[Samba] domain online backup

Rowland penny rpenny at samba.org
Tue Jun 18 09:50:08 UTC 2019


On 18/06/2019 10:39, L.P.H. van Belle via samba wrote:
> See below.
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
>> Rowland penny via samba
>> Sent: Tuesday 18 June 2019 11:22
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] domain online backup
>>
>> On 18/06/2019 09:36, lists via samba wrote:
>>> Hi,
>>>
>>> A question on the (for us: new) online backup functionality. I created
>>> a backup of our domain successfully with:
>>>
>>> samba-tool domain backup online --server=dc3 --targetdir=/backup
>>> -Umyusername at samba.domain.com
>>>
>>> Next, to be able to schedule an automatic daily backup job, I created
>>> a specific user (member of Domain Admins) to run the backup. But then
>>> the backup fails:
>>>
>>>> Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com]
>>>> objects[196/196] linked_values[0/0]
>>>> Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
>>>> Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com]
>>>> objects[25/25] linked_values[0/0]
>>>> Committing SAM database
>>>> Setting isSynchronized and dsServiceName
>>>> Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
>>>> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A
>>>> process has requested access to an object but has not been granted
>>>> those access rights.')
>>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>>> line 178, in _run
>>>>      return self.run(*args, **kwargs)
>>>>    File
>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
>>>> line 243, in run
>>>>      backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
>>>>    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508,
>>>> in backup_online
>>>>      ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
>>>>    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331,
>>>> in get_acl
>>>>      smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
>>> Having read the wiki, a cause could be that the backup tool only works
>>> over SMBv1. But then it would always fail, also with my own
>>> myusername at samba.domain.com, so I guess that's not what is causing
>>> this..?
>>>
>>> So, other than being a member of the Domain Admin group, what else is
>>> required for the user running the backup?
>>>
>>> (I tried also granting the SeBackupPrivilege to the user, but it makes
>>> no difference)
>>>
>>> This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.
>>>
>>> MJ
>>>
>> I know you say you are using a specific user to run the backup as, but
>> who is actually running the samba-tool command?
>>
>> It should be 'root'
> Sorry, I don't agree here.
>
> My test was done as a normal user. (No SePrivileges at all.)
>
> It COULD be root, but you SHOULD be able to use any account, because you supply the user that needs the rights for the backup (on the ADDB and/or files).
> In my case I did use Administrator, since it already has all needed rights.
>
> Greetz,
>
> Louis
>
>
Hmm, the guy that wrote the 'backup' tool also wrote this wiki page:

https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC

Where, under the 'Creating Backups' heading, it says this:

Note that you should run the backup as root.

I would suggest that he knows best ;-)

Rowland



