Out of curiosity, as I wanted to achieve this some time before, i.e. to 
perform an automated backup of a Samba domain:

Now I've tried to use Kerberos; for the online backup (within a script) I 
have used:

samba-tool domain backup online --targetdir=${BACKUPDIR} 
--server=${DCSERVER} --krb5-ccache=${KRB5CCNAME}

but it seems this is not working, as the backup process is interrupted in the 
middle and I am challenged to authenticate:

samba-tool domain backup online --targetdir=/var/spool/backup/ 
--server=DC1 --krb5-ccache=/tmp/samba-domain.cc

INFO 2020-10-30 18:39:40,846 pid:169937 
/usr/lib64/python3.6/site-packages/samba/join.py #1574: workgroup is FOOBAR
INFO 2020-10-30 18:39:40,847 pid:169937 
/usr/lib64/python3.6/site-packages/samba/join.py #1577: realm is FOO.BAR.CO
Calling bare provision
INFO 2020-10-30 18:39:40,880 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2133: 
Looking up IPv4 addresses
INFO 2020-10-30 18:39:40,882 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: 
Looking up IPv6 addresses
INFO 2020-10-30 18:39:41,522 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2301: 
Setting up share.ldb
INFO 2020-10-30 18:39:41,532 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2305: 
Setting up secrets.ldb
INFO 2020-10-30 18:39:41,542 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2311: 
Setting up the registry
INFO 2020-10-30 18:39:41,570 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2314: 
Setting up the privileges database
INFO 2020-10-30 18:39:41,583 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2317: 
Setting up idmap db
INFO 2020-10-30 18:39:41,594 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2324: 
Setting up SAM db
INFO 2020-10-30 18:39:41,597 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #897: 
Setting up sam.ldb partitions and settings
INFO 2020-10-30 18:39:41,598 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #909: 
Setting up sam.ldb rootDSE
INFO 2020-10-30 18:39:41,600 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #1338: 
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint 
on local domainSIDs

INFO 2020-10-30 18:39:41,742 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2377: A 
Kerberos configuration suitable for Samba AD has been generated at 
INFO 2020-10-30 18:39:41,743 pid:169937 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2378: 
Merge the contents of this file with your system krb5.conf or replace it 
with this one. Do not create a symlink!
Provision OK for domain DN DC=foo,DC=bar,DC=co
Starting replication
objects[402/1628] linked_values[0/0]
objects[804/1628] linked_values[0/0]
objects[1206/1628] linked_values[0/0]
objects[1608/1628] linked_values[0/0]
objects[1628/1628] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[402/1619] 
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[804/1619] 
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1206/1619] 
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1608/1619] 
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1619/1619] 
Replicating critical objects from the base DN of the domain
Partition[DC=foo,DC=bar,DC=co] objects[102/99] linked_values[39/39]
Partition[DC=foo,DC=bar,DC=co] objects[402/1698] linked_values[0/978]
Partition[DC=foo,DC=bar,DC=co] objects[804/1698] linked_values[0/992]
Partition[DC=foo,DC=bar,DC=co] objects[1206/1698] linked_values[0/1035]
Partition[DC=foo,DC=bar,DC=co] objects[1608/1698] linked_values[0/1511]
Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[1500/3156]
Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[3000/3156]
Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[3156/3156]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=foo,DC=bar,DC=co
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[402/1553] 
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[804/1553] 
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[1206/1553] 
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[1553/1553] 
Replicating DC=ForestDnsZones,DC=foo,DC=bar,DC=co
Partition[DC=ForestDnsZones,DC=foo,DC=bar,DC=co] objects[19/19] 
Committing SAM database
Repacking database from v1 to v2 format (first record 
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record 
Repacking database from v1 to v2 format (first record CN=Deleted 
Repack: re-packed 10000 records so far
INFO 2020-10-30 18:41:21,983 pid:169937 
/usr/lib64/python3.6/site-packages/samba/join.py #1671: Setting 
isSynchronized and dsServiceName
INFO 2020-10-30 18:41:21,995 pid:169937 
/usr/lib64/python3.6/site-packages/samba/join.py #1580: Cloned domain 
FOOBAR (SID S-1-5-21-x-y-z)
INFO 2020-10-30 18:41:22,127 pid:169937 
/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py #271: 
Backing up sysvol files (via SMB)...
Password for [svc_backupdomain at FOO.BAR.CO]:
ERROR(runtime): uncaught exception - (3221225996, 'The transport 
connection is now disconnected.')
   File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", 
line 186, in _run
     return self.run(*args, **kwargs)
"/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 
273, in run
     smb_conn = smb_sysvol_conn(server, lp, creds)
"/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 
118, in smb_sysvol_conn
     return libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)

- the parameter "--krb5-ccache" is actually *not* documented in the manpage; 
I just found it on the wiki page: 

- the alternative of using the offline backup does not work for us with the known 

module samba_dsdb initialization failed : Operations error
Unable to load modules for /var/lib/samba/bind-dns/dns/sam.ldb: 
partition_metadata: Migrating partition metadata: create of metadata.tdb 
gave: partition_metadata: Unable to create 
/var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb: Device or resource busy
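
An added example, not code from this thread or from the Samba project: the scaffolding I would put around the command above for an unattended run, which answers Tom's question about avoiding a stored admin password by obtaining the ticket from a keytab into a private, per-run credential cache and handing that cache to samba-tool both via --krb5-ccache and via KRB5CCNAME. The keytab path, principal name, DC name and target directory are placeholders, the kinit/klist/kdestroy flags are MIT Kerberos syntax, and the script does not by itself resolve the sysvol password prompt seen above; it only makes such a prompt fail loudly instead of hanging the job.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: an unattended
# online domain backup that authenticates from a keytab instead of a password
# file.  Keytab path, principal, DC name and target directory below are
# placeholders; replace them with your own.
set -eu
umask 077   # the backup tarball carries every domain secret; keep it owner-only

BACKUP_DC="${BACKUP_DC:-DC1}"
BACKUP_DIR="${BACKUP_DIR:-/var/spool/backup}"
BACKUP_KEYTAB="${BACKUP_KEYTAB:-/etc/samba/svc_backupdomain.keytab}"   # placeholder
BACKUP_PRINC="${BACKUP_PRINC:-svc_backupdomain@FOO.BAR.CO}"            # placeholder

# Create a private, per-run credential cache and print its spec with an
# explicit FILE: prefix, so every consumer (samba-tool, GSSAPI) gets the
# same unambiguous cache name.
make_ccache() {
    dir=$(mktemp -d /tmp/samba-backup.XXXXXX)
    echo "FILE:$dir/krb5cc"
}

# Assemble the samba-tool invocation as one string: the options are those
# shown in the thread (--targetdir, --server, --krb5-ccache).  Kept as a pure
# function so the exact command can be logged and checked without a domain.
backup_cmd() {
    # $1 = target directory, $2 = DC to replicate from, $3 = ccache spec
    printf 'samba-tool domain backup online --targetdir=%s --server=%s --krb5-ccache=%s' \
        "$1" "$2" "$3"
}

run_backup() {
    cc=$(make_ccache)
    ccdir=$(dirname "${cc#FILE:}")
    # Destroy the ticket and remove its directory however the run ends.
    trap 'kdestroy -c "$cc" 2>/dev/null || true; rm -rf "$ccdir"' EXIT
    # Same cache in the environment: GSSAPI reads KRB5CCNAME, so the SMB
    # sysvol step has the same ticket available as the replication step.
    export KRB5CCNAME="$cc"
    kinit -k -t "$BACKUP_KEYTAB" "$BACKUP_PRINC"   # MIT kinit: TGT from keytab
    klist -s               # MIT klist: non-zero exit if there is no valid TGT
    mkdir -p "$BACKUP_DIR"
    cmd=$(backup_cmd "$BACKUP_DIR" "$BACKUP_DC" "$cc")
    logger -t samba-backup "running: $cmd"
    # stdin from /dev/null: if samba-tool still falls back to a password
    # prompt, as in the thread, the job fails instead of waiting for input.
    eval "$cmd" </dev/null
    logger -t samba-backup "backup written under $BACKUP_DIR"
}

# Only perform the backup when explicitly asked ("run" as first argument),
# so sourcing the file for its functions has no side effects.
if [ "${1:-}" = run ]; then
    run_backup
fi
```

The umask and the owner-only target directory matter as much as the keytab: the tarball samba-tool writes contains the whole SAM, so Norbert's point about an unencrypted keytab applies just as much to the backup output itself.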



On 10/30/2020 3:21 PM, Norbert Hanke via samba wrote:
> On 29.10.2020 18:27, Tom Diehl via samba wrote:
>> On Thu, 29 Oct 2020, Rowland penny via samba wrote:
>>> On 29/10/2020 14:43, Marco Shmerykowsky via samba wrote:
>>>>  I want to setup a backup AD DC and have a few quick
>>>>  (possibly dumb) questions:
>>> No, you just want to add another DC
>>>>  1) Is this link the best reference to the procedure to
>>>>     create the backup AD DC?
>>>>  ->
>>>>  https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory 
>>> It is a good start, then ask any questions here.
>>>>  2) What is considered the best samba option of
>>>>     the 3 listed for Sysvol Replication under the Subsection
>>>>     titled "Built-in User & Group ID Mappings" in the
>>>>     link provided above?
>>> This is very subjective, if you ask 100 Samba users 'which is best',
>>> you will probably get about 150 different answers :-D
>>>>  3) Does the backup and the primary need to run the
>>>>     same version of samba?
>>> I think you mean 'Does the DC with all the FSMO roles and any other
>>> DC need to run the same version of Samba' , to which the answer would
>>> be:
>>> Ideally yes, but different versions will work together, just don't
>>> try to use something like 4.1.x and 4.12.x together, it may work, but
>>> I would bet there will be problems.
>> Maybe I am missing something, but what is the secure way to run an automated
>> backup on recent versions of samba? Can samba-tool domain backup be made to use
>> kerberos so I do not need to store an admin password in an unencrypted file?
>> Regards,
> With Kerberos you need to have an [unencrypted] keytab file. Of course
> that is better than a password in a file, but it's not fundamentally
> different. The keytab content is just harder to spell than a password.
> Regards,
> Norbert

