[Samba] GPO backup/restore questions
Anton Shevtsov
shevtsovay at basealt.ru
Mon Sep 11 04:18:40 UTC 2023
Hi
To summarize all of the above: do I understand correctly that GPO backup/restore will not work
correctly in 4.16, and that there is no point in working with this version?
Does it work in 4.19 (or maybe 4.17 or 4.18)?
07.09.2023 13:04, Kees van Vloten via samba wrote:
> On 07-09-2023 07:03, Anton Shevtsov via samba wrote:
>> Hi all,
>>
>> I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore ,
>> but I have two questions
>>
>> Q1)
>>
>> I want to back up a GPO from domain ABC.XYZ and restore it in domain AAA.BBB
>>
>> On ABC.XYZ I make a backup
>>
>> [root at dc.abc.xyz ~]# samba-tool gpo backup \
>>     --tmpdir=/root/gpo/computer/ --generalize \
>>     --entities=/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent \
>>     '{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}'
>> GPO copied to /root/gpo/computer/policy/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}
>>
>> Attempting to generalize XML entities:
>> Entities successfully written to
>> /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>>
>> [root at dc.abc.xyz ~]# cat /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>>
>> <!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__
>> "machine-startup-script.sh
>> ">
>>
>> Go to AAA.BBB and try to restore
>>
>> [root at dc.aaa.bbb ~]# samba-tool gpo restore StartUp-Script \
>>     /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ \
>>     --use-kerberos=required \
>>     --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
>> ERROR: Entities file does not appear to conform to format
>> e.g. <!ENTITY entity "value">
>>
>> Must I replace ENTITY SAMBA__NETWORK_PATH__ in
>> /tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent?
>> Replace it with what?
>>
>> Q2) I don't understand why the Kerberos ticket is not used.
>>
>> I specified --use-kerberos=required
>>
>> [user at dc.aaa.bbb ~]$ kinit administrator
>> Password for administrator at AAA.BBB:
>> Warning: Your password will expire in 27 days on Thu 05 Oct 2023 09:44:26
>> [user at dc.aaa.bbb ~]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_500
>> Default principal: administrator at AAA.BBB
>>
>> Valid starting Expires Service principal
>> 07.09.2023 09:53:08 07.09.2023 19:53:08 krbtgt/AAA.BBB at AAA.BBB
>> renew until 08.09.2023 09:53:05
>>
>> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script \
>>     /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ \
>>     --use-kerberos=required
>> Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir to change)
>> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>
>> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script \
>>     /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ \
>>     --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
>> Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir to change)
>> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>
>> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script \
>>     /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ \
>>     --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
>> Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir to change)
>> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>
>> --
>>
>> Anton
>
> I had the same issue some 1.5 years ago. I worked back then with David
> Mulder on an alternative solution, which is finally released as part
> of 4.19.
>
> Instead of backup/restore, I keep the GPOs as source code (json files
> for the regpol GPOs) and generate them in each domain from the source
> code.
>
> In 4.19 there is "samba-tool gpo load --content <json-file>" to load
> the json into an existing GPO. There is also "samba-tool gpo create"
> to initially create one.
>
> And there is the reverse operation to show the json content of a
> regpol GPO: "samba-tool gpo show". Now you can store everything in git
> and manage it with a set of scripts.
>
> - Kees.
>
>
>
--
Anton
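Added example for Q1, not from the thread and not Samba's own code: a small POSIX shell checker for the entities file that `samba-tool gpo backup --generalize --entities=` writes. It assumes (my understanding, not stated in the thread) that `samba-tool gpo restore --entities=` accepts only one complete `<!ENTITY name "value">` declaration per line and that a value which runs across a line break fails its format check. That is exactly the shape of the `cat` output above, where `"machine-startup-script.sh` and the closing `">` sit on separate lines. The script flags such lines and rejoins a wrapped declaration, dropping the embedded line break, which is right for a script name or network path but would not be right for a value that genuinely needs a newline. The sample file is constructed here from the thread's `cat` output; the entity value itself is still whatever you want it to resolve to in AAA.BBB.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): check and repair the
# entities file produced by "samba-tool gpo backup --generalize --entities="
# before passing it to "samba-tool gpo restore --entities=".
#
# Assumption: samba-tool accepts only one complete <!ENTITY name "value">
# declaration per line, so a value wrapped onto a following line (as in the
# cat output in the thread) is what triggers
#   ERROR: Entities file does not appear to conform to format

# Print every non-blank line that is not a single-line entity declaration.
# Exit status 0 if the file conforms, 1 if at least one offending line exists.
check_ent_file() {
    if grep -v -E '^[[:space:]]*$' "$1" |
       grep -v -E '^[[:space:]]*<!ENTITY[[:space:]]+[A-Za-z0-9_.]+[[:space:]]+"[^"]*"[[:space:]]*>[[:space:]]*$'
    then
        return 1        # grep printed at least one non-conforming line
    fi
    return 0
}

# Rejoin a declaration whose quoted value was wrapped onto following lines.
# Lines are accumulated until the number of double quotes seen is even, i.e.
# until the value is closed. The line break inside the value is dropped, which
# is what we want for a script name or UNC path that must never contain one.
normalize_ent_file() {
    awk '
        {
            if (pending == "") pending = $0; else pending = pending $0
            if ((split(pending, q, "\"") - 1) % 2 == 0) {
                print pending
                pending = ""
            }
        }
        END { if (pending != "") print pending }
    ' "$1"
}

# Constructed sample reproducing the wrapped declaration from the thread.
workdir=$(mktemp -d)
sample="$workdir/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent"
printf '%s\n%s\n' \
    '<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ "machine-startup-script.sh' \
    '">' > "$sample"

if check_ent_file "$sample"; then
    echo "entities file conforms"
else
    echo "rejoining wrapped declarations"
    normalize_ent_file "$sample" > "$sample.fixed"
    check_ent_file "$sample.fixed" && echo "fixed file: $(cat "$sample.fixed")"
fi
```

Run `check_ent_file` on the `.ent` before the restore; if it prints anything, run `normalize_ent_file` into a new file, re-check, and pass the new file to `--entities=`. The check is deliberately stricter than a DTD parser (no escaped quotes inside values), so a file it accepts is one whose every declaration fits on a single line.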