[Samba] domain online backup

L.P.H. van Belle belle at bazuin.nl
Tue Jun 18 09:05:05 UTC 2019 

Hi M-J.

SeBackupPrivilege only give access to read all files. 
You also need to set: SeRestorePrivilege to allow restoring.
And it does not say anything about the ACLs needed in the AD-DB. 

Increase the debug level and find out where its giving this messages.
On which object, if you know that, then you might find what is missing or if you found a bug ;-) 
(i think last) 

Running this on samba 4.10.4 on my DC.  ( knit Administrator first ), I noticed this. 

Im running: ( from DC1, backuping DC2 ) 
samba-tool domain backup online --server=dc2 --targetdir=/tmp -k yes
.. yes /tmp, i know its just a test.. 

Which runs fine, then just at the end of the backup.. 
Its asking again for a password?? 
Password for [Administrator at REALM.FQDN]:
After typing the pass, the backup was correctly made. 

Tested backup from DC1, backuping DC1.
samba-tool domain backup online --server=dc1 --targetdir=/tmp -k yes
Same result. 

#Destroy kerberos ticket for Administrator
kdestroy

samba-tool domain backup online --server=dc1 --targetdir=/tmp -Uadministrator
Works, but no need to re-enter the password. ! 

And DC2. ( from DC1 backuped) 
samba-tool domain backup online --server=dc1 --targetdir=/tmp -Uadministrator

Also same, correct backup. Again no need to re-enter passwords. 

So it looks like the you found a bug, and when i look at my output.

Its somewhere in this part, after 
/usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain

Password for [Administrator at REALM.FQDN]:

And before 
/usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124:

So run a new backup with a higher debug level, on in NTLM auth and one Kerberos should show whats going one.

Greetz, 

Louis

 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> lists via samba
> Verzonden: dinsdag 18 juni 2019 10:36
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] domain online backup
> 
> Hi,
> 
> A question on the (for us: new) online backup functionality. 
> I created a 
> backup of our domain successfully with:
> 
> samba-tool domain backup online --server=dc3 --targetdir=/backup 
> -Umyusername at samba.domain.com
> 
> Next, to be able to schedule an automatic daily backup job, I 
> created a 
> specific user (member of Domain Admins) to run the backup. 
> But then the 
> backup fails:
> 
> > Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com] 
> objects[196/196] linked_values[0/0]
> > Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
> > Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com] 
> objects[25/25] linked_values[0/0]
> > Committing SAM database
> > Setting isSynchronized and dsServiceName
> > Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
> > ERROR(runtime): uncaught exception - (3221225506, '{Access 
> Denied} A process has requested access to an object but has 
> not been granted those access rights.')
> >   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 178, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.p
> y", line 243, in run
> >     backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", 
> line 508, in backup_online
> >     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", 
> line 331, in get_acl
> >     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
> 
> Having read the wiki, a cause could be that the backup tool 
> only works 
> over SMBv1. But then it would always fail, also with my own 
> myusername at samba.domain.com, so I guess that's not what is 
> causing this..?
> 
> So, other than being a member of the Domain Admin group, what else is 
> required for the user running the backup?
> 
> (I tried also granting the SeBackupPrivilege to the user, but 
> it makes 
> no difference)
> 
> This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.
> 
> MJ
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list