[Samba] domain online backup

L.P.H. van Belle belle at bazuin.nl
Tue Jun 18 09:39:50 UTC 2019


See below. 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 18 June 2019 11:22
> To: samba at lists.samba.org
> Subject: Re: [Samba] domain online backup
> 
> On 18/06/2019 09:36, lists via samba wrote:
> > Hi,
> >
> > A question on the (for us: new) online backup functionality. I created
> > a backup of our domain successfully with:
> >
> > samba-tool domain backup online --server=dc3 --targetdir=/backup -Umyusername at samba.domain.com
> >
> > Next, to be able to schedule an automatic daily backup job, I created
> > a specific user (member of Domain Admins) to run the backup. But then
> > the backup fails:
> >
> >> Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com] objects[196/196] linked_values[0/0]
> >> Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
> >> Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com] objects[25/25] linked_values[0/0]
> >> Committing SAM database
> >> Setting isSynchronized and dsServiceName
> >> Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
> >> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
> >>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 178, in _run
> >>     return self.run(*args, **kwargs)
> >>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 243, in run
> >>     backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
> >>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508, in backup_online
> >>     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
> >>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331, in get_acl
> >>     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
> >
> > Having read the wiki, a cause could be that the backup tool only works
> > over SMBv1. But then it would always fail, also with my own
> > myusername at samba.domain.com, so I guess that's not what is causing
> > this..?
> >
> > So, other than being a member of the Domain Admin group, what else is
> > required for the user running the backup?
> >
> > (I tried also granting the SeBackupPrivilege to the user, but it makes
> > no difference)
> >
> > This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.
> >
> > MJ
> >
> I know you say you are using a specific user to run the backup as, but
> who is actually running the samba-tool command?
> 
> It should be 'root'
Sorry, I don't agree here.

My test was done as a normal user (no SePrivileges at all).

It COULD be root, but you SHOULD be able to use any account, because you supply the user that needs the rights for the backup (on the ADDB and/or files).
In my case I did use Administrator, since it already has all needed rights.

Greetz, 

Louis



