[Samba] backup AD content

Rowland penny rpenny at samba.org
Sat Aug 31 13:09:19 UTC 2019


On 30/08/2019 10:31, Rowland penny via samba wrote:
> On 30/08/2019 10:27, Andrew Bartlett wrote:
>> On Fri, 2019-08-30 at 10:20 +0100, Rowland penny via samba wrote:
>>> On 30/08/2019 10:14, Stefan G. Weichinger via samba wrote:
>>>> On 30.08.19 11:01, Andrew Bartlett wrote:
>>>>> On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
>>>>> wrote:
>>>>>> I happily and trustfully use Louis' backup-script from
>>>>>>
>>>>>> https://github.com/thctlo/samba4
>>>>>>
>>>>>> to dump AD content via cronjob.
>>>>>>
>>>>>> Is it necessary/recommended to do that on *each* samba DC? Is there
>>>>>> something server-specific in the dump(s) or is it enough to do that
>>>>>> once
>>>>>> per domain?
>>>>> I'm very sorry to advise that this script is not race-free in the
>>>>> locking done on the AD databases, which is why we have written the
>>>>> 'samba-tool domain backup offline' tool which holds the correct 
>>>>> locks.
>>>> Thanks for the info, I will write another cronjob using that tool.
>>> Be prepared to put your administrator's password in the cronjob
>> The offline backup does not require a password, only root privileges.
>
> OH yes it does, I found this out yesterday, running as root with 
> kerberos:
>
> Committing SAM database
> INFO 2019-08-29 16:56:10,650 pid:16393 
> /usr/lib/python3/dist-packages/samba/join.py #1643: Setting 
> isSynchronized and dsServiceName
> INFO 2019-08-29 16:56:10,747 pid:16393 
> /usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain 
> SAMDOM (SID S-1-5-21-1768301897-3342589593-1064908849)
> Password for [Administrator at SAMDOM.EXAMPLE.COM]:
> INFO 2019-08-29 16:56:34,573 pid:16393 
> /usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124: 
> Creating backup file 
> /root/samba-backup-samdom.example.com-2019-08-29T16-56-34.378389.tar.bz2...
>
>>
>> While not tested or intended, it would not shock me if the online tool
>> operated successfully with --machine-pass set, to use the DC's own
>> password (assuming running on a DC).
>
> Cannot speak for the online tool (never tried it, yet), but it doesn't 
> work for the offline tool.
>

Mea culpa, I got them the wrong way around :-(

It is the online tool that asks for the Administrator password.

If you kinit as Administrator, then run as root:

samba-tool domain backup online --targetdir=/root/ --server=dc1 -k yes

Towards the end of the output, you get this:

INFO 2019-08-29 16:56:10,650 pid:16393 
/usr/lib/python3/dist-packages/samba/join.py #1643: Setting 
isSynchronized and dsServiceName
INFO 2019-08-29 16:56:10,747 pid:16393 
/usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain SAMDOM 
(SID S-1-5-21-1768301897-3342589593-1064908849)
Password for [Administrator at SAMDOM.EXAMPLE.COM]:
INFO 2019-08-29 16:56:34,573 pid:16393 
/usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124: 
Creating backup file 
/root/samba-backup-samdom.example.com-2019-08-29T16-56-34.378389.tar.bz2...

Which, on the face of it, is asking for the Administrator password, but 
after carrying out a few tests, it turns out just pressing 'Enter' is 
sufficient. Knowing this, the workaround is fairly obvious; run the 
command like this:

echo | samba-tool domain backup online --targetdir=/root/ --server=dc1 -k yes

Rowland
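
A cron-oriented wrapper around the online backup command above, as an added example that is not part of the original message: it keeps the `echo |` workaround, checks that a new archive was actually written, and restricts the file to its owner. `SAMBA_TOOL` and `backup_online` are hypothetical names, and a valid Kerberos ticket is assumed to be in the credential cache already.

```shell
#!/bin/sh
# Added example, not from the thread. SAMBA_TOOL and backup_online are
# hypothetical names. Assumes a valid Kerberos ticket is already in the
# caller's credential cache (the "kinit as Administrator" step above).
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# backup_online TARGETDIR SERVER
# Prints the path of the archive created by this run; non-zero on failure.
# The body is a subshell so the umask change does not leak to the caller.
backup_online() (
    targetdir=$1
    server=$2
    umask 077   # the archive is a copy of the domain database: owner-only

    # Remember archives that already exist so an old one is never reported.
    before=$(ls "$targetdir"/samba-backup-*.tar.bz2 2>/dev/null || true)

    # The empty line from echo answers the "Password for [...]" prompt,
    # exactly as in the command given in the thread.
    if ! echo | "$SAMBA_TOOL" domain backup online \
            --targetdir="$targetdir" --server="$server" -k yes >&2; then
        echo "backup_online: samba-tool failed" >&2
        return 1
    fi

    new=
    for f in "$targetdir"/samba-backup-*.tar.bz2; do
        [ -f "$f" ] || continue
        printf '%s\n' "$before" | grep -Fxq -- "$f" && continue
        new=$f
    done

    # A zero exit status alone is not proof that a usable file was written.
    if [ -z "$new" ] || [ ! -s "$new" ]; then
        echo "backup_online: no new archive in $targetdir" >&2
        return 1
    fi
    chmod 600 "$new"
    printf '%s\n' "$new"
)
```

A cron job would call `backup_online /root dc1` and alert on a non-zero exit status.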
