[Samba] GPO backup/restore questions

Anton Shevtsov shevtsovay at basealt.ru
Thu Sep 7 05:03:24 UTC 2023


Hi all,

I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore,
but I have two questions.

Q1)

I want to back up a GPO from domain ABC.XYZ and restore it to domain AAA.BBB.

On ABC.XYZ I make a backup:

[root at dc.abc.xyz ~]#  samba-tool gpo backup --tmpdir=/root/gpo/computer/ --generalize --entities=/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent '{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}'
GPO copied to /root/gpo/computer/policy/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}

Attempting to generalize XML entities:
Entities successfully written to /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent

[root at dc.abc.xyz ~]# cat /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent

<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ 
"machine-startup-script.sh
">

Then I go to AAA.BBB and try to restore:

[root at dc.aaa.bbb ~]#  samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
ERROR: Entities file does not appear to conform to format
e.g. <!ENTITY entity "value">

Must I replace ENTITY SAMBA__NETWORK_PATH__ in
/tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent? Replace
it with what?

Q2) I don't understand why the Kerberos ticket is not used.

I specified --use-kerberos=required

[user at dc.aaa.bbb ~]$  kinit administrator
Password for administrator at AAA.BBB:
Warning: Your password will expire in 27 days on Чт 05 окт 2023 09:44:26
[user at dc.aaa.bbb ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: administrator at AAA.BBB

Valid starting       Expires              Service principal
07.09.2023 09:53:08  07.09.2023 19:53:08 krbtgt/AAA.BBB at AAA.BBB
        renew until 08.09.2023 09:53:05

[user at dc.aaa.bbb ~]$  samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required
Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir to change)
Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

[user at dc.aaa.bbb ~]$  samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir to change)
Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

[user at dc.aaa.bbb ~]$  samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir to change)
Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

--

Anton
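
Added example, not part of the original post and not Samba's own parser: a small lint for an entities file that checks every declaration against the `<!ENTITY entity "value">` form quoted in the error message and reports values containing a line break. The function name `lint_entities` and the sample text are constructed here; the sample assumes the line break before the closing quote is in the file itself rather than introduced by mail wrapping, and the page does not establish that this is why the restore failed.

```python
import re

# One general-entity declaration of the form <!ENTITY name "value">.
# [^"]* also matches newlines, so multi-line values are found and reported.
DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')


def lint_entities(text):
    """Return (entities, problems) for the text of an entities file."""
    entities, problems = {}, []
    pos = 0
    for m in DECL.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        gap = text[pos:m.start()].strip()
        if gap:
            problems.append(f"line {line}: unparsed text before declaration: {gap!r}")
        name, value = m.group(1), m.group(2)
        if name in entities:
            problems.append(f"line {line}: duplicate entity {name}")
        if "\n" in value or "\r" in value:
            problems.append(f"line {line}: value of {name} contains a line break")
        elif value != value.strip():
            problems.append(f"line {line}: value of {name} has leading/trailing whitespace")
        entities[name] = value
        pos = m.end()
    tail = text[pos:].strip()
    if tail:
        problems.append(f"unparsed text after last declaration: {tail!r}")
    if not entities:
        problems.append("no <!ENTITY name \"value\"> declarations found")
    return entities, problems


# Constructed sample modelled on the file shown in the post.
SAMPLE = (
    '<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ '
    '"machine-startup-script.sh\n">\n'
)

if __name__ == "__main__":
    ents, probs = lint_entities(SAMPLE)
    for name, value in ents.items():
        print(f"{name} = {value!r}")
    for p in probs:
        print("PROBLEM:", p)
```

Printing each value with `repr` makes an embedded newline or stray whitespace visible before the file is passed to `--entities`.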