hello
out of curiosity, as I wanted to achieve this some time ago - i.e. to
perform an automated backup of a Samba domain.
now I've tried to use Kerberos - for the online backup (within a script) I
have used:
samba-tool domain backup online --targetdir=${BACKUPDIR} --server=${DCSERVER} --krb5-ccache=${KRB5CCNAME}
but it seems this is not working, as the backup process is interrupted in the
middle and I am challenged to authenticate:
samba-tool domain backup online --targetdir=/var/spool/backup/ --server=DC1 --krb5-ccache=/tmp/samba-domain.cc
INFO 2020-10-30 18:39:40,846 pid:169937
/usr/lib64/python3.6/site-packages/samba/join.py #1574: workgroup is FOOBAR
INFO 2020-10-30 18:39:40,847 pid:169937
/usr/lib64/python3.6/site-packages/samba/join.py #1577: realm is FOO.BAR.CO
Calling bare provision
INFO 2020-10-30 18:39:40,880 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2133:
Looking up IPv4 addresses
INFO 2020-10-30 18:39:40,882 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2150:
Looking up IPv6 addresses
INFO 2020-10-30 18:39:41,522 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2301:
Setting up share.ldb
INFO 2020-10-30 18:39:41,532 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2305:
Setting up secrets.ldb
INFO 2020-10-30 18:39:41,542 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2311:
Setting up the registry
INFO 2020-10-30 18:39:41,570 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2314:
Setting up the privileges database
INFO 2020-10-30 18:39:41,583 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2317:
Setting up idmap db
INFO 2020-10-30 18:39:41,594 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2324:
Setting up SAM db
INFO 2020-10-30 18:39:41,597 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #897:
Setting up sam.ldb partitions and settings
INFO 2020-10-30 18:39:41,598 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #909:
Setting up sam.ldb rootDSE
INFO 2020-10-30 18:39:41,600 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #1338:
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint
on local domainSIDs
INFO 2020-10-30 18:39:41,742 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2377: A
Kerberos configuration suitable for Samba AD has been generated at
/var/spool/backup/tmpbyxhrbhz/private/krb5.conf
INFO 2020-10-30 18:39:41,743 pid:169937
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2378:
Merge the contents of this file with your system krb5.conf or replace it
with this one. Do not create a symlink!
Provision OK for domain DN DC=foo,DC=bar,DC=co
Starting replication
Using DS_BIND_GUID_W2K3
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co]
objects[402/1628] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co]
objects[804/1628] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co]
objects[1206/1628] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co]
objects[1608/1628] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co]
objects[1628/1628] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[402/1619]
linked_values[0/1]
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[804/1619]
linked_values[0/1]
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1206/1619]
linked_values[0/1]
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1608/1619]
linked_values[0/1]
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1619/1619]
linked_values[30/30]
Replicating critical objects from the base DN of the domain
Partition[DC=foo,DC=bar,DC=co] objects[102/99] linked_values[39/39]
Partition[DC=foo,DC=bar,DC=co] objects[402/1698] linked_values[0/978]
Partition[DC=foo,DC=bar,DC=co] objects[804/1698] linked_values[0/992]
Partition[DC=foo,DC=bar,DC=co] objects[1206/1698] linked_values[0/1035]
Partition[DC=foo,DC=bar,DC=co] objects[1608/1698] linked_values[0/1511]
Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[1500/3156]
Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[3000/3156]
Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[3156/3156]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=foo,DC=bar,DC=co
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[402/1553]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[804/1553]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[1206/1553]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[1553/1553]
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=foo,DC=bar,DC=co
Partition[DC=ForestDnsZones,DC=foo,DC=bar,DC=co] objects[19/19]
linked_values[0/0]
Committing SAM database
Repacking database from v1 to v2 format (first record
CN=SAM-Account-Type,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record
CN=remoteStorageServicePoint-Display,CN=40B,CN=DisplaySpecifiers,CN=Configuration,DC=foo,DC=bar,DC=co)
Repacking database from v1 to v2 format (first record CN=Deleted
Objects,DC=ForestDnsZones,DC=foo,DC=bar,DC=co)
Repack: re-packed 10000 records so far
INFO 2020-10-30 18:41:21,983 pid:169937
/usr/lib64/python3.6/site-packages/samba/join.py #1671: Setting
isSynchronized and dsServiceName
INFO 2020-10-30 18:41:21,995 pid:169937
/usr/lib64/python3.6/site-packages/samba/join.py #1580: Cloned domain
FOOBAR (SID S-1-5-21-x-y-z)
INFO 2020-10-30 18:41:22,127 pid:169937
/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py #271:
Backing up sysvol files (via SMB)...
Password for [svc_backupdomain at FOO.BAR.CO]:
ERROR(runtime): uncaught exception - (3221225996, 'The transport connection is now disconnected.')
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 273, in run
    smb_conn = smb_sysvol_conn(server, lp, creds)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 118, in smb_sysvol_conn
    return libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)
notes:
- the parameter "--krb5-ccache" is actually *not* documented in the manpage -
I just found it in the wiki page:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
- the alternative of using an offline backup does not work for us, with the known
error:
module samba_dsdb initialization failed : Operations error
Unable to load modules for /var/lib/samba/bind-dns/dns/sam.ldb:
partition_metadata: Migrating partition metadata: create of metadata.tdb
gave: partition_metadata: Unable to create
/var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb: Device or resource busy
samba-4.12.6
cheers
michal
On 10/30/2020 3:21 PM, Norbert Hanke via samba wrote:
> On 29.10.2020 18:27, Tom Diehl via samba wrote:
>> On Thu, 29 Oct 2020, Rowland penny via samba wrote:
>>
>>> On 29/10/2020 14:43, Marco Shmerykowsky via samba wrote:
>>>> I want to set up a backup AD DC and have a few quick
>>>> (possibly dumb) questions:
>>> No, you just want to add another DC
>>>>
>>>> 1) Is this link the best reference to the procedure to
>>>>    create the backup AD DC?
>>>>
>>>> ->
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>>>
>>> It is a good start, then ask any questions here.
>>>>
>>>> 2) What is considered the best samba option of
>>>>    the 3 listed for Sysvol Replication under the Subsection
>>>>    titled "Built-in User & Group ID Mappings" in the
>>>>    link provided above?
>>> This is very subjective, if you ask 100 Samba users 'which is best',
>>> you will probably get about 150 different answers :-D
>>>>
>>>> 3) Does the backup and the primary need to run the
>>>>    same version of samba?
>>>
>>> I think you mean 'Does the DC with all the FSMO roles and any other
>>> DC need to run the same version of Samba', to which the answer would
>>> be:
>>>
>>> Ideally yes, but different versions will work together, just don't
>>> try to use something like 4.1.x and 4.12.x together, it may work, but
>>> I would bet there will be problems.
>>
>> Maybe I am missing something, but what is the secure way to run an
>> automated backup on recent versions of samba? Can samba-tool domain backup
>> be made to use kerberos so I do not need to store an admin password in an
>> unencrypted file?
>>
>> Regards,
>>
> With Kerberos you need to have an [unencrypted] keytab file. Of course
> that is better than a password in a file, but it's not fundamentally
> different. The keytab content is just harder to spell than a password.
>
> Regards,
> Norbert
>
>
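An added example, not from this thread and not Samba project code, of how the keytab-based automation discussed above can be wired up so that nothing in the script is a password. It assumes a keytab at /etc/samba/backup.keytab for the svc_backupdomain@FOO.BAR.CO account, the --krb5-ccache flag exactly as michal used it (present in 4.12, absent from the manpage, so check your version), and that samba-tool names its archives samba-backup-*.tar.bz2. It does not work around the sysvol password prompt michal hit on 4.12.6; it only makes that failure loud. Norbert's point that the keytab is just an unencrypted key is handled the only way it can be: the script refuses to run unless the keytab is readable by its owner alone, and it destroys the ticket cache when it finishes.

```shell
#!/bin/sh
# Added example: automated online backup of a Samba AD DC driven from a service
# account keytab instead of a password file. Not code from the thread or from
# the Samba project; paths, principal and archive naming are assumptions.
set -eu

KEYTAB="${KEYTAB:-/etc/samba/backup.keytab}"             # assumed location
PRINCIPAL="${PRINCIPAL:-svc_backupdomain@FOO.BAR.CO}"    # service account seen in the thread
DCSERVER="${DCSERVER:-DC1}"
BACKUPDIR="${BACKUPDIR:-/var/spool/backup}"
KRB5CCNAME="${KRB5CCNAME:-/tmp/samba-domain.cc}"
export KRB5CCNAME

# A keytab holds the account's long-term key in the clear, so the only
# acceptable modes are owner-only. Takes an octal mode string such as 600.
keytab_mode_ok() {
    case "$1" in
        400|600|0400|0600) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse to run if the keytab is missing or readable by anyone but its owner.
check_keytab() {
    f="$1"
    [ -f "$f" ] || { echo "keytab $f missing" >&2; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    keytab_mode_ok "$mode" || { echo "keytab $f has mode $mode, want 600" >&2; return 1; }
}

# Newest archive in the target directory. samba-tool is assumed to write
# samba-backup-<name>-<timestamp>.tar.bz2; adjust the glob if yours differs.
newest_backup() {
    ls -1t "$1"/samba-backup-*.tar.bz2 2>/dev/null | head -n 1
}

# An archive that cannot even be listed cannot be restored; find out now.
verify_backup() {
    [ -n "$1" ] && [ -s "$1" ] && tar -tjf "$1" >/dev/null
}

run_backup() {
    check_keytab "$KEYTAB"
    mkdir -p "$BACKUPDIR"
    # Drop the ticket cache whether or not the backup succeeds.
    trap 'kdestroy -c "$KRB5CCNAME" 2>/dev/null || true' EXIT
    # Short-lived TGT from the keytab: no password is stored or typed anywhere.
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
    # Same invocation as in the thread. With stdin from /dev/null in a session
    # that has no controlling tty (cron), an unexpected password prompt such as
    # the sysvol step in the 4.12.6 output fails immediately instead of hanging.
    samba-tool domain backup online \
        --targetdir="$BACKUPDIR" --server="$DCSERVER" \
        --krb5-ccache="$KRB5CCNAME" </dev/null
    archive=$(newest_backup "$BACKUPDIR")
    verify_backup "$archive" || { echo "no valid backup archive in $BACKUPDIR" >&2; return 1; }
    echo "backup OK: $archive"
}

# Only run when invoked as:  sh samba-backup.sh run   (e.g. from cron)
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

The keytab check compares the mode string rather than testing readability, so it still rejects a 644 keytab when the job runs as root. Everything the backup needs at run time comes from the KDC, so rotating the service account's key only means regenerating one file with owner-only permissions.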