[Samba] domain online backup

lists lists at merit.unu.edu
Tue Jun 18 10:38:45 UTC 2019


Hi Louis (and Rowland),

Welcome back from holiday!

First: I ran everything as root.

I increased the log level, all the way up to 10, but I don't see much of 
interest. Here is the last bit with -d 10:
https://paste.ubuntu.com/p/yMrw7zNKvN/

Also, no different behaviour with Kerberos vs. NTLM. Perhaps interesting: I am 
not getting the additional password question near the end (neither with 
Kerberos nor NTLM).

Perhaps Andrew is right. I will wait until the next samba release, as I 
guess that one includes the aforementioned fix.

Next week, I will also upgrade to 4.10, and have a try with the offline 
backup option.

MJ

On 18-6-2019 11:05, L.P.H. van Belle via samba wrote:
> Hi M-J.
> 
> SeBackupPrivilege only gives access to read all files.
> You also need to set SeRestorePrivilege to allow restoring.
> And it does not say anything about the ACLs needed in the AD-DB.
> 
> Increase the debug level and find out where it's giving these messages.
> On which object; if you know that, then you might find what is missing, or whether you found a bug ;-)
> (I think the last)
> 
> Running this on samba 4.10.4 on my DC (kinit Administrator first), I noticed this.
> 
> I'm running (from DC1, backing up DC2):
> samba-tool domain backup online --server=dc2 --targetdir=/tmp -k yes
> .. yes /tmp, I know, it's just a test..
> 
> Which runs fine, then just at the end of the backup..
> It's asking again for a password??
> Password for [Administrator at REALM.FQDN]:
> After typing the password, the backup was correctly made.
> 
> Tested backup from DC1, backing up DC1.
> samba-tool domain backup online --server=dc1 --targetdir=/tmp -k yes
> Same result.
> 
> #Destroy kerberos ticket for Administrator
> kdestroy
> 
> samba-tool domain backup online --server=dc1 --targetdir=/tmp -Uadministrator
> Works, but no need to re-enter the password!
> 
> And DC2. (backed up from DC1)
> samba-tool domain backup online --server=dc1 --targetdir=/tmp -Uadministrator
> 
> Also same, correct backup. Again no need to re-enter passwords.
> 
> So it looks like you found a bug, and when I look at my output,
> 
> it's somewhere in this part, after
> /usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain
> 
> Password for [Administrator at REALM.FQDN]:
> 
> And before
> /usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124:
> 
> So run a new backup with a higher debug level, one in NTLM auth and one in Kerberos; that should show what's going on.
> 
> Greetz,
> 
> Louis
> 
>   
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> lists via samba
>> Sent: Tuesday 18 June 2019 10:36
>> To: samba at lists.samba.org
>> Subject: [Samba] domain online backup
>>
>> Hi,
>>
>> A question on the (for us: new) online backup functionality. I created a
>> backup of our domain successfully with:
>>
>> samba-tool domain backup online --server=dc3 --targetdir=/backup
>> -Umyusername at samba.domain.com
>>
>> Next, to be able to schedule an automatic daily backup job, I created a
>> specific user (member of Domain Admins) to run the backup. But then the
>> backup fails:
>>
>>> Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com] objects[196/196] linked_values[0/0]
>>> Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
>>> Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com] objects[25/25] linked_values[0/0]
>>> Committing SAM database
>>> Setting isSynchronized and dsServiceName
>>> Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
>>> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 178, in _run
>>>      return self.run(*args, **kwargs)
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 243, in run
>>>      backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
>>>    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508, in backup_online
>>>      ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
>>>    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331, in get_acl
>>>      smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
>>
>> Having read the wiki, a cause could be that the backup tool only works
>> over SMBv1. But then it would always fail, also with my own
>> myusername at samba.domain.com, so I guess that's not what is
>> causing this..?
>>
>> So, other than being a member of the Domain Admin group, what else is
>> required for the user running the backup?
>>
>> (I tried also granting the SeBackupPrivilege to the user, but it makes
>> no difference)
>>
>> This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.
>>
>> MJ
>>