[PATCH] Add a new tool, 'samba-tool domain clone'

Andrew Bartlett abartlet at samba.org
Wed Aug 19 02:21:06 UTC 2015


On Tue, 2015-08-18 at 09:36 +0200, Stefan Metzmacher wrote:
> Hi Andrew,
> 
> > > Am 17.08.2015 um 05:56 schrieb Andrew Bartlett:
> > > > This patch adds and tests 'samba-tool domain clone', a way to clone an
> > > > AD domain without adding Samba as a DC.  This allows us to confirm we
> > > > can migrate to Samba without harming the source domain.
> > > 
> > > As that seems to be more like a developer tool,
> > > which can be very dangerous for a random admin to try,
> > > I don't want this to be part of "samba-tool domain".
> > 
> > Why is it dangerous?
> 
> Because if you accidentally start it bad things happen,
> machine accounts may change their password here or there.

The secrets.ldb is not filled in, so the server cannot change its own
password, nor accept Kerberos binds.  I agree it could potentially
accept a bind for NTLM passwords, however, if the new --include-secrets
option has been set.

> > > I'd prefer a standalone script under source4/scripting/devel/.
> > > 
> > > Also from reading the patch it's not completely clear what
> > > part of the migration should be tested? Just the replication?
> 
> If you just want to test the replication you can use net rpc vampire keytab,
> but I guess it's not just replication you want to test...

No, what I'm interested in is joining a domain without creating
objects, to confirm:
 - that we can indeed import the schema
 - that the import is correct (we can use tools like ldapcmp to verify)
 - that we support the functional levels etc

The idea is that we would encourage admins to run 'samba-tool domain
clone' as a discovery measure, before committing to having Samba
objects in their directory, that would have to be removed again. 

To make it even safer, I've extended the tool to have a --include-secrets
option that asks the Windows 2008 or later server not to send us the
secret values, and to make decrypting them fail if we get them
regardless.  This would allow us as developers to obtain a copy of a
failing Samba domain from production sites for analysis, without
risking the most private values.

> > > What is the desired result of this having an exact copy of the
> > > other DC? Including the same name, ntds guid and its original
> > > invocationID?
> 
> But the IP address will be different?
> 
> What is the desired action an admin would like to do with the result of
> this operation?

- Know that DRS replication to Samba is possible
- Hold a copy of the Windows/Samba AD database for analysis
- Permit the above with redaction of secrets

See attached (with the other patches from my domain-clone branch).

Please review/push.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba

-------------- next part --------------
Attachments (non-text parts scrubbed by the list archive):

- 0001-dsdb-Add-functional-levels-for-2012-and-2012R2.patch (text/x-patch, 1300 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20150819/ef3c2c99/0001-dsdb-Add-functional-levels-for-2012-and-2012R2.bin>
- 0002-provision-Allow-more-OS-levels-in-sambadns.patch (text/x-patch, 1307 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20150819/ef3c2c99/0002-provision-Allow-more-OS-levels-in-sambadns.bin>
- 0003-samba-tool-Add-new-command-samba-tool-domain-clone.patch (text/x-patch, 17411 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20150819/ef3c2c99/0003-samba-tool-Add-new-command-samba-tool-domain-clone.bin>
- 0004-repl-Give-an-error-if-we-get-a-secret-when-not-expec.patch (text/x-patch, 6531 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20150819/ef3c2c99/0004-repl-Give-an-error-if-we-get-a-secret-when-not-expec.bin>
- 0005-samba-tool-domain-clone-Add-include-secrets-option.patch (text/x-patch, 6165 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20150819/ef3c2c99/0005-samba-tool-domain-clone-Add-include-secrets-option.bin>
- 0006-repl-Use-DSDB_REPL_FLAG_PRIORITISE_INCOMING-in-samba.patch (text/x-patch, 1035 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20150819/ef3c2c99/0006-repl-Use-DSDB_REPL_FLAG_PRIORITISE_INCOMING-in-samba.bin>