On Fri, 2019-08-30 at 10:20 +0100, Rowland penny via samba wrote:
> On 30/08/2019 10:14, Stefan G. Weichinger via samba wrote:
> > On 30.08.19 11:01, Andrew Bartlett wrote:
> > > On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
> > > wrote:
> > > > I happily and trustfully use Louis' backup-script from
> > > >
> > > > https://github.com/thctlo/samba4
> > > >
> > > > to dump AD content via cronjob.
> > > >
> > > > Is it necessary/recommended to do that on *each* samba DC? Is there
> > > > something server-specific in the dump(s) or is it enough to do that
> > > > once per domain?
> > > I'm very sorry to advise that this script is not race-free in the
> > > locking done on the AD databases, which is why we have written the
> > > 'samba-tool domain backup offline' tool which holds the correct locks.
> > Thanks for the info, I will write another cronjob using that tool.
> Be prepared to put your administrator's password in the cronjob

The offline backup does not require a password, only root privileges.

While not tested or intended, it would not shock me if the online tool
operated successfully with --machine-pass set, to use the DC's own
password (assuming running on a DC).

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On 30/08/2019 10:27, Andrew Bartlett wrote:
> On Fri, 2019-08-30 at 10:20 +0100, Rowland penny via samba wrote:
>> On 30/08/2019 10:14, Stefan G. Weichinger via samba wrote:
>>> On 30.08.19 11:01, Andrew Bartlett wrote:
>>>> On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
>>>> wrote:
>>>>> I happily and trustfully use Louis' backup-script from
>>>>>
>>>>> https://github.com/thctlo/samba4
>>>>>
>>>>> to dump AD content via cronjob.
>>>>>
>>>>> Is it necessary/recommended to do that on *each* samba DC? Is there
>>>>> something server-specific in the dump(s) or is it enough to do that
>>>>> once per domain?
>>>> I'm very sorry to advise that this script is not race-free in the
>>>> locking done on the AD databases, which is why we have written the
>>>> 'samba-tool domain backup offline' tool which holds the correct locks.
>>> Thanks for the info, I will write another cronjob using that tool.
>> Be prepared to put your administrator's password in the cronjob
> The offline backup does not require a password, only root privileges.

OH yes it does, I found this out yesterday, running as root with kerberos:

Committing SAM database
INFO 2019-08-29 16:56:10,650 pid:16393 /usr/lib/python3/dist-packages/samba/join.py #1643: Setting isSynchronized and dsServiceName
INFO 2019-08-29 16:56:10,747 pid:16393 /usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain SAMDOM (SID S-1-5-21-1768301897-3342589593-1064908849)
Password for [Administrator@SAMDOM.EXAMPLE.COM]:
INFO 2019-08-29 16:56:34,573 pid:16393 /usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124: Creating backup file /root/samba-backup-samdom.example.com-2019-08-29T16-56-34.378389.tar.bz2...

>
> While not tested or intended, it would not shock me if the online tool
> operated successfully with --machine-pass set, to use the DC's own
> password (assuming running on a DC).

Cannot speak for the online tool (never tried it, yet), but it doesn't work for the offline tool.

Rowland
On 30/08/2019 10:31, Rowland penny via samba wrote:
> On 30/08/2019 10:27, Andrew Bartlett wrote:
>> On Fri, 2019-08-30 at 10:20 +0100, Rowland penny via samba wrote:
>>> On 30/08/2019 10:14, Stefan G. Weichinger via samba wrote:
>>>> On 30.08.19 11:01, Andrew Bartlett wrote:
>>>>> On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
>>>>> wrote:
>>>>>> I happily and trustfully use Louis' backup-script from
>>>>>>
>>>>>> https://github.com/thctlo/samba4
>>>>>>
>>>>>> to dump AD content via cronjob.
>>>>>>
>>>>>> Is it necessary/recommended to do that on *each* samba DC? Is there
>>>>>> something server-specific in the dump(s) or is it enough to do that
>>>>>> once per domain?
>>>>> I'm very sorry to advise that this script is not race-free in the
>>>>> locking done on the AD databases, which is why we have written the
>>>>> 'samba-tool domain backup offline' tool which holds the correct
>>>>> locks.
>>>> Thanks for the info, I will write another cronjob using that tool.
>>> Be prepared to put your administrator's password in the cronjob
>> The offline backup does not require a password, only root privileges.
>
> OH yes it does, I found this out yesterday, running as root with
> kerberos:
>
> Committing SAM database
> INFO 2019-08-29 16:56:10,650 pid:16393
> /usr/lib/python3/dist-packages/samba/join.py #1643: Setting
> isSynchronized and dsServiceName
> INFO 2019-08-29 16:56:10,747 pid:16393
> /usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain
> SAMDOM (SID S-1-5-21-1768301897-3342589593-1064908849)
> Password for [Administrator@SAMDOM.EXAMPLE.COM]:
> INFO 2019-08-29 16:56:34,573 pid:16393
> /usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124:
> Creating backup file
> /root/samba-backup-samdom.example.com-2019-08-29T16-56-34.378389.tar.bz2...
>
>> While not tested or intended, it would not shock me if the online tool
>> operated successfully with --machine-pass set, to use the DC's own
>> password (assuming running on a DC).
>
> Cannot speak for the online tool (never tried it, yet), but it doesn't
> work for the offline tool.
>

Mea culpa, I got them the wrong way around :-(

It is the online tool that asks for the Administrator password. If you kinit as Administrator, then run as root:

samba-tool domain backup online --targetdir=/root/ --server=dc1 -k yes

Towards the end of the output, you get this:

INFO 2019-08-29 16:56:10,650 pid:16393 /usr/lib/python3/dist-packages/samba/join.py #1643: Setting isSynchronized and dsServiceName
INFO 2019-08-29 16:56:10,747 pid:16393 /usr/lib/python3/dist-packages/samba/join.py #1555: Cloned domain SAMDOM (SID S-1-5-21-1768301897-3342589593-1064908849)
Password for [Administrator@SAMDOM.EXAMPLE.COM]:
INFO 2019-08-29 16:56:34,573 pid:16393 /usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py #124: Creating backup file /root/samba-backup-samdom.example.com-2019-08-29T16-56-34.378389.tar.bz2...

Which, on the face of it, is asking for the Administrator password, but after carrying out a few tests, it turns out just pressing 'Enter' is sufficient.

Knowing this, the workaround is fairly obvious; run the command like this:

echo | samba-tool domain backup online --targetdir=/root/ --server=dc1 -k yes

Rowland
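An added example, not from the thread and not Samba's own code: a cron wrapper for the offline tool discussed above, which needs only root and so keeps any Administrator password out of the crontab, checks that a new archive actually appeared (so cron reports a failed run), and prunes old archives. BACKUP_DIR, KEEP_DAYS and the helper functions are this example's own assumptions; the archive naming it matches is the samba-backup-*.tar.bz2 pattern visible in the log output above.

```shell
#!/bin/sh
# Constructed cron wrapper for 'samba-tool domain backup offline'.
# Assumes it runs as root on a DC; BACKUP_DIR and KEEP_DAYS are this
# script's own settings, not samba-tool options.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/var/backups/samba}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# Print the most recently modified samba-backup-*.tar.bz2 in $1, or
# nothing if the directory holds no archive yet.
newest_backup() {
    ls -t "$1"/samba-backup-*.tar.bz2 2>/dev/null | head -n 1
}

# Delete archives in $1 whose mtime is more than $2 days old and print
# how many were removed (samba-tool never writes spaces into the name).
prune_old_backups() {
    n=0
    for f in $(find "$1" -maxdepth 1 -type f -name 'samba-backup-*.tar.bz2' -mtime "+$2"); do
        rm -f "$f"
        n=$((n + 1))
    done
    echo "$n"
}

run_backup() {
    [ "$(id -u)" -eq 0 ] || { echo "run_backup: must run as root" >&2; return 1; }
    # The archive contains the AD database, including password hashes,
    # so make the directory and the file readable by root only.
    umask 077
    mkdir -p "$BACKUP_DIR"
    before=$(newest_backup "$BACKUP_DIR")
    # Offline mode takes the correct ldb locks and never prompts.
    samba-tool domain backup offline --targetdir="$BACKUP_DIR"
    after=$(newest_backup "$BACKUP_DIR")
    [ -n "$after" ] && [ "$after" != "$before" ] \
        || { echo "run_backup: no new archive was written" >&2; return 1; }
    pruned=$(prune_old_backups "$BACKUP_DIR" "$KEEP_DAYS")
    echo "run_backup: kept $after, removed $pruned archive(s) older than $KEEP_DAYS days"
}

# Only back up when invoked as '<script> run' (the crontab entry); sourcing
# the file merely defines the functions.
case "${1:-}" in
    run) run_backup ;;
esac
```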