How to backup/restore in multipe DCs domain?

Stefan (metze) Metzmacher metze at samba.org
Mon Nov 4 00:40:57 MST 2013


Am 04.11.2013 07:53, schrieb Andrew Bartlett:
> On Sun, 2013-11-03 at 14:40 +0800, hyoscar wu wrote:
>> Hi list,
>>
>>   I refer https://wiki.samba.org/index.php/Backup_and_Recovery to do
>> backup/restore and my samba4 ADDC machine works well in single-DC doamin.
>>
>>   My multiple DCs domain test is as below:
>>
>>     machineA : samba-4.0.5 , create domain "abc.test"
>>     machineB : samba-4.0.5 , join "abc.test" as additional DC.
>>
>>     My scenario is machineA failed , I need to restore it.
>>
>>     1. After machineB joining, do backup in machineA.
>>     2. create some user accounts on machineA and machineB.
>>     3. A few minutes later, check database synchronized, both machine
>>       has same user accounts.
>>     4. restore machineA.
>>     5. A few minutes later, check database synchronized, both machine
>>       has same user accounts.
>>
>>   After these 5 steps, machineA gets user accounts from machineB but
>> machineA can not work well in many situation. For example, machineA can not
>> create user.
>>
>>     # /usr/local/samba/bin/samba-tool user add aaaq pass123 at aaaq
>>
>> ERROR(ldb): Failed to add user 'aaaq':  -
>> ../lib/ldb/ldb_tdb/ldb_index.c:1199: Failed to re-index objectSid in
>> CN=aaaq,CN=Users,DC=ggg,DC=org - ../lib/ldb/ldb_tdb/ldb_index.c:1131:
>> unique index violation on objectSid in CN=aaaq,CN=Users,DC=ggg,DC=org
>>
>>    I know that I can do seize role in machineB then machineA rejoin to
>> domain. I have some questions about samba4 backup/restore.
>>
>>     1. If samba4 backup/restore just for single DC domain?
>>     2. If not , how should I do in multiple DCs domain?
>>     3. If machineA failed, what is the best way to recover machineA? rejoin
>> domain , restore or any other way?
> 
> This is very serious.  It should not be possible to create duplicate
> SIDs, and this low-level check is the assertion that we have to ensure
> this really does not happen. 
> 
> Are you able to reproduce this at will?
> 
> My best guess is that that a RID set allocation was done, and that when
> machineA, the RID master was restored, the RID pool that was (in the
> future) allocated to machineB, was instead allocated to machineA.
> 
> If you allocated a lot of users, and used an earlier version of Samba
> 4.0 that had a bug around RID pool allocation (it requested them too
> often), then this could be even more likely to happen. 

In a multi dc environment you should *NEVER* ever restore from backup!
A backup is for an emergency case, where all dcs are destroyed.

You should just create a new dc.

It's the same reason why you should never restore vm snapshots of
(windows or samba)
domain controllers.

metze


More information about the samba-technical mailing list