[Samba] backup of tdb files
Andrew Bartlett
abartlet at samba.org
Mon Sep 24 07:14:48 UTC 2018
On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> Hi Andrew,
>
> thanks for addressing all my points. This is rather helpful.
>
> -<| Quoting Andrew Bartlett <abartlet at samba.org>, on Friday, 2018-09-21 08:23:26 AM |>-
> >
> > On Fri, 2018-09-21 at 11:29 +0200, Philipp Gesang via samba wrote:
> > >
> > > how would I go about dumping tdb files in a “neutral” format,
> > > preferably JSON?
> > >
> > > The goal is to have a domain member functional after restoring
> > > from a backup without re-joining.
> > Do take care that the password is changed by winbindd regularly.
> > It might not work any more.
> The most common scenario for restoring a backup would be inside
> the “window of opportunity” when the current password is still
> valid. Besides, knowing our customers I expect a significant
> number of users to disable password rotation for machine accounts
> in the GPO …
Samba doesn't honour that (yet). It is controlled in the smb.conf.
> >
> > >
> > > By trial and error I determined that
> > > /var/lib/samba/private/{netlogon_creds_cli,secrets}.tdb are the
> > > only files from whose removal smbd can’t recover, so those are
> > > the files I’m currently concerned with.
> > It should be only secrets.tdb. The netlogon_creds_cli.tdb can be
> > re-built from the domain member password.
> You’re right, I just ran the test again. Probably a fluke in my
> tests last week.
>
> >
> > A long time ago I posted a script to dump the machine password to
> > stdout for the benefit of an 802.1x client, but it never had tests
> > so didn't get in.
> >
> > I could see JSON working well for this also. Perhaps extend either
> > samba-tool or net to print out the domain SID, local SID, domain
> > member password and hostname?
> Sounds promising. I’ll look into that.
Thanks.
> >
> > (There are other elements of state, like idmap values, but how far
> > you go depends on the local configuration needs, but these would be
> > the four most critical items).
> >
> > >
> > > What about portability? Are tdb contents platform independent? Is
> > > a secrets.tdb created with 32 bit Samba usable on a 64 bit build
> > > and vice versa?
> > Yes, tdb files are portable.
> Just to be absolutely sure: This is true of both the tdb format
> and the binary data stored in the values?
That is the design goal.
Thanks for your continued work to improve Samba!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
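
Added example, not part of the original message and not Samba's own code: one way to get the "neutral" JSON form asked about in the thread is to convert the text output of the `tdbdump` utility. The sample records, their values and the function names below are constructed for illustration.

```python
import json
import re

# Constructed sample in the text form tdbdump prints: printable bytes as-is,
# everything else (including '"' and '\') as \XX hex escapes. Values are made up.
SAMPLE_DUMP = r'''{
key(23) = "SECRETS/SID/EXAMPLEDOM\00"
data(8) = "\01\04\00\00\00\00\00\05"
}
{
key(36) = "SECRETS/MACHINE_PASSWORD/EXAMPLEDOM\00"
data(12) = "pa\22ss\5Cw0rd!\00"
}
'''

RECORD_LINE = re.compile(r'^(key|data)\((\d+)\) = "(.*)"$')
ESCAPE = re.compile(rb'\\([0-9A-Fa-f]{2})')

def unescape(text):
    # Reverse the \XX escaping; a literal backslash is itself dumped as \5C.
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), text.encode('latin-1'))

def parse_tdbdump(text):
    """Return a list of {'key': hex, 'data': hex} records from a tdbdump listing."""
    records, current = [], {}
    for line in text.splitlines():
        m = RECORD_LINE.match(line)
        if m:
            field, size, raw = m.group(1), int(m.group(2)), unescape(m.group(3))
            if len(raw) != size:  # catches truncated or hand-edited dumps
                raise ValueError(f"{field} length {len(raw)} != declared {size}")
            current[field] = raw.hex()  # hex keeps arbitrary binary JSON-safe
        elif line == '}':
            if set(current) != {'key', 'data'}:
                raise ValueError("incomplete record")
            records.append(current)
            current = {}
    return records

def to_json(text):
    # The result holds the machine account password: protect it like secrets.tdb.
    return json.dumps(parse_tdbdump(text), indent=2)

if __name__ == '__main__':
    print(to_json(SAMPLE_DUMP))
```

Hex-encoding both keys and values keeps trailing NUL bytes and binary blobs intact, so the records can be written back byte for byte.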