Some issues were found trying to run the new 'samba-tool domain backup online|restore|rename' commands.
1. The sysvol backup doesn't work if SMBv1 is disabled on the server. (This seems to be a more generic problem that the smb.SMB() python API can't create a SMBv2 connection to the server).
2. The restore command only works if "Default-First-Site-Name" is still present. E.g. if a '--site' option was specified when the domain was provisioned, then the restore command will fail.
I've found an additional problem. If server/client signing is set in smb.conf, the command "samba-tool domain backup online" failed during sysvol operations with an exception:
    smbXcli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.
    ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain_backup.py", line 241, in run
        smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds)
My smb.conf includes entries like:
    server signing = mandatory
    client signing = mandatory
    client ipc signing = mandatory
Thanks. I think that's the same problem as #1, it's just a slightly different error message because you have the mandatory signing config. I'm guessing you also have some 'min protocol' settings in your smb.conf? e.g.
    server min protocol = SMB2
    client min protocol = SMB2
The underlying code that the backup is using only supports SMBv1. Because your smb.conf/server only supports SMBv2, no SMB protocol is negotiated. When this happens, I think the code is a little buggy and so you get a slightly cryptic error message.
Hello. Exactly, "server min protocol = SMB2" is set (according to https://www.samba.org/samba/security/CVE-2017-14746.html). I am looking forward to introducing amendments. Thank you in advance.
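Added example, not part of any comment in this report and not Samba code: a pre-flight check that reads an smb.conf and separates the two observations made above, namely the minimum-protocol settings that leave an SMBv1-only client with no dialect to negotiate, and the mandatory-signing settings that change which error message appears. The function names, result keys and sample file are assumptions made for illustration.

```python
# Added example, not Samba code; only explicit [global] settings are examined.
MIN_PROTOCOL_KEYS = {"serverminprotocol", "minprotocol", "clientminprotocol"}
SIGNING_KEYS = {"serversigning", "clientsigning", "clientipcsigning"}

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and whitespace inside parameter names.
        params["".join(key.split()).lower()] = value.strip()
    return params

def diagnose(text):
    """Split the thread's two observations: cause vs. error-message variant."""
    result = {"smb1_excluded": [], "signing_mandatory": []}
    for key, value in parse_global(text).items():
        v = value.upper()
        # A minimum dialect of SMB2*/SMB3* rules out every SMBv1 dialect.
        if key in MIN_PROTOCOL_KEYS and v.startswith(("SMB2", "SMB3")):
            result["smb1_excluded"].append(key)
        # Only the spelling shown in the report is matched here.
        elif key in SIGNING_KEYS and v == "MANDATORY":
            result["signing_mandatory"].append(key)
    return result

# Constructed sample assembled from the settings quoted in the comments.
SAMPLE = """\
[global]
    server min protocol = SMB2
    client min protocol = SMB2
    server signing = mandatory
    client signing = mandatory
    client ipc signing = mandatory
    ; min protocol = NT1
[sysvol]
    read only = No
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

An empty smb1_excluded list only means the file does not explicitly rule out SMBv1; it says nothing about the defaults of the installed Samba version.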
Created attachment 14538: Backport of fixes for 4.9
Attached are the fixes for 4.9. The SMBv1-disabled problem still isn't fixed, but these other changes can be reviewed and delivered.
CI pass: https://gitlab.com/catalyst-samba/samba/pipelines/34067800
Hi Karolin, could you apply the attached patches to the 4.9 branch please? Note that this bug covers 2 related, but separate, problems. One is fixed by the attached patches, one (SMBv1 disabled) is still unresolved. So could you either assign the bug back to me once you're done, or I can file a separate related bug number for the remaining problem (I'm not sure which fits best with the Samba workflow). Thanks.
(In reply to Tim Beale from comment #5) Hi Tim, pushed to autobuild-v4-9-test. Both work for me, but a new bug report for the remaining issue is a bit safer, because it might happen that I don't remember your comment if it takes a while until the patches are upstream (which does not happen usually ;-). Thanks! Karolin
Raised Bug 13676 to cover the remaining SMBv1-disabled problem. Closing this bug as some of the backup problems noticed have been fixed and backported to v4.9.