samba - Jun 2024 - Online AD Backup fails with "no auth" in 4.20?

Hallo lovely samba-people,

did something change in regards to the online AD Backup in 4.20?

We're using this CLI command to create a backup of our domain:

 ??? /usr/bin/samba-tool domain backup online --targetdir="/my/path" 
--server="rad-2.ad.ellerhold.lan" 
--use-krb5-ccache="/opt/samba-ad-backup/ad-backup.krb5cc" -N

This ran successfully on a member server without a problem. klist shows 
a valid ticket:

# klist -c /opt/samba-ad-backup/ad-backup.krb5cc
Ticket cache: FILE:/opt/samba-ad-backup/ad-backup.krb5cc
Default principal: ad-backup at AD.ELLERHOLD.LAN

Valid starting???? Expires??????????? Service principal
27/06/24 11:28:22? 27/06/24 21:28:22 
krbtgt/AD.ELLERHOLD.LAN at AD.ELLERHOLD.LAN
 ?? ?renew until 28/06/24 11:28:22


After upgrading to 4.20 this results in the error message: ERROR(<class 
'samba.join.DCJoinException'>): uncaught exception - Can't join,
error:
00002020: Operation unavailable without authentication

Even this doesnt work:

 ? /usr/bin/samba-tool domain backup online --targetdir="/my/path" 
--server="dc1.example.org" -U Administrator

Same error message on a member server. Running this on a DC prompts me 
for the password correctly. Running this on a 4.19 member server 
correctly prompts me for the password too.

I even copied an smb.conf from a DC and added 
--configfile=/path/to/dc-smb.conf . Same error...

Can someone point me in the right directory to make this work again on a 
4.20 member server?

Environment: Samba 4.20.2 in Debian 12 (mjts Repository).

Thanks for your help and have a nice day.

-- 
Senior Webentwickler
Datenschutzbeauftragter

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Telefon: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
LinkedIn: www.linkedin.com/company/ellerhold-gruppe

Amtsgericht Dresden / HRB 23769
Vorstand: Stephan Ellerhold, Maximilian Ellerhold
Vorsitzender des Aufsichtsrates: Frank Ellerhold



---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten
Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und
um sofortiges l?schen dieser E-Mail und der Anlagen.

Unsere Hinweise zum Datenschutz finden Sie hier:
http://www.ellerhold.de/datenschutz/

This e-mail and its attachments are privileged and confidential. If you are not
the intended recipient, please notify us and immediately delete this e-mail and
its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/

LP
On Jun 27, 2024 at 13:13 +0100, Matthias K?hne | Ellerhold Aktiengesellschaft
via samba <samba at lists.samba.org>, wrote:
>
>
> After upgrading to 4.20 this results in the error message: ERROR(<class
> 'samba.join.DCJoinException'>): uncaught exception - Can't
join, error:
> 00002020: Operation unavailable without authentication
This suggests bad or no Join.
What is the output of

net ads testjoin

?
>
> Even this doesnt work:
>
> ??/usr/bin/samba-tool domain backup online --targetdir="/my/path"
> --server="dc1.example.org" -U Administrator
>
> Same error message on a member server. Running this on a DC prompts me
> for the password correctly. Running this on a 4.19 member server
> correctly prompts me for the password too.
>
> I even copied an smb.conf from a DC and added
> --configfile=/path/to/dc-smb.conf . Same error...
>
> Can someone point me in the right directory to make this work again on a
> 4.20 member server?
>
> Environment: Samba 4.20.2 in Debian 12 (mjts Repository).
Did this fail after updating to samba 4.20 ? Is your AD showing any other
problems ?
Do you have the package samba-ad-dc installed in the DCs ? It wasn?t needed
before 4.20 (or 4.20.1, not sure), but it is now.
>
> Thanks for your help and have a nice day.
>
>
You too.

MfG.

On Thu, 27 Jun 2024 13:57:16 +0200
Matthias K?hne | Ellerhold Aktiengesellschaft via samba
<samba at lists.samba.org> wrote:
> Hallo lovely samba-people,
> 
> did something change in regards to the online AD Backup in 4.20?
> 
> We're using this CLI command to create a backup of our domain:
> 
>  ??? /usr/bin/samba-tool domain backup online
--targetdir="/my/path"
> --server="rad-2.ad.ellerhold.lan" 
> --use-krb5-ccache="/opt/samba-ad-backup/ad-backup.krb5cc" -N
> 
> This ran successfully on a member server without a problem. klist
> shows a valid ticket:
> 
> # klist -c /opt/samba-ad-backup/ad-backup.krb5cc
> Ticket cache: FILE:/opt/samba-ad-backup/ad-backup.krb5cc
> Default principal: ad-backup at AD.ELLERHOLD.LAN
> 
> Valid starting???? Expires??????????? Service principal
> 27/06/24 11:28:22? 27/06/24 21:28:22 
> krbtgt/AD.ELLERHOLD.LAN at AD.ELLERHOLD.LAN
>  ?? ?renew until 28/06/24 11:28:22
> 
> 
> After upgrading to 4.20 this results in the error message:
> ERROR(<class 'samba.join.DCJoinException'>): uncaught
exception -
> Can't join, error: 00002020: Operation unavailable without
> authentication
> 
> Even this doesnt work:
> 
>  ? /usr/bin/samba-tool domain backup online
--targetdir="/my/path"
> --server="dc1.example.org" -U Administrator
> 
> Same error message on a member server. Running this on a DC prompts
> me for the password correctly. Running this on a 4.19 member server 
> correctly prompts me for the password too.
> 
> I even copied an smb.conf from a DC and added 
> --configfile=/path/to/dc-smb.conf . Same error...
> 
> Can someone point me in the right directory to make this work again
> on a 4.20 member server?
> 
> Environment: Samba 4.20.2 in Debian 12 (mjts Repository).
> 
> Thanks for your help and have a nice day.
> 
I have a script on a Unix domain member that is run every hour by cron,
it has run for months and is still working. the actual samba-tool line
is this:

 samba-tool domain backup online --server="$PDCe"
 --targetdir="${STOREDIR}" --krb5-ccache=/tmp/backup_cc -N

My Samba version is 4.20.1

Rowland

I can confirm that, in order to do backups from a member server, you need to
install samba-ad-dc in the member server running > 4.20.

Regards

LP
On Jun 27, 2024 at 13:13 +0100, Matthias K?hne | Ellerhold Aktiengesellschaft
<matthias.kuehne at ellerhold.de>, wrote:
>
> Can someone point me in the right directory to make this work again on a
> 4.20 member server?