
Re: [Samba] backup of tdb files




On Fri, 2018-10-12 at 16:59 +0200, Philipp Gesang via samba wrote:
> Hi Andrew,
> 
> revisiting this subject once again because I seem to have reached
> an impasse.
> 
> -<| Quoting Andrew Bartlett <abartlet@xxxxxxxxx>, on Monday, 2018-09-24 07:14:48 PM |>-
> > On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> > > > A long time ago I posted a script to dump the machine password to
> > > > stdout for the benefit of an 802.1x client, but it never had tests
> > > > so didn't get in.
> > > > 
> > > > I could see JSON working well for this also.  Perhaps extend either
> > > > samba-tool or net to print out the domain SID, local SID, domain
> > > > member password and hostname?
> > > 
> > > Sounds promising. I’ll look into that.
> 
> Right now I am using values obtained as follows:
> 
> - hostname: get_global_sam_name() 
> 
> - local SID:
>   secrets_fetch_domain_sid (get_global_sam_name(), …)
>   == SECRETS/SID/CLIENTNAME in tdb
> 
> - domain SID:
>   secrets_fetch_domain_sid (lp_workgroup(), …)
>   == SECRETS/SID/WORKGROUPNAME
> 
> - domain member password:
>   secrets_fetch_machine_password(lp_workgroup(), …)
>   == SECRETS/MACHINE_DOMAIN_INFO/WORKGROUPNAME
> 
> This approach works well with a manually joined AD member but not
> with any of the blackbox testsuites. In the secrets.tdb used
> during tests I find only the domain SID (e. g. SECRETS/SID/CHDCDOMAIN)
> but not the machine sid (probably SECRETS/SID/CLIENT).
> 
> How come that machine sid is absent in the tests? Is there
> another means of retrieving it?

This is due to the test environment you are running in.  If you ran it
in ad_member:local it would be there.

The 'client' environment (where you don't specify a :local) is used,
without the server's smb.conf or files, and doesn't have a local SID.

Also, it is only set when a source3 passdb operation happens, so AD DC
client stuff won't trigger it (for historical reasons). 

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
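
An added example, not part of the original thread and not Samba code: a check for which of the secrets.tdb records named above exist in a given database, run over `tdbdump` text output. It goes one step further than the thread by decoding the SID records; it assumes tdbdump's `key(N) = "..."` / `data(N) = "..."` layout with `\XX` hex escapes and a 68-byte `struct dom_sid` value, and the function names and sample dump are constructed for illustration.

```python
import re
import struct

# Constructed sample (not from a real host): only the domain SID record is
# present, as described for the 'client' test environment in the thread.
_SID = r"\01\04\00\00\00\00\00\05\15\00\00\00\01\00\00\00\02\00\00\00\03\00\00\00"
SAMPLE_DUMP = ('{\nkey(22) = "SECRETS/SID/CHDCDOMAIN"\n'
               'data(68) = "' + _SID + r"\00" * 44 + '"\n}\n')

REC = re.compile(r'key\(\d+\) = "(.*)"\ndata\(\d+\) = "(.*)"')
ESC = re.compile(rb"\\([0-9A-Fa-f]{2})")

def unescape(text):
    """Turn tdbdump's \\XX escapes back into raw bytes."""
    return ESC.sub(lambda m: bytes([int(m.group(1), 16)]), text.encode("latin-1"))

def parse_dump(text):
    """Map each record key (trailing NUL stripped) to its raw value."""
    return {unescape(k).rstrip(b"\0"): unescape(v) for k, v in REC.findall(text)}

def sid_to_str(blob):
    """Decode a binary SID: revision, count, 6-byte authority, LE sub-authorities."""
    if len(blob) < 8 or len(blob) < 8 + 4 * blob[1]:
        raise ValueError("truncated SID record")
    rev, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def report(dump_text, workgroup, netbios_name):
    """Return {label: decoded SID, 'present', or None} for the keys in the thread."""
    recs = parse_dump(dump_text)
    wanted = {
        "domain SID": "SECRETS/SID/" + workgroup.upper(),
        "local SID": "SECRETS/SID/" + netbios_name.upper(),
        "machine account record": "SECRETS/MACHINE_DOMAIN_INFO/" + workgroup.upper(),
    }
    out = {}
    for label, key in wanted.items():
        blob = recs.get(key.encode("latin-1"))
        if blob is None:
            out[label] = None
        elif label.endswith("SID"):
            out[label] = sid_to_str(blob)
        else:
            out[label] = "present"  # the secret value itself is never echoed
    return out

if __name__ == "__main__":
    for label, value in report(SAMPLE_DUMP, "CHDCDOMAIN", "CLIENT").items():
        print("%-24s %s" % (label, value if value else "MISSING"))
```

On the sample, only the domain SID is reported; the local SID and machine account record come back missing, matching the behaviour Philipp saw in the blackbox test environment.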


