Web lists-archives.com

Re: [Samba] backup of tdb files




Hi Andrew,

thanks for addressing all my points. This is rather helpful.

-<| Quoting Andrew Bartlett <abartlet@xxxxxxxxx>, on Friday, 2018-09-21 08:23:26 AM |>-
> On Fri, 2018-09-21 at 11:29 +0200, Philipp Gesang via samba wrote:
> > how would I go about dumping tdb files in a “neutral” format,
> > preferably JSON?
> > 
> > The goal is to have a domain member functional after restoring
> > from a backup without re-joining. 
> 
> Do take care that the password is changed by winbindd regularly.  It
> might not work any more.

The most common scenario for restoring a backup would be inside
the “window of opportunity” when the current password is still
valid. Besides, knowing our customers I expect a significant
number of users to disable password rotation for machine accounts
in the GPO …

> > By trial and error I determined that
> > /var/lib/samba/private/{netlogon_creds_cli,secrets}.tdb are the
> > only files from whose removal smbd can’t recover, so those are
> > the files I’m currently concerned with.
> 
> It should be only secrets.tdb.  The netlogon_creds_cli.tdb can be re-
> built from the domain member password.

You’re right, I just ran the test again. Probably a fluke in my
tests last week.

> A long time ago I posted a script to dump the machine password to
> stdout for the benifit of an 802.1x client, but it never had tests so
> didn't get in.  
> 
> I could see JSON working well for this also.  Perhaps extend either
> samba-tool or net to print out the domain SID, local SID, domain member
> password and hostname?

Sounds promising. I’ll look into that.

> (There are other elements of state, like idmap values, but how far you
> go depends on the local configuration needs, but these would be the
> four most critical items). 

> > What about portability? Are tdb contents platform independent? Is
> > a secrets.tdb created with 32 bit Samba usable on a 64 bit build
> > and vice versa?
> 
> Yes, tdb files are portable.

Just to be absolutely sure: This is true of both the tdb format
and the binary data stored in the values?

Best,
Philipp

Attachment: signature.asc
Description: PGP signature

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba