[Samba] backup AD content
Rowland penny
rpenny at samba.org
Sat Aug 31 13:09:19 UTC 2019
On 30/08/2019 10:31, Rowland penny via samba wrote:
> On 30/08/2019 10:27, Andrew Bartlett wrote:
>> On Fri, 2019-08-30 at 10:20 +0100, Rowland penny via samba wrote:
>>> On 30/08/2019 10:14, Stefan G. Weichinger via samba wrote:
>>>> On 30.08.19 11:01, Andrew Bartlett wrote:
>>>>> On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
>>>>> wrote:
>>>>>> I happily and trustfully use Louis' backup-script from
>>>>>>
>>>>>> https://github.com/thctlo/samba4
>>>>>>
>>>>>> to dump AD content via cronjob.
>>>>>>
>>>>>> Is it necessary/recommended to do that on *each* samba DC? Is there
>>>>>> something server-specific in the dump(s) or is it enough to do that
>>>>>> once
>>>>>> per domain?
>>>>> I'm very sorry to advise that this script is not race-free in the
>>>>> locking done on the AD databases, which is why we have written the
>>>>> 'samba-tool domain backup offline' tool which holds the correct
>>>>> locks.
>>>> Thanks for the info, I will write another cronjob using that tool.
>>> Be prepared to put your administrator's password in the cronjob
>> The offline backup does not require a password, only root privileges.
>
> OH yes it does, I found this out yesterday, running as root with
> kerberos:
>
> Committing SAM database
> INFO 2019-08-29 16:56:10,650 pid:16393
> /usr/lib/python3/dist-packages/samba/join.py #1643: Setting
> isSynchronized and dsServiceName
> INFO 2019-08-29 16:56:10,747 pid:16393
> /usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain
> SAMDOM (SID S-1-5-21-1768301897-3342589593-1064908849)
> Password for [Administrator at SAMDOM.EXAMPLE.COM]:
> INFO 2019-08-29 16:56:34,573 pid:16393
> /usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124:
> Creating backup file
> /root/samba-backup-samdom.example.com-2019-08-29T16-56-34.378389.tar.bz2...
>
>>
>> While not tested or intended, it would not shock me if the online tool
>> operated successfully with --machine-pass set, to use the DC's own
>> password (assuming running on a DC).
>
> Cannot speak for the online tool (never tried it, yet), but it doesn't
> work for the offline tool.
>
Mea culpa, I got them the wrong way around :-(
It is the online tool that asks for the Administrator password.
If you kinit as Administrator, then run as root:
samba-tool domain backup online --targetdir=/root/ --server=dc1 -k yes
Towards the end of the output, you get this:
INFO 2019-08-29 16:56:10,650 pid:16393
/usr/lib/python3/dist-packages/samba/join.py #1643: Setting
isSynchronized and dsServiceName
INFO 2019-08-29 16:56:10,747 pid:16393
/usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain SAMDOM
(SID S-1-5-21-1768301897-3342589593-1064908849)
Password for [Administrator at SAMDOM.EXAMPLE.COM]:
INFO 2019-08-29 16:56:34,573 pid:16393
/usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124:
Creating backup file
/root/samba-backup-samdom.example.com-2019-08-29T16-56-34.378389.tar.bz2...
Which, on the face of it, is asking for the Administrator password, but
after carrying out a few tests, it turns out just pressing 'Enter' is
sufficient. Knowing this, the workaround is fairly obvious: run the
command like this:
echo | samba-tool domain backup online --targetdir=/root/ --server=dc1 -k yes
Rowland