[PATCH] Add a new tool, 'samba-tool domain clone'

Andrew Bartlett abartlet at samba.org
Wed Aug 19 22:07:16 UTC 2015


On Wed, 2015-08-19 at 06:56 +0200, Stefan Metzmacher wrote:
> Hi Andrew,
> 
> > > > If you just want to test the replication you can use
> > > > net rpc vampire keytab,
> > > > but I guess it's not just replication you want to test...
> > No, what I'm interested in is joining a domain without creating
> > objects, to confirm:
> >  - that we can indeed import the schema
> >  - that the import is correct (we can use tools like ldapcmp to verify)
> >  - that we support the functional levels etc
> > 
> > The idea is that we would encourage admins to run 'samba-tool domain clone'
> > as a discovery measure, before committing to having Samba
> > objects in their directory, that would have to be removed again. 
> > 
> > To make it even safer, I've extended the tool to have a --include-secrets
> > option that asks the Windows 2008 or later server not to send
> > us the secret values, and to make decrypting them fail if we get them
> > regardless.  This would allow us as developers to obtain a copy of a
> > failing Samba domain from production sites for analysis, without
> > risking the most private values. 
> 
> Ok.
> 
> I'm still not really happy with the name 'samba-tool domain clone'.
> I'd like to make it more obvious that this is just for testing/simulating.
> Maybe something like 'samba-tool domain simulate-initial-replication',
> but that's a bit long. Any better ideas?

I understand your concerns, and I'll think about a better name.

> > > > > > > > What is the desired result of this having an exact copy of the
> > > > > > > > other DC? Including the same name, ntds guid and its original
> > > > > > > > invocationID?
> > > > 
> > > > But the ipaddress will be different?
> > > > 
> > > > What is the desired action an admin would like to do with the result of
> > > > this operation?
> >  - Know that DRS replication to Samba is possible
> >  - Hold a copy of the Windows/Samba AD database for analysis.
> >  - Permit the above with redaction of secrets.
> > See attached (with the other patches from my domain-clone branch)
> 
> Ok.
> 
> > --- a/python/samba/netcmd/domain.py
> > +++ b/python/samba/netcmd/domain.py
> > @@ -657,6 +657,7 @@ class cmd_domain_clone(Command):
> >          Option("--server", help="DC to join", type=str),
> >          Option("--targetdir", help="where to store provision", 
> > type=str),
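Review bot: `--targetdir` in the `@@ -657` hunk is declared with no default and no required flag, so when the option is omitted the clone can land in the installed private directory; for a command meant to simulate a join without touching production state, make it required and refuse to proceed unless the target directory is absent or empty, so a re-run cannot overwrite an earlier copy. Only the two context lines of the hunk are quoted here, so the added line itself is not visible for review.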
> 
> Can we make this argument mandatory, we should not write into the system
> prefix.

Certainly.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
