[Samba] domain online backup
Rowland penny
rpenny at samba.org
Tue Jun 18 09:21:48 UTC 2019
On 18/06/2019 09:36, lists via samba wrote:
> Hi,
>
> A question on the (for us: new) online backup functionality. I created
> a backup of our domain successfully with:
>
> samba-tool domain backup online --server=dc3 --targetdir=/backup
> -Umyusername at samba.domain.com
>
> Next, to be able to schedule an automatic daily backup job, I created
> a specific user (member of Domain Admins) to run the backup. But then
> the backup fails:
>
>> Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com]
>> objects[196/196] linked_values[0/0]
>> Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
>> Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com]
>> objects[25/25] linked_values[0/0]
>> Committing SAM database
>> Setting isSynchronized and dsServiceName
>> Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
>> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A
>> process has requested access to an object but has not been granted
>> those access rights.')
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 178, in _run
>> return self.run(*args, **kwargs)
>> File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
>> line 243, in run
>> backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508,
>> in backup_online
>> ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331,
>> in get_acl
>> smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
>
> Having read the wiki, a cause could be that the backup tool only works
> over SMBv1. But then it would always fail, also with my own
> myusername at samba.domain.com, so I guess that's not what is causing
> this..?
>
> So, other than being a member of the Domain Admin group, what else is
> required for the user running the backup?
>
> (I tried also granting the SeBackupPrivilege to the user, but it makes
> no difference)
>
> This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.
>
> MJ
>
I know you say you are using a specific user to run the backup as, but
who is actually running the samba-tool comand ?
It should be 'root'
Rowland
More information about the samba
mailing list