[Samba] domain backup online

Joachim Lindenberg samba at lindenberg.one
Thu Jul 18 06:59:52 UTC 2019


Hi Tim,
Thanks for the clarification. I am wondering why that statement is not prominently on the wiki page you reference.

Ivan,
online backup of Linux systems (without LVM snapshots) is imho a disaster of its own (unless you tweak your installation to use LVM snapshots), as is full system encryption (at least if you don't like to enter passphrases during every restart). Therefore I am running my DCs as virtual machines on Hyper-V, which supports encryption via BitLocker and consistent backup (using my own software) of the entire Hyper-V including all virtual machines. For Windows guests this triggers the standard VSS integration; for Linux guests it is only fsync, but that is actually more likely consistent than most Linux backup tools.
Best Regards, Joachim

-----Original Message-----
From: Tim Beale <timbeale at catalyst.net.nz>
Sent: Thursday, 18 July 2019 04:50
To: Joachim Lindenberg <samba at lindenberg.one>; 'Ivan Jurišić' <ivan at jurisic.org>; samba at lists.samba.org
Subject: Re: [Samba] domain backup online

Hi,

Just to reiterate an important point, the 'domain backup' command is there to backup your domain information, not your DC.

If you still have a working domain, then you can recover any DC by simply rejoining it to the domain. Do not use backup/restore to recover an individual DC.

If you want to recover your entire domain (i.e. power off all your DCs and start again from scratch), then that's when you restore from a backup file.

So yes, it's still a good idea to do backups regardless of how many DCs you have running.

However, in this case, the backup file from only one of the DCs would ever be used to restore the domain. It's still fine to backup every DC, but the only real point of doing so is extra insurance in case the first backup file doesn't recover the domain properly.

See also:
https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC

Cheers,
Tim

On 18/07/19 12:32 AM, Joachim Lindenberg via samba wrote:
> Afaik one is not supposed to ever restore a DC in case you are running multiple. Thus I am wondering why you want to do (online or not) backups at all.
> Or did that rule change?
> Regards, Joachim
>
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Ivan Jurišic via samba
> Sent: Wednesday, 17 July 2019 13:39
> To: samba at lists.samba.org
> Subject: [Samba] domain backup online
>
> On my primary Samba AD DC server all works OK when doing an online backup, but on my secondary server I have an error:
>
> ERROR(<type 'exceptions.IndexError'>): uncaught exception - list index out of range
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 237, in run
>     new_sid = get_sid_for_restore(remote_sam)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 73, in get_sid_for_restore
>     rid = int(res[0].get('rIDNextRID')[0])
>
>
> How to fix?
>
> Complete output:
>
> root at dc2:/var/log# samba-tool domain backup online --server=dc2.intra.mydomain.com --targetdir=/media/backup -Uadministrator at intra.mydomain.com
> workgroup is MYDOMAIN
> realm is intra.mydomain.com
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>
> A Kerberos configuration suitable for Samba AD has been generated at /media/backup/tmphyBvX0/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=intra,DC=mydomain,DC=com
> Starting replication
> Using DS_BIND_GUID_W2K3
> Schema-DN[CN=Schema,CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[402/1618] linked_values[0/0]
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[804/1618] linked_values[0/0]
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1206/1618] linked_values[0/0]
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1608/1618] linked_values[0/0]
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1618/1618] linked_values[30/30]
> Replicating critical objects from the base DN of the domain
> Partition[DC=intra,DC=mydomain,DC=com] objects[98/98] linked_values[24/24]
> Partition[DC=intra,DC=mydomain,DC=com] objects[385/287] linked_values[28/28]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=intra,DC=mydomain,DC=com
> Partition[DC=DomainDnsZones,DC=intra,DC=mydomain,DC=com] objects[42/42] linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=intra,DC=mydomain,DC=com
> Partition[DC=ForestDnsZones,DC=intra,DC=mydomain,DC=com] objects[19/19] linked_values[0/0]
> Committing SAM database
> Setting isSynccomonized and dsServiceName
> Cloned domain MYDOMAIN (SID S-1-5-21-1643297388-1269305111-252802184)
> ERROR(<type 'exceptions.IndexError'>): uncaught exception - list index out of range
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 237, in run
>     new_sid = get_sid_for_restore(remote_sam)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 73, in get_sid_for_restore
>     rid = int(res[0].get('rIDNextRID')[0])
>