[Samba] backup AD content
rpenny at samba.org
Fri Aug 30 09:31:37 UTC 2019
On 30/08/2019 10:27, Andrew Bartlett wrote:
> On Fri, 2019-08-30 at 10:20 +0100, Rowland penny via samba wrote:
>> On 30/08/2019 10:14, Stefan G. Weichinger via samba wrote:
>>> On 30.08.19 11:01, Andrew Bartlett wrote:
>>>> On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
>>>>> I happily and trustfully use Louis' backup-script from
>>>>> to dump AD content via cronjob.
>>>>> Is it necessary/recommended to do that on *each* samba DC? Is there
>>>>> something server-specific in the dump(s) or is it enough to do that
>>>>> per domain?
>>>> I'm very sorry to advise that this script is not race-free in the
>>>> locking done on the AD databases, which is why we have written the
>>>> 'samba-tool domain backup offline' tool which holds the correct locks.
>>> Thanks for the info, I will write another cronjob using that tool.
>> Be prepared to put your administrator's password in the cronjob
> The offline backup does not require a password, only root privileges.
OH yes it does, I found this out yesterday, running as root with Kerberos:
Committing SAM database
INFO 2019-08-29 16:56:10,650 pid:16393 /usr/lib/python3/dist-packages/samba/join.py #1643: Setting isSynchronized and dsServiceName
INFO 2019-08-29 16:56:10,747 pid:16393 /usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain SAMDOM
Password for [Administrator at SAMDOM.EXAMPLE.COM]:
INFO 2019-08-29 16:56:34,573 pid:16393
Creating backup file
> While not tested or intended, it would not shock me if the online tool
> operated successfully with --machine-pass set, to use the DC's own
> password (assuming running on a DC).
Cannot speak for the online tool (never tried it, yet), but it doesn't
work for the offline tool.