[Samba] backup AD content

Rowland penny rpenny at samba.org
Fri Aug 30 09:31:37 UTC 2019


On 30/08/2019 10:27, Andrew Bartlett wrote:
> On Fri, 2019-08-30 at 10:20 +0100, Rowland penny via samba wrote:
>> On 30/08/2019 10:14, Stefan G. Weichinger via samba wrote:
>>> On 30.08.19 11:01, Andrew Bartlett wrote:
>>>> On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
>>>> wrote:
>>>>> I happily and trustfully use Louis' backup-script from
>>>>>
>>>>> https://github.com/thctlo/samba4
>>>>>
>>>>> to dump AD content via cronjob.
>>>>>
>>>>> Is it necessary/recommended to do that on *each* samba DC? Is there
>>>>> something server-specific in the dump(s) or is it enough to do that
>>>>> once
>>>>> per domain?
>>>> I'm very sorry to advise that this script is not race-free in the
>>>> locking done on the AD databases, which is why we have written the
>>>> 'samba-tool domain backup offline' tool which holds the correct locks.
>>> Thanks for the info, I will write another cronjob using that tool.
>> Be prepared to put your administrator's password in the cronjob
> The offline backup does not require a password, only root privileges.

Oh yes it does, I found this out yesterday, running as root with Kerberos:

Committing SAM database
INFO 2019-08-29 16:56:10,650 pid:16393 /usr/lib/python3/dist-packages/samba/join.py #1643: Setting isSynchronized and dsServiceName
INFO 2019-08-29 16:56:10,747 pid:16393 /usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain SAMDOM (SID S-1-5-21-1768301897-3342589593-1064908849)
Password for [Administrator at SAMDOM.EXAMPLE.COM]:
INFO 2019-08-29 16:56:34,573 pid:16393 /usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124: Creating backup file /root/samba-backup-samdom.example.com-2019-08-29T16-56-34.378389.tar.bz2...

>
> While not tested or intended, it would not shock me if the online tool
> operated successfully with --machine-pass set, to use the DC's own
> password (assuming running on a DC).

Cannot speak for the online tool (never tried it, yet), but it doesn't 
work for the offline tool.

Rowland



