Hi,

A question on the (for us: new) online backup functionality. I created a backup of our domain successfully with:

samba-tool domain backup online --server=dc3 --targetdir=/backup -Umyusername@samba.domain.com

Next, to be able to schedule an automatic daily backup job, I created a specific user (member of Domain Admins) to run the backup. But then the backup fails:

> Partition[DC=DomainDnsZones,DC=samba,DC=company,DC=com] objects[196/196] linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=samba,DC=company,DC=com
> Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com] objects[25/25] linked_values[0/0]
> Committing SAM database
> Setting isSynchronized and dsServiceName
> Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 178, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 243, in run
>     backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508, in backup_online
>     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331, in get_acl
>     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)

Having read the wiki, a cause could be that the backup tool only works over SMBv1. But then it would always fail, also with my own myusername@samba.domain.com, so I guess that's not what is causing this..?

So, other than being a member of the Domain Admin group, what else is required for the user running the backup?

(I tried also granting the SeBackupPrivilege to the user, but it makes no difference)

This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.

MJ
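Triage of the output quoted in the post above, as an added example that is not part of the original thread or of Samba's own code: it decodes the numeric status in the ERROR line and uses the innermost traceback frame to tell whether the run failed during directory replication or afterwards, while reading sysvol ACLs. The status-name table and the phase labels are assumptions of this example.

```python
import os
import re

# Output and traceback as quoted in the post above (last partition onwards).
SAMPLE_OUTPUT = """\
Partition[DC=ForestDnsZones,DC=samba,DC=company,DC=com] objects[25/25] linked_values[0/0]
Committing SAM database
Setting isSynchronized and dsServiceName
Cloned domain SAMDOM (SID S-1-5-21-90839350-988488634-868425949)
ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 178, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 243, in run
    backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508, in backup_online
    ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331, in get_acl
    smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
"""

# Small lookup of well-known NTSTATUS values (assumption: extend as needed).
NTSTATUS_NAMES = {
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
    0xC0000034: "NT_STATUS_OBJECT_NAME_NOT_FOUND",
}
SEVERITY = ("success", "informational", "warning", "error")  # top two bits

PARTITION_RE = re.compile(r"Partition\[([^\]]+)\] objects\[(\d+)/(\d+)\]")
ERROR_RE = re.compile(r"ERROR\((\w+)\): uncaught exception - \((\d+), '(.*?)'\)")
FRAME_RE = re.compile(r'^\s*File "([^"]+)", line (\d+), in (\w+)', re.M)


def decode_ntstatus(code):
    """Return (hex string, severity, symbolic name) for a 32-bit NTSTATUS."""
    code &= 0xFFFFFFFF
    name = NTSTATUS_NAMES.get(code, "unknown")
    return "0x%08X" % code, SEVERITY[code >> 30], name


def triage(output):
    """Summarise how far a 'samba-tool domain backup online' run got."""
    partitions = [(dn, int(done), int(total))
                  for dn, done, total in PARTITION_RE.findall(output)]
    result = {
        "partitions_complete": bool(partitions)
        and all(done == total for _, done, total in partitions),
        "database_cloned": "Cloned domain " in output,
    }
    error = ERROR_RE.search(output)
    if error is None:
        result["phase"] = "no error found"
        return result

    result["ntstatus"], result["severity"], result["ntstatus_name"] = \
        decode_ntstatus(int(error.group(2)))

    path = ""
    frames = FRAME_RE.findall(output[error.end():])
    if frames:
        path, line, func = frames[-1]  # innermost frame is listed last
        result["failing_call"] = "%s:%s %s" % (os.path.basename(path), line, func)

    # Phase labels are this example's heuristic, based on the module names
    # visible in the traceback.
    if os.path.basename(path) == "ntacls.py" and result["database_cloned"]:
        result["phase"] = "sysvol NT ACL read over SMB"
    elif not result["database_cloned"]:
        result["phase"] = "directory replication"
    else:
        result["phase"] = "after database clone"
    return result


if __name__ == "__main__":
    for key, value in sorted(triage(SAMPLE_OUTPUT).items()):
        print("%-20s %s" % (key, value))
```

For the quoted run this reports a fully replicated and cloned database and an access-denied status raised from `get_acl`, which narrows the question to what the backup user may read on the sysvol share rather than what it may replicate from the directory.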
Hi M-J.

SeBackupPrivilege only gives access to read all files.
You also need to set: SeRestorePrivilege to allow restoring.
And it does not say anything about the ACLs needed in the AD-DB.

Increase the debug level and find out where it's giving this message.
On which object, if you know that, then you might find what is missing or if you found a bug ;-)
(I think the last)

Running this on samba 4.10.4 on my DC ( kinit Administrator first ), I noticed this.

I'm running: ( from DC1, backing up DC2 )
samba-tool domain backup online --server=dc2 --targetdir=/tmp -k yes
.. yes /tmp, I know, it's just a test..

Which runs fine, then just at the end of the backup..
It's asking again for a password??
Password for [Administrator@REALM.FQDN]:
After typing the pass, the backup was correctly made.

Tested backup from DC1, backing up DC1.
samba-tool domain backup online --server=dc1 --targetdir=/tmp -k yes
Same result.

#Destroy kerberos ticket for Administrator
kdestroy

samba-tool domain backup online --server=dc1 --targetdir=/tmp -Uadministrator
Works, but no need to re-enter the password!

And DC2. ( backed up from DC1 )
samba-tool domain backup online --server=dc1 --targetdir=/tmp -Uadministrator

Also same, correct backup. Again no need to re-enter passwords.

So it looks like you found a bug, and when I look at my output,
it's somewhere in this part, after
/usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain

Password for [Administrator@REALM.FQDN]:

And before
/usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124:

So run a new backup with a higher debug level, one with NTLM auth and one with Kerberos; that should show what's going on.

Greetz,

Louis
On 18/06/2019 09:36, lists via samba wrote:
> So, other than being a member of the Domain Admin group, what else is
> required for the user running the backup?

I know you say you are using a specific user to run the backup as, but who is actually running the samba-tool command?

It should be 'root'

Rowland
See below.

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 18 June 2019 11:22
> To: samba@lists.samba.org
> Subject: Re: [Samba] domain online backup
>
> I know you say you are using a specific user to run the backup as, but
> who is actually running the samba-tool command?
>
> It should be 'root'

Sorry, I don't agree here.

My test was done as a normal user. ( no SePrivileges at all. )

It COULD be root, but you SHOULD be able to use any account, because you supply the user that needs the rights for the backup (on the ADDB and/or files.)
In my case I did use Administrator, since it already has all needed rights..

Greetz,

Louis
On Tue, 2019-06-18 at 10:36 +0200, lists via samba wrote:
> This is samba 4.9.8-SerNet-Debian-13.stretch, on stretch.

This looks like a known bug:

https://bugzilla.samba.org/show_bug.cgi?id=13917

Perhaps try with that patch?

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
In addition. ( for Rowland, you're not totally wrong ) ;-)
( thanks Ten? for your question )

The "samba-tool domain backup online" needs a correct user with correct rights WITHIN the AD-DB.

The "samba-tool domain backup offline" needs a correct user with correct rights for the file system.
So to my understanding, here it needs to run "as root"

Greetz,

Louis
On 18/06/2019 10:39, L.P.H. van Belle via samba wrote:
> Sorry, I don't agree here.
>
> My test was done as a normal user. ( no SePrivileges at all. )
>
> It COULD be root, but you SHOULD be able to use any account, because you supply the user that needs the rights for the backup (on the ADDB and/or files.)
> In my case I did use Administrator, since it already has all needed rights..
>
> Greetz,
>
> Louis

Hmm, the guy that wrote the 'backup' tool also wrote this wiki page:

https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC

Where, under the 'Creating Backups' heading, it says this:

Note that you should run the backup as root.

I would suggest that he knows best ;-)

Rowland
> Hmm, the guy that wrote the 'backup' tool also wrote this wiki page:
>
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC
>
> Where, under the 'Creating Backups' heading, it says this:
>
> Note that you should run the backup as root.
>
> I would suggest that he knows best ;-)
>
> Rowland

Yes, I do agree, but when shown/explained like this, it might help finding/understanding this bug/problem better.

Run as root:
samba-tool domain backup offline

Run as any user:
samba-tool domain backup online --server=DC1 --targetdir=/tmp -Uadministrator

Where root is needed for all file access ( offline ) and administrator is needed for ACLs within the AD-DB. ( online )

And yes, I totally agree, running it as root helps avoid problems.

Greetz,

Louis
Hi Louis (and Rowland),

Welcome back from holiday!

First: I ran everything as root.

I increased log level, all the way up to 10, but I don't see much interesting. Here is the last bit with -d 10:

https://paste.ubuntu.com/p/yMrw7zNKvN/

Also no different behaviour kerberos vs NTLM.

Perhaps interesting: I am not getting the additional password question near the end. (neither with kerberos nor ntlm)

Perhaps Andrew is right. I will wait until the next samba release, as I guess that one includes the aforementioned fix.

Next week, I will also upgrade to 4.10, and have a try with the offline backup option.

MJ
Hi,

Just to answer my own question from a month ago.

Today we upgraded from 4.9 to 4.10 (.6) and now the online backup functionality started working as expected.

Best regards to all, and enjoy your holidays if you are having it :-)

MJ