then with David 
> Mulder on an alternative solution, which is finally released as part 
> of 4.19.
>
> Instead of backup/restore, I keep the GPOs as source code (json files 
> for the regpol GPOs) and generate them in each domain from the source 
> code.
>
> In 4.19 there is "samba-tool gpo load --content <json-file>" to load 
> the json into an existing GPO. There is also "samba-tool gpo create" 
> to initially create one.
>
> And there is the reverse operation to show the json content of a 
> regpol GPO: "samba-tool gpo show". Now you can store everything in git 
> and manage it with a set of scripts.
>
> - Kees.
>
>
I use samba-4.16.11 (there is no more modern version in my repo).

I fixed the entity XML:

cat /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent

<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ 
"machine-startup-script.sh
">

Pay attention to the "> on a new line. If I fix it, the import succeeds (or does it?):

sed -r ':a;N;$!ba;s/\n//g;s/">/">\n/' 
/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent

[user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script2 
/tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ 
--use-kerberos=required 
--entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
Using temporary directory /tmp/.private/user/tmpl22krcs3 (use --tmpdir 
to change)
Password for [administrator at TEST.ALT]:
GPO 'StartUp-Script2' created as {D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
WARNING: No such parser for machine-startup-script.sh
WARNING: Falling back to simple copy-restore.

But the Kerberos ticket is not used (why?)

[user at dc.aaa.bbb ~]$ samba-tool gpo listall --use-kerberos=required | 
grep -A 2 '{D83FB52C-FEDB-4599-82BC-7D67E942AB4E}'
GPO          : {D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
display name : StartUp-Script2
path         : 
\\test.alt\sysvol\test.alt\Policies\{D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
dn           : 
CN={D83FB52C-FEDB-4599-82BC-7D67E942AB4E},CN=Policies,CN=System,DC=test,DC=alt 

version      : 0
flags        : NONE

For samba-tool gpo listall the Kerberos ticket is used (no password prompt).

--
Anton
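The format problem in this thread (the closing "> of the entity declaration landing on its own line, which `samba-tool gpo restore` rejects) can be checked before running the restore. The script below is an added example, not code from Samba or from the thread: it re-joins multi-line `<!ENTITY ...>` declarations the way the sed one-liner above does (but for every declaration, not only the first), and then validates each line against the `<!ENTITY entity "value">` shape quoted in the error message. The exact name charset and the one-declaration-per-line rule are assumptions taken from that error text, not a transcript of Samba's real parser; the sample file content is reconstructed from the thread.

```python
import re
import sys

# Constructed sample: the .ent file as it appeared in the thread, with the
# closing "> pushed onto a third line. This is the shape that produced
# "ERROR: Entities file does not appear to conform to format".
BROKEN_ENT = (
    '<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ \n'
    '"machine-startup-script.sh\n'
    '">\n'
)

# One well-formed declaration per line: <!ENTITY name "value">
# Assumption: names are XML-name-like and values contain no quote or newline.
ENTITY_RE = re.compile(r'^<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"\n]*)"\s*>$')


def normalize_entities(text: str) -> str:
    """Join every multi-line <!ENTITY ...> declaration onto a single line.

    Same idea as the sed command in the thread: drop all newlines, then put
    one declaration per line by re-inserting a newline after each '">'.
    """
    joined = text.replace('\n', '')
    return joined.replace('">', '">\n')


def parse_entities(text: str) -> dict[str, str]:
    """Parse an entities file into {name: value}.

    Raises ValueError naming the first line that does not match the
    <!ENTITY entity "value"> shape, so the problem is visible before
    samba-tool gpo restore is run.
    """
    entities: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = ENTITY_RE.match(line.strip())
        if match is None:
            raise ValueError(f'line {lineno} does not conform: {line!r}')
        entities[match.group(1)] = match.group(2)
    return entities


def check_entities_file(text: str) -> bool:
    """True if the file already parses without normalization."""
    try:
        parse_entities(text)
    except ValueError:
        return False
    return True


if __name__ == '__main__':
    # Usage: python ent_fix.py <file.ent>  (prints the normalized file to stdout)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_ENT
    if check_entities_file(source):
        print('entities file already conforms', file=sys.stderr)
    fixed = normalize_entities(source)
    parse_entities(fixed)  # raise if still malformed
    sys.stdout.write(fixed)
```

Run it against the backed-up .ent file and redirect the output to a new file, then pass that file to `--entities=`; the script refuses (raises) if the joined result still does not parse, rather than handing a malformed file to the restore.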
