[Samba] Samba 4 DC backups

Brady, Mike mike.brady at devnull.net.nz
Tue Sep 1 08:00:01 UTC 2015


On 2015-09-01 18:48, L.P.H. van Belle wrote:
> and most important...
> 
> If you have 2 DC's ...
> ! NEVER USE THE BACKUP SCRIPT TO RESTORE ONE OF THE DC's  !
> 
> This will corrupt your AD databases..
> Just remove the old DC from the domain and add a new one if needed .
> 
> .. Rowland.
> This is also a nice to have in your backup script.
> Auto detect multiple DC's, we have that already in other scripts.
> In case of multiple DC's, backup yes, restore no, display warning.. etc.
> something like that..
> 
> You can add it to the backup script "wishlist"  ;-)
> 
> Greetz,
> 
> Louis
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Brady, Mike
>> Sent: Tuesday 1 September 2015 04:59
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba 4 DC backups
>> 
>> I have a few Samba 4.2 DC in production now and figured that I should do
>> something about backups.
>> 
>> I have read
>> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC and
>> had a look through the samba_backup script and have a few questions.
>> 
>> Firstly I am using the Sernet packages on Centos7.
>> 
>> I am assuming the following mappings from the script for my set up
>> /usr/local/samba/etc is /etc/samba
>> /usr/local/samba/private is /var/lib/samba/private
>> /usr/local/samba/sysvol is /var/lib/samba/sysvol
>> 
>> Does this look correct?
>> 
>> The samba_backup script does a tdbbackup of ldb files.  In my case that
>> would be the following:
>> [root at dc02 ~]# cd /var/lib/samba/
>> [root at dc02 samba]# find . -name "*.ldb"
>> ./private/sam.ldb
>> ./private/privilege.ldb
>> ./private/share.ldb
>> ./private/idmap.ldb
>> ./private/sam.ldb.d/DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/sam.ldb.d/DC=FORESTDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/sam.ldb.d/CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/dns/sam.ldb
>> ./private/dns/sam.ldb.d/DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/dns/sam.ldb.d/DC=FORESTDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/dns/sam.ldb.d/CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> ./private/hklm.ldb
>> ./private/secrets.ldb
>> 
>> The script then does a tar of the /usr/local/samba (/var/lib/samba in my
>> case) excluding the *.ldb files, but including the *.ldb.bak files,
>> which all makes sense.
>> 
>> But there are also the following tdb files in the /var/lib/samba
>> directory.
>> [root at dc02 ~]# cd /var/lib/samba/
>> [root at dc02 samba]# find . -name "*.tdb"
>> ./share_info.tdb
>> ./private/randseed.tdb
>> ./private/sam.ldb.d/metadata.tdb
>> ./private/dns/sam.ldb.d/metadata.tdb
>> ./private/secrets.tdb
>> ./private/smbd.tmp/msg/names.tdb
>> ./private/netlogon_creds_cli.tdb
>> ./private/schannel_store.tdb
>> ./registry.tdb
>> ./winbindd_cache.tdb
>> ./account_policy.tdb
>> 
>> The script will include these in the backup without doing a tdbbackup,
>> which I would not have thought was safe?  Should these files be excluded
>> or have a tdbbackup done like the ldb files, or am I totally missing
>> something?
>> 
>> Regards
>> 
>> Mike
>> 

Hi Louis

Yes I am aware of that.  As I said I have read the wiki page 
https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC which 
makes this quite clear.  Not that I needed to be told the consequences 
of copying a running database file :-)

But unless I am completely misreading the samba_backup script, that is 
exactly what it is doing for the *.tdb files that I have listed above.

So either the *.tdb files should be excluded or they need to be backed up 
using tdbbackup.  Either way the samba_backup script looks wrong to me.

Regards

Mike
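
One way to act on the second option raised in this message (run tdbbackup on the *.tdb files as well as the *.ldb files, then archive only the copies), as an added example that is not part of the original post and is not the samba_backup script. The function names and the TDBBACKUP override are hypothetical, and it assumes tdbbackup's default behaviour of writing FILE.bak next to FILE.

```shell
#!/bin/sh
# Added example (not samba_backup): hot-copy every live TDB/LDB file, then
# archive the state directory without any live database file in it.

# Overridable so the logic can be exercised on a host without Samba installed.
TDBBACKUP="${TDBBACKUP:-tdbbackup}"

# hot_copy_databases DIR
# Runs tdbbackup on each *.ldb and *.tdb under DIR (assumption: default ".bak"
# suffix). Returns non-zero if any single copy fails.
hot_copy_databases() {
    list=$(mktemp) || return 1
    find "$1" -type f \( -name '*.ldb' -o -name '*.tdb' \) > "$list"
    rc=0
    # Read names line by line: the partition files contain '=' and ','.
    while IFS= read -r db; do
        "$TDBBACKUP" "$db" || { echo "tdbbackup failed: $db" >&2; rc=1; }
    done < "$list"
    rm -f "$list"
    return $rc
}

# archive_state SRC_DIR OUT_TARBALL
# Refuses to write an archive unless every database was hot-copied first.
# OUT_TARBALL must live outside SRC_DIR.
archive_state() {
    src=$1
    out=$2
    hot_copy_databases "$src" || return 1
    # Live *.ldb and *.tdb are excluded; their *.bak copies are kept.
    tar -czf "$out" --exclude='*.ldb' --exclude='*.tdb' -C "$src" .
}
```

With the Sernet layout assumed in the message this would be called as `archive_state /var/lib/samba /some/backup/dir/samba-state.tar.gz`, where the output path is a placeholder.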


