[Samba] domain online backup

lists lists at merit.unu.edu
Mon Jul 15 13:47:26 UTC 2019 

Hi,

Just to answer my own question from a month ago.

Today we upgraded from 4.9 to 4.10 (.6) and now the online backup 
functionality started working as expected.

Best regards to all, and enjoy your holidays if you are having it :-)

MJ

On 18-6-2019 10:36, lists via samba wrote:
> Hi,
> 
> A question on the (for us: new) online backup functionality. I created a 
> backup of our domain successfully with:
> 
> samba-tool domain backup online --server=dc3 --targetdir=/backup 
> -Umyusername at samba.domain.com
> 
> Next, to be able to schedule an automatic daily backup job, I created a 
> specific user (member of Domain Admins) to run the backup. But then the 
> backup fails:
> 
>> Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com] 
>> objects[196/196] linked_values[0/0]
>> Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
>> Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com] objects[25/25] 
>> linked_values[0/0]
>> Committing SAM database
>> Setting isSynchronized and dsServiceName
>> Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
>> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A 
>> process has requested access to an object but has not been granted 
>> those access rights.')
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
>> line 178, in _run
>>     return self.run(*args, **kwargs)
>>   File 
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 
>> 243, in run
>>     backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508, 
>> in backup_online
>>     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331, 
>> in get_acl
>>     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
> 
> Having read the wiki, a cause could be that the backup tool only works 
> over SMBv1. But then it would always fail, also with my own 
> myusername at samba.domain.com, so I guess that's not what is causing this..?
> 
> So, other than being a member of the Domain Admin group, what else is 
> required for the user running the backup?
> 
> (I tried also granting the SeBackupPrivilege to the user, but it makes 
> no difference)
> 
> This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.
> 
> MJ
>

More information about the samba mailing list