[Samba] Accidental zone deletion

Prasad Dwarapureddi ursdurgaprasad.d at gmail.com
Tue Jun 22 07:45:52 UTC 2021


Hi,

We are trying to build the Admin function delegation on OU in the UI we are
designing. Is there any command in Samba or any python binding that will
help us achieve this?

Below is the output we get after executing the command samba-tool delegation
--help

Available subcommands:
  add-service       - Add a service principal as msDS-AllowedToDelegateTo.
  del-service       - Delete a service principal as msDS-AllowedToDelegateTo.
  for-any-protocol  - Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account.
  for-any-service   - Set/unset UF_TRUSTED_FOR_DELEGATION for an account.
  show              - Show the delegation setting of an account.

After executing samba-tool delegation add-service --help

Usage: samba-tool delegation add-service <accountname> <principal> [options]
Options:
  -h, --help            show this help message and exit
  -H URL, --URL=URL     LDB URL for database or target server

From the commands we have the following questions:

1) There is no <option> for passing the OU name in the "add-service"
subcommand.
2) What are all the possible inputs we can pass for the "principal"
parameter in the "add-service" subcommand?
3) Where will we get all the user/group account information about
delegated tasks on a specific OU?



Thanks and Regards,

Durga Prasad D
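samba-tool delegation manages the Kerberos delegation attributes named in the help output above (msDS-AllowedToDelegateTo and the two userAccountControl flags), not administrative rights over an OU. As an added example that is not part of this thread, the script below audits those attributes from a constructed LDIF-style export of account objects (names, SPNs and values are made up).

```python
import re

# userAccountControl bits toggled by `for-any-service` / `for-any-protocol`
# (values as defined in MS-ADTS and Samba's headers).
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000
# Constructed sample export in LDIF shape (not real accounts).
SAMPLE_LDIF = """\
dn: CN=websvc,OU=Service Accounts,DC=example,DC=test
sAMAccountName: websvc
userAccountControl: 66048
msDS-AllowedToDelegateTo: cifs/fileserver.example.test

dn: CN=legacyapp,OU=Service Accounts,DC=example,DC=test
sAMAccountName: legacyapp
userAccountControl: 590336

dn: CN=proxysvc,OU=Service Accounts,DC=example,DC=test
sAMAccountName: proxysvc
userAccountControl: 16843264
msDS-AllowedToDelegateTo: ldap/dc1.example.test
"""


def parse_ldif(text):
    """Split a simple LDIF export into entries of multi-valued attributes.
    Plain `attr: value` lines only; base64 (`::`) and continuations are not handled."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def classify(entry):
    """Map one account's attributes to its Kerberos delegation mode."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"      # may obtain tickets to any service
    if targets:
        if uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"        # only to the listed SPNs
    return "none"


def audit(ldif_text):
    return {e["sAMAccountName"][0]: classify(e) for e in parse_ldif(ldif_text)}
```

Accounts reported as "unconstrained" are the ones to review first, since that flag is what `for-any-service` sets.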

On Tue, Jun 22, 2021 at 1:11 PM Andrew Bartlett via samba <
samba at lists.samba.org> wrote:

> On Tue, 2021-06-22 at 07:16 +0000, Chris Puttick via samba wrote:
> > Thanks for the response, about what we feared. For interest on one of
> > the DCs we tried
> >
> > samba_upgradedns --dns-backend=SAMBA_INTERNAL --migrate=no
> >
> > and got the response
> >
> > # samba_upgradedns --dns-backend=SAMBA_INTERNAL --migrate=no
> > Reading domain information
> > DNS accounts already exist
> > No zone file /var/lib/samba/private/dns/OXARCH.LOCAL.zone
> > DNS records will be automatically created
> > DNS partitions already exist
> > Finished upgrading DNS
>
> This may have rebuilt a very minimal DNS, which may be a good thing.
>
> > Found the comment about "no zone file" interesting because that
> > directory doesn't exist and AFAIK has never existed (Ubuntu 18.04
> > running Samba 4.7.6-Ubuntu).
>
> Correct.  That tool does a number of different things, but one thing it
> was built for originally was upgrading from a file-based zone into the
> in-directory zone, hence that check and message.
>
> Andrew Bartlett
>
>
> >
> > ----- Original Message -----
> > From: "Andrew Bartlett" <abartlet at samba.org>
> > To: "Chris Puttick" <chris.puttick at cp1associates.net>, "samba" <
> > samba at lists.samba.org>
> > Sent: Tuesday, 22 June, 2021 06:47:29
> > Subject: Re: [Samba] Accidental zone deletion
> >
> > On Tue, 2021-06-22 at 05:29 +0000, Chris Puttick via samba wrote:
> > > Hi
> > >
> > > We have a situation where an MS admin used the AD utilities to tidy
> > > up a neighbouring (MS-based) domain but was attached to the wrong
> > > DC
> > > and deleted the wrongdomain.local zone file (which is apparently a
> > > bit of a thing in MS circles); by the time said admin realised the
> > > deletion had replicated across DCs on all sites. How do we recreate
> > > it, in particular the contents? Hoping the answer is "just manually
> > > create the zone and it'll repopulate".
> > >
> > > Any suggestions welcomed...
> >
> > I assume of course you mean the zone in a Samba AD DC, not a simple
> > .zone file.
> >
> > This has happened, and yes, I do think we should prevent it at the
> > database level, as nobody ever really means to do that.  Last time
> > that
> > happened we helped a client jury-rig up a backup of the sam.ldb into
> > BIND9-DLZ (so only DNS used the old data), allowing service to
> > somewhat
> > continue while things were fixed back up.
> >
> > However, I'm sorry to say it won't just be regenerated, while Samba
> > will try and re-register itself every now and then, I wouldn't count
> > on
> > it getting back the way you found it fast.
> >
> > How are your backups?
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> >
> > Samba Development and Support, Catalyst IT - Expert Open Source
> > Solutions
> >
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
>
>
