Bug 16020 - samba-tool domain backup does not update dsaSignature attribute
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.24.0rc*
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
 
Reported: 2026-03-10 10:51 UTC by Denis Cardon
Modified: 2026-03-10 10:51 UTC

Description Denis Cardon 2026-03-10 10:51:38 UTC
Hi everyone,

This is not a bug per se nor a security issue, just a cosmetic one.

The dsaSignature attribute on the root of each partition should be updated when the domain is backed up, cf. [1]. This does trigger security audit alerts on some tools, like PingCastle for example.

So samba-tool domain backup should update that value in order to make auditors happy.

Moreover, people can also back up the AD using an LVM snapshot or other tools, and perhaps there could be a command line helper to just update the value without doing the backup itself (domain backup still has rough edges).

Cheers,

Denis


[1] https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ntds-replication-event-2089-backup-latency-interval