How to backup samba4

Andrew Bartlett abartlet at samba.org
Thu Aug 23 15:08:48 MDT 2012


On Thu, 2012-08-23 at 15:54 -0500, Ricky Nance wrote:
> - What do I have to backup from samba (besides the data on the shares) to
> restore the whole AD if necessary? (/usr/local/samba/private|etc|**var +
> sysvol + netlogon folder?
> 
> Let's say you have your samba4 install at /usr/local/samba, you will need to
> backup (at a minimum) /usr/local/samba/etc, /usr/local/samba/private
> and /usr/local/samba/sysvol (which has been moved in later release
> to /usr/local/samba/var/locks/sysvol). It's really important to ensure that
> you backup ACLs as they are stored on the filesystem not in a tdb or ldb
> (unless you have this in your config, again not recommended). If you don't
> get the ACLs backed up, then you are in for a LONG restore, however I
> think Andrew is working on some samba-tool commands to make this a bit
> easier for future installs, but even then it will not know what you have on
> your current install, so at best it will only do defaults. Currently in the
> master git there is a way to restore your sysvol ACLs to default, this is
> part of a patch for Domain Admins being able to modify/create GPOs, but
> this code could be (and I think will be at some point) expanded to work
> with other shares.

What I have is a tool to reset the GPO and sysvol permissions to the
defaults (samba-tool ntacl sysvolreset) which should be helpful. It
isn't possible to make this tool generic (because what permissions do
you want!), but what we can do is write a tool to migrate ntacls between
xattr and database formats, which could ease backup/restore in some
situations (i.e. put it in a tdb just before the backup).

It is better if your backup can preserve the file system extended
attributes, however.

> By the way, the sysvol directory by default has all the GPOs and your
> netlogon info, so there is no need to backup sysvol and netlogon. I have
> not seen any case where var, include, share, lib, bin or sbin need to be
> backed up, but if you are paranoid, they normally aren't too large. I have
> a couple of large msi files (around 350mb) sitting in my GPOs and my
> entire samba directory is only 605mb. I have around 350 users and 250
> machines. It is also worth mentioning if you are using bind9 dlz, you need
> to backup the symlinks exactly in private/dns, otherwise your restore will
> work fine, but your zones won't update with your AD.
> 
> Hope this has answered your questions,
> Ricky

Thanks for the extra hints!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
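
Added example (not part of the thread and not Samba project code): a Python audit of a tar backup that reports sysvol entries archived without their NT ACL xattr and private/dns entries that were stored as plain files instead of links. It assumes the archive was written by GNU tar with --xattrs (which records each attribute as a SCHILY.xattr.<name> pax header), that the NT ACLs sit in the security.NTACL xattr, and the /usr/local/samba layout from the thread; audit_backup, build_sample_archive and the sample file names are constructed for illustration.

```python
import io
import tarfile

# GNU tar --xattrs stores each xattr as a pax record "SCHILY.xattr.<name>";
# xattr-backed Samba NT ACLs are assumed to live in security.NTACL.
NTACL_KEY = "SCHILY.xattr.security.NTACL"

def audit_backup(fileobj, sysvol="usr/local/samba/sysvol/",
                 dns="usr/local/samba/private/dns/"):
    """Return (sysvol entries lacking an NT ACL, dns links, dns plain files)."""
    no_acl, links, copies = [], [], []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = m.name.removeprefix("./").lstrip("/")
            if name.startswith(sysvol) and (m.isfile() or m.isdir()):
                if NTACL_KEY not in m.pax_headers:
                    no_acl.append(name)  # ACL was not captured for this entry
            elif name.startswith(dns):
                if m.issym() or m.islnk():
                    links.append((name, m.linkname))
                elif m.isfile():
                    copies.append(name)  # link was dereferenced or replaced
    return no_acl, links, copies

def build_sample_archive():
    """Constructed sample: a tiny pax archive imitating a Samba 4 backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        def add(name, acl=None, link=None, data=b"x"):
            ti = tarfile.TarInfo(name)
            if acl:
                ti.pax_headers = {NTACL_KEY: acl}
            if link:
                ti.type, ti.linkname = tarfile.SYMTYPE, link
                tar.addfile(ti)
            else:
                ti.size = len(data)
                tar.addfile(ti, io.BytesIO(data))
        base = "usr/local/samba/"
        add(base + "sysvol/example.test/Policies/GPT.INI", acl="constructed-acl")
        add(base + "sysvol/example.test/scripts/logon.bat")    # ACL missing
        add(base + "private/dns/linked.ldb", link="../linked.ldb")
        add(base + "private/dns/copied.ldb")                   # not a link
    buf.seek(0)
    return buf

if __name__ == "__main__":
    no_acl, links, copies = audit_backup(build_sample_archive())
    print("no NT ACL:", no_acl, "| dns links:", links, "| dns copies:", copies)
```

Any path in the first or third list means the backup would restore without the ACLs or link structure the thread says must be preserved.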



