Bug 14570 - samba-tool domain backup online krb reauth challenge on sysvol part
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python
Version: 4.13.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
Depends on:
Reported: 2020-11-10 09:43 UTC by Michal Bruncko
Modified: 2022-09-02 03:58 UTC
Description Michal Bruncko 2020-11-10 09:43:38 UTC
Doing an online samba-tool domain backup with Kerberos authentication, using the krb5-ccache parameter, breaks the backup process during the sysvol backup part:

samba-tool domain backup online --targetdir=/var/spool/backup/ --server=DC1 --krb5-ccache=/tmp/samba-domain.cc

INFO 2020-10-30 18:39:40,846 pid:169937 /usr/lib64/python3.6/site-packages/samba/join.py #1574: workgroup is FOOBAR
INFO 2020-10-30 18:39:40,847 pid:169937 /usr/lib64/python3.6/site-packages/samba/join.py #1577: realm is FOO.BAR.CO
Calling bare provision
INFO 2020-10-30 18:39:40,880 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2133: Looking up IPv4 addresses
INFO 2020-10-30 18:39:40,882 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: Looking up IPv6 addresses
INFO 2020-10-30 18:39:41,522 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2301: Setting up share.ldb
INFO 2020-10-30 18:39:41,532 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2305: Setting up secrets.ldb
INFO 2020-10-30 18:39:41,542 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2311: Setting up the registry
INFO 2020-10-30 18:39:41,570 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2314: Setting up the privileges database
INFO 2020-10-30 18:39:41,583 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2317: Setting up idmap db
INFO 2020-10-30 18:39:41,594 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2324: Setting up SAM db
INFO 2020-10-30 18:39:41,597 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #897: Setting up sam.ldb partitions and settings
INFO 2020-10-30 18:39:41,598 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #909: Setting up sam.ldb rootDSE
INFO 2020-10-30 18:39:41,600 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #1338: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2020-10-30 18:39:41,742 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2377: A Kerberos configuration suitable for Samba AD has been generated at /var/spool/backup/tmpbyxhrbhz/private/krb5.conf
INFO 2020-10-30 18:39:41,743 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2378: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=foo,DC=bar,DC=co
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[402/1628] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[804/1628] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[1206/1628] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[1608/1628] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[1628/1628] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[402/1619] linked_values[0/1]
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[804/1619] linked_values[0/1]
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1206/1619] linked_values[0/1]
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1608/1619] linked_values[0/1]
Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1619/1619] linked_values[30/30]
Replicating critical objects from the base DN of the domain
Partition[DC=foo,DC=bar,DC=co] objects[102/99] linked_values[39/39]
Partition[DC=foo,DC=bar,DC=co] objects[402/1698] linked_values[0/978]
Partition[DC=foo,DC=bar,DC=co] objects[804/1698] linked_values[0/992]
Partition[DC=foo,DC=bar,DC=co] objects[1206/1698] linked_values[0/1035]
Partition[DC=foo,DC=bar,DC=co] objects[1608/1698] linked_values[0/1511]
Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[1500/3156]
Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[3000/3156]
Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[3156/3156]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=foo,DC=bar,DC=co
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[402/1553] linked_values[0/0]
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[804/1553] linked_values[0/0]
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[1206/1553] linked_values[0/0]
Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[1553/1553] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=foo,DC=bar,DC=co
Partition[DC=ForestDnsZones,DC=foo,DC=bar,DC=co] objects[19/19] linked_values[0/0]
Committing SAM database
Repacking database from v1 to v2 format (first record CN=SAM-Account-Type,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=remoteStorageServicePoint-Display,CN=40B,CN=DisplaySpecifiers,CN=Configuration,DC=foo,DC=bar,DC=co)
Repacking database from v1 to v2 format (first record CN=Deleted Objects,DC=ForestDnsZones,DC=foo,DC=bar,DC=co)
Repack: re-packed 10000 records so far
INFO 2020-10-30 18:41:21,983 pid:169937 /usr/lib64/python3.6/site-packages/samba/join.py #1671: Setting isSynchronized and dsServiceName
INFO 2020-10-30 18:41:21,995 pid:169937 /usr/lib64/python3.6/site-packages/samba/join.py #1580: Cloned domain FOOBAR (SID S-1-5-21-x-y-z)
INFO 2020-10-30 18:41:22,127 pid:169937 /usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py #271: Backing up sysvol files (via SMB)...
Password for [svc_backupdomain@FOO.BAR.CO]:
ERROR(runtime): uncaught exception - (3221225996, 'The transport connection is now disconnected.')
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 273, in run
    smb_conn = smb_sysvol_conn(server, lp, creds)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 118, in smb_sysvol_conn
    return libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)

Basically, this backup with krb auth can't be used in scripts, as the process is interrupted by an authentication challenge when it starts backing up the sysvol part.

Tested on 4.13.2.
Comment 1 Rowland Penny 2020-12-18 20:55:58 UTC
OK, the problem is that the backup asks for a password, but you don't actually have to enter one; just pressing enter is sufficient. So the answer is fairly obvious: stop it asking for a password. Luckily there is a parameter for this: just add '-N' to the command.
Comment 2 Douglas Bagnall 2022-08-04 04:16:51 UTC
(In reply to Rowland Penny from comment #1)
> just add '-N' to the command.

Michal, did you try this? Can we close the bug?
Comment 3 Rowland Penny 2022-08-29 08:52:43 UTC
(In reply to Douglas Bagnall from comment #2)
Hi Douglas, I can assure you that using '-N' does work. I have a script that has been run every hour for over 12 months now to back up my domain; the relevant line is this:

samba-tool domain backup online --server="$PDCe" --targetdir="${STOREDIR}" --use-krb5-ccache=/tmp/backup_cc -N

Which results in a backup on a Unix domain member like this:


Would you like a copy of the script to test it?
Comment 4 Douglas Bagnall 2022-09-02 03:58:28 UTC
(In reply to Rowland Penny from comment #3)

> Would you like a copy of the script to test it?

No, I'm convinced. It seems a little bit of a usability bug -- we should be able to notice we don't need a password and not ask for it, but let's call that a different problem.
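
A non-interactive wrapper along the lines discussed in this thread, as an added example (not Rowland Penny's script and not Samba project code): it checks the ticket cache before calling samba-tool with '-N'. The function name run_backup, its return codes and the SAMBA_TOOL/KLIST override variables are assumptions; it assumes a file-based ccache and uses the --use-krb5-ccache spelling from comment 3 (the original report used --krb5-ccache on 4.13.2).

```shell
#!/bin/sh
# Added example: non-interactive wrapper for the online backup discussed above.
# Hypothetical names: run_backup, SAMBA_TOOL, KLIST and the return codes.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # overridable for testing
KLIST="${KLIST:-klist}"

# run_backup SERVER TARGETDIR CCACHE
# returns 0 ok, 2 ccache missing or readable by others, 3 no valid ticket,
# 4 samba-tool failed
run_backup() {
    server=$1 targetdir=$2 ccache=$3

    # The ccache is a bearer credential: refuse group/world-readable files.
    if [ ! -f "$ccache" ] ||
       [ -n "$(find "$ccache" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "ccache $ccache missing or readable by other users" >&2
        return 2
    fi

    # klist -s prints nothing; non-zero exit means unreadable or expired cache.
    if ! KRB5CCNAME="$ccache" "$KLIST" -s; then
        echo "no valid Kerberos ticket in $ccache" >&2
        return 3
    fi

    # -N is the option comment 1 gives for suppressing the password prompt;
    # stdin is /dev/null so a scheduled job never waits on inherited input.
    if ! "$SAMBA_TOOL" domain backup online --server="$server" \
            --targetdir="$targetdir" --use-krb5-ccache="$ccache" -N </dev/null
    then
        echo "samba-tool domain backup failed" >&2
        return 4
    fi
    return 0
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    run_backup "$@"
    exit $?
fi
```

Distinct return codes let a scheduler tell an expired ticket (3) apart from a failed backup (4).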