Univention Bugzilla – Bug 34113
Backup Samba4 Databases
Last modified: 2023-08-30 12:14:47 CEST
Similarly to univention-ldap-backup we should perform periodic backups of the Samba databases. The basic upstream samba_backup script uses tdbbackup for this purpose. The advantage of this approach is that we get *all* attributes. Doing this with ldbsearch would be a bit more tricky if we still want to dump special attributes like ntsecuritydescriptor, replPropertyMetaData, unicodepwd and supplementalcredentials, which are only returned by ldbsearch if explicitly asked for -- which unfortunately has the drawback that nothing else is returned (there is no * attribute globbing). So this would probably need to be implemented via python-ldb instead. I guess we end up with a similar amount of data.

+++ This bug was initially created as a clone of Bug #30216 +++
root@master40:~# du -sh /tmp/samba-backup/*
68K     /tmp/samba-backup/hklm.ldb.bak
100K    /tmp/samba-backup/idmap.ldb.bak
60K     /tmp/samba-backup/privilege.ldb.bak
2,9M    /tmp/samba-backup/sam.ldb.bak
21M     /tmp/samba-backup/sam.ldb.d
64K     /tmp/samba-backup/secrets.ldb.bak
84K     /tmp/samba-backup/share.ldb.bak
52K     /tmp/samba-backup/wins_config.ldb.bak
root@master40:~# du -sh /tmp/samba-backup/sam.ldb.d/*
8,2M    /tmp/samba-backup/sam.ldb.d/CN=CONFIGURATION,DC=AR320I1,DC=QA.ldb.bak
7,7M    /tmp/samba-backup/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=AR320I1,DC=QA.ldb.bak
1,9M    /tmp/samba-backup/sam.ldb.d/DC=AR320I1,DC=QA.ldb.bak
400K    /tmp/samba-backup/sam.ldb.d/DC=DOMAINDNSZONES,DC=AR320I1,DC=QA.ldb.bak
2,9M    /tmp/samba-backup/sam.ldb.d/DC=FORESTDNSZONES,DC=AR320I1,DC=QA.ldb.bak

Compression boils this down to a reasonable size:

root@master40:~# tar cjvf samba-backup.tar.bz2 /tmp/samba-backup
root@master40:~# du -sh samba-backup.tar.bz2
1,3M    samba-backup.tar.bz2

Skipping the CN=SCHEMA partition cuts this even more, but that's a pretty constant overhead of about 650K (compressed), which might be negligible compared to the growing sizes of the Domain and Configuration partitions.
The drawback of saving ldb in a tar file is that browsing is a bit awkward, and that all the LDB internal index data is contained as well, which is growing with the amount of data and might make up for maybe half of the backend ldb size.

We could do a hybrid approach here:

* back up the ldbs and tdbs directly under /var/lib/samba/private in raw format. These shouldn't take too much space.
* save compressed ldifs from the backend sam.ldb.d/*.ldb files (which return all attributes unfiltered) plus some special internal ldb attributes (like @REPLCHANGED and @BASEINFO).

It all depends on the use case of this periodic (nightly?) backup. If the goal is to provide fast access to yesterday's directory objects, then the ldif part (plus maybe an ldif of secrets.ldb) would be enough and convenient.
Couldn't we use a modified version of source4/scripting/bin/samba_backup? See https://wiki.samba.org/index.php/Backup_and_Recovery

I think we save the old data for one year (default) and do the backup every night.
Added univention-samba4-backup (based on source4/scripting/bin/samba_backup). This script backs up everything from /var/lib/samba into a tar file in /var/univention-backup/samba (with tdbbackup for ldb files).

The script is executed by the cron job /etc/cron.d/univention-samba4-backup (with 0 3 * * * as default, configurable via samba4/backup/cron).

YAML: 2014-03-31-univention-samba4.yaml
Ok, works.
http://errata.univention.de/ucs/3.2/84.html
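
Added example, not part of the original thread and not the code of univention-samba4-backup: the flow described in the comments above (a tdbbackup copy of every ldb file, one compressed tar archive, age-based expiry) written as a shell function. The names backup_samba, TDBBACKUP and the archive file name are assumptions, and gzip is used here instead of the bzip2 seen in the session above.

```shell
#!/bin/sh
# Added illustration; NOT the univention-samba4-backup script.
# Hypothetical names: backup_samba, TDBBACKUP, samba4_backup.<date>.tar.gz

# Overridable so the flow can be exercised on a host without Samba installed.
TDBBACKUP="${TDBBACKUP:-tdbbackup}"

# backup_samba SRC_DIR DEST_DIR [KEEP_DAYS]  -> prints the archive path
# The body runs in a subshell so the umask change does not leak to the caller.
backup_samba() (
    src=$1
    dest=$2
    keep=${3:-365}                       # the thread suggests one year
    archive="$dest/samba4_backup.$(date +%Y-%m-%d).tar.gz"

    # The copies include secrets.ldb and attributes such as unicodepwd,
    # so the directory and the archive are created owner-only.
    umask 077
    mkdir -p "$dest" || return 1

    # Drop stale copies, then let tdbbackup write <file>.ldb.bak next to
    # every ldb file (tdbbackup is designed to run while Samba is running).
    find "$src" -type f -name '*.ldb.bak' -exec rm -f {} +
    find "$src" -type f -name '*.ldb' | while IFS= read -r db; do
        "$TDBBACKUP" "$db" || exit 1
    done || return 1

    # Archive everything except the live *.ldb files; paths are stored
    # relative to SRC_DIR.
    (cd "$src" && find . -type f ! -name '*.ldb') |
        tar -czf "$archive" -C "$src" -T - || return 1

    # Remove the temporary copies and expire archives older than KEEP_DAYS.
    find "$src" -type f -name '*.ldb.bak' -exec rm -f {} +
    find "$dest" -type f -name 'samba4_backup.*.tar.gz' -mtime +"$keep" \
        -exec rm -f {} +

    echo "$archive"
)
```

On a real system this would be called as backup_samba /var/lib/samba /var/univention-backup/samba from the nightly cron job.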