Hi all,

I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore , but I have two questions.

Q1)

I want to back up a GPO from domain ABC.XYZ and restore it for domain AAA.BBB.

On ABC.XYZ I make a backup:

[root@dc.abc.xyz ~]# samba-tool gpo backup --tmpdir=/root/gpo/computer/ --generalize --entities=/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent '{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}'
GPO copied to /root/gpo/computer/policy/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}
Attempting to generalize XML entities:
Entities successfully written to /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent

[root@dc.abc.xyz ~]# cat /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ "machine-startup-script.sh
">

Go to AAA.BBB and try to restore:

[root@dc.aaa.bbb ~]# samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
ERROR: Entities file does not appear to conform to format e.g. <!ENTITY entity "value">

Must I replace ENTITY SAMBA__NETWORK_PATH__ in /tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent? Replace it with what?

Q2) I don't understand why the Kerberos ticket is not used.

I specified --use-kerberos=required:

[user@dc.aaa.bbb ~]$ kinit administrator
Password for administrator@AAA.BBB:
Warning: Your password will expire in 27 days on ?? 05 ??? 2023 09:44:26

[user@dc.aaa.bbb ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: administrator@AAA.BBB

Valid starting       Expires              Service principal
07.09.2023 09:53:08  07.09.2023 19:53:08  krbtgt/AAA.BBB@AAA.BBB
        renew until 08.09.2023 09:53:05

[user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required
Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir to change)
Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

[user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir to change)
Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

[user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir to change)
Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

--
Anton
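One way to check why a restore would reject that .ent file, as an added example that is neither from the question nor from Samba's own code: the declaration shown above has its closing quote and ">" on a second line, and a line-oriented check of the `<!ENTITY entity "value">` shape quoted in the error message cannot accept that. Whether samba-tool parses exactly this way is an assumption of the example, as is the choice to drop the stray newline when rejoining.

```python
import re

# Added example, not Samba's own code. It checks an entities file of the kind
# "samba-tool gpo backup --generalize" writes against the one-declaration-per-line
# shape quoted in the restore error (<!ENTITY entity "value">). That samba-tool
# parses line by line is an assumption, not taken from its source; the point is
# that a value containing a newline cannot satisfy such a rule.
ENTITY_RE = re.compile(r'^<!ENTITY\s+([A-Za-z_]\w*)\s+"([^"]*)">\s*$')

# Constructed copy of the .ent file from the question: the closing quote and '>'
# land on the next line because the value itself ends in a newline.
BROKEN_ENT = (
    '<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ '
    '"machine-startup-script.sh\n'
    '">\n'
)

def parse_entities(text):
    """Return {name: value}; raise ValueError on the first malformed line."""
    entities = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTITY_RE.match(line)
        if m is None:
            raise ValueError(f'line {lineno}: not <!ENTITY name "value">: {line!r}')
        entities[m.group(1)] = m.group(2)
    return entities

def entities_ok(text):
    """True when every non-blank line is a well-formed entity declaration."""
    try:
        parse_entities(text)
    except ValueError:
        return False
    return True

def join_split_declarations(text):
    """Rejoin declarations broken across lines, dropping the stray line break.
    Assumption: the newline inside the value is an artefact, not part of the
    intended path, so it is removed rather than kept as a space."""
    out, buf = [], ''
    for line in text.splitlines():
        buf += line.strip()
        if buf.endswith('>'):
            out.append(buf)
            buf = ''
    if buf:  # unterminated declaration at EOF: keep it so the check still fails
        out.append(buf)
    return '\n'.join(out) + '\n'
```

Running `entities_ok(BROKEN_ENT)` reports the file as malformed, and `parse_entities(join_split_declarations(BROKEN_ENT))` yields the single SAMBA__NETWORK_PATH__ entity with the script name as its value; whatever value you then substitute for the new domain must stay on one line.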
On 07-09-2023 07:03, Anton Shevtsov via samba wrote:
> I want backup GPO from domain ABC.XYZ and restore for domain AAA.BBB
> [...]
> Q2) I don't understand why Kerberos ticket is not used.
> [...]

I had the same issue some 1.5 years ago. I worked back then with David Mulder on an alternative solution, which is finally released as part of 4.19. Instead of backup/restore, I keep the GPOs as source code (JSON files for the regpol GPOs) and generate them in each domain from the source code.

In 4.19 there is "samba-tool gpo load --content <json-file>" to load the JSON into an existing GPO. There is also "samba-tool gpo create" to initially create one. And there is the reverse operation to show the JSON content of a regpol GPO: "samba-tool gpo show".

Now you can store everything in git and manage it with a set of scripts.

- Kees.
On Thu, 2023-09-07 at 10:03 +0500, Anton Shevtsov via samba wrote:
> Q2) I don't understand why Kerberos ticket is not used.
>
> I specified --use-kerberos=required

Thanks for mentioning this. I don't know why this is happening exactly.

The samba-tool gpo command is a bit of a snowflake in the 'samba-tool' suite as it uses the libsmb library from the 'fileserver' or 'source3' area of the codebase, as that is much more mature.

Sadly there is sometimes an "impedance mismatch" or 'the stitching is still visible' or 'a mismatch in expectations' between some parts of our codebase that were developed apart for a time, and I think this may be showing here.

You could spend some time in a debugger, getting a backtrace when it asks for the password and working out if the Kerberos require flag has been lost somehow. We have got a lot better about not decomposing and re-composing our 'cli_credentials' structure, e.g. https://gitlab.com/samba-team/samba/-/merge_requests/3260 just today, and perhaps this is happening.

I would say that, below, you seem to have tried all the command-line combinations I would try.

Andrew Bartlett

> [user@dc.aaa.bbb ~]$ kinit administrator
> Password for administrator@AAA.BBB:
> Warning: Your password will expire in 27 days on ?? 05 ??? 2023 09:44:26
>
> [user@dc.aaa.bbb ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: administrator@AAA.BBB
>
> Valid starting       Expires              Service principal
> 07.09.2023 09:53:08  07.09.2023 19:53:08  krbtgt/AAA.BBB@AAA.BBB
>         renew until 08.09.2023 09:53:05
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required
> Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir to change)
> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir to change)
> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir to change)
> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

--
Andrew Bartlett (he/him)            https://samba.org/~abartlet/
Samba Team Member (since 2001)      https://samba.org
Samba Team Lead                     https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions