[PATCH] Add a new tool, 'samba-tool domain clone'

Stefan Metzmacher metze at samba.org
Wed Aug 19 04:56:38 UTC 2015

Hi Andrew,

>> > If you just want to test the replication you can use net rpc vampire 
>> > keytab,
>> > but I guess it's not just replication you want to test...
> No, what I'm interested in is joining a domain without creating
> objects, to confirm:
>  - that we can indeed import the schema
>  - that the import is correct (we can use tools like ldapcmp to verify)
>  - that we support the functional levels etc
> The idea is that we would encourage admins to run 'samba-tool domain
> clone' as a discovery measure, before committing to having Samba
> objects in their directory, that would have to be removed again. 
> To make it even safer, I've extended the tool to have a
> --include-secrets option that asks the Windows 2008 or later server not to send
> us the secret values, and to make decrypting them fail if we get them
> regardless.  This would allow us as developers to obtain a copy of a
> failing Samba domain from production sites for analysis, without
> risking the most private values. 


I'm still not really happy with the name 'samba-tool domain clone'.
I'd like to make it more obvious that this is just for testing/simulating.
Maybe something like 'samba-tool domain simulate-initial-replication',
but that's a bit long. Any better ideas?

>>>> > > > What is the desired result of this having an exact copy of the
>>>> > > > other DC? Including the same name, ntds guid and its original 
>>>> > > > invocationID?
>> > 
>> > But the ipaddress will be different?
>> > 
>> > What is the desired action an admin would like to do with the result
>> > of this operation?
> - Know that DRS replication to Samba is possible
> - Hold a copy of the Windows/Samba AD database for analysis.
> - Permit the above with redaction of secrets.
> See attached (with the other patches from my domain-clone branch)


> --- a/python/samba/netcmd/domain.py
> +++ b/python/samba/netcmd/domain.py
> @@ -657,6 +657,7 @@ class cmd_domain_clone(Command):
>          Option("--server", help="DC to join", type=str),
>          Option("--targetdir", help="where to store provision", type=str),
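Review bot: `--targetdir` is declared as a plain optional `Option` with no default visible in this hunk, yet the command writes a complete provision to wherever it points; consider making it required (or refusing to proceed when it is unset, before any replication traffic starts) so a clone can never land in a default location by accident. The help string "where to store provision" would also read more clearly as "directory in which to store the cloned provision", matching the phrasing of "DC to join" on the line above.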

Can we make this argument mandatory, we should not write into the system

