[Samba] Setting up Backup AD DC

Andrew Bartlett abartlet at samba.org
Fri Oct 30 19:44:54 UTC 2020

On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote:
> On 29.10.2020 18:27, Tom Diehl via samba wrote:
> > 
> > Maybe I am missing something, but what is the secure way to run an
> > automated
> > backup on recent versions of samba? Can samba-tool domain backup be
> > made to use
> > kerberos so I do not need to store an admin password in an
> > unencrypted
> > file?
> > 
> > Regards,
> > 
> With Kerberos you need to have an [unencrypted] keytab file. Of
> course
> that is better than a password in a file, but it's not fundamentally
> different. The keytab content is just harder to spell than a
> password.

The offline backup is probably better for a cron-job if you are
hesitant about stored key/passwords. 

But then again, a keytab with those same permissions is unencrypted in
the private folder (with strict permissions naturally) of every DC, so
the risks on the backup server are relatively the same as yet another

(DC accounts are equally powerful as the the administrator really). 

I hope this helps,

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          

More information about the samba mailing list