[Samba] backup of tdb files

Andrew Bartlett abartlet at samba.org
Mon Sep 24 07:14:48 UTC 2018 

On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> Hi Andrew,
> 
> thanks for addressing all my points. This is rather helpful.
> 
> -<| Quoting Andrew Bartlett <abartlet at samba.org>, on Friday, 2018-09-
> 21 08:23:26 AM |>-
> > 
> > On Fri, 2018-09-21 at 11:29 +0200, Philipp Gesang via samba wrote:
> > > 
> > > how would I go about dumping tdb files in a “neutral” format,
> > > preferably JSON?
> > > 
> > > The goal is to have a domain member functional after restoring
> > > from a backup without re-joining. 
> > Do take care that the password is changed by winbindd regularly.
> >  It
> > might not work any more.
> The most common scenario for restoring a backup would be inside
> the “window of opportunity” when the current password is still
> valid. Besides, knowing our customers I expect a significant
> number of users to disable password rotation for machine accounts
> in the GPO …

Samba doesn't honour that (yet).  It is controlled in the smb.conf.

> > 
> > > 
> > > By trial and error I determined that
> > > /var/lib/samba/private/{netlogon_creds_cli,secrets}.tdb are the
> > > only files from whose removal smbd can’t recover, so those are
> > > the files I’m currently concerned with.
> > It should be only secrets.tdb.  The netlogon_creds_cli.tdb can be
> > re-
> > built from the domain member password.
> You’re right, I just ran the test again. Probably a fluke in my
> tests last week.
> 
> > 
> > A long time ago I posted a script to dump the machine password to
> > stdout for the benifit of an 802.1x client, but it never had tests
> > so
> > didn't get in.  
> > 
> > I could see JSON working well for this also.  Perhaps extend either
> > samba-tool or net to print out the domain SID, local SID, domain
> > member
> > password and hostname?
> Sounds promising. I’ll look into that.

Thanks.

> > 
> > (There are other elements of state, like idmap values, but how far
> > you
> > go depends on the local configuration needs, but these would be the
> > four most critical items). 
> > 
> > > 
> > > What about portability? Are tdb contents platform independent? Is
> > > a secrets.tdb created with 32 bit Samba usable on a 64 bit build
> > > and vice versa?
> > Yes, tdb files are portable.
> Just to be absolutely sure: This is true of both the tdb format
> and the binary data stored in the values?

That is the design goal.

Thanks for your continued work to improve Samba!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list