[Samba] domain online backup

[lists]

Hi,

A question on the (for us: new) online backup functionality. I created a 
backup of our domain successfully with:

samba-tool domain backup online --server=dc3 --targetdir=/backup 
-Umyusername at samba.domain.com

Next, to be able to schedule an automatic daily backup job, I created a 
specific user (member of Domain Admins) to run the backup. But then the 
backup fails:

> Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com] objects[196/196] linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
> Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com] objects[25/25] linked_values[0/0]
> Committing SAM database
> Setting isSynchronized and dsServiceName
> Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 178, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 243, in run
>     backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508, in backup_online
>     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331, in get_acl
>     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)

Having read the wiki, a cause could be that the backup tool only works 
over SMBv1. But then it would always fail, also with my own 
myusername at samba.domain.com, so I guess that's not what is causing this..?

So, other than being a member of the Domain Admin group, what else is 
required for the user running the backup?

(I tried also granting the SeBackupPrivilege to the user, but it makes 
no difference)

This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.

MJ