Categories
backup operators backuppc Domain SAMBA windows 7

Backuppc+Samba and Backup Operators confusion

I have been using the excellent backup server BackupPC, and if you need a network backup facility which can back up Windows, Unix and Linux systems, give it a look.

It does have one limitation, however, and it may catch you out if you are counting on the Backup Operators group to do your work for you.

On every Windows machine there is a local group called Backup Operators whose description says:

Backup Operators can override security restrictions for the sole purpose of backing up or restoring files

So you think to yourself, “Great, I can put the backuppc user into that group on the Samba PDC and I’ll be able to back up all the files I want”.

Unfortunately it does not work out that way, for two reasons:

  1. The privileges of the domain Backup Operators group only apply on domain controllers, not on member workstations; each workstation has its own local Backup Operators group.
  2. BackupPC uses smbclient, which reads files through ordinary SMB file access, not the Windows Backup API.

A look on TechNet explains the privileges the Backup Operators group carries. So putting the backuppc user into the domain Backup Operators group does not give it the right to back up all the PCs.

And putting the backuppc user into the local Backup Operators group on each PC will not solve the problem either, because of no. 2. smbclient logs in as a normal user and the OS uses the file system ACLs to decide what it may read. The right to read every file regardless of its ACL comes from the backup privilege (SeBackupPrivilege) that the group confers, and that privilege only takes effect when a program opens files with backup intent through the Windows Backup API, which an ordinary SMB file read does not do.

So you have two choices really.

  • Grant Read, Traverse (Execute) and List Folder Contents, i.e. Read & Execute, to the Backup Operators group on the files and folders you want the backup to read, and put the backuppc user into the local Backup Operators group on each PC. The group membership then gets you in through the ACL rather than through the privilege.
  • Use the administrator account, which is granted Full Control on most folders by default and can reach the administrative shares.

The first choice is obviously very tedious and error prone, and the second choice has some security risks with it: the backup server holds a credential with full control over every client, and BackupPC keeps that password in its configuration, so the backup host itself becomes a target worth protecting. I chose the latter and I suspect most users will too.
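As an added example (not from the original post and not BackupPC’s own code), here is the first choice scripted for a Windows 7 client. The domain name EXAMPLE, the account name backuppc and the two folder roots are assumptions; run it from an elevated PowerShell prompt on the client.

```powershell
# Added example: make a BackupPC smbclient user able to read a tree via the local
# Backup Operators group. Assumed names: domain EXAMPLE, user backuppc, roots below.
param(
    [string]$BackupUser = 'EXAMPLE\backuppc',       # assumption: account BackupPC logs in as
    [string[]]$Roots    = @('C:\Users', 'D:\Data')  # assumption: trees BackupPC reads
)

# S-1-5-32-551 is the well-known SID of the *local* BUILTIN\Backup Operators group.
# The domain group of the same name only carries privileges on domain controllers.
$BackupOperatorsSid = 'S-1-5-32-551'

# 1. Put the backup account into the local group. Membership confers SeBackupPrivilege,
#    but smbclient never opens files with backup intent, so on its own this changes nothing.
& net localgroup "Backup Operators" $BackupUser /add

# 2. Therefore grant the group an explicit, inherited Read & Execute ACE on each tree.
#    (OI)(CI) = inherit to files and subfolders; RX = Read, Traverse, List Folder Contents.
#    The '*' prefix tells icacls the principal is a numeric SID. /C keeps going past
#    files it cannot touch. Add /T if subfolders have inheritance disabled.
foreach ($root in $Roots) {
    & icacls $root /grant ("*{0}:(OI)(CI)RX" -f $BackupOperatorsSid) /C
}

# 3. Verify: the ACE should appear on each root, and the user in the group listing.
foreach ($root in $Roots) {
    (Get-Acl -Path $root).Access |
        Where-Object { $_.IdentityReference -eq 'BUILTIN\Backup Operators' } |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
}
& net localgroup "Backup Operators"
```

Because access now comes from the ACL and not from SeBackupPrivilege, a file whose ACL has inheritance broken (or whose owner explicitly denies Backup Operators) will still fail for smbclient; check the BackupPC XferLOG for those paths rather than assuming the group membership covers them.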

I have read something about Zmanda’s Windows Client for Amanda but I’m not sure whether it uses the Backup API and would solve this problem. It is something for me to look into.

Categories
Ash cloud azure dnsmasq Domain Exim Linux oracle SQL Server

It’s altogether LDAP

This past week I had two significant events. Well, three really. First, I won an Innovation Voucher which will hopefully allow some research into a new product offering to occur. I say “hopefully” because so far all the NWDA has done is to ensure that my application meets some basic requirements. Then it will be up to some suppliers to show interest, and we'll see what happens from there.

Then I upgraded one of my Ubuntu Linux machines to the latest Ubuntu. This took quite some time! The machine is quite a slow machine; it's a Celeron 667 MHz. But it plays a critical role in the network as it runs DHCP, DNS, backup, NAS, Samba and WINS. Overall the upgrade went through cleanly, but Ubuntu needs to ask a few more questions up front, especially relating to config files. I would walk away from the machine, the display would turn off, and when I came back I was apprehensive about hitting a key lest I answer a critical prompt incorrectly. Maybe there is a way to keep the display on all the time.

Another issue I ran into is the GDM login. I had turned this off, so users logging in at the console would log in to a text console and then issue ‘startx’ if they wanted X Windows. The upgrade ignored that setting and reset the GDM login. I removed GDM from the startup but that still didn’t help, so I just removed all the X stuff. And then I had to tell GRUB2 to go to a text screen.

Once all that is done and you’ve upgraded GRUB fully to GRUB2, the boot time is minimal. It really is fast!

The next event was changing my local domain. I had a local domain which ended in .local. .local is a public domain which quite often would mess up my VPN users, and in certain versions of Linux some utilities like ping will not work properly with a .local domain. So I decided to change it, to .localdom. My, what a process. I had to change LDAP and all its config files and such. Surprisingly this was the easy part. Then all the ldap.conf files on all the Linux machines, the Samba setup on the PDC, DNS settings (of course), my Exim settings (more on this below) and the BackupPC setting for the e-mail domain.

Most things worked, except for the PDC. I determined through the logs that this was because the bind password had not been reset. Once that was done, things worked. That exposed a configuration issue with the way NetBIOS browsing was being done. Apparently it is an absolute must that the PDC be the master browser. So back into smb.conf to correct it. But nothing I did fixed the problem. Eventually I gave up and rebooted the machine. Things worked! Sigh. All that hassle and it just needed a reboot.

Then, however, a couple of days later I got complaints about e-mails bouncing. Upon enquiry with the recipients, it seems the local domain name was being left in outgoing e-mails. The problem? The LDAP query inside the Exim config file which handles that had not been updated for the new base DN.

This week I’ve been looking into SQL Azure. This is Microsoft’s cloud version of SQL Server. It's quite basic to start with, but with Microsoft the best is usually yet to come. I’m sure this will be a very popular service, and one that I may use in the future. I’ll be doing some of my data mining testing on it. Oracle does offer Oracle in the cloud, but it's through Amazon EC2.