[Samba] Samba 4 DC backups

Tue Sep 1 04:08:53 UTC 2015

Here's what I do before tar'ring:

find / -mount -type d -path /etc/samba-JMF -prune -o -name \*.tdb -exec tdbbackup {} \;
find / -mount -name \*.tdb.bak -exec ls -l {} \;   # (log .bak updates)

This gets all the tdb files on the root filesystem, excluding mounted drived
(-mount) and excluding tdb files I have in /etc/samba-JMF which is an old
installation folder that I should probably delete anyway. Still, the example
would show you what to do if you *don't* want to back up some tdb's.

The 2nd find just logs the date/time of the tdb.bak files to the tarfile job
log.

For good measure, I also stop samba during the tar backup, which only takes 18
minutes (differential) on my system. But, I understand this is not necessary
(though it might spare me from having to actually apply the tdb.bak files should
I need to restore?)

Also don't forget to backup ACLs and ATTRs unless your version of tar preserves
these. Mine does not:

getfattr -dR /redirectedFolders /var/lib/samba/sysvol /var/lib/samba/share
getfacl -R /redirectedFolders /var/lib/samba/sysvol /var/lib/samba/share 

--Mark

-----Original Message-----
> Date: Tue, 01 Sep 2015 14:59:20 +1200
> From: "Brady, Mike" <mike.brady at devnull.net.nz>
> To: samba at lists.samba.org
> Subject: [Samba] Samba 4 DC backups
>
> I have a few Samba 4.2 DC in production now and figured that I should do 
> something about backups.
>
> I have read 
> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC and 
> had a look through the samba_backup script and have a few questions.
>
> Firstly I am using the Sernet packages on Centos7.
>
> I am assuming the following mappings from the script for my set up
> /usr/local/samba/etc is /etc/samba
> /usr/local/samba/private is /var/lib/samba/private
> /usr/local/samba/sysvol is /var/lib/samba/sysvol
>
> Does this look correct?
>
> The samba_backup script does a tdbbackup of ldb files.  In my case that 
> would be the following:
> [root at dc02 ~]# cd /var/lib/samba/
> [root at dc02 samba]# find . -name "*.ldb"
> ./private/sam.ldb
> ./private/privilege.ldb
> ./private/share.ldb
> ./private/idmap.ldb
> ./private/sam.ldb.d/DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/sam.ldb.d/DC=FORESTDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/sam.ldb.d/CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/dns/sam.ldb
> ./private/dns/sam.ldb.d/DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/dns/sam.ldb.d/DC=FORESTDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/dns/sam.ldb.d/CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
> ./private/hklm.ldb
> ./private/secrets.ldb
>
> The script then does a tar of the /usr/local/samba (/var/lib/samba in my 
> case) excluding the *.ldb files, but including the *.ldb.bak files, 
> which all makes sense.
>
> But there are also the following tdb files in the /var/lib/samba 
> directory.
> [root at dc02 ~]# cd /var/lib/samba/
> [root at dc02 samba]# find . -name "*.tdb"
> ./share_info.tdb
> ./private/randseed.tdb
> ./private/sam.ldb.d/metadata.tdb
> ./private/dns/sam.ldb.d/metadata.tdb
> ./private/secrets.tdb
> ./private/smbd.tmp/msg/names.tdb
> ./private/netlogon_creds_cli.tdb
> ./private/schannel_store.tdb
> ./registry.tdb
> ./winbindd_cache.tdb
> ./account_policy.tdb
>
> The script will include these in the backup without doing a tdbback 
> which I would not have thought was safe?  Should these files be excluded 
> or have a tdbbackup done like the ldb files, or am I totally missing 
> something?
>
> Regards
>
> Mike
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>