doing online samba-tool domain backup with using kerberos authentication using krb5-ccache parameter breaks the backup process while doing sysvol backup part: samba-tool domain backup online --targetdir=/var/spool/backup/ --server=DC1 --krb5-ccache=/tmp/samba-domain.cc INFO 2020-10-30 18:39:40,846 pid:169937 /usr/lib64/python3.6/site-packages/samba/join.py #1574: workgroup is FOOBAR INFO 2020-10-30 18:39:40,847 pid:169937 /usr/lib64/python3.6/site-packages/samba/join.py #1577: realm is FOO.BAR.CO Calling bare provision INFO 2020-10-30 18:39:40,880 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2133: Looking up IPv4 addresses INFO 2020-10-30 18:39:40,882 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: Looking up IPv6 addresses INFO 2020-10-30 18:39:41,522 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2301: Setting up share.ldb INFO 2020-10-30 18:39:41,532 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2305: Setting up secrets.ldb INFO 2020-10-30 18:39:41,542 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2311: Setting up the registry INFO 2020-10-30 18:39:41,570 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2314: Setting up the privileges database INFO 2020-10-30 18:39:41,583 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2317: Setting up idmap db INFO 2020-10-30 18:39:41,594 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2324: Setting up SAM db INFO 2020-10-30 18:39:41,597 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #897: Setting up sam.ldb partitions and settings INFO 2020-10-30 18:39:41,598 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #909: Setting up sam.ldb rootDSE INFO 2020-10-30 18:39:41,600 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #1338: Pre-loading the Samba 4 and AD schema Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs INFO 2020-10-30 18:39:41,742 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2377: A Kerberos configuration suitable for Samba AD has been generated at /var/spool/backup/tmpbyxhrbhz/private/krb5.conf INFO 2020-10-30 18:39:41,743 pid:169937 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2378: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink! Provision OK for domain DN DC=foo,DC=bar,DC=co Starting replication Using DS_BIND_GUID_W2K3 Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[402/1628] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[804/1628] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[1206/1628] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[1608/1628] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co] objects[1628/1628] linked_values[0/0] Analyze and apply schema objects Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[402/1619] linked_values[0/1] Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[804/1619] linked_values[0/1] Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1206/1619] linked_values[0/1] Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1608/1619] linked_values[0/1] Partition[CN=Configuration,DC=foo,DC=bar,DC=co] objects[1619/1619] linked_values[30/30] Replicating critical objects from the base DN of the domain Partition[DC=foo,DC=bar,DC=co] objects[102/99] linked_values[39/39] Partition[DC=foo,DC=bar,DC=co] objects[402/1698] linked_values[0/978] Partition[DC=foo,DC=bar,DC=co] objects[804/1698] linked_values[0/992] Partition[DC=foo,DC=bar,DC=co] objects[1206/1698] linked_values[0/1035] Partition[DC=foo,DC=bar,DC=co] objects[1608/1698] linked_values[0/1511] Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[1500/3156] Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[3000/3156] Partition[DC=foo,DC=bar,DC=co] objects[1698/1698] linked_values[3156/3156] Done with always replicated NC (base, config, schema) Replicating DC=DomainDnsZones,DC=foo,DC=bar,DC=co Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[402/1553] linked_values[0/0] Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[804/1553] linked_values[0/0] Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[1206/1553] linked_values[0/0] Partition[DC=DomainDnsZones,DC=foo,DC=bar,DC=co] objects[1553/1553] linked_values[0/0] Replicating DC=ForestDnsZones,DC=foo,DC=bar,DC=co Partition[DC=ForestDnsZones,DC=foo,DC=bar,DC=co] objects[19/19] linked_values[0/0] Committing SAM database Repacking database from v1 to v2 format (first record CN=SAM-Account-Type,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=co) Repack: re-packed 10000 records so far Repacking database from v1 to v2 format (first record CN=remoteStorageServicePoint-Display,CN=40B,CN=DisplaySpecifiers,CN=Configuration,DC=foo,DC=bar,DC=co) Repacking database from v1 to v2 format (first record CN=Deleted Objects,DC=ForestDnsZones,DC=foo,DC=bar,DC=co) Repack: re-packed 10000 records so far INFO 2020-10-30 18:41:21,983 pid:169937 /usr/lib64/python3.6/site-packages/samba/join.py #1671: Setting isSynchronized and dsServiceName INFO 2020-10-30 18:41:21,995 pid:169937 /usr/lib64/python3.6/site-packages/samba/join.py #1580: Cloned domain FOOBAR (SID S-1-5-21-x-y-z) INFO 2020-10-30 18:41:22,127 pid:169937 /usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py #271: Backing up sysvol files (via SMB)... Password for [svc_backupdomain@FOO.BAR.CO]: ERROR(runtime): uncaught exception - (3221225996, 'The transport connection is now disconnected.') File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run return self.run(*args, **kwargs) File "/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 273, in run smb_conn = smb_sysvol_conn(server, lp, creds) File "/usr/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 118, in smb_sysvol_conn return libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True) basically this backup with krb auth can't be used in scriptings as the process is interrupted with authentication challenge while starting backing up the sysvol part. tested over 4.13.2.
OK, the problem is that the backup asks for a password, but you don't actually have to enter one, just pressing enter is sufficient. So the answer is fairly obvious, stop it asking for a password and luckily there is a parameter for this, just add '-N' to the command.
(In reply to Rowland Penny from comment #1) > just add '-N' to the command. Michel, did you try this? Can we close the bug?
(In reply to Douglas Bagnall from comment #2) Hi Douglas, I can assure that using '-N' does work, I have a script that has been run every hour for over 12 months now to backup my domain, the relevant line is this: samba-tool domain backup online --server="$PDCe" --targetdir="${STOREDIR}" --use-krb5-ccache=/tmp/backup_cc -N Which results in a backup on a Unix domain member like this: samba-backup-samdom.example.com-2022-08-29T08-47-27.775896.tar.bz2 Would you like a copy of the script to test it ?
(In reply to Rowland Penny from comment #3) > Would you like a copy of the script to test it ? No, I'm convinced. It seems a little bit of a usability bug -- we should be able to notice we don't need a password and not ask for it, but let's call that a different problem.