Bug 13621 - Problems running domain backups (handling SMBv2, sites)
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.9.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Tim Beale
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-09-17 04:46 UTC by Tim Beale
Modified: 2018-11-05 21:19 UTC

Backport of fixes for 4.9 (35.89 KB, text/plain)
2018-10-24 01:14 UTC, Tim Beale
timbeale: review? (gary)
gary: review+

Description Tim Beale 2018-09-17 04:46:25 UTC
Some issues were found trying to run the new 'samba-tool domain backup online|restore|rename' commands.

1. The sysvol backup doesn't work if SMBv1 is disabled on the server. (This seems to be a more generic problem that the smb.SMB() python API can't create an SMBv2 connection to the server.)

2. The restore command only works if "Default-First-Site-Name" is still present. E.g. if a '--site' option was specified when the domain was provisioned, then the restore command will fail.
Comment 1 mm 2018-09-25 13:36:40 UTC
I've found an additional problem. If server/client signing is set in smb.conf, the command "samba-tool domain backup online" fails during sysvol operations with an exception:

smbXcli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.
ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain_backup.py", line 241, in run
    smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds)

My smb.conf includes entries like:
        server signing = mandatory
        client signing = mandatory
        client ipc signing = mandatory
Comment 2 Tim Beale 2018-09-26 05:22:22 UTC
Thanks. I think that's the same problem as #1, it's just a slightly different error message because you have the mandatory signing config. I'm guessing you also have some 'min protocol' settings in your smb.conf? e.g.
server min protocol = SMB2
client min protocol = SMB2

The underlying code that the backup is using only supports SMBv1. Because your smb.conf/server only supports SMBv2, no SMB protocol is negotiated. When this happens, I think the code is a little buggy and so you get a slightly cryptic error message.
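
The diagnosis in comment 2, as an added example that is not part of the original comment or of Samba's code: a pre-flight check that reads smb.conf text and lists the settings that rule out SMBv1, the only dialect the backup's smb.SMB() call could use at the time. The function names and the sample config are assumptions constructed for illustration.

```python
import re

# Parameters from this thread that stop an SMBv1-only client from negotiating.
# "min protocol" is Samba's synonym for "server min protocol".
MIN_PROTOCOL_KEYS = {"server min protocol", "client min protocol", "min protocol"}
SIGNING_KEYS = {"server signing", "client signing", "client ipc signing"}

def parse_global(conf_text):
    """Return {normalised key: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf keys are case-insensitive; collapse internal whitespace
            params[" ".join(key.lower().split())] = value.strip()
    return params

def smbv1_backup_findings(conf_text):
    """List (parameter, value, reason) entries matching the failure in this bug."""
    findings = []
    for key, value in sorted(parse_global(conf_text).items()):
        if key in MIN_PROTOCOL_KEYS and value.upper().startswith(("SMB2", "SMB3")):
            findings.append((key, value, "SMBv1 excluded, smb.SMB() cannot negotiate"))
        elif key in SIGNING_KEYS and value.lower() == "mandatory":
            findings.append((key, value, "mandatory signing, see error in comment 1"))
    return findings

# Constructed sample combining the settings quoted in comments 1 and 2.
SAMPLE_CONF = """\
[global]
        server signing = mandatory
        client signing = mandatory
        client ipc signing = mandatory
        server min protocol = SMB2
        client min protocol = SMB2
[sysvol]
        path = /constructed/example/sysvol
"""

if __name__ == "__main__":
    for key, value, reason in smbv1_backup_findings(SAMPLE_CONF):
        print(f"{key} = {value}: {reason}")
```

Only explicitly set parameters are reported; compiled-in defaults, which differ between Samba releases, are not evaluated.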
Comment 3 mm 2018-09-26 06:33:57 UTC
Exactly, "server min protocol = SMB2" is set (according to https://www.samba.org/samba/security/CVE-2017-14746.html).
I am looking forward to introducing amendments. Thank you in advance.
Comment 4 Tim Beale 2018-10-24 01:14:23 UTC
Created attachment 14538
Backport of fixes for 4.9

Attached are the fixes for 4.9. The SMBv1-disabled problem still isn't fixed, but these other changes can be reviewed and delivered.

CI pass: https://gitlab.com/catalyst-samba/samba/pipelines/34067800
Comment 5 Tim Beale 2018-10-31 22:23:16 UTC
Hi Karolin, could you apply the attached patches to the 4.9 branch please?

Note that this bug covers 2 related, but separate, problems. One is fixed by the attached patches, one (SMBv1 disabled) is still unresolved. So could you either assign the bug back to me once you're done, or I can file a separate related bug number for the remaining problem (I'm not sure which fits best with the Samba workflow). Thanks.
Comment 6 Karolin Seeger 2018-11-01 12:55:28 UTC
(In reply to Tim Beale from comment #5)
Hi Tim,

pushed to autobuild-v4-9-test.

Both work for me, but a new bug report for the remaining issue is a bit safer, because it might happen that I don't remember your comment if it takes a while until the patches are upstream (which does not happen usually ;-).
Comment 7 Tim Beale 2018-11-05 21:19:33 UTC
Raised Bug 13676 to cover the remaining SMBv1-disabled problem. Closing this bug as some of the backup problems noticed have been fixed and backported to v4.9.