[Samba] Online backup of domain fails

Tim Beale timbeale at catalyst.net.nz
Thu Jan 10 02:46:43 UTC 2019 

Hi,

At the point it's failing, samba-tool is trying to backup your sysvol
share (preserving all the NTACLs as it goes). I'm not sure what exactly
is going wrong. It appears you don't have access rights to read an NTACL
for one of these files.

You could try increasing the debug-level on both the server and in the
samba-tool command to see if that tells you more, but it might be
quicker to try one of the following:
- As a sanity-check, you could run 'samba-tool ntacl sysvolcheck'
locally on your DC. It may tell you if there's an ACL problem.
- Instead of an online backup, try running 'samba-tool domain backup
offline' locally on your DC. It creates a slightly different type of
backup, but how it backs up sysvol will work a bit different.
- If you can work out the file it's failing on, then you could check if
'samba-tool ntacl get' works for that file.

Cheers,
Tim

On 10/01/19 12:59 AM, Benedikt Kaleß via samba wrote:
> Dear all,
>
> I use the Sernet Samba packages in version 4.9.3.
>
> I try to do an online-backup of my domain by:
>
>  samba-tool domain backup online --server=ad2 --targetdir=/root
> -Uadministrator
>
> and I get the following error:
>
> Committing SAM database
> Setting isSynchronized and dsServiceName
> Cloned domain DOMAIN (SID S-1-5-21-1996849263-3223042488-349429296)
> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A
> process has requested access to an object but has not been granted those
> access rights.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
> line 243, in run
>     backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508, in
> backup_online
>     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331, in
> get_acl
>     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
>
>
> Does anyone has a trick for me?
>
> Best regards
> Benedikt
>

More information about the samba mailing list