[PATCH] Add a new tool, 'samba-tool domain clone'

Andrew Bartlett abartlet at samba.org
Sun Sep 13 23:47:31 UTC 2015


On Thu, 2015-08-20 at 15:51 +1200, Andrew Bartlett wrote:
> On Thu, 2015-08-20 at 10:07 +1200, Andrew Bartlett wrote:
> > On Wed, 2015-08-19 at 06:56 +0200, Stefan Metzmacher wrote:
> > > Hi Andrew,
> > > 
> > > > > > If you just want to test the replication you can use net rpc vampire keytab,
> > > > > > but I guess it's not just replication you want to test...
> > > > No, what I'm interested in is joining a domain without creating
> > > > objects, to confirm:
> > > >  - that we can indeed import the schema
> > > >  - that the import is correct (we can use tools like ldapcmp to verify)
> > > >  - that we support the functional levels etc
> > > > 
> > > > The idea is that we would encourage admins to run 'samba-tool domain
> > > > clone' as a discovery measure, before committing to having Samba
> > > > objects in their directory, that would have to be removed again.
> > > > 
> > > > To make it even safer, I've extended the tool to have a --include-secrets
> > > > option that asks the Windows 2008 or later server not to send
> > > > us the secret values, and to make decrypting them fail if we get them
> > > > regardless.  This would allow us as developers to obtain a copy of a
> > > > failing Samba domain from production sites for analysis, without
> > > > risking the most private values.
> > > 
> > > Ok.
> > > 
> > > I'm still not really happy with the name 'samba-tool domain clone'.
> > > I'd like to make it more obvious that this is just for testing/simulating.
> > > Maybe something like 'samba-tool domain simulate-initial-replication',
> > > but that's a bit long. Any better ideas?
> > 
> > I understand your concerns, and I'll think about a better name.
> 
> What about online-export or (less preferred) drs-export?

I realise this is what is stalling this patch, but I still can't come
up with a name better than 'clone', or 'dc-clone' that describes what
this does.  Export and import are problematic, as it is sort of an
export from an existing AD, and an import into our own opaque(ish)
database (rather than plain ldif or such).  

I agree clone is potentially a problem as folks might not realise the
full ramifications, but I'm having trouble coming up with a better
name.  Even making it an option under 'join' I can't come up with a
better option name.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba



