[Samba] GPO backup/restore questions

Kees van Vloten keesvanvloten at gmail.com
Thu Sep 7 08:45:31 UTC 2023


On 07-09-2023 10:34, Anton Shevtsov via samba wrote:
>
> 07.09.2023 13:04, Kees van Vloten via samba пишет:
>> On 07-09-2023 07:03, Anton Shevtsov via samba wrote:
>>> Hi all,
>>>
>>> I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore,
>>> but I have two questions.
>>>
>>> Q1)
>>>
>>> I want to back up a GPO from domain ABC.XYZ and restore it in domain AAA.BBB.
>>>
>>> On ABC.XYZ I make a backup:
>>>
>>> [root@dc.abc.xyz ~]# samba-tool gpo backup --tmpdir=/root/gpo/computer/ --generalize --entities=/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent '{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}'
>>> GPO copied to /root/gpo/computer/policy/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}
>>>
>>> Attempting to generalize XML entities:
>>> Entities successfully written to /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>>>
>>> [root@dc.abc.xyz ~]# cat /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>>>
>>> <!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ 
>>> "machine-startup-script.sh
>>> ">
>>>
>>> Go to AAA.BBB and try to restore:
>>>
>>> [root@dc.aaa.bbb ~]# samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
>>> ERROR: Entities file does not appear to conform to format
>>> e.g. <!ENTITY entity "value">
>>>
>>> Must I replace ENTITY SAMBA__NETWORK_PATH__ in
>>> /tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent?
>>> Replace it with what?
>>>
>>> Q2) I don't understand why the Kerberos ticket is not used.
>>>
>>> I specified --use-kerberos=required
>>>
>>> [user@dc.aaa.bbb ~]$ kinit administrator
>>> Password for administrator@AAA.BBB:
>>> Warning: Your password will expire in 27 days on Thu 05 Oct 2023 09:44:26
>>> [user@dc.aaa.bbb ~]$ klist
>>> Ticket cache: FILE:/tmp/krb5cc_500
>>> Default principal: administrator@AAA.BBB
>>>
>>> Valid starting       Expires              Service principal
>>> 07.09.2023 09:53:08  07.09.2023 19:53:08 krbtgt/AAA.BBB@AAA.BBB
>>>        renew until 08.09.2023 09:53:05
>>>
>>> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required
>>> Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir to change)
>>> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>>
>>> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
>>> Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir to change)
>>> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>>
>>> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
>>> Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir to change)
>>> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>>
>>> -- 
>>>
>>> Anton
>>
>> I had the same issue some 1.5 years ago. I worked back then with David
>> Mulder on an alternative solution, which was finally released as part
>> of 4.19.
>>
>> Instead of backup/restore, I keep the GPOs as source code (JSON files
>> for the regpol GPOs) and generate them in each domain from the source
>> code.
>>
>> In 4.19 there is "samba-tool gpo load --content <json-file>" to load 
>> the json into an existing GPO. There is also "samba-tool gpo create" 
>> to initially create one.
>>
>> And there is the reverse operation to show the JSON content of a
>> regpol GPO: "samba-tool gpo show". Now you can store everything in
>> git and manage it with a set of scripts.
>>
>> - Kees.
>>
>>
> I use samba-4.16.11 (there is no newer version in my repo).
If you are interested, I have patches for previous versions (it was
developed by David on 4.15). Since it is all Python code, you can
simply replace some Python files to get this functionality.
>
> I fixed the entity XML:
>
> cat /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>
> <!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ 
> "machine-startup-script.sh
> ">
>
> Pay attention to the "> on a new line. If I fix it, the import succeeds (or
> does it?):
>
> sed -r ':a;N;$!ba;s/\n//g;s/">/">\n/' 
> /tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script2 /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
> Using temporary directory /tmp/.private/user/tmpl22krcs3 (use --tmpdir to change)
> Password for [administrator@TEST.ALT]:
> GPO 'StartUp-Script2' created as {D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
> WARNING: No such parser for machine-startup-script.sh
> WARNING: Falling back to simple copy-restore.
>
> But the Kerberos ticket is not used (why?).
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo listall --use-kerberos=required | grep -A 2 '{D83FB52C-FEDB-4599-82BC-7D67E942AB4E}'
> GPO          : {D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
> display name : StartUp-Script2
> path         : \\test.alt\sysvol\test.alt\Policies\{D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
> dn           : CN={D83FB52C-FEDB-4599-82BC-7D67E942AB4E},CN=Policies,CN=System,DC=test,DC=alt
> version      : 0
> flags        : NONE
>
> For samba-tool gpo listall the Kerberos ticket is used (no password prompt).
>
> -- 
> Anton
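The entities-file failure in Q1 comes from the backup writing the entity value with a newline before the closing quote, so the single declaration spans two lines and the restore side rejects the file. The shell script below is an added example, not code from this thread or from Samba: it rewrites such a file so that every declaration sits on one line, then verifies the result against the `<!ENTITY name "value">` shape the error message asks for, and only replaces the target when that check passes. The sample file is constructed from the declaration quoted above; the function names and temporary paths are my own.

```shell
#!/bin/sh
# Added example (not Samba code): repair and verify an entities file written by
# "samba-tool gpo backup --generalize" before handing it to "gpo restore".

# Rewrite the file so each <!ENTITY ...> declaration occupies exactly one line.
# The backup emitted the value with a trailing newline before the closing '">',
# which is what the restore side's line-based format check rejects.
# Caveat: a value containing a literal '>' would be split here as well.
normalize_entities() {
    awk '
        BEGIN { RS = ">"; ORS = "" }            # one record per declaration
        {
            gsub(/\n/, "", $0)                  # drop newlines inside the declaration
            if ($0 ~ /[^ \t]/) print $0 ">\n"   # re-terminate; skip the trailing blank record
        }
    ' "$1"
}

# Every non-blank line must match: <!ENTITY name "value">
# Exit status 1 (and the offending lines on stdout) otherwise.
check_entities() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }
        !/^<!ENTITY[ \t]+[^ \t"]+[ \t]+"[^"]*">[ \t]*$/ {
            printf "line %d does not conform: %s\n", NR, $0
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Normalize $1 into $2, but only if the result passes the format check.
fix_entities() {
    tmp=$(mktemp) || return 1
    normalize_entities "$1" > "$tmp"
    if check_entities "$tmp" > /dev/null; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample: the two-line declaration quoted in the thread.
SAMPLE_ENT=$(mktemp)
printf '%s\n' \
    '<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ "machine-startup-script.sh' \
    '">' > "$SAMPLE_ENT"

# Usage: show the failure on the raw file, then the repaired single-line form.
check_entities "$SAMPLE_ENT" || echo "raw file rejected, repairing"
fix_entities "$SAMPLE_ENT" "$SAMPLE_ENT.fixed" && cat "$SAMPLE_ENT.fixed"
```

Run it on the DC before `samba-tool gpo restore --entities=...`; point `--entities` at the repaired file, and keep the raw backup untouched so the original value (including the stray newline) can still be inspected.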
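The GPO-as-code workflow Kees describes (samba-tool gpo create, gpo load --content, gpo show in Samba 4.19) sketched as a shell script. This is an added example, not Kees's scripts or Samba's code. The JSON field names (keyname, valuename, class, type, data) are the ones given in the `samba-tool gpo load --help` text as I recall it, so check that help on your version; the registry key, value names, GPO display name and file names are invented. The validation step runs offline; deploy_gpo needs a 4.19 DC and a domain-admin ticket, so it is defined but left commented out at the bottom.

```shell
#!/bin/sh
# Added example (not Samba code or the poster's scripts): keep a regpol GPO as
# a JSON source file, validate it, then create/load the GPO with samba-tool 4.19.

# Constructed source: two machine-side registry values. Key names and values
# are invented; the JSON field names follow "samba-tool gpo load --help".
write_sample_source() {
    cat > "$1" <<'EOF'
[
  {
    "keyname": "Software\\Policies\\Example\\Startup",
    "valuename": "ScriptName",
    "class": "MACHINE",
    "type": "REG_SZ",
    "data": "machine-startup-script.sh"
  },
  {
    "keyname": "Software\\Policies\\Example\\Startup",
    "valuename": "LogDirectory",
    "class": "MACHINE",
    "type": "REG_SZ",
    "data": "C:\\ProgramData\\Example\\logs"
  }
]
EOF
}

# Reject a source file before it touches SYSVOL: it must be a JSON list whose
# entries carry the five fields gpo load consumes and a valid class.
validate_source() {
    python3 - "$1" <<'EOF'
import json, sys
required = {"keyname", "valuename", "class", "type", "data"}
with open(sys.argv[1]) as f:
    entries = json.load(f)
ok = isinstance(entries, list) and all(
    isinstance(e, dict) and required <= set(e)
    and e["class"] in ("MACHINE", "USER", "BOTH")
    for e in entries)
sys.exit(0 if ok else 1)
EOF
}

# Look up a GPO GUID by display name in "samba-tool gpo listall" output
# (the "GPO : {guid}" / "display name : ..." layout shown in the thread).
gpo_guid_by_name() {
    samba-tool gpo listall | awk -v want="$1" '
        /^GPO / { guid = $3 }
        /^display name/ { sub(/^display name *: */, ""); if ($0 == want) print guid }'
}

# Create the GPO if missing, then load the entries. Run on the DC with a ticket
# or --use-kerberos=required. Assumes "gpo create" prints "created as {guid}",
# as the "gpo restore" output quoted above does.
deploy_gpo() {
    name=$1; src=$2
    validate_source "$src" || { echo "refusing to load invalid source $src" >&2; return 1; }
    guid=$(gpo_guid_by_name "$name")
    if [ -z "$guid" ]; then
        guid=$(samba-tool gpo create "$name" | sed -n 's/.*created as \({[^}]*}\).*/\1/p')
    fi
    samba-tool gpo load "$guid" --content="$src" || return 1
    samba-tool gpo show "$guid"      # dump what landed, for diffing against git
}

SRC=$(mktemp)
write_sample_source "$SRC"
validate_source "$SRC" && echo "source file $SRC is well-formed"
# deploy_gpo "StartUp-Script" "$SRC"   # uncomment on a 4.19 DC
```

Keeping the JSON under version control and running `samba-tool gpo show` after each load gives a diffable record of what each domain actually carries, which is the point of generating GPOs from source instead of moving backups between domains.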


