
Re: [Samba] backup of tdb files
On Mon, 2018-10-15 at 16:05 +0200, Philipp Gesang via samba wrote:
> -<| Quoting Andrew Bartlett <abartlet@xxxxxxxxx>, on Saturday, 2018-10-13 08:09:31 AM |>-
> > On Fri, 2018-10-12 at 16:59 +0200, Philipp Gesang via samba wrote:
> > > Hi Andrew,
> > > 
> > > revisiting this subject once again because I seem to have reached
> > > an impasse.
> > > 
> > > -<| Quoting Andrew Bartlett <abartlet@xxxxxxxxx>, on Monday, 2018-09-24 07:14:48 PM |>-
> > > > On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> > > > > > A long time ago I posted a script to dump the machine password to
> > > > > > stdout for the benefit of an 802.1x client, but it never had tests
> > > > > > so didn't get in.
> > > > > > 
> > > > > > I could see JSON working well for this also.  Perhaps extend either
> > > > > > samba-tool or net to print out the domain SID, local SID, domain
> > > > > > member password and hostname?
> > > > > 
> > > > > Sounds promising. I’ll look into that.
> > > 
> > > Right now I am using values obtained as follows:
> > > 
> > > - hostname: get_global_sam_name() 
> > > 
> > > - local SID:
> > >   secrets_fetch_domain_sid (get_global_sam_name(), …)
> > >   == SECRETS/SID/CLIENTNAME in tdb
> > > 
> > > - domain SID:
> > >   secrets_fetch_domain_sid (lp_workgroup(), …)
> > >   == SECRETS/SID/WORKGROUPNAME
> > > 
> > > - domain member password:
> > >   secrets_fetch_machine_password(lp_workgroup(), …)
> > >   == SECRETS/MACHINE_DOMAIN_INFO/WORKGROUPNAME
> > > 
> > > This approach works well with a manually joined AD member but not
> > > with any of the blackbox testsuites. In the secrets.tdb used
> > > during tests I find only the domain SID (e. g. SECRETS/SID/CHDCDOMAIN)
> > > but not the machine sid (probably SECRETS/SID/CLIENT).
> > > 
> > > How come that machine sid is absent in the tests? Is there
> > > another means of retrieving it?
> > 
> > This is due to the test environment you are running in.  If you ran it
> > in ad_member:local it would be there.
> 
> Yes, that was it. Thanks!
> 
> > The 'client' environment (where you don't specify a :local) is used,
> > without the server's smb.conf or files, and doesn't have a local SID.
> > 
> > Also, it is only set when a source3 passdb operation happens, so AD DC
> > client stuff won't trigger it (for historical reasons). 
> 
> I’m not 100% familiar with these concepts. Until now I’ve been
> assuming Samba running as joined domain member. Does Samba as “AD
> DC client” have machine credentials as well, just no local SID?
> 
> Currently the code errors out when any of the values couldn’t be
> obtained. If the local SID may be absent in valid configurations
> this is obviously the wrong approach.

Correct, have the values just be absent in the JSON if they are absent
in the TDB.  Likewise the domain SID may be absent if the machine is
not joined to a domain.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
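To make the "leave absent values out of the JSON" rule concrete, here is a small Python model of the dump logic discussed in this thread. It is an added example, not code from Samba or from either poster: a lookup callable stands in for secrets.tdb, the keys follow the SECRETS/SID/<NAME> and SECRETS/MACHINE_DOMAIN_INFO/<WORKGROUP> scheme quoted above (uppercasing the names is an assumption taken from the uppercase keys in the thread), and the hostname that Samba takes from get_global_sam_name() is passed in as a parameter. The store contents and the decoded string values are constructed; the real records are binary and are decoded by Samba's own secrets_fetch_* functions.

```python
import json
from typing import Callable, Dict, Optional

# Key layout as quoted in the thread: the local (machine) SID and the
# domain SID live under SECRETS/SID/<NAME>, the machine account password
# under SECRETS/MACHINE_DOMAIN_INFO/<WORKGROUP>.  Uppercasing the name
# part is an assumption based on the keys shown in the thread.
SID_PREFIX = "SECRETS/SID/"
MACHINE_INFO_PREFIX = "SECRETS/MACHINE_DOMAIN_INFO/"

# fetch(key) returns the decoded value for a key, or None when the key
# is absent.  A dict's .get() has this shape; so does the .get() of a
# real tdb handle (assumption), once the binary records are decoded.
Lookup = Callable[[str], Optional[str]]


def dump_member_info(sam_name: str, workgroup: str, fetch: Lookup) -> Dict[str, str]:
    """Collect hostname, local SID, domain SID and machine password.

    Absent keys are dropped from the result instead of raising, which is
    what the thread settles on: a 'client' test environment has no local
    SID, and a host that is not joined to a domain has no domain SID.
    """
    candidates = {
        "hostname": sam_name,
        "local_sid": fetch(SID_PREFIX + sam_name.upper()),
        "domain_sid": fetch(SID_PREFIX + workgroup.upper()),
        "machine_password": fetch(MACHINE_INFO_PREFIX + workgroup.upper()),
    }
    return {key: value for key, value in candidates.items() if value is not None}


def to_json(info: Dict[str, str]) -> str:
    # Stable key order so the output is easy to diff between two dumps.
    return json.dumps(info, sort_keys=True)


# Constructed stand-ins for secrets.tdb.  Values are already decoded
# strings; the SIDs and the password are made up for this example.
AD_MEMBER_STORE = {                      # manually joined AD member
    "SECRETS/SID/MEMBER1": "S-1-5-21-111-222-333",
    "SECRETS/SID/EXAMPLEDOM": "S-1-5-21-444-555-666",
    "SECRETS/MACHINE_DOMAIN_INFO/EXAMPLEDOM": "constructed-machine-secret",
}
TEST_CLIENT_STORE = {                    # 'client' test env: domain SID only
    "SECRETS/SID/EXAMPLEDOM": "S-1-5-21-444-555-666",
}
UNJOINED_STORE: Dict[str, str] = {}      # not joined: no SIDs at all

if __name__ == "__main__":
    for store in (AD_MEMBER_STORE, TEST_CLIENT_STORE, UNJOINED_STORE):
        print(to_json(dump_member_info("member1", "exampledom", store.get)))
```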