[Samba] GPO backup/restore questions
Anton Shevtsov
shevtsovay at basealt.ru
Thu Sep 7 05:03:24 UTC 2023
Hi all,
I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore ,
but I have two questions
Q1)
I want backup GPO from domain ABC.XYZ and restore for domain AAA.BBB
On ABC.XYZ i make a backup
[root at dc.abc.xyz ~]# samba-tool gpo backup --tmpdir=/root/gpo/computer/
--generalize
--entities=/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
'{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}'
GPO copied to
/root/gpo/computer/policy/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}
Attempting to generalize XML entities:
Entities successfully written to
/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
[root at dc.abc.xyz ~]# cat
/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__
"machine-startup-script.sh
">
Go to AAA.BBB and try restore
[root at dc.aaa.bbb ~]# samba-tool gpo restore StartUp-Script
/tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
--use-kerberos=required
--entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
ERROR: Entities file does not appear to conform to format
e.g. <!ENTITY entity "value">
I must replace ENTITY SAMBA__NETWORK_PATH__ in the
/tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent ? Replace
for what?
Q2) I don't understand why Kerberos ticket is not used.
I specified --use-kerberos=required
[user at dc.aaa.bbb ~]$ kinit administrator
Password for administrator at AAA.BBB:
Warning: Your password will expire in 27 days on Чт 05 окт 2023 09:44:26
[user at dc.aaa.bbb ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: administrator at AAA.BBB
Valid starting Expires Service principal
07.09.2023 09:53:08 07.09.2023 19:53:08 krbtgt/AAA.BBB at AAA.BBB
renew until 08.09.2023 09:53:05
[user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script
/tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
--use-kerberos=required
Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir
to change)
Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
[user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script
/tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
--use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir
to change)
Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
[user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script
/tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
--use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir
to change)
Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
--
Anton
More information about the samba
mailing list