[Samba] sambatool online backups

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Feb 25 21:50:49 UTC 2022 

On Fri, Feb 25, 2022 at 4:23 PM Matt Ivie via samba
<samba at lists.samba.org> wrote:
>
> On Tue, 2021-11-02 at 20:19 +0000, Rowland Penny via samba wrote:
> > On Tue, 2021-11-02 at 12:48 -0700, Matt Ivie wrote:
> > > Thanks for the quick response.
> > >
> > > The reason I proposed that is that I can have bareos run a command
> > > to
> > > stop my DC, backup the dir, then restart it. Primarily for system
> > > failure restorations.
> >
> > Please do not do that, it 'might' work if you have only one DC, but
> > if
> > you have more than one DC (which is highly recommended), it will lead
> > to problems.
> >
> >
> > > > What is the actual command you ran ?
> > > >
> > > samba-tool domain backup online --targetdir=smb-ad-online-backup --
> > > server=Harveydc0 -UAdministrator
> >
> > I run the command in a script which is run by cron every hour (you
> > could run it more often, depends how often your AD changes) and it
> > similar to your command, except that I use kerberos authentication.
> >
> > As I said, it works for myself, but I use a much later version of
> > Samba.
> >
> > Rowland
> >
> >
> >
> I found a short term solution to this problem until I'm able to upgrade
> to a later version of Samba. The full details can be found at
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953918
>
> I followed this advice:
>
> All what to do is to replace the line 51
> "security.SEC_FLAG_MAXIMUM_ALLOWED"
> with "security.SEC_STD_READ_CONTROL" in
> "/usr/lib/python2.7/dist-packages/samba/ntacls.py".
>
>
> I know that the best option is to upgrade Samba to a later and
> supported version, but for anyone that is on Debian Buster and using
> the packaged version of Samba I hope this helps them out.

I can confirm that this is the patch I have on my Samba 4.9.5-debian
DCs as well:

--- /usr/lib/python2.7/dist-packages/samba/ntacls.py
+++ /usr/lib/python2.7/dist-packages/samba/ntacls.py
@@ -48,7 +48,7 @@

 # SEC_FLAG_SYSTEM_SECURITY is required otherwise get Access Denied
 SECURITY_SEC_FLAGS = security.SEC_FLAG_SYSTEM_SECURITY | \
-                     security.SEC_FLAG_MAXIMUM_ALLOWED
+                     security.SEC_STD_READ_CONTROL


References:
- https://github.com/samba-team/samba/commit/15032ec6df1abbb53f1b1d5377aab369f83ae707
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953918
- https://bugzilla.samba.org/show_bug.cgi?id=13917

More information about the samba mailing list