Web lists-archives.com

Re: [Samba] backup of tdb files




-<| Quoting Andrew Bartlett <abartlet@xxxxxxxxx>, on Saturday, 2018-10-13 08:09:31 AM |>-
> On Fri, 2018-10-12 at 16:59 +0200, Philipp Gesang via samba wrote:
> > Hi Andrew,
> > 
> > revisiting this subject once again because I seem to have reached
> > an impass.
> > 
> > -<| Quoting Andrew Bartlett <abartlet@xxxxxxxxx>, on Monday, 2018-09-24 07:14:48 PM |>-
> > > On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> > > > > A long time ago I posted a script to dump the machine password to
> > > > > stdout for the benifit of an 802.1x client, but it never had tests
> > > > > so
> > > > > didn't get in.  
> > > > > 
> > > > > I could see JSON working well for this also.  Perhaps extend either
> > > > > samba-tool or net to print out the domain SID, local SID, domain
> > > > > member password and hostname?
> > > > 
> > > > Sounds promising. I’ll look into that.
> > 
> > Right now I am using values obtained as follows:
> > 
> > - hostname: get_global_sam_name() 
> > 
> > - local SID:
> >   secrets_fetch_domain_sid (get_global_sam_name(), …)
> >   == SECRETS/SID/CLIENTNAME in tdb
> > 
> > - domain SID:
> >   secrets_fetch_domain_sid (lp_workgroup(), …)
> >   == SECRETS/SID/WORKGROUPNAME
> > 
> > - domain member password:
> >   secrets_fetch_machine_password(lp_workgroup(), …)
> >   == SECRETS/MACHINE_DOMAIN_INFO/WORKGROUPNAME
> > 
> > This approach works well with a manually joined AD member but not
> > with any of the blackbox testsuites. In the secrets.tdb used
> > during tests I find only the domain SID (e. g. SECRETS/SID/CHDCDOMAIN)
> > but not the machine sid (probably SECRETS/SID/CLIENT).
> > 
> > How come that machine sid is absent in the tests? Is there
> > another means of retrieving it?
> 
> This is due to the test environment you are running in.  If you ran it
> in ad_member:local it would be there.

Yes, that was it. Thanks!

> The 'client' environment (where you don't specify a :local) is used,
> without the server's smb.conf or files, and doens't have a local SID.  
>
> Also, it is only set when a source3 passdb operation happens, so AD DC
> client stuff won't trigger it (for historical reasons). 

I’m not 100% familiar with these concepts. Until now I’ve been
assuming Samba running as joined domain member. Does Samba as “AD
DC client” have machine credentials as well, just no local SID?

Currently the code errors out when any of the values couldn’t be
obtained. If the local SID may be absent in valid configurations
this is obviously the wrong approch.

Philipp

Attachment: signature.asc
Description: PGP signature

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba