[Samba] Setting up Backup AD DC

Norbert Hanke norbert.hanke at gmx.ch
Fri Oct 30 22:55:18 UTC 2020


On 30.10.2020 20:44, Andrew Bartlett wrote:
> On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote:
>> On 29.10.2020 18:27, Tom Diehl via samba wrote:
>>> Maybe I am missing something, but what is the secure way to run an
>>> automated
>>> backup on recent versions of samba? Can samba-tool domain backup be
>>> made to use
>>> kerberos so I do not need to store an admin password in an
>>> unencrypted
>>> file?
>>>
>>> Regards,
>>>
>> With Kerberos you need to have an [unencrypted] keytab file. Of
>> course
>> that is better than a password in a file, but it's not fundamentally
>> different. The keytab content is just harder to spell than a
>> password.
> The offline backup is probably better for a cron-job if you are
> hesitant about stored key/passwords.
>
> But then again, a keytab with those same permissions is unencrypted in
> the private folder (with strict permissions naturally) of every DC, so
> the risks on the backup server are relatively the same as yet another
> DC.
>
> (DC accounts are equally powerful as the administrator really).
>
> I hope this helps,
>
> Andrew Bartlett
>
I agree: being able to online-backup everything puts the backup server
on an equal level as the DC.

And the same is true for anybody else having access to a backup (online
or offline): having a copy of KRBTGT's keytab gives full power to
impersonate everybody including all kinds of administrator users, most
likely forever. Backups need to be very well protected.

IMHO that's the fundamental security weakness of AD (and Kerberos) in
general: relying on KRBTGT's keys that reside in storage (for all
practical implementations) and rarely get rotated, if at all.

Frankly, I wouldn't know how to rotate KRBTGT keys with a samba DC. For
Windows DCs it's possible and Microsoft published a script to do so:
https://www.microsoft.com/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
Would something similar be possible with Samba?

Regards,
Norbert

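A defender-side check for the "rarely rotated" point above, as an added example that is not from this thread or from the Samba project: it reads the pwdLastSet attribute of the krbtgt account from LDIF-style search output (the sample below is constructed; the ldbsearch invocation in the comment and the 180-day threshold are assumptions) and reports how old the current KRBTGT key is.

```python
"""Report the age of the KRBTGT key from the krbtgt account's pwdLastSet."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample, in the shape of the LDIF that an (assumed) query like
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=krbtgt)' pwdLastSet
# prints. The timestamp below corresponds to 2019-04-01 00:00:00 UTC.
SAMPLE_LDIF = """\
# record 1
dn: CN=krbtgt,CN=Users,DC=example,DC=com
pwdLastSet: 131985504000000000

# returned 1 records
"""

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 180  # assumed policy threshold, not a Samba or AD default


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_pwd_last_set(ldif: str) -> Dict[str, int]:
    """Map each DN in the LDIF text to its integer pwdLastSet value."""
    result: Dict[str, int] = {}
    dn: Optional[str] = None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("pwdLastSet: ") and dn is not None:
            result[dn] = int(line.split(":", 1)[1].strip())
    return result


def stale_krbtgt_keys(ldif: str, now: Optional[datetime] = None,
                      max_days: int = MAX_KEY_AGE_DAYS) -> List[Tuple[str, Optional[int]]]:
    """Return (dn, age_in_days) for every record whose key is older than
    max_days. A pwdLastSet of 0 means "never set" and is reported with age None."""
    now = now or datetime.now(timezone.utc)
    stale: List[Tuple[str, Optional[int]]] = []
    for dn, filetime in parse_pwd_last_set(ldif).items():
        if filetime == 0:
            stale.append((dn, None))
            continue
        age_days = (now - filetime_to_datetime(filetime)).days
        if age_days > max_days:
            stale.append((dn, age_days))
    return stale


if __name__ == "__main__":
    for dn, age in stale_krbtgt_keys(SAMPLE_LDIF):
        print(f"{dn}: KRBTGT key is {age if age is not None else 'never'} days old")
```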