[Samba] domain online backup
L.P.H. van Belle
belle at bazuin.nl
Tue Jun 18 09:46:43 UTC 2019
In addition (for Rowland, you're not totally wrong) ;-)
(thanks Tené for your question)
The "samba-tool domain backup online" needs a correct user with correct rights WITHIN the AD-DB.
The "samba-tool domain backup offline" needs a correct user with correct rights for the file system.
So to my understanding, here it needs to run "as root".
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Tuesday 18 June 2019 11:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] domain online backup
>
> See below.
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland penny via samba
> > Sent: Tuesday 18 June 2019 11:22
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] domain online backup
> >
> > On 18/06/2019 09:36, lists via samba wrote:
> > > Hi,
> > >
> > > A question on the (for us: new) online backup functionality. I created
> > > a backup of our domain successfully with:
> > >
> > > samba-tool domain backup online --server=dc3 --targetdir=/backup
> > > -Umyusername at samba.domain.com
> > >
> > > Next, to be able to schedule an automatic daily backup job, I created
> > > a specific user (member of Domain Admins) to run the backup. But then
> > > the backup fails:
> > >
> > >> Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com]
> > >> objects[196/196] linked_values[0/0]
> > >> Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
> > >> Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com]
> > >> objects[25/25] linked_values[0/0]
> > >> Committing SAM database
> > >> Setting isSynchronized and dsServiceName
> > >> Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
> > >> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
> > >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 178, in _run
> > >> return self.run(*args, **kwargs)
> > >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 243, in run
> > >> backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
> > >> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508, in backup_online
> > >> ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
> > >> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331, in get_acl
> > >> smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
> > >
> > > Having read the wiki, a cause could be that the backup tool only works
> > > over SMBv1. But then it would always fail, also with my own
> > > myusername at samba.domain.com, so I guess that's not what is causing
> > > this..?
> > >
> > > So, other than being a member of the Domain Admin group, what else is
> > > required for the user running the backup?
> > >
> > > (I tried also granting the SeBackupPrivilege to the user, but it makes
> > > no difference)
> > >
> > > This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.
> > >
> > > MJ
> > >
> > I know you say you are using a specific user to run the backup as, but
> > who is actually running the samba-tool command?
> >
> > It should be 'root'
> Sorry, I don't agree here.
>
> My test was done as a normal user. ( no SePrivileges at all. )
>
> It COULD be root, but you SHOULD be able to use any account,
> because you supply the user that needs the rights for the
> backup (on the ADDB and/or files.)
> In my case I did use Administrator, since it already has all
> needed rights.
>
> Greetz,
>
> Louis