
Re: [Samba] backup of tdb files




-<| Quoting Andrew Bartlett <abartlet@xxxxxxxxx>, on Tuesday, 2018-10-16 05:17:13 AM |>-
> On Mon, 2018-10-15 at 16:05 +0200, Philipp Gesang via samba wrote:
> > -<| Quoting Andrew Bartlett <abartlet@xxxxxxxxx>, on Saturday, 2018-10-13 08:09:31 AM |>-
> > > On Fri, 2018-10-12 at 16:59 +0200, Philipp Gesang via samba wrote:
> > > > Hi Andrew,
> > > > 
> > > > revisiting this subject once again because I seem to have reached
> > > > an impasse.
> > > > 
> > > > -<| Quoting Andrew Bartlett <abartlet@xxxxxxxxx>, on Monday, 2018-09-24 07:14:48 PM |>-
> > > > > On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> > > > > > > A long time ago I posted a script to dump the machine password to
> > > > > > > stdout for the benefit of an 802.1x client, but it never had tests
> > > > > > > so didn't get in.
> > > > > > > 
> > > > > > > I could see JSON working well for this also.  Perhaps extend either
> > > > > > > samba-tool or net to print out the domain SID, local SID, domain
> > > > > > > member password and hostname?
> > > > > > 
> > > > > > Sounds promising. I’ll look into that.
> > > > 
> > > > Right now I am using values obtained as follows:
> > > > 
> > > > - hostname: get_global_sam_name() 
> > > > 
> > > > - local SID:
> > > >   secrets_fetch_domain_sid (get_global_sam_name(), …)
> > > >   == SECRETS/SID/CLIENTNAME in tdb
> > > > 
> > > > - domain SID:
> > > >   secrets_fetch_domain_sid (lp_workgroup(), …)
> > > >   == SECRETS/SID/WORKGROUPNAME
> > > > 
> > > > - domain member password:
> > > >   secrets_fetch_machine_password(lp_workgroup(), …)
> > > >   == SECRETS/MACHINE_DOMAIN_INFO/WORKGROUPNAME
> > > > 
> > > > This approach works well with a manually joined AD member but not
> > > > with any of the blackbox testsuites. In the secrets.tdb used
> > > > during tests I find only the domain SID (e. g. SECRETS/SID/CHDCDOMAIN)
> > > > but not the machine sid (probably SECRETS/SID/CLIENT).
> > > > 
> > > > How come that machine sid is absent in the tests? Is there
> > > > another means of retrieving it?
> > > 
> > > This is due to the test environment you are running in.  If you ran it
> > > in ad_member:local it would be there.
> > 
> > Yes, that was it. Thanks!
> > 
> > > The 'client' environment (where you don't specify a :local) is used,
> > > without the server's smb.conf or files, and doesn't have a local SID.
> > > 
> > > Also, it is only set when a source3 passdb operation happens, so AD DC
> > > client stuff won't trigger it (for historical reasons). 
> > 
> > I’m not 100% familiar with these concepts. Until now I’ve been
> > assuming Samba running as joined domain member. Does Samba as “AD
> > DC client” have machine credentials as well, just no local SID?
> > 
> > Currently the code errors out when any of the values couldn’t be
> > obtained. If the local SID may be absent in valid configurations
> > this is obviously the wrong approach.
> 
> Correct, have the values just be absent in the JSON if they are absent
> in the TDB.  Likewise the domain SID may be absent if the machine is
> not joined to a domain.

Ok, both SIDs are now being treated as optional.

There is something about the CI test environment I haven’t fully
grasped yet: In most envs the relevant secrets.tdb in the
container is located at $PREFIX/$ENVNAME/private/secrets.tdb. For
some reason this is not the case for “fl2003dc”. This one lacks
./st/*/private/secrets.tdb, but has
./ab/bin/*/private/secrets.tdb instead. How would I determine the
latter path in a blackbox test to avoid hardcoding it?

Best,
Philipp
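The optional-SID JSON output discussed in this thread, as an added example that is not Samba code and not from either poster: a parser for the raw `struct dom_sid` blob stored under `SECRETS/SID/<NAME>` (assumed 68-byte layout: 1-byte revision, 1-byte subauthority count, 6-byte big-endian identifier authority, then 15 native-endian uint32 subauthorities) and a dumper that leaves a key out of the JSON when the tdb record is missing, as Andrew suggested. A constructed dict stands in for the secrets.tdb lookups, and key names are upper-cased as in the thread's examples.

```python
import json
import struct

DOM_SID_SIZE = 68          # assumed sizeof(struct dom_sid): 1 + 1 + 6 + 15*4
MAX_SUB_AUTHS = 15

def pack_dom_sid(rev, id_auth, sub_auths):
    """Build a struct dom_sid image (constructed test data only)."""
    if len(sub_auths) > MAX_SUB_AUTHS:
        raise ValueError("too many subauthorities")
    head = struct.pack("Bb6s", rev, len(sub_auths), id_auth.to_bytes(6, "big"))
    padded = list(sub_auths) + [0] * (MAX_SUB_AUTHS - len(sub_auths))
    return head + struct.pack("=15I", *padded)   # host byte order, as a C struct dump

def parse_dom_sid(blob):
    """Decode a SECRETS/SID/<NAME> value into its S-R-I-S... string form."""
    if len(blob) != DOM_SID_SIZE:
        raise ValueError("unexpected dom_sid size %d" % len(blob))
    rev, num_auths, id_auth = struct.unpack_from("Bb6s", blob, 0)
    if not 0 <= num_auths <= MAX_SUB_AUTHS:
        raise ValueError("bad subauthority count %d" % num_auths)
    subs = struct.unpack_from("=15I", blob, 8)[:num_auths]
    authority = int.from_bytes(id_auth, "big")
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

# Constructed stand-in for secrets.tdb: only the domain SID is present,
# mirroring the 'client' test environment that has no local SID.
SAMPLE_TDB = {
    b"SECRETS/SID/EXAMPLEDOM": pack_dom_sid(1, 5, [21, 111, 222, 333]),
}

def dump_secrets(db, hostname, workgroup):
    """Collect hostname plus whichever SIDs exist; absent records stay absent."""
    out = {"hostname": hostname}
    for field, name in (("local_sid", hostname), ("domain_sid", workgroup)):
        blob = db.get(b"SECRETS/SID/" + name.upper().encode("ascii"))
        if blob is not None:                  # key missing -> no JSON field
            out[field] = parse_dom_sid(blob)
    return out

def secrets_to_json(db, hostname, workgroup):
    return json.dumps(dump_secrets(db, hostname, workgroup), sort_keys=True)

if __name__ == "__main__":
    print(secrets_to_json(SAMPLE_TDB, "client1", "EXAMPLEDOM"))
```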
