[PATCH] Add a new tool, 'samba-tool domain clone'
metze at samba.org
Wed Aug 19 04:56:38 UTC 2015
>> > If you just want to test the replication you can use net rpc vampire keytab,
>> > but I guess it's not just replication you want to test...
> No, what I'm interested in is joining a domain without creating
> objects, to confirm:
> - that we can indeed import the schema
> - that the import is correct (we can use tools like ldapcmp to verify)
> - that we support the functional levels etc
> The idea is that we would encourage admins to run 'samba-tool domain
> clone' as a discovery measure, before committing to having Samba
> objects in their directory, that would have to be removed again.
> To make it even safer, I've extended the tool to have a
> --include-secrets option that asks the Windows 2008 or later server not to send
> us the secret values, and to make decrypting them fail if we get them
> regardless. This would allow us as developers to obtain a copy of a
> failing Samba domain from production sites for analysis, without
> risking the most private values.
I'm still not really happy with the name 'samba-tool domain clone'.
I'd like to make it more obvious that this is just for testing/simulating.
Maybe something like 'samba-tool domain simulate-initial-replication',
but that's a bit long. Any better ideas?
>>>> > > > What is the desired result of this having an exact copy of the
>>>> > > > other DC? Including the same name, ntds guid and its original
>>>> > > > invocationID?
>> > But the IP address will be different?
>> > What is the desired action an admin would like to do with the result of
>> > this operation?
> - Know that DRS replication to Samba is possible
> - Hold a copy of the Windows/Samba AD database for analysis.
> - Permit the above with redaction of secrets.
> See attached (with the other patches from my domain-clone branch)
> --- a/python/samba/netcmd/domain.py
> +++ b/python/samba/netcmd/domain.py
> @@ -657,6 +657,7 @@ class cmd_domain_clone(Command):
> Option("--server", help="DC to join", type=str),
> Option("--targetdir", help="where to store provision", type=str),
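Review bot: The `--server` help string in this hunk reads "DC to join", but the options belong to `cmd_domain_clone`, which the thread describes as not creating objects in the directory; wording such as "DC to clone from" would keep `--help` from suggesting a join. The `--targetdir` help ("where to store provision") also does not say what happens when the option is omitted, so the visible lines give an admin no way to tell where the cloned database will be written; state the behaviour in the help text or reject the command when it is missing.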
Can we make this argument mandatory, we should not write into the system