On 07-09-2023 07:03, Anton Shevtsov via samba wrote:
> Hi all,
>
> I have read https://wiki.samba.org/index.php/GPO_Backup_and_Restore ,
> but I have two questions.
>
> Q1)
>
> I want to back up a GPO from domain ABC.XYZ and restore it in domain AAA.BBB.
>
> On ABC.XYZ I make a backup:
>
> [root@dc.abc.xyz ~]# samba-tool gpo backup --tmpdir=/root/gpo/computer/ --generalize --entities=/root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent '{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}'
> GPO copied to /root/gpo/computer/policy/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}
>
> Attempting to generalize XML entities:
> Entities successfully written to /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>
> [root@dc.abc.xyz ~]# cat /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
>
> <!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ "machine-startup-script.sh
> ">
>
> Go to AAA.BBB and try to restore:
>
> [root@dc.aaa.bbb ~]# samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
> ERROR: Entities file does not appear to conform to format
> e.g. <!ENTITY entity "value">
>
> Must I replace ENTITY SAMBA__NETWORK_PATH__ in /tmp/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent? Replace it with what?
>
> Q2) I don't understand why the Kerberos ticket is not used.
>
> I specified --use-kerberos=required
>
> [user@dc.aaa.bbb ~]$ kinit administrator
> Password for administrator@AAA.BBB:
> Warning: Your password will expire in 27 days on ?? 05 ??? 2023 09:44:26
> [user@dc.aaa.bbb ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: administrator@AAA.BBB
>
> Valid starting       Expires              Service principal
> 07.09.2023 09:53:08  07.09.2023 19:53:08  krbtgt/AAA.BBB@AAA.BBB
>         renew until 08.09.2023 09:53:05
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required
> Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir to change)
> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir to change)
> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir to change)
> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> --
>
> Anton

I had the same issue some 1.5 years ago. I worked back then with David
Mulder on an alternative solution, which is finally released as part
of 4.19.

Instead of backup/restore, I keep the GPOs as source code (json files
for the regpol GPOs) and generate them in each domain from the source
code.

In 4.19 there is "samba-tool gpo load --content <json-file>" to load
the json into an existing GPO. There is also "samba-tool gpo create"
to initially create one.

And there is the reverse operation to show the json content of a
regpol GPO: "samba-tool gpo show". Now you can store everything in git
and manage it with a set of scripts.

- Kees.
07.09.2023 13:04, Kees van Vloten via samba wrote:
> On 07-09-2023 07:03, Anton Shevtsov via samba wrote:
>> [...]
>
> I had the same issue some 1.5 years ago. I worked back then with David
> Mulder on an alternative solution, which is finally released as part
> of 4.19.
>
> Instead of backup/restore, I keep the GPOs as source code (json files
> for the regpol GPOs) and generate them in each domain from the source
> code.
>
> In 4.19 there is "samba-tool gpo load --content <json-file>" to load
> the json into an existing GPO. There is also "samba-tool gpo create"
> to initially create one.
>
> And there is the reverse operation to show the json content of a
> regpol GPO: "samba-tool gpo show". Now you can store everything in git
> and manage it with a set of scripts.
>
> - Kees.

I use samba-4.16.11 (there is no more modern version in my repo).

I fixed the entities XML:

cat /root/gpo/computer/{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D}.ent
<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ "machine-startup-script.sh
">

Pay attention to the "> on a new line. If I fix it, the import succeeds (or not?):

sed -r ':a;N;$!ba;s/\n//g;s/">/">\n/' /tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent

[user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script2 /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --entities=/tmp/gpo/computer/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}.ent
Using temporary directory /tmp/.private/user/tmpl22krcs3 (use --tmpdir to change)
Password for [administrator@TEST.ALT]:
GPO 'StartUp-Script2' created as {D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
WARNING: No such parser for machine-startup-script.sh
WARNING: Falling back to simple copy-restore.

But the Kerberos ticket is not used (why?)

[user@dc.aaa.bbb ~]$ samba-tool gpo listall --use-kerberos=required | grep -A 2 '{D83FB52C-FEDB-4599-82BC-7D67E942AB4E}'
GPO          : {D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
display name : StartUp-Script2
path         : \\test.alt\sysvol\test.alt\Policies\{D83FB52C-FEDB-4599-82BC-7D67E942AB4E}
dn           : CN={D83FB52C-FEDB-4599-82BC-7D67E942AB4E},CN=Policies,CN=System,DC=test,DC=alt
version      : 0
flags        : NONE

For samba-tool gpo listall the Kerberos ticket is used (no password prompt).

--
Anton
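The entities-file problem from Q1, as an added example that is not code from the thread and not part of Samba: a small Python script that rewrites a `.ent` file produced by `samba-tool gpo backup --generalize` into the one-declaration-per-line form the restore accepts. Unlike the sed one-liner above, which joins the whole file and re-splits only after the first `">`, it parses each `<!ENTITY name "value">` declaration on its own, so it also copes with a file holding several entities, and it refuses to emit an empty value. The `conforms()` check is my assumption modelled on the wording of the error message (`e.g. <!ENTITY entity "value">`); samba-tool's real validation code is not shown in the thread. The sample input is constructed from the file Anton posted.

```python
"""Normalize a samba-tool GPO entities file to one <!ENTITY ...> per line.

Added example, not code from the mailing-list thread or from Samba.
"""
import re
import sys

# Constructed sample: the entities file as posted in the thread, with the
# value split across a line break before the closing quote.
SAMPLE_ENTITIES = (
    '<!ENTITY SAMBA__NETWORK_PATH__b1b66be4ed054b37b1d72f4be8f953b9__ '
    '"machine-startup-script.sh\n'
    '">\n'
)

# One <!ENTITY name "value"> declaration. [^"]* deliberately lets the
# value span line breaks, which is exactly the shape that broke the restore.
ENTITY_RE = re.compile(r'<!ENTITY\s+(?P<name>\S+)\s+"(?P<value>[^"]*)"\s*>')

# Strict one-declaration-per-line form. Assumption: modelled on the error
# message text, not taken from samba-tool's own source.
STRICT_LINE_RE = re.compile(r'^<!ENTITY\s+\S+\s+"[^"\n]*">$')


def parse_entities(text):
    """Return the (name, value) pairs found in text, in file order."""
    return [(m.group('name'), m.group('value')) for m in ENTITY_RE.finditer(text)]


def normalize_value(value):
    """Drop embedded line breaks and surrounding whitespace; reject empty results."""
    clean = ''.join(value.splitlines()).strip()
    if not clean:
        raise ValueError('empty entity value after trimming')
    return clean


def normalize_entities(text):
    """Rewrite text so every declaration is a single '<!ENTITY name "value">' line."""
    entities = parse_entities(text)
    if not entities:
        raise ValueError('no <!ENTITY ...> declarations found')
    lines = [f'<!ENTITY {name} "{normalize_value(value)}">' for name, value in entities]
    return '\n'.join(lines) + '\n'


def conforms(text):
    """True if every non-blank line is a single-line declaration."""
    return all(STRICT_LINE_RE.match(line) for line in text.splitlines() if line.strip())


def main(argv):
    """Usage: normalize_entities.py FILE.ent   (rewrites FILE.ent in place)."""
    path = argv[1]
    with open(path, encoding='utf-8') as fh:
        original = fh.read()
    fixed = normalize_entities(original)
    if not conforms(fixed):
        raise SystemExit(f'{path}: still not in one-declaration-per-line form')
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(fixed)
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it against the `.ent` file before `samba-tool gpo restore --entities=...`; after the rewrite the restore still only substitutes these values into the backed-up XML, so check the resulting GPO in the target domain with `samba-tool gpo listall` as Anton did. The script does not explain why the backup wrote a trailing line break into the value in the first place; that is not visible from the thread.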
Hi,

To summarize all of the above. Do I understand correctly that gpo backup/restore will not work correctly in 4.16 and there is no point in working with this version? Does it work in 4.19 (or maybe 4.17? 4.18?)?

07.09.2023 13:04, Kees van Vloten via samba wrote:
> On 07-09-2023 07:03, Anton Shevtsov via samba wrote:
>> [...]
>
> I had the same issue some 1.5 years ago. I worked back then with David
> Mulder on an alternative solution, which is finally released as part
> of 4.19.
>
> Instead of backup/restore, I keep the GPOs as source code (json files
> for the regpol GPOs) and generate them in each domain from the source
> code.
>
> In 4.19 there is "samba-tool gpo load --content <json-file>" to load
> the json into an existing GPO. There is also "samba-tool gpo create"
> to initially create one.
>
> And there is the reverse operation to show the json content of a
> regpol GPO: "samba-tool gpo show". Now you can store everything in git
> and manage it with a set of scripts.
>
> - Kees.

--
Anton