[Samba] Samba 4 DC backups

Brady, Mike mike.brady at devnull.net.nz
Tue Sep 1 21:43:29 UTC 2015


On 2015-09-02 08:22, Mark Foley wrote:
> Mike,
> 
> I thought I pretty much did the same thing as the backup script: backup ldb, do
> tar.  Also, I am stopping Samba for good measure, but I don't think I need to.
> What makes you say I'm doing the "exact opposite" of what the samba script does?
> Please explain, I want to be consistent with good practice.
> 
> --Mark
> 
> -----Original Message-----
>> Date: Tue, 01 Sep 2015 19:19:31 +1200
>> From: "Brady, Mike" <mike.brady at devnull.net.nz>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4 DC backups
>> 
>> Mark
>> 
>> Ok so you are doing the exact opposite of what the samba_backup script does
>> with regards to ldb and tdb files, but then you are shutting down Samba
>> to do a backup anyway so it doesn't really matter what you are doing in
>> this regard.
>> 
>> I want a consistent backup while Samba is running.
>> 
>> Regards
>> 
>> Mike
>> 
>> On 2015-09-01 16:08, Mark Foley wrote:
>> > Here's what I do before tar'ring:
>> >
>> > find / -mount -type d -path /etc/samba-JMF -prune -o -name \*.tdb -exec tdbbackup {} \;
>> > find / -mount -name \*.tdb.bak -exec ls -l {} \;   # (log .bak updates)
>> >
>> > This gets all the tdb files on the root filesystem, excluding mounted drives
>> > (-mount) and excluding tdb files I have in /etc/samba-JMF which is an old
>> > installation folder that I should probably delete anyway. Still, the example
>> > would show you what to do if you *don't* want to back up some tdb's.
>> >
>> > The 2nd find just logs the date/time of the tdb.bak files to the tarfile job
>> > log.
>> >
>> > For good measure, I also stop samba during the tar backup, which only takes 18
>> > minutes (differential) on my system. But, I understand this is not necessary
>> > (though it might spare me from having to actually apply the tdb.bak files should
>> > I need to restore?)
>> >
>> > Also don't forget to back up ACLs and ATTRs unless your version of tar preserves
>> > these. Mine does not:
>> >
>> > getfattr -dR /redirectedFolders /var/lib/samba/sysvol /var/lib/samba/share
>> > getfacl -R /redirectedFolders /var/lib/samba/sysvol /var/lib/samba/share
>> >
>> > --Mark
>> >
>> > -----Original Message-----
>> >> Date: Tue, 01 Sep 2015 14:59:20 +1200
>> >> From: "Brady, Mike" <mike.brady at devnull.net.nz>
>> >> To: samba at lists.samba.org
>> >> Subject: [Samba] Samba 4 DC backups
>> >>
>> >> I have a few Samba 4.2 DC in production now and figured that I should do
>> >> something about backups.
>> >>
>> >> I have read
>> >> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC and
>> >> had a look through the samba_backup script and have a few questions.
>> >>
>> >> Firstly I am using the Sernet packages on Centos7.
>> >>
>> >> I am assuming the following mappings from the script for my set up
>> >> /usr/local/samba/etc is /etc/samba
>> >> /usr/local/samba/private is /var/lib/samba/private
>> >> /usr/local/samba/sysvol is /var/lib/samba/sysvol
>> >>
>> >> Does this look correct?
>> >>
>> >> The samba_backup script does a tdbbackup of ldb files.  In my case that
>> >> would be the following:
>> >> [root@dc02 ~]# cd /var/lib/samba/
>> >> [root@dc02 samba]# find . -name "*.ldb"
>> >> ./private/sam.ldb
>> >> ./private/privilege.ldb
>> >> ./private/share.ldb
>> >> ./private/idmap.ldb
>> >> ./private/sam.ldb.d/DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/sam.ldb.d/DC=FORESTDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/sam.ldb.d/CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/dns/sam.ldb
>> >> ./private/dns/sam.ldb.d/DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/dns/sam.ldb.d/DC=FORESTDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/dns/sam.ldb.d/CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>> >> ./private/hklm.ldb
>> >> ./private/secrets.ldb
>> >>
>> >> The script then does a tar of the /usr/local/samba (/var/lib/samba in my
>> >> case) excluding the *.ldb files, but including the *.ldb.bak files,
>> >> which all makes sense.
>> >>
>> >> But there are also the following tdb files in the /var/lib/samba
>> >> directory.
>> >> [root@dc02 ~]# cd /var/lib/samba/
>> >> [root@dc02 samba]# find . -name "*.tdb"
>> >> ./share_info.tdb
>> >> ./private/randseed.tdb
>> >> ./private/sam.ldb.d/metadata.tdb
>> >> ./private/dns/sam.ldb.d/metadata.tdb
>> >> ./private/secrets.tdb
>> >> ./private/smbd.tmp/msg/names.tdb
>> >> ./private/netlogon_creds_cli.tdb
>> >> ./private/schannel_store.tdb
>> >> ./registry.tdb
>> >> ./winbindd_cache.tdb
>> >> ./account_policy.tdb
>> >>
>> >> The script will include these in the backup without doing a tdbbackup
>> >> which I would not have thought was safe?  Should these files be excluded
>> >> or have a tdbbackup done like the ldb files, or am I totally missing
>> >> something?
>> >>
>> >> Regards
>> >>
>> >> Mike
>> >>
>> 
Mark,

As I understand it the samba_backup script is using tdbbackup to create 
a backup of each ldb file and then creates a tar of everything except 
the running ldb files but including the ldb.bak files and the running 
tdb files (which is a no no).

From what I understood from your previous email you are creating a 
tdbbackup of the tdb files and creating a tar of the running ldb files, 
except that you are actually shutting down the DC, so running tdbbackup 
in your case really isn't necessary.

tdbbackup is really only necessary if you are trying to backup a running 
DC.

But then maybe I am completely missing something.


Regards

Mike
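
Added example, not part of this thread and not Samba's samba_backup script: one way to take the online backup discussed above, running tdbbackup over both the *.ldb and the *.tdb files and archiving only the .bak snapshots, never the live databases. The function names and the TDBBACKUP override are assumptions made for illustration, and the output path must be absolute and outside the directory being archived.

```shell
#!/bin/sh
# Added example. TDBBACKUP is an assumed override so a stand-in can be used
# where Samba is not installed; on a DC it defaults to the real tdbbackup.
TDBBACKUP=${TDBBACKUP:-tdbbackup}

# snapshot_dbs DIR
# Run tdbbackup on every *.ldb and *.tdb under DIR, producing <file>.bak.
# Lists databases that could not be snapshotted on stderr and returns 1.
snapshot_dbs() {
    # Paths such as sam.ldb.d/DC=...,DC=....ldb contain '=' and ',' but no
    # newlines, so line-based reading is safe here.
    failures=$(find "$1" -type f \( -name '*.ldb' -o -name '*.tdb' \) |
        while IFS= read -r db; do
            "$TDBBACKUP" "$db" >/dev/null 2>&1 && [ -s "$db.bak" ] ||
                printf '%s\n' "$db"
        done)
    [ -z "$failures" ] || { printf 'snapshot failed: %s\n' "$failures" >&2; return 1; }
}

# archive_samba DIR OUT   (OUT must be an absolute path outside DIR)
# Archive DIR without the live databases; the *.bak snapshots are kept.
archive_samba() {
    (
        umask 077   # the archive holds copies of sam.ldb and secrets.*
        cd "$1" || exit 1
        find . \( -type f -o -type l \) ! -name '*.ldb' ! -name '*.tdb' |
            tar -czf "$2" -T -
    )
}

# backup_samba DIR OUT
# Write the archive only if every database was snapshotted first.
backup_samba() {
    snapshot_dbs "$1" || return 1
    archive_samba "$1" "$2"
}

# Run when called with two arguments, e.g.:
#   sh samba_online_backup.sh /var/lib/samba /backup/samba-dc02.tar.gz
if [ "$#" -eq 2 ]; then
    backup_samba "$1" "$2"
fi
```

ACLs and extended attributes on sysvol still need the separate getfacl/getfattr dump mentioned earlier in the thread if the local tar does not preserve them.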


