[Samba] Online backup of domain fails

Tim Beale timbeale at catalyst.net.nz
Thu Jan 10 20:57:58 UTC 2019


Oh sorry, I forgot that the offline option isn't in 4.9. It will be in
4.10 (release candidate should be available next week some time).
However, you have to run the offline command locally on the DC, and you
probably don't want to install an rc build on a production DC.

So when I set the DC's smb.conf debug level to 3, I see smbd logs like
the following when doing the sysvol portion of the backup:

smbd: call_nt_transact_query_security_desc: file =
addom.samba.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE,
info_wanted = 0xf
smbd: smbd_do_query_security_desc: sd_size = 272.

The last call_nt_transact_query_security_desc log you see may be the
file that it's failing on. If (for the last file) you see the first log
but not the second, then that narrows it down - it means
smbd_do_query_security_desc() is failing. If you use debug level 10 on
the server, it should display a smbd_do_query_security_desc() error
message pinpointing the problem.

You might want to double-check the smbd debug you got at level 10.
There's a lot of noise that comes out, so it's easy to miss things.

Cheers,
Tim

On 11/01/19 3:43 AM, Benedikt Kaleß via samba wrote:
> Hi,
>
> thanks for your hints!
>
> On 10.01.19 at 03:46, Tim Beale via samba wrote:
>
>> - As a sanity-check, you could run 'samba-tool ntacl sysvolcheck'
>> locally on your DC. It may tell you if there's an ACL problem.
> samba-tool ntacl sysvolcheck doesn't show any problems.
>
>> - Instead of an online backup, try running 'samba-tool domain backup
>> offline' locally on your DC. It creates a slightly different type of
>> backup, but how it backs up sysvol will work a bit differently.
> I tried to do an "offline" backup. But I don't find an option "offline"
>
> samba-tool domain backup --help
> Usage: samba-tool domain backup <subcommand>
>
> Create or restore a backup of the domain.
>
>
> Options:
>   -h, --help  show this help message and exit
>
>
> Available subcommands:
>   online   - Copy a running DC's current DB into a backup tar file.
>   rename   - Copy a running DC's DB to backup file, renaming the domain
> in the process.
>   restore  - Restore the domain's DB from a backup-file.
> For more help on a specific subcommand, please type: samba-tool domain
> backup <subcommand> (-h|--help)
>
>> - If you can work out the file it's failing on, then you could check if
>> 'samba-tool ntacl get' works for that file.
> We changed the loglevel to 10 and we didn't find any file with
> insufficient permissions.
>
> Best
>
> Benedikt
>
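
Added example (not part of the message above and not Samba code): a Python scan that applies the check Tim describes, reporting every call_nt_transact_query_security_desc log that is not followed by an smbd_do_query_security_desc sd_size log. It assumes the log lines come from a single smbd process in order and carry the message text quoted in the mail; the function and variable names are hypothetical and the sample lines are constructed.

```python
import re
import sys

# Message text as quoted in the mail above (smbd debug level 3).
QUERY_RE = re.compile(
    r"call_nt_transact_query_security_desc: file = (?P<file>.+?), "
    r"info_wanted = 0x[0-9a-fA-F]+")
DONE_RE = re.compile(r"smbd_do_query_security_desc: sd_size = \d+")

# Constructed sample: the first pair mirrors the mail; the USER entry is
# made up to show a query that never gets its sd_size line.
POLICY = "addom.samba.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}"
SAMPLE = [
    f"smbd: call_nt_transact_query_security_desc: file = {POLICY}/MACHINE, info_wanted = 0xf",
    "smbd: smbd_do_query_security_desc: sd_size = 272.",
    f"smbd: call_nt_transact_query_security_desc: file = {POLICY}/USER, info_wanted = 0xf",
]


def unanswered_queries(lines):
    """Return files whose query log has no sd_size log before the next query.

    Assumes the lines come from a single smbd process, in order.
    """
    pending = None
    unanswered = []
    for line in lines:
        query = QUERY_RE.search(line)
        if query:
            if pending is not None:
                unanswered.append(pending)
            pending = query.group("file")
        elif pending is not None and DONE_RE.search(line):
            pending = None
    if pending is not None:          # the last query never completed
        unanswered.append(pending)
    return unanswered


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    for name in unanswered_queries(lines):
        print("no sd_size logged for:", name)
```

Run it with the path to the smbd log as the only argument; with no argument it scans the constructed sample.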


