[PATCH] Add a new tool, 'samba-tool domain clone'
Andrew Bartlett
abartlet at samba.org
Wed Aug 19 22:07:16 UTC 2015
On Wed, 2015-08-19 at 06:56 +0200, Stefan Metzmacher wrote:
> Hi Andrew,
>
> > > > If you just want to test the replication you can use net rpc vampire keytab,
> > > > but I guess it's not just replication you want to test...
> > No, what I'm interested in is joining a domain without creating
> > objects, to confirm:
> > - that we can indeed import the schema
> > - that the import is correct (we can use tools like ldapcmp to
> > verify)
> > - that we support the functional levels etc
> >
> > The idea is that we would encourage admins to run 'samba-tool domain clone'
> > as a discovery measure, before committing to having Samba objects in their
> > directory, that would have to be removed again.
> >
> > To make it even safer, I've extended the tool to have a --include-secrets
> > option that asks the Windows 2008 or later server not to send us the secret
> > values, and to make decrypting them fail if we get them regardless. This
> > would allow us as developers to obtain a copy of a failing Samba domain from
> > production sites for analysis, without risking the most private values.
>
> Ok.
>
> I'm still not really happy with the name 'samba-tool domain clone'.
> I'd like to make it more obvious that this is just for testing/simulating.
> Maybe something like 'samba-tool domain simulate-initial-replication',
> but that's a bit long. Any better ideas?
I understand your concerns, and I'll think about a better name.
> > > > > > > > What is the desired result of this having an exact copy of the
> > > > > > > > other DC? Including the same name, ntds guid and its original
> > > > > > > > invocationID?
> > > >
> > > > But the ipaddress will be different?
> > > >
> > > > What is the desired action an admin would like to do with the result
> > > > of this operation?
> > - Know that DRS replication to Samba is possible
> > - Hold a copy of the Windows/Samba AD database for analysis
> > - Permit the above with redaction of secrets
> > See attached (with the other patches from my domain-clone branch)
>
> Ok.
>
> > --- a/python/samba/netcmd/domain.py
> > +++ b/python/samba/netcmd/domain.py
> > @@ -657,6 +657,7 @@ class cmd_domain_clone(Command):
> > Option("--server", help="DC to join", type=str),
> > Option("--targetdir", help="where to store provision",
> > type=str),
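Review bot: nothing in this hunk makes --targetdir mandatory; it is declared as a plain optional string next to --server, so a run that omits it falls through to the command's normal provision location, which is the system-prefix concern raised in the reply below. Enforce it in the command's run() (raise CommandError when --targetdir is unset) rather than relying on the help text, and say so in the help, e.g. help="directory to store the cloned provision in (required)". The same check is worth applying to --server, since a clone cannot proceed without a DC to pull from.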
>
> Can we make this argument mandatory, we should not write into the system
> prefix.
Certainly.
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
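The two safeguards discussed in this thread, a mandatory --targetdir that must lie outside the system prefix and a clone that withholds secrets unless --include-secrets is given and fails if they arrive anyway, as an added sketch in plain Python; this is not code from the patch or from Samba, and SYSTEM_PREFIX, SECRET_ATTRS, CloneError and the numeric flag value are assumptions made so it runs without the samba package.

```python
# Added example, not Samba's own code: models the clone safety checks from the
# thread so they can be run stand-alone. Names and values below are assumptions.
import os

# Assumed install prefix; in samba-tool this would come from the build config.
SYSTEM_PREFIX = "/usr/local/samba"

# Attributes that carry password material in AD replication. Illustrative
# list for this sketch, not Samba's authoritative set.
SECRET_ATTRS = {"unicodePwd", "dBCSPwd", "ntPwdHistory", "lmPwdHistory",
                "supplementalCredentials", "trustAuthIncoming",
                "trustAuthOutgoing", "currentValue", "priorValue"}

# MS-DRSR flag that asks the source DC to strip secrets from replication
# replies (DRS_SPECIAL_SECRET_PROCESSING); value assumed for self-containment.
DRS_SPECIAL_SECRET_PROCESSING = 0x00000004


class CloneError(Exception):
    """Stand-in for the CommandError a samba-tool command would raise."""


def validate_targetdir(targetdir):
    """Require --targetdir and refuse any path inside the system prefix."""
    if not targetdir:
        raise CloneError("--targetdir is mandatory for a clone")
    target = os.path.realpath(targetdir)
    prefix = os.path.realpath(SYSTEM_PREFIX)
    if target == prefix or target.startswith(prefix + os.sep):
        raise CloneError("refusing to clone into the system prefix: %s" % target)
    return target


def replication_flags(include_secrets, base_flags=0):
    """First line of defence: without --include-secrets, ask the server to
    withhold secret values from the replication stream."""
    if include_secrets:
        return base_flags
    return base_flags | DRS_SPECIAL_SECRET_PROCESSING


def check_replicated_attrs(attr_names, include_secrets):
    """Second line of defence: if secret attributes arrive although we asked
    the server not to send them, fail rather than store or decrypt them.
    Returns the sorted list of secret attributes seen."""
    leaked = sorted(SECRET_ATTRS.intersection(attr_names))
    if leaked and not include_secrets:
        raise CloneError("server sent secret attributes we asked it to "
                         "withhold: " + ", ".join(leaked))
    return leaked
```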