Matthias Kühne | Ellerhold Aktiengesellschaft
2024-Jun-27 12:38 UTC
[Samba] Online AD Backup fails with "no auth" in 4.20?
Hey Luis,

on the member server:

# net ads testjoin
Join is OK

# wbinfo --ping-dc
checking the NETLOGON for domain[AD-ELLERHOLD] dc connection to "rad-2.ad.ellerhold.lan" succeeded

SSH login to this member works, Access via SMB works... all good!

Our AD is healthy as far as I can tell... all services work as far as we can tell.

The same command on a member server with 4.19 still works. Using another domain member with 4.20 fails too. The ticket was created fresh today.

The package "samba-ad-dc" is installed on all DCs and was never installed on the domain members.

Just for completeness: the upgrade to 4.20 was around 2 weeks ago and this failing backup was pushed time and time again because we had other (unrelated) bigger problems.

Regards, Matthias.

On 27.06.24 at 14:24, Luis Peromarta wrote:
>
> LP
> On Jun 27, 2024 at 13:13 +0100, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org>, wrote:
> > Hello lovely samba-people,
> >
> > did something change in regards to the online AD Backup in 4.20?
> >
> > We're using this CLI command to create a backup of our domain:
> >
> >     /usr/bin/samba-tool domain backup online --targetdir="/my/path" --server="rad-2.ad.ellerhold.lan" --use-krb5-ccache="/opt/samba-ad-backup/ad-backup.krb5cc" -N
> >
> > This ran successfully on a member server without a problem. klist shows a valid ticket:
> >
> > # klist -c /opt/samba-ad-backup/ad-backup.krb5cc
> > Ticket cache: FILE:/opt/samba-ad-backup/ad-backup.krb5cc
> > Default principal: ad-backup at AD.ELLERHOLD.LAN
> >
> > Valid starting     Expires            Service principal
> > 27/06/24 11:28:22  27/06/24 21:28:22  krbtgt/AD.ELLERHOLD.LAN at AD.ELLERHOLD.LAN
> >     renew until 28/06/24 11:28:22
> >
> > After upgrading to 4.20 this results in the error message:
> > ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
>
> This suggests bad or no Join.
> What is the output of
>
> net ads testjoin
>
> ?
>
> > Even this doesn't work:
> >
> >     /usr/bin/samba-tool domain backup online --targetdir="/my/path" --server="dc1.example.org" -U Administrator
> >
> > Same error message on a member server. Running this on a DC prompts me for the password correctly. Running this on a 4.19 member server correctly prompts me for the password too.
> >
> > I even copied an smb.conf from a DC and added --configfile=/path/to/dc-smb.conf . Same error...
> >
> > Can someone point me in the right directory to make this work again on a 4.20 member server?
> >
> > Environment: Samba 4.20.2 in Debian 12 (mjts Repository).
>
> Did this fail after updating to samba 4.20 ? Is your AD showing any other problems ?
> Do you have the package samba-ad-dc installed in the DCs ? It wasn't needed before 4.20 (or 4.20.1, not sure), but it is now.
>
> > Thanks for your help and have a nice day.
>
> You too.
>
> > Kind regards.

-- 
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
LinkedIn: www.linkedin.com/company/ellerhold-gruppe
Dresden District Court / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
---
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
Luis Peromarta
2024-Jun-27 12:46 UTC
[Samba] Online AD Backup fails with "no auth" in 4.20?
Hopefully other senior members can help, I would not know what else to suggest.

In my case it's been the other way around. It works on DCs, not in members.

/usr/bin/samba-tool domain backup online --targetdir=/root/samba-ad-backup-dc1/ --server=dc1 -UAdministrator%My$ecretPassword

Has always worked in DC, actually all my DCs run this daily and keep 10 copies.

LP
On Jun 27, 2024 at 13:38 +0100, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org>, wrote:
> Hey Luis,
>
> on the member server:
>
> # net ads testjoin
> Join is OK
>
> # wbinfo --ping-dc
> checking the NETLOGON for domain[AD-ELLERHOLD] dc connection to "rad-2.ad.ellerhold.lan" succeeded
>
> SSH login to this member works, Access via SMB works... all good!
>
> Our AD is healthy as far as I can tell... all services work as far as we can tell.
>
> The same command on a member server with 4.19 still works. Using another domain member with 4.20 fails too. The ticket was created fresh today.
>
> The package "samba-ad-dc" is installed on all DCs and was never installed on the domain members.
>
> Just for completeness: the upgrade to 4.20 was around 2 weeks ago and this failing backup was pushed time and time again because we had other (unrelated) bigger problems.
>
> Regards, Matthias.
>
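
Added example, not part of either post and not a fix for the 4.20 error discussed above: a scheduled-backup wrapper around the ccache-based command from the thread that refuses to run unless the credential cache is private and holds a valid ticket, then keeps the 10 newest archives. The function names are hypothetical, and the samba-backup-*.tar.bz2 archive name pattern is an assumption about what samba-tool writes into the target directory.

```sh
#!/bin/sh
# Added example. Paths and server name are the ones quoted in the thread;
# KEEP=10 mirrors the "keep 10 copies" practice mentioned there.
CCACHE="${CCACHE:-/opt/samba-ad-backup/ad-backup.krb5cc}"
TARGET="${TARGET:-/my/path}"
SERVER="${SERVER:-rad-2.ad.ellerhold.lan}"
KEEP="${KEEP:-10}"

# True only if the cache file exists and has no group/other permission bits.
# Characters 5-10 of the ls mode string are the group and other triplets.
ccache_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# klist -s prints nothing and reports ticket validity via its exit status.
ticket_valid() {
    klist -s -c "$1"
}

# Delete all but the $2 newest archives in directory $1.
# Assumption: archives are named samba-backup-*.tar.bz2.
prune_backups() {
    ls -1t "$1"/samba-backup-*.tar.bz2 2>/dev/null |
        tail -n +"$(( $2 + 1 ))" |
        while IFS= read -r old; do rm -f -- "$old"; done
}

# Fail closed: no backup attempt without a private cache and a valid ticket.
run_backup() {
    ccache_private "$CCACHE" || {
        echo "ccache missing or accessible to group/other: $CCACHE" >&2
        return 2
    }
    ticket_valid "$CCACHE" || {
        echo "no valid Kerberos ticket in $CCACHE" >&2
        return 3
    }
    samba-tool domain backup online --targetdir="$TARGET" \
        --server="$SERVER" --use-krb5-ccache="$CCACHE" -N || return 4
    prune_backups "$TARGET" "$KEEP"
}
# Call run_backup from cron or a systemd timer; nothing is executed here.
```

Distinct exit codes let monitoring tell an expired ticket (3) apart from a failure inside samba-tool itself (4).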