[Samba] Setting up Backup AD DC
Norbert Hanke
norbert.hanke at gmx.ch
Fri Oct 30 14:21:57 UTC 2020
On 29.10.2020 18:27, Tom Diehl via samba wrote:
> On Thu, 29 Oct 2020, Rowland penny via samba wrote:
>
>> On 29/10/2020 14:43, Marco Shmerykowsky via samba wrote:
>>> I want to setup a backup AD DC and have a few quick
>>> (possibly dumb) questions:
>> No, you just want to add another DC
>>>
>>> 1) Is this link the best reference to the procedure to
>>> create the backup AD DC?
>>>
>>> ->
>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>>
>> It is a good start, then ask any questions here.
>>>
>>> 2) What is considered the best samba option of
>>> the 3 listed for Sysvol Replication under the Subsection
>>> titled "Built-in User & Group ID Mappings" in the
>>> link provided above?
>> This is very subjective, if you ask 100 Samba users 'which is best',
>> you will probably get about 150 different answers :-D
>>>
>>> 3) Does the backup and the primary need to run the
>>> same version of samba?
>>
>> I think you mean 'Does the DC with all the FSMO roles and any other
>> DC need to run the same version of Samba' , to which the answer would
>> be:
>>
>> Ideally yes, but different versions will work together, just don't
>> try to use something like 4.1.x and 4.12.x together, it may work, but
>> I would bet there will be problems.
>
> Maybe I am missing something, but what is the secure way to run an
> automated
> backup on recent versions of samba? Can samba-tool domain backup be
> made to use
> kerberos so I do not need to store an admin password in an unencrypted
> file?
>
> Regards,
>
With Kerberos you need to have an [unencrypted] keytab file. Of course
that is better than a password in a file, but it's not fundamentally
different. The keytab content is just harder to spell than a password.
Regards,
Norbert
More information about the samba
mailing list