[Samba] Setting up Backup AD DC

Andrew Bartlett abartlet at samba.org
Fri Oct 30 19:44:54 UTC 2020


On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote:
> On 29.10.2020 18:27, Tom Diehl via samba wrote:
> > 
> > Maybe I am missing something, but what is the secure way to run an
> > automated backup on recent versions of samba? Can samba-tool domain
> > backup be made to use kerberos so I do not need to store an admin
> > password in an unencrypted file?
> > 
> > Regards,
> > 
> With Kerberos you need to have an [unencrypted] keytab file. Of course
> that is better than a password in a file, but it's not fundamentally
> different. The keytab content is just harder to spell than a password.

The offline backup is probably better for a cron-job if you are
hesitant about stored key/passwords. 

But then again, a keytab with those same permissions is unencrypted in
the private folder (with strict permissions naturally) of every DC, so
the risks on the backup server are relatively the same as yet another
DC. 

(DC accounts are equally powerful as the administrator really).

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba
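
The offline backup suggested in the message above, as an added example that is not part of the original post or Samba's own code: a cron-ready wrapper around `samba-tool domain backup offline` that stores no password or keytab and refuses to write into a directory that other accounts can read. The function names, the `SAMBA_TOOL` variable and the `--cron` switch are assumptions made for this example.

```shell
#!/bin/bash
# Added example: run on the DC itself from root's crontab, so no stored
# credential is needed. SAMBA_TOOL is an assumed override for the binary path.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Succeeds only if $1 is a directory owned by the invoking user with no
# group/other permission bits (e.g. 700). The backup tarball holds the
# directory database, so it needs the same care as a DC's private folder.
dir_is_private() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "$(id -u)" ] || return 1
    case "$(stat -c %a "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Runs the offline backup into $1; returns 2 without touching samba-tool
# when the target directory is not private.
run_offline_backup() {
    target="$1"
    if ! dir_is_private "$target"; then
        echo "refusing: $target must be owned by $(id -un), mode 0700" >&2
        return 2
    fi
    # Subshell keeps the restrictive umask from leaking to the caller.
    ( umask 077 && "$SAMBA_TOOL" domain backup offline --targetdir="$target" )
}

# Hypothetical crontab usage: this-script --cron <private backup directory>
if [ "${1:-}" = "--cron" ]; then
    run_offline_backup "${2:?target directory required}"
fi
```

Anything that later copies the tarball off the DC inherits the same exposure, so the destination needs equally strict permissions.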





