[PATCH] Add a new tool, 'samba-tool domain clone'

Stefan Metzmacher metze at samba.org
Tue Sep 15 09:08:54 UTC 2015


On 14.09.2015 at 01:47, Andrew Bartlett wrote:
> On Thu, 2015-08-20 at 15:51 +1200, Andrew Bartlett wrote:
>> On Thu, 2015-08-20 at 10:07 +1200, Andrew Bartlett wrote:
>>> On Wed, 2015-08-19 at 06:56 +0200, Stefan Metzmacher wrote:
>>>> Hi Andrew,
>>>>
>>>>>>> If you just want to test the replication you can use net rpc vampire keytab,
>>>>>>> but I guess it's not just replication you want to test...
>>>>> No, what I'm interested in is joining a domain without creating
>>>>> objects, to confirm:
>>>>>  - that we can indeed import the schema
>>>>>  - that the import is correct (we can use tools like ldapcmp to verify)
>>>>>  - that we support the functional levels etc
>>>>>
>>>>> The idea is that we would encourage admins to run 'samba-tool domain
>>>>> clone' as a discovery measure, before committing to having Samba
>>>>> objects in their directory, that would have to be removed again.
>>>>>
>>>>> To make it even safer, I've extended the tool to have a --include-secrets
>>>>> option that asks the Windows 2008 or later server not to send
>>>>> us the secret values, and to make decrypting them fail if we get them
>>>>> regardless.  This would allow us as developers to obtain a copy of a
>>>>> failing Samba domain from production sites for analysis, without
>>>>> risking the most private values.
>>>>
>>>> Ok.
>>>>
>>>> I'm still not really happy with the name 'samba-tool domain clone'.
>>>> I'd like to make it more obvious that this is just for testing/simulating.
>>>> Maybe something like 'samba-tool domain simulate-initial-replication',
>>>> but that's a bit long. Any better ideas?
>>>
>>> I understand your concerns, and I'll think about a better name.
>>
>> What about online-export or (less preferred) drs-export?
>
> I realise this is what is stalling this patch, but I still can't come
> up with a name better than 'clone', or 'dc-clone' that describes what
> this does.  Export and import are problematic, as it is sort of an
> export from an existing AD, and an import into our own opaque(ish)
> database (rather than plain ldif or such).

Maybe 'samba-tool drs clone-dc-database'? --target-dir
and the specific source DC should be required to be given by the admin.

metze
