Backup/restore

[ian]

Hello,

I have an eBox server with several windows xp client computers, it works fine.

The problem now, when i build a new eBox server from scratch and i restore my backup taken from the old server, every thing is restored exept the windows client computer accounts it means that the windows xp clients could not connect to the eBox domain controller anymore.

How could this be solved ? Where are the client computer accounts stored on the server ?

I could work it out by putting every windows xp client workstation back in the domain again, but it is not a nice solution.

Is there a solution for this problem ?

Thanks

[acidburn]

Same problem here.

The restore imports the machine accounts only in posix but all entries with samba (like sambaNTpassword etc) fail.

i checked it with phpldapadmin.....

have anyone a solution?

[acidburn]

ok, after a lot of hours, i think i have a workaround....

it seems, that some parts of the syntax of the ldap.ldif file, created by ebox, are wrong.
i had to delete 3 user entries in the ldif, before it worked.
the export of one of the passwords (only numbers) failed too. instead of the password, ebox exported the hash.

my scenario:
i ported an ebox from ubuntu 8.04 32bit to ubuntu 8.04 64bit, with 12 users and some network shares.
i have installed "ebox-samba" with his dependencies.

as the configuration restore failed, i got a little desperated, so i tried the 32bit version again, because i thought "maybe there are 2 different versions of ldap in 32bit and 64bit" but it wasn't - the restore failed too.
so i got a nice weekend to get the server running again...

At first, it's the ldif file, created by ebox causes the problems.

its a "try and error" routine, to find out, whats wrong in the ldif file.
you have to pass the next following steps until "slapadd -l"
if slapadd tells you something like

Code: [Select]

"error line xxx"you must delete this entry in the ldif file (the whole section of the user, not only the line)

i also deleted the first entry in the ldif file:

Code: [Select]

dn: dc=ebox
objectClass: top
objectClass: dcObject
objectClass: organization
o: warp
dc: ebox
structuralObjectClass: organization
entryUUID: 9a79842c-088d-102d-8807-35d6366187c8
creatorsName: cn=admin,dc=ebox
createTimestamp: 20080827141010Z
entryCSN: 20080827141010.204442Z#000000#000#000000
modifiersName: cn=admin,dc=ebox
modifyTimestamp: 20080827141010Z
after restoring ebox you must add the deleted users by hand....

you find the ldif file in the tar archive in files.tgz -> users.bak
there is also a list of backuped modules in the tar archive under "modules"

if your ldif file seems to be ok, it's a good idea to setup the machine again (FIRST, SAVE THE FILE TO ANOTHER COMPUTER!!!)

here is the workaround (i had a fresh ubuntu 8.04 64bit):

i installed "ebox-samba"

Code: [Select]

aptitude install ebox-samba
i installed phpldapadmin to check the entries in ldap and delete it, if something went wrong

Code: [Select]

aptitude install phpldapadmin
i found an interesting article in the ebox trac, what to do, when ebox restore fails:
http://trac.ebox-platform.com/wiki/Document/HowTo/WhatToDoWhenRestoringABackupFails

stop the slapd

Code: [Select]

/etc/init.d/slapd stop
now, use the cleaned up ldif file and restore the users, groups and computers to ldap

Code: [Select]

slapadd -l file.ldif
start the slapd again

Code: [Select]

/etc/init.d/slapd start
then you have to restore the modules except the modules "users"
in my case i restored:

Code: [Select]

/usr/share/ebox/ebox-restore-backup --module sysinfo --module network --module samba --module objects --module apache --module services --module global --module events eboxbackup.tar
now check your entries with phpldapadmin (eg: under Computers the sambaNTpassword)

Code: [Select]

http://yourserver/phpldapadmin
you will find the password for ldap in

Code: [Select]

/etc/ldap/slapd.confand look for the entry

Code: [Select]

rootpw
copy and paste the password to your phpldapadmin login.

if there are some problems delete with phpldapadmin ALL entries, except of "dc=ebox"
and do the following steps again:

stop the slapd

Code: [Select]

/etc/init.d/slapd stop
now, use the cleaned up ldif file and restore the users, groups and computers to ldap

Code: [Select]

slapadd -l file.ldif
start the slapd again

Code: [Select]

/etc/init.d/slapd start
so, thats it!
i hope this can help somebody else....

[javi]

Any chance you could send me that ldif to juruen at ebox-platform dot com ? It would help us a lot to track down the issue

Oh, and tell us the exact eBox version you are using

[acidburn]

the ebox version was 0.12.4
and ebox-samba 0.12.6.101

this was the last version from the ppa repository

[javi]

Hi,

We  have just figured out what the problem was with the password. It seems that your user changed his password through windows.

If you were using an old version of eBox in your original machine, there was a bug related to password synchronization  between windows and passwords stored in ldap.

This misconfiguration made ldap store the password using a different algorithm. So when the user changed his password through windows, its password got changed with another algorithm and its length was longer than expected.

Backups coming from new eBox version shouldn't have this issue.

Thanks a lot for sending all the info. It's been very helpful

[Javier Amor Garcia]

The problem now, when i build a new eBox server from scratch and i restore my backup taken from the old server, every thing is restored exept the windows client computer accounts it means that the windows xp clients could not connect to the eBox domain controller anymore.

Thanks for your report Ian. We have a bug i nthe restore process and we left out some of the neccesay data. We will try to fix it soon

[acidburn]

Hi,

We  have just figured out what the problem was with the password. It seems that your user changed his password through windows.

If you were using an old version of eBox in your original machine, there was a bug related to password synchronization  between windows and passwords stored in ldap.

This misconfiguration made ldap store the password using a different algorithm. So when the user changed his password through windows, its password got changed with another algorithm and its length was longer than expected.

Backups coming from new eBox version shouldn't have this issue.

Thanks a lot for sending all the info. It's been very helpful

ah, ok!
thx for the information and for the fast answer!
good to know, what happened.....

if you need further information, please contact me.

also thx for this great project. it makes administration much more easier....

[ian]

Hi,

I think that the answers are near the question.

Th problem is only with computer accounts, the backup does not include the windows Xp computer accounts included when an Xp workstation is put in the domain.

There is no problem with the normal user accounts or there password, in case of a backup and restore.

If y use f.e " mondorescue "open source software on an eBox PDC server, than the computer accounts are corectly backupped and restored. The difference between the backup utility from eBox and mondorescue is that mondo recue works with backup on bit level. So if the eBox backup utility was changed with the correct level of backup for the computer accounts ( bit level ) than the problem is solved.

The backup tools of eBox gives some times an error even the backup and restore works correct and the backupped files are correctly restored.

[kerridge0]

I have the same problem. 

i don't know if it's because i forgot to update ebox before running the backup, or if this bug still hasn't been repaired, but what it means is that I must rejoin all the pcs to the domain if i restore from backup on a new server.

What should be done, report as a bug?

[javi]

kerridge0,

We are working on it

[kerridge0]

Thanks, Javi

I just had a thought - since i've still got access to the old server (I just backup/restore to move into kvm on a proxmox host) is there a way to export/import this machine account info into the new server and save me trudging around the office giving a three finger salute to 30-odd PCs this weekend?

for example using some ldap tools mentioned upstream?

[javi]

Hi again,

I just had a thought - since i've still got access to the old server (I just backup/restore to move into kvm on a proxmox host) is there a way to export/import this machine account info into the new server and save me trudging around the office giving a three finger salute to 30-odd PCs this weekend?

If you only problem is that the machine accounts have not been restored properly but the user accounts have, there's an easy solution.

1. Get the ldif file you will find within the eBox backup.
2. sudo /etc/init.d/slapd stop
3. sudo rm -rf /var/lib/ldap/*
4. sudo slapadd < ldap.ldif
5. sudo /etc/init.d/slapd start

That should restore all the machine accounts unless we are missing something

Hope this works and you dont have to salute the 30 PCs

[kerridge0]

Hi

when importing i did get the following warning(?)

/etc/ldap/slapd.conf: line 98: rootdn is always granted unlimited privileges.

and now when I check users or groups I get the following:

"An internal error has ocurred. This is most probably a bug, relevant information can be found in the logs"

..

[kerridge0]

the logs state:

Feb 28 16:52:29 brighton1 slapd[25622]: /etc/ldap/slapd.conf: line 98: rootdn is always granted unlimited privileges.
Feb 28 16:52:29 brighton1 slapd[25623]: hdb_db_open: database "dc=ebox": alock package is unstable.
Feb 28 16:52:29 brighton1 slapd[25623]: backend_startup_one: bi_db_open failed! (-1)
Feb 28 16:52:29 brighton1 slapd[25623]: slapd stopped.
Feb 28 16:52:29 brighton1 slapd[25623]: connections_destroy: nothing to destroy.

I did follow the above instructions after winscp'ing the ldif file into /root

Should I restore my backup i made after reinstalling ebox and restore the whole backup again?