Bug 15733 - include parameter in smb.conf can destroy sysvol during online backup
Summary: include parameter in smb.conf can destroy sysvol during online backup
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.19.7
Hardware: All All
: P5 critical (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-11 07:23 UTC by Arnaud Cruzel
Modified: 2024-10-13 14:20 UTC (History)
1 user (show)

See Also:


Attachments
file generated by samba-tool backup (1.54 KB, text/plain)
2024-10-11 07:23 UTC, Arnaud Cruzel
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Arnaud Cruzel 2024-10-11 07:23:17 UTC
Created attachment 18468 [details]
file generated by samba-tool backup

I had a serious issue that erased sysvol; after several tests, I managed to identify where the problem came from.

On a domain controller, if you use include in the smb.conf file for the sysvol section, "samba-tool domain backup online" fails and the backup cleanup process destroys sysvol.

"samba-tool domain backup online" generates a temporary DC to perform the online backup and to generate its temporary smb.conf file it seems to use "testparm" which keeps in the output the include instructions that refer to the DC share in production.

In order to work around the problem, you can use the --configfile option after generating a temporary configuration file with the command: "testparm -s | grep -vE "^[^ ]*include" > /tmp/smb4.conf".

The problem seems to originate from the file sources3/utils/testparm.c.

I attached smb.conf file generated by samba-tool backup : smb-confbackup.smb
Comment 1 Douglas Bagnall 2024-10-11 07:50:12 UTC
thanks for the report.

what are the contents of /usr/local/etc/smb4.conf.d/ansible_netlogon.conf and /usr/local/etc/smb4.conf.d/ansible_sysvol.conf (redacted if necessary)?
Comment 2 Arnaud Cruzel 2024-10-11 08:33:35 UTC
* Content of /usr/local/etc/smb4.conf.d/ansible_netlogon.conf:

# Ansible managed
[netlogon]
  path = /home/samba/netlogon
  nfs4:chown = yes
  nfs4:acedup = merge
  read only = no
  root preexec = /usr/local/admin/sysutils/sambaserver/netlogon/netlogon.pl %U %G %I


* Content of /usr/local/etc/smb4.conf.d/ansible_sysvol.conf:

# Ansible managed
[sysvol]
  path = /var/db/samba4/sysvol
  nfs4:chown = yes
  nfs4:acedup = merge
  read only = no
Comment 3 Rowland Penny 2024-10-12 09:35:36 UTC
(In reply to Arnaud Cruzel from comment #2)

From 'man smbconf'

       include (S)

           This allows you to include one config file inside another. The file
           is included literally, as though typed in place.

So, from that:

[sysvol]
	include = /usr/local/etc/smb4.conf.d/ansible_netlogon.conf
	path = /home/sauv/samba4/ADbackup/tmpzb1zkxx1/state/sysvol
	read only = No

Becomes:

[sysvol]
	[netlogon]
  path = /home/samba/netlogon
  nfs4:chown = yes
  nfs4:acedup = merge
  read only = no
  root preexec = /usr/local/admin/sysutils/sambaserver/netlogon/netlogon.pl %U %G %I
	path = /home/sauv/samba4/ADbackup/tmpzb1zkxx1/state/sysvol
	read only = No

Why was 'include' changed from 'Global' scope to 'Share' scope at 4.4.0 ?
Comment 4 Arnaud Cruzel 2024-10-12 13:01:14 UTC
(In reply to Rowland Penny from comment #3)

* The smb.conf file contain:

[global]
  workgroup = <NETBIOSName>
  server string = <hostname>
  netbios name = <hostname>
  realm = <realm>
  printing = bsd
  load printers = NO
  disable spoolss = yes
  printcap name = /dev/null
  aio read size = 16384
  aio write size = 16384
  use sendfile = Yes
  kernel change notify = no
  max log size = 50
  server role = active directory domain controller
  log level = 3
  lm announce = no
  unix charset = utf8
  dos charset = cp850
  dns forwarder = <DNS IPs>
  ldap server require strong auth = yes
  tls enabled = yes
  tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
  tls certfile = tls/cert.crt
  tls keyfile = tls/cert.key
  idmap_ldb:use rfc2307 = yes
  server min protocol = SMB2_02
  restrict anonymous = 2
  disable netbios = no
  smb ports = 445
  ntlm auth = mschapv2-and-ntlmv2-only
  rpc server dynamic port range = 50000-55000
  machine password timeout = 604800

include = /usr/local/etc/smb4.conf.d/local.conf
include = /usr/local/etc/smb4.conf.d/ansible_sysvol.conf
include = /usr/local/etc/smb4.conf.d/ansible_netlogon.conf


All "includes" are at the end of the file (local.conf is empty but exists).
"testparm" gives the same result as the configuration file generated by the "samba-tool backup online" command (see attachement on description). It keeps the "include" parameters and the "include" parameters are misplaced.

I think that the incorrectly placed "include" parameters cause the backup to fail and the presence of "include /usr/local/etc/smb4.conf.d/ansible_sysvol.conf" in the temporary configuration file causes the destruction of the sysvol folder of the domain controller during the backup cleaning process.
Comment 5 Rowland Penny 2024-10-12 14:50:59 UTC
(In reply to Arnaud Cruzel from comment #4)

That looks better, so where and why did you get the attached smb4.conf from ?
Speaking of smb4.conf, is this on freebsd and if so, what Samba version ?

As far as I can see, 'samba-tool domain backup online' doesn't use testparm (it should be 'samba-tool testparm on a DC anyway), it uses 'make_smbconf' to create a new smb.conf file.
Comment 6 Douglas Bagnall 2024-10-12 22:51:35 UTC
(In reply to Rowland Penny from comment #5)

> As far as I can see, 'samba-tool domain backup online' doesn't use testparm (it should be 'samba-tool testparm on a DC anyway), it uses 'make_smbconf' to create a new smb.conf file.

Yes. The problem is this doesn't flatten the includes into the new smb.conf, so the sysvol path doesn't get re-written. On failure the backup code tries to remove what it thinks is its temporary sysvol, but it clobbers the real one instead.

Either we need to flatten out the smb.conf by including the includes first, or alter the includes separately. Flattening out seems simpler and more robust unless the rewritten smb.conf is pacakged in the tarball and used in restore.
Comment 7 Rowland Penny 2024-10-13 08:07:53 UTC
(In reply to Douglas Bagnall from comment #6)
I now think we should do neither, I think we should copy the smb.conf as is, follow any includes and copy them and then when it comes to the restore, create a new smb.conf with instructions pointing to the old smb.conf files.

Then when we have fixed samba-tool backup offline, we need to fix samba-tool backup online.

I have been backing up my Domain every hour on a Unix domain member for a long time, never needed the backups. However I have just opened one of the tarballs to see what 'offline' backs up in the smb.conf, to find that I have a very interesting smb.conf, it is comprised of the DCs smb.conf combined with the smb.conf from the Unix domain member.

I will open a new bug.
Comment 8 Arnaud Cruzel 2024-10-13 14:20:30 UTC
(In reply to Rowland Penny from comment #5)

You're right it's on freebsd 14 and samba 4.19.7.

To get this smb.conf file I made a loop with rsync on the temporary folder during the backup to keep all files before the cleaning of the failed backup.