[PATCH: Domain backup samba-tool command]

Stefan Metzmacher metze at samba.org
Fri Mar 23 06:32:23 UTC 2018


On 23.03.2018 at 05:59, Aaron Haslett via samba-technical wrote:
> The existing shell script for backing up a domain doesn't lock things
> properly while doing the backup and could end up with a corrupt backup
> or cause a lockup.  Here's a new python script that actually works,
> along with tests and required fixes.

I haven't looked into this in detail, but I have a few questions/comments:

- Can you write down in words what the new command is supposed to do?

- The most important part of a backup is always the restore!
  I have come across a few sites already, which tried to restore
  DCs from a VM snapshot and corrupted the replication state.

  I think we really need a corresponding restore command
  and make it relatively hard to restore the backup without
  using the restore command.

  The restore command should also do this on the backup databases:
  - reset highestCommittedUSN to 1 and invent a new invocationID
    that will be used for further replPropertyMetaData stamps
  - samba-tool domain demote --remove-other-dead-server for all
    servers
  - create a new machine account and NTDSDsa object (with the new
    invocationID)
  - samba-tool fsmo seize for all roles
  - change the krbtgt passwords twice
  So that the restored domain will never replicate with any existing
  DC, as it's only a last resort if really all DCs are broken.

Can you please read through the C related patches and fix
tab vs. whitespaces or missing whitespaces.

Thanks!
metze
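
Added example, not part of the original message and not Samba code: a toy model of high-watermark replication showing why a database restored from a snapshot must not keep stamping changes under its old invocationID. The classes `DC` and `Partner`, the function `run` and the write counts are hypothetical.

```python
# Simplified model of USN-based replication (added illustration, not Samba code).
import uuid

class DC:
    """Toy domain controller: stamps each write with (invocation_id, usn)."""
    def __init__(self):
        self.invocation_id = str(uuid.uuid4())
        self.highest_committed_usn = 0
        self.changes = []  # list of (invocation_id, usn, value)

    def write(self, value):
        self.highest_committed_usn += 1
        self.changes.append((self.invocation_id, self.highest_committed_usn, value))

    def snapshot(self):
        return (self.invocation_id, self.highest_committed_usn, list(self.changes))

    def restore(self, snap, new_invocation_id=False):
        self.invocation_id, self.highest_committed_usn, changes = snap
        self.changes = list(changes)
        if new_invocation_id:
            # What the reply asks of a restore command: fresh ID, USN reset to 1.
            self.invocation_id = str(uuid.uuid4())
            self.highest_committed_usn = 1

class Partner:
    """Toy replication partner tracking a per-source high watermark."""
    def __init__(self):
        self.watermark = {}  # invocation_id -> highest USN already received

    def pull(self, dc):
        new = [c for c in dc.changes if c[1] > self.watermark.get(c[0], 0)]
        for inv, usn, _ in new:
            self.watermark[inv] = max(self.watermark.get(inv, 0), usn)
        return [value for _, _, value in new]

def run(new_invocation_id):
    dc, partner = DC(), Partner()
    for i in range(100):
        dc.write(f"pre-{i}")
    snap = dc.snapshot()                  # snapshot taken at USN 100
    for i in range(50):
        dc.write(f"lost-{i}")
    partner.pull(dc)                      # partner has now seen USN 1..150
    dc.restore(snap, new_invocation_id)   # roll back to the snapshot
    for i in range(20):
        dc.write(f"post-{i}")
    return partner.pull(dc)               # what the partner accepts afterwards
```

With the old invocationID the 20 post-restore writes reuse USNs 101..120, which the partner believes it already has, so they are silently skipped; with a new invocationID the partner holds no watermark for that source and none of the writes are mistaken for old ones.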
