[Samba] domain online backup

Andrew Bartlett abartlet at samba.org
Tue Jun 18 09:46:08 UTC 2019 

On Tue, 2019-06-18 at 10:36 +0200, lists via samba wrote:
> Hi,
> 
> A question on the (for us: new) online backup functionality. I created a 
> backup of our domain successfully with:
> 
> samba-tool domain backup online --server=dc3 --targetdir=/backup 
> -Umyusername at samba.domain.com
> 
> Next, to be able to schedule an automatic daily backup job, I created a 
> specific user (member of Domain Admins) to run the backup. But then the 
> backup fails:
> 
> > Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com] objects[196/196] linked_values[0/0]
> > Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
> > Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com] objects[25/25] linked_values[0/0]
> > Committing SAM database
> > Setting isSynchronized and dsServiceName
> > Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
> > ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 178, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 243, in run
> >     backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508, in backup_online
> >     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331, in get_acl
> >     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
> 
> Having read the wiki, a cause could be that the backup tool only works 
> over SMBv1. But then it would always fail, also with my own 
> myusername at samba.domain.com, so I guess that's not what is causing this..?
> 
> So, other than being a member of the Domain Admin group, what else is 
> required for the user running the backup?
> 
> (I tried also granting the SeBackupPrivilege to the user, but it makes 
> no difference)
> 
> This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.

This looks like a known bug:

https://bugzilla.samba.org/show_bug.cgi?id=13917

Perhaps try with that patch?

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list