Created attachment 18468: file generated by samba-tool backup

I had a serious issue that erased sysvol; after several tests, I managed to identify where the problem came from. On a domain controller, if you use include in the smb.conf file for the sysvol section, "samba-tool domain backup online" fails and the backup cleanup process destroys sysvol. "samba-tool domain backup online" generates a temporary DC to perform the online backup and, to generate its temporary smb.conf file, it seems to use "testparm", which keeps in the output the include instructions that refer to the DC share in production. In order to work around the problem, you can use the --configfile option after generating a temporary configuration file with the command: "testparm -s | grep -vE "^[^ ]*include" > /tmp/smb4.conf". The problem seems to originate from the file sources3/utils/testparm.c. I attached the smb.conf file generated by samba-tool backup: smb-confbackup.smb
Thanks for the report. What are the contents of /usr/local/etc/smb4.conf.d/ansible_netlogon.conf and /usr/local/etc/smb4.conf.d/ansible_sysvol.conf (redacted if necessary)?
* Content of /usr/local/etc/smb4.conf.d/ansible_netlogon.conf:

    # Ansible managed
    [netlogon]
    path = /home/samba/netlogon
    nfs4:chown = yes
    nfs4:acedup = merge
    read only = no
    root preexec = /usr/local/admin/sysutils/sambaserver/netlogon/netlogon.pl %U %G %I

* Content of /usr/local/etc/smb4.conf.d/ansible_sysvol.conf:

    # Ansible managed
    [sysvol]
    path = /var/db/samba4/sysvol
    nfs4:chown = yes
    nfs4:acedup = merge
    read only = no
(In reply to Arnaud Cruzel from comment #2)

From 'man smb.conf':

    include (S)
    This allows you to include one config file inside another. The file is included literally, as though typed in place.

So, from that:

    [sysvol]
    include = /usr/local/etc/smb4.conf.d/ansible_netlogon.conf
    path = /home/sauv/samba4/ADbackup/tmpzb1zkxx1/state/sysvol
    read only = No

Becomes:

    [sysvol]
    [netlogon]
    path = /home/samba/netlogon
    nfs4:chown = yes
    nfs4:acedup = merge
    read only = no
    root preexec = /usr/local/admin/sysutils/sambaserver/netlogon/netlogon.pl %U %G %I
    path = /home/sauv/samba4/ADbackup/tmpzb1zkxx1/state/sysvol
    read only = No

Why was 'include' changed from 'Global' scope to 'Share' scope at 4.4.0?
(In reply to Rowland Penny from comment #3)

* The smb.conf file contains:

    [global]
    workgroup = <NETBIOSName>
    server string = <hostname>
    netbios name = <hostname>
    realm = <realm>
    printing = bsd
    load printers = NO
    disable spoolss = yes
    printcap name = /dev/null
    aio read size = 16384
    aio write size = 16384
    use sendfile = Yes
    kernel change notify = no
    max log size = 50
    server role = active directory domain controller
    log level = 3
    lm announce = no
    unix charset = utf8
    dos charset = cp850
    dns forwarder = <DNS IPs>
    ldap server require strong auth = yes
    tls enabled = yes
    tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
    tls certfile = tls/cert.crt
    tls keyfile = tls/cert.key
    idmap_ldb:use rfc2307 = yes
    server min protocol = SMB2_02
    restrict anonymous = 2
    disable netbios = no
    smb ports = 445
    ntlm auth = mschapv2-and-ntlmv2-only
    rpc server dynamic port range = 50000-55000
    machine password timeout = 604800
    include = /usr/local/etc/smb4.conf.d/local.conf
    include = /usr/local/etc/smb4.conf.d/ansible_sysvol.conf
    include = /usr/local/etc/smb4.conf.d/ansible_netlogon.conf

All "includes" are at the end of the file (local.conf is empty but exists). "testparm" gives the same result as the configuration file generated by the "samba-tool backup online" command (see the attachment in the description). It keeps the "include" parameters, and the "include" parameters are misplaced. I think that the incorrectly placed "include" parameters cause the backup to fail, and the presence of "include /usr/local/etc/smb4.conf.d/ansible_sysvol.conf" in the temporary configuration file causes the destruction of the sysvol folder of the domain controller during the backup cleaning process.
(In reply to Arnaud Cruzel from comment #4) That looks better, so where and why did you get the attached smb4.conf from? Speaking of smb4.conf, is this on FreeBSD and, if so, what Samba version? As far as I can see, 'samba-tool domain backup online' doesn't use testparm (it should be 'samba-tool testparm' on a DC anyway), it uses 'make_smbconf' to create a new smb.conf file.
(In reply to Rowland Penny from comment #5)

> As far as I can see, 'samba-tool domain backup online' doesn't use testparm (it should be 'samba-tool testparm' on a DC anyway), it uses 'make_smbconf' to create a new smb.conf file.

Yes. The problem is this doesn't flatten the includes into the new smb.conf, so the sysvol path doesn't get re-written. On failure the backup code tries to remove what it thinks is its temporary sysvol, but it clobbers the real one instead. Either we need to flatten out the smb.conf by including the includes first, or alter the includes separately. Flattening out seems simpler and more robust unless the rewritten smb.conf is packaged in the tarball and used in restore.
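The literal include expansion described in comment #3 and the flattening idea from comment #6, as an added example that is not Samba's code: `flatten()` splices included files in place, `parse()` shows which share a `path =` line ends up in afterwards, and `includes_in_shares()` flags the share-scoped includes that make a `path` rewrite unsafe. The included-file contents are constructed for the demo; the paths mirror those quoted above.

```python
"""Literal smb.conf 'include' expansion (added example, not Samba's code).
'man smb.conf': an included file is spliced in as though typed in place, so a
section header inside it ends the enclosing share and a 'path =' written after
the include lands in the wrong share. All file contents below are constructed."""
import re

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s*=\s*(\S.*?)\s*$", re.IGNORECASE)

FILES = {  # constructed stand-ins for the included files on disk (path -> content)
    "/usr/local/etc/smb4.conf.d/ansible_netlogon.conf":
        "# Ansible managed\n[netlogon]\npath = /home/samba/netlogon\nread only = no\n",
}

# Constructed [sysvol] section as a backup tool might emit it: 'path' rewritten
# to the temporary tree, include line carried over unchanged.
TEMP_SMBCONF = """[sysvol]
include = /usr/local/etc/smb4.conf.d/ansible_netlogon.conf
path = /home/sauv/samba4/ADbackup/tmpzb1zkxx1/state/sysvol
read only = No
"""

def flatten(text, files=FILES, depth=0):
    """Replace each 'include = FILE' line with FILE's content, recursively."""
    if depth > 16:
        raise ValueError("include nesting too deep")
    out = []
    for line in text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            out.extend(flatten(files[m.group(1)], files, depth + 1).splitlines())
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def parse(text):
    """Map each section to its parameters (last value wins); no include expansion."""
    conf, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and section and not line.lstrip().startswith(("#", ";")):
            conf.setdefault(section, {})[key.strip().lower()] = value.strip()
    return conf

def includes_in_shares(text):
    """Sections other than [global] that carry an include: unsafe to rewrite."""
    return [s for s, p in parse(text).items() if s.lower() != "global" and "include" in p]
```

Running `parse(flatten(TEMP_SMBCONF))` shows [sysvol] left with no parameters at all and the temporary path attached to [netlogon], which is exactly the misplacement comment #3 walks through.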
(In reply to Douglas Bagnall from comment #6) I now think we should do neither. I think we should copy the smb.conf as is, follow any includes and copy them, and then, when it comes to the restore, create a new smb.conf with instructions pointing to the old smb.conf files. Then, when we have fixed samba-tool backup offline, we need to fix samba-tool backup online. I have been backing up my Domain every hour on a Unix domain member for a long time, never needed the backups. However, I have just opened one of the tarballs to see what 'offline' backs up in the smb.conf, to find that I have a very interesting smb.conf: it is comprised of the DC's smb.conf combined with the smb.conf from the Unix domain member. I will open a new bug.
(In reply to Rowland Penny from comment #5) You're right, it's on FreeBSD 14 and Samba 4.19.7. To get this smb.conf file I made a loop with rsync on the temporary folder during the backup to keep all files before the cleaning of the failed backup.