[Samba] GPO backup/restore questions

Anton Shevtsov shevtsovay at basealt.ru
Thu Sep 7 05:03:24 UTC 2023

Hi all,

I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore , 
but I have two questions.


I want to back up a GPO from domain ABC.XYZ and restore it to domain AAA.BBB.

On ABC.XYZ I make a backup:

[root at dc.abc.xyz ~]#  samba-tool gpo backup --tmpdir=/root/gpo/computer/ 
GPO copied to 

Attempting to generalize XML entities:
Entities successfully written to 

[root at dc.abc.xyz ~]# cat 

<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ 

Go to AAA.BBB and try to restore:

[root at dc.aaa.bbb ~]#  samba-tool gpo restore StartUp-Script 
ERROR: Entities file does not appear to conform to format
e.g. <!ENTITY entity "value">

Must I replace ENTITY SAMBA__NETWORK_PATH__ in
/tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent? Replace it
with what?

Q2) I don't understand why the Kerberos ticket is not used.

I specified --use-kerberos=required

[user at dc.aaa.bbb ~]$  kinit administrator
Password for administrator at AAA.BBB:
Warning: Your password will expire in 27 days on Чт 05 окт 2023 09:44:26
[user at dc.aaa.bbb ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: administrator at AAA.BBB

Valid starting       Expires              Service principal
07.09.2023 09:53:08  07.09.2023 19:53:08 krbtgt/AAA.BBB at AAA.BBB
        renew until 08.09.2023 09:53:05

[user at dc.aaa.bbb ~]$  samba-tool gpo restore StartUp-Script 
Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir 
to change)
Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

[user at dc.aaa.bbb ~]$  samba-tool gpo restore StartUp-Script 
--use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir 
to change)
Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

[user at dc.aaa.bbb ~]$  samba-tool gpo restore StartUp-Script 
--use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir 
to change)
Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
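
An added example, not part of the original post and not Samba's own code: a small checker that reports which lines of a .ent file do not match the declaration shape quoted in the error message above. It assumes only that shape, <!ENTITY entity "value">; the sample input, its entity suffixes and its values are constructed.

```python
import re

# Assumption: the only rule checked is the shape the error message quotes,
# <!ENTITY entity "value">. samba-tool's own validation may differ.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')

# Constructed sample: the second declaration has no quoted value and no '>'.
SAMPLE = '''<!ENTITY SAMBA__NETWORK_PATH__0000__ "//dc.example.test/share">
<!ENTITY SAMBA__NETWORK_PATH__1111__
<!ENTITY SAMBA__EXAMPLE__2222__ "value">
'''

def _line_of(text, offset):
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1

def _leftover(text, start, end, problems):
    """Record every non-blank line of text[start:end] as a problem."""
    line = _line_of(text, start)
    for chunk in text[start:end].split("\n"):
        if chunk.strip():
            problems.append((line, chunk.strip()))
        line += 1

def check_entities(text):
    """Return (entities, problems) for the contents of a .ent file."""
    entities, problems, pos = {}, [], 0
    for m in ENTITY_DECL.finditer(text):
        # Anything between two well-formed declarations is suspect.
        _leftover(text, pos, m.start(), problems)
        name, value = m.groups()
        if name in entities:
            problems.append((_line_of(text, m.start()), "duplicate entity " + name))
        entities[name] = value
        pos = m.end()
    _leftover(text, pos, len(text), problems)
    return entities, problems

if __name__ == "__main__":
    found, bad = check_entities(SAMPLE)
    for name, value in found.items():
        print("ok  ", name, "=", repr(value))
    for line, what in bad:
        print("BAD  line", line, ":", what)
```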


