[Samba] GPO backup/restore questions
Anton Shevtsov
shevtsovay at basealt.ru
Thu Sep 7 08:34:45 UTC 2023
07.09.2023 13:04, Kees van Vloten via samba wrote:
> On 07-09-2023 07:03, Anton Shevtsov via samba wrote:
>> Hi all,
>>
>> I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore ,
>> but I have two questions
>>
>> Q1)
>>
>> I want to back up a GPO from domain ABC.XYZ and restore it to domain AAA.BBB
>>
>> On ABC.XYZ I make a backup
>>
>> [root at dc.abc.xyz ~]# samba-tool gpo backup
>> --tmpdir=/root/gpo/computer/ --generalize
>> --entities=/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>> '{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}'
>> GPO copied to
>> /root/gpo/computer/policy/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}
>>
>> Attempting to generalize XML entities:
>> Entities successfully written to
>> /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>>
>> [root at dc.abc.xyz ~]# cat
>> /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>>
>> <!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__
>> "machine-startup-script.sh
>> ">
>>
>> Go to AAA.BBB and try to restore
>>
>> [root at dc.aaa.bbb ~]# samba-tool gpo restore StartUp-Script
>> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
>> --use-kerberos=required
>> --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
>> ERROR: Entities file does not appear to conform to format
>> e.g. <!ENTITY entity "value">
>>
>> Must I replace ENTITY SAMBA__NETWORK_PATH__ in
>> /tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent?
>> Replace it with what?
>>
>> Q2) I don't understand why the Kerberos ticket is not used.
>>
>> I specified --use-kerberos=required
>>
>> [user at dc.aaa.bbb ~]$ kinit administrator
>> Password for administrator at AAA.BBB:
>> Warning: Your password will expire in 27 days on Чт 05 окт 2023 09:44:26
>> [user at dc.aaa.bbb ~]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_500
>> Default principal: administrator at AAA.BBB
>>
>> Valid starting Expires Service principal
>> 07.09.2023 09:53:08 07.09.2023 19:53:08 krbtgt/AAA.BBB at AAA.BBB
>> renew until 08.09.2023 09:53:05
>>
>> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script
>> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
>> --use-kerberos=required
>> Using temporary directory /tmp/.private/user/tmpstcd1nbi (use
>> --tmpdir to change)
>> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>
>> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script
>> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
>> --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
>> Using temporary directory /tmp/.private/user/tmptj4bgfkf (use
>> --tmpdir to change)
>> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>
>> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script
>> /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
>> --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
>> Using temporary directory /tmp/.private/user/tmp271bduk7 (use
>> --tmpdir to change)
>> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>>
>> --
>>
>> Anton
>
> I had the same issue some 1.5 years ago. I worked back then with David
> Mulder on an alternative solution, which is finally released as part
> of 4.19.
>
> Instead of backup/restore, I keep the GPOs as source code (json files
> for the regpol GPOs) and generate them in each domain from the source
> code.
>
> In 4.19 there is "samba-tool gpo load --content <json-file>" to load
> the json into an existing GPO. There is also "samba-tool gpo create"
> to initially create one.
>
> And there is the reverse operation to show the json content of a
> regpol GPO: "samba-tool gpo show". Now you can store everything in git
> and manage it with a set of scripts.
>
> - Kees.
>
>
I use samba-4.16.11 (no newer version in my repo).
I fixed the entity XML:
cat /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__
"machine-startup-script.sh
">
Pay attention to the "> on a new line. If I fix it, the import succeeds (or does it?)
sed -r ':a;N;$!ba;s/\n//g;s/">/">\n/' /tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
[user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script2
/tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/
--use-kerberos=required
--entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
Using temporary directory /tmp/.private/user/tmpl22krcs3 (use --tmpdir
to change)
Password for [administrator at TEST.ALT]:
GPO 'StartUp-Script2' created as {D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
WARNING: No such parser for machine-startup-script.sh
WARNING: Falling back to simple copy-restore.
But the Kerberos ticket is not used (why?)
[user at dc.aaa.bbb ~]$ samba-tool gpo listall --use-kerberos=required |
grep -A 2 '{D83FB52C-FEDB-4599-82BC-7D67E942AB4E}'
GPO : {D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
display name : StartUp-Script2
path :
\\test.alt\sysvol\test.alt\Policies\{D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
dn :
CN={D83FB52C-FEDB-4599-82BC-7D67E942AB4E},CN=Policies,CN=System,DC=test,DC=alt
version : 0
flags : NONE
For samba-tool gpo listall the Kerberos ticket is used (no password prompt).
--
Anton
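An added example (not Samba's own parser, and not code from this thread) that repairs and then checks an entities file like the one above before it is handed to "samba-tool gpo restore --entities". It assumes, from the error message quoted in the thread, that the restore expects one <!ENTITY name "value"> declaration per line; the sample input is constructed to mirror the wrapped "> seen in the backup.

```python
import re

# Constructed sample mirroring the .ent file from the thread: the closing
# "> of the value has wrapped onto its own line, which the strict
# per-line check below rejects.
BROKEN_ENT = (
    '<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__\n'
    '"machine-startup-script.sh\n'
    '">\n'
)

# Tolerant pattern: finds a declaration even when newlines sit between
# the entity name, the quoted value and the closing ">.
DECL_RE = re.compile(r'<!ENTITY\s+(\w+)\s*"([^"]*)"\s*>', re.S)

# Strict per-line format, assumed from the error message
# 'e.g. <!ENTITY entity "value">' that samba-tool prints.
LINE_RE = re.compile(r'^<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>$')


def normalize_entities(text: str) -> str:
    """Re-emit every declaration on a single line with a trimmed value.

    Stray newlines inside the quoted value (the wrapped "> case) are
    removed; the entity names are left untouched so they still match
    the placeholders that 'gpo backup --generalize' wrote into the GPO.
    """
    decls = [f'<!ENTITY {name} "{value.strip()}">'
             for name, value in DECL_RE.findall(text)]
    return '\n'.join(decls) + '\n'


def parse_entities(text: str) -> dict:
    """Validate the strict one-declaration-per-line format.

    Returns {entity_name: value}; raises ValueError naming the first
    line that does not conform, which is the condition the restore
    command reports as 'Entities file does not appear to conform'.
    """
    entities = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: does not conform to '
                             f'<!ENTITY entity "value">: {line!r}')
        entities[m.group(1)] = m.group(2)
    return entities
```

Running parse_entities on the raw backup output reproduces the rejection, while parse_entities(normalize_entities(...)) yields the single SAMBA__NETWORK_PATH__ entity with the script name as its value.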