[PATCH] Add a new tool, 'samba-tool domain clone'

Stefan Metzmacher metze at samba.org
Tue Sep 15 09:08:54 UTC 2015

Am 14.09.2015 um 01:47 schrieb Andrew Bartlett:
> On Thu, 2015-08-20 at 15:51 +1200, Andrew Bartlett wrote:
>> On Thu, 2015-08-20 at 10:07 +1200, Andrew Bartlett wrote:
>>> On Wed, 2015-08-19 at 06:56 +0200, Stefan Metzmacher wrote:
>>>> Hi Andrew,
>>>>>>> If you just want to test the replication you can use net 
>>>>>>> rpc 
>>>>>>> vampire 
>>>>>>> keytab,
>>>>>>> but I guess it's not just replication you want to test...
>>>>> No, what I'm interested in is joining a domain without creating
>>>>> objects, to confirm:
>>>>>  - that we can indeed import the schema
>>>>>  - that the import is correct (we can use tools like ldapcmp to 
>>>>> verify)
>>>>>  - that we support the functional levels etc
>>>>> The idea is that we would encourage admins to run 'samba-tool 
>>>>> domain
>>>>> clone' as a discovery measure, before committing to having 
>>>>> Samba
>>>>> objects in their directory, that would have to be removed 
>>>>> again. 
>>>>> To make it even safer, I've extended the tool to have a -
>>>>> -include
>>>>> -secrets option that asks the Windows 2008 or later server not 
>>>>> to 
>>>>> send
>>>>> us the secret values, and to make decrypting them fail if we 
>>>>> get 
>>>>> them
>>>>> regardless.  This would allow us as developers to obtain a copy 
>>>>> of 
>>>>> a
>>>>> failing Samba domain from production sites for analysis, 
>>>>> without
>>>>> risking the most private values. 
>>>> Ok.
>>>> I'm still not really happy with the name 'samba-tool domain 
>>>> clone'.
>>>> I'd like to make it more obvious that this is just for 
>>>> testing/simulating.
>>>> Maybe something like 'samba-tool domain simulate-initial
>>>> -replication',
>>>> but that's a bit long. Any better ideas?
>>> I understand your concerns, and I'll think about a better name.
>> What about online-export or (less preferred) drs-export?
> I realise this is what is stalling this patch, but I still can't come
> up with a name better than 'clone', or 'dc-clone' that describes what
> this does.  Export and import are problematic, as it is sort of an
> export from an existing AD, and an import into our own opaque(ish)
> database (rather than plain ldif or such).

Maybe 'samba-tool drs clone-dc-database' ? --target-dir
and the specific source dc should be required to be given by the admin.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150915/153bbbe6/signature.sig>

More information about the samba-technical mailing list