Hi Andrew,

thanks for addressing all my points. This is rather helpful.

-<| Quoting Andrew Bartlett <abartlet at samba.org>, on Friday, 2018-09-21 08:23:26 AM |>-

> On Fri, 2018-09-21 at 11:29 +0200, Philipp Gesang via samba wrote:
> > how would I go about dumping tdb files in a “neutral” format,
> > preferably JSON?
> >
> > The goal is to have a domain member functional after restoring
> > from a backup without re-joining.
>
> Do take care that the password is changed by winbindd regularly. It
> might not work any more.

The most common scenario for restoring a backup would be inside the “window of opportunity” when the current password is still valid. Besides, knowing our customers I expect a significant number of users to disable password rotation for machine accounts in the GPO …

> > By trial and error I determined that
> > /var/lib/samba/private/{netlogon_creds_cli,secrets}.tdb are the
> > only files from whose removal smbd can’t recover, so those are
> > the files I’m currently concerned with.
>
> It should be only secrets.tdb. The netlogon_creds_cli.tdb can be
> rebuilt from the domain member password.

You’re right, I just ran the test again. Probably a fluke in my tests last week.

> A long time ago I posted a script to dump the machine password to
> stdout for the benefit of an 802.1x client, but it never had tests so
> didn't get in.
>
> I could see JSON working well for this also. Perhaps extend either
> samba-tool or net to print out the domain SID, local SID, domain member
> password and hostname?

Sounds promising. I’ll look into that.

> (There are other elements of state, like idmap values, but how far you
> go depends on the local configuration needs, but these would be the
> four most critical items).

> > What about portability? Are tdb contents platform independent? Is
> > a secrets.tdb created with 32 bit Samba usable on a 64 bit build
> > and vice versa?
>
> Yes, tdb files are portable.

Just to be absolutely sure: This is true of both the tdb format and the binary data stored in the values?

Best,
Philipp
On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> Hi Andrew,
>
> thanks for addressing all my points. This is rather helpful.
>
> -<| Quoting Andrew Bartlett <abartlet at samba.org>, on Friday, 2018-09-21 08:23:26 AM |>-
>
> > On Fri, 2018-09-21 at 11:29 +0200, Philipp Gesang via samba wrote:
> > > how would I go about dumping tdb files in a “neutral” format,
> > > preferably JSON?
> > >
> > > The goal is to have a domain member functional after restoring
> > > from a backup without re-joining.
> >
> > Do take care that the password is changed by winbindd regularly. It
> > might not work any more.
>
> The most common scenario for restoring a backup would be inside
> the “window of opportunity” when the current password is still
> valid. Besides, knowing our customers I expect a significant
> number of users to disable password rotation for machine accounts
> in the GPO …

Samba doesn't honour that (yet). It is controlled in the smb.conf.

> > > By trial and error I determined that
> > > /var/lib/samba/private/{netlogon_creds_cli,secrets}.tdb are the
> > > only files from whose removal smbd can’t recover, so those are
> > > the files I’m currently concerned with.
> >
> > It should be only secrets.tdb. The netlogon_creds_cli.tdb can be
> > rebuilt from the domain member password.
>
> You’re right, I just ran the test again. Probably a fluke in my
> tests last week.
>
> > A long time ago I posted a script to dump the machine password to
> > stdout for the benefit of an 802.1x client, but it never had tests
> > so didn't get in.
> >
> > I could see JSON working well for this also. Perhaps extend either
> > samba-tool or net to print out the domain SID, local SID, domain
> > member password and hostname?
>
> Sounds promising. I’ll look into that.

Thanks.

> > (There are other elements of state, like idmap values, but how far
> > you go depends on the local configuration needs, but these would be
> > the four most critical items).
>
> > > What about portability? Are tdb contents platform independent? Is
> > > a secrets.tdb created with 32 bit Samba usable on a 64 bit build
> > > and vice versa?
> >
> > Yes, tdb files are portable.
>
> Just to be absolutely sure: This is true of both the tdb format
> and the binary data stored in the values?

That is the design goal.

Thanks for your continued work to improve Samba!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Hi Andrew,

revisiting this subject once again because I seem to have reached an impasse.

-<| Quoting Andrew Bartlett <abartlet at samba.org>, on Monday, 2018-09-24 07:14:48 PM |>-

> On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> > > A long time ago I posted a script to dump the machine password to
> > > stdout for the benefit of an 802.1x client, but it never had tests
> > > so didn't get in.
> > >
> > > I could see JSON working well for this also. Perhaps extend either
> > > samba-tool or net to print out the domain SID, local SID, domain
> > > member password and hostname?
> >
> > Sounds promising. I’ll look into that.

Right now I am using values obtained as follows:

- hostname: get_global_sam_name()
- local SID: secrets_fetch_domain_sid(get_global_sam_name(), …) == SECRETS/SID/CLIENTNAME in tdb
- domain SID: secrets_fetch_domain_sid(lp_workgroup(), …) == SECRETS/SID/WORKGROUPNAME
- domain member password: secrets_fetch_machine_password(lp_workgroup(), …) == SECRETS/MACHINE_DOMAIN_INFO/WORKGROUPNAME

This approach works well with a manually joined AD member but not with any of the blackbox testsuites. In the secrets.tdb used during tests I find only the domain SID (e. g. SECRETS/SID/CHDCDOMAIN) but not the machine sid (probably SECRETS/SID/CLIENT). How come that machine sid is absent in the tests? Is there another means of retrieving it?

Thank you and enjoy the weekend,
Philipp
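The thread circles around a "neutral" JSON export of the four items Andrew lists (domain SID, local SID, machine password, hostname) keyed the way Philipp found them in secrets.tdb, and around whether the binary values inside the tdb are portable. The following is an added example written for this page; it is neither Samba code nor the script Andrew mentions. It assumes, without the thread confirming it, that the value under SECRETS/SID/<NAME> is laid out like the standard binary SID (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities, possibly zero-padded to a fixed size), and it treats the SECRETS/MACHINE_DOMAIN_INFO/<NAME> value as an opaque byte string preserved via base64. The tdb keys, workgroup EXAMPLEDOM, host MEMBER01, SIDs and password blob are all constructed; reading records out of a real secrets.tdb (for instance with the tdb Python bindings) is deliberately left out so the example runs stand-alone.

```python
"""Export domain-member secrets to JSON and read them back (added example)."""
import base64
import json
import struct


def sid_to_string(blob):
    """Decode a binary SID into the familiar S-1-5-21-... form.

    Trailing bytes beyond the sub-authorities are ignored, so a value that
    was written as a fixed-size, zero-padded C struct still decodes.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    rev, nauth = blob[0], blob[1]
    if rev != 1 or nauth > 15 or len(blob) < 8 + 4 * nauth:
        raise ValueError("malformed SID blob")
    id_auth = int.from_bytes(blob[2:8], "big")          # identifier authority is big-endian
    subs = struct.unpack_from("<%dI" % nauth, blob, 8)   # sub-authorities are little-endian
    return "S-%d-%d%s" % (rev, id_auth, "".join("-%d" % s for s in subs))


def string_to_sid(text):
    """Encode S-1-5-21-... back into the canonical (unpadded) binary form."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    rev, id_auth = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if rev != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % text)
    return (bytes([rev, len(subs)]) + id_auth.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def export_secrets(hostname, records):
    """Serialise {tdb key: raw value} plus the hostname into a JSON document.

    SID values become readable strings (endianness is fixed by the format,
    not by the exporting host); anything else is base64 so arbitrary bytes
    survive the JSON round trip unchanged.
    """
    out = {"hostname": hostname, "records": {}}
    for key, value in records.items():
        if key.startswith("SECRETS/SID/"):
            out["records"][key] = {"type": "sid", "value": sid_to_string(value)}
        else:
            out["records"][key] = {"type": "bytes",
                                   "value": base64.b64encode(value).decode("ascii")}
    return json.dumps(out, indent=2, sort_keys=True)


def import_secrets(text):
    """Inverse of export_secrets: returns (hostname, {tdb key: raw value})."""
    doc = json.loads(text)
    records = {}
    for key, entry in doc["records"].items():
        if entry["type"] == "sid":
            records[key] = string_to_sid(entry["value"])
        elif entry["type"] == "bytes":
            records[key] = base64.b64decode(entry["value"], validate=True)
        else:
            raise ValueError("unknown record type %r for %s" % (entry["type"], key))
    return doc["hostname"], records


# Constructed sample data: key names follow the thread, values are made up
# and do not come from any real secrets.tdb.
SAMPLE_HOSTNAME = "MEMBER01"
SAMPLE_RECORDS = {
    "SECRETS/SID/EXAMPLEDOM": string_to_sid("S-1-5-21-1234567890-987654321-1122334455"),
    "SECRETS/SID/MEMBER01": string_to_sid("S-1-5-21-2222222222-3333333333-4040404040"),
    "SECRETS/MACHINE_DOMAIN_INFO/EXAMPLEDOM": b"\x00\x01opaque-machine-password-record\xff",
}


def roundtrip(hostname, records):
    """Export then import; True when every record came back byte-for-byte."""
    return import_secrets(export_secrets(hostname, records)) == (hostname, records)


if __name__ == "__main__":
    print(export_secrets(SAMPLE_HOSTNAME, SAMPLE_RECORDS))
    print("round trip ok:", roundtrip(SAMPLE_HOSTNAME, SAMPLE_RECORDS))
```

Decoding the SID into its string form, rather than dumping the raw bytes, is what makes the export host-independent in the sense the portability question asks about: a padded or host-ordered blob is normalised on export and re-encoded canonically on import, while the password record is carried through untouched. On a real system the JSON file holds the domain member password in the clear, so it needs the same protection as secrets.tdb itself.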