S 6.135 Regular backup of important system components of a Samba server

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Person responsible for the data backup

The failure of a Samba server may have a serious effect on the business processes of a government agency or a company. Unintentional changes, for example misconfigurations or hardware errors, may make it necessary to recover important system components. The important system components only include the actual system files (such as the smbd daemon of the Samba package, for example), but also configuration data (such as the data in smb.conf), status information (in the trivial database (TDB) files, for example), and logged data (such as the log file of the smbd daemon). The data backup must be performed in accordance with the specifications of the data backup policy (see module S 1.4 Data backup policy).

When restoring configuration data, status information, and system files, it should be ensured that they are compatible with each other. For example, if configuration data is used to restore the configuration of a Samba server that was originally used with a newer version of the Samba package, this may lead to problems. It is possible that the older version of Samba does not evaluate some of the parameters in the configuration, because they were introduced for the first time in a later version of Samba. This may lead to undesired (side) effects or may even completely impede the operation of Samba. In addition, it should be ensured before restoration that the basic operating system is set up exactly as it was before (see also S 4.331 Secure configuration of the operating system of a Samba server).

Based on the availability requirements and the role as a server, the restoration itself and the time it takes for restoration should be tested and improved regularly within the framework of a business continuity plan for the server.

In order to be able to restore a Samba server to a previous state, the following data / information should be backed up regularly:

• the smb.conf file (configuration data)
• important TDB files (configuration data and status information)
• account information (status information)
• the directory containing the log files (logged data)

The following sections contain safeguards for backing up this data / information.

The smb.conf file (configuration data)

The smb.conf file is the main configuration file of Samba. The settings specified in this file control the response of the Samba services (nmbd, smbd, and winbindd).

Where this file is actually stored depends on the options with which Samba was compiled. The storage location of the file can be displayed using the command "smbd -b | grep smb.conf".

TDB files (configuration data and status information)

Samba stores a variety of information in the TDB files. Here are some examples:

• Samba, when operated as a member of a domain, stores the password of the computer account in the file secrets.tdb. The computer account is a normal user account in the domain user database, which is available for every member computer. Based on the password of this computer account, the domain members and domain controller mutually authenticate each other. If the password of the computer account is lost, Samba must rejoin the domain.
• When operated as a primary domain controller (PDC), Samba stores the domain security identifier (SID) in secrets.tdb. Under some circumstances, the loss of the SID means that all clients need to rejoin the domain and that all user profiles need to be changed to reflect the new domain.
• The other TDB files are generally only used to temporarily store information and the loss of such information is basically of no consequence.

Samba stores TDB files in two different directories. Using "smbd - b | grep PRIVATE_DIR", it is possible to determine the location of the PRIVATE_DIR directory except when the "private dir" option is used in the smb.conf file. The TDB files containing confidential information are stored in this folder. The second directory used is the LOCKDIR directory. This directory is used to store TDB files containing information that is not confidential. The storage location of the LOCKDIR directory can be output using "smbd -b | grep LOCKDIR", unless the "lock directory" option is used in smb.conf.

It is recommended to create backup copies of all TDB files in both directories regularly. TDB files stored in the subdirectories of these two directories do not need to be backed up. These files do not contain any information needed for restoration. It must be ensured that the TDB files are backed up properly (see the section "Correct backup of TDB files").

Account information (status information)

Depending on which backend ("passdb backend" parameter in smb.conf) Samba uses to store the account information, it may be necessary to select a different method for the backup. Several backends can be used simultaneously in Samba 3.0.0 to Samba 3.0.23. Earlier versions as well as later versions of Samba do not support this function.

For restoration purposes, it is necessary to regularly back up the account information from all backends used. The following approaches are recommended for backing up the account information depending on which backend or which backends are used:

• smbpasswd
  
  Unless configured differently using the parameter "passdb backend" in smb.conf (for example "passdb backend = smbpasswd:/etc/smb/ priv/datafile"), the storage location of this text file depends on which options were used to compile Samba. If the parameter "passdb backend" was not used, the storage location can be output using the command "smbd -b | grep SMB_PASSWD_FILE". Since this file is a simple text file, there are no special aspects to take into consideration for the backup.
• tdbsam
  
  By default, the account information is stored in the passdb.tdb file in the PRIVATE_DIR directory. The storage location can be changed using the "passdb backend" parameter in smb.conf (for example "passdb backend = tdbsam:/etc/smb/priv/datafile.tdb"). It must be ensured that the backups of this TDB file were executed properly (see the section "Correct backup of TDB files").
• ldapsam
  
  If there is no procedure available in the government agency or company for regularly backing up the entire Lightweight Directory Access Protocol (LDAP) directory, a separate process must be established for backing up the account information relevant to Samba.

The directory containing the log files (logged data)

The nmbd, smbd, and winbindd daemons store their log files in this directory. This data is not needed to restore a Samba server to a previous state. However, this data should be backed up regularly nevertheless so that it is possible to track down the causes of errors.

Unless configured differently in smb.conf ("log file" option), the location of the directory depends on which options were used to compile Samba. In this case, the directory can be determined by entering the command "smbd -b | grep LOGFILEBASE".

Correct backup of TDB files

The TDB is a database in a binary database format similar to the Berkeley DB format that supports concurrent write accesses from several processes, as well as locking. One particularity of the TDB files is that the content of the databases is often stored temporarily by the daemons (nmbd, smbd, and winbindd) for longer periods of time and the content on the hard disk must not necessarily always be up to date at runtime. Furthermore, the time stamps of the TDB files are not updated when data is written to these files.

If TDB files are backed up during live operation using unsuitable programs (for example "cp"), such programs will not take these particularities into consideration. The backups created in this case may be useless under some circumstances. Backup mechanisms such as "rsync" have problems during normal operation due to the fact that the time stamps of the TDB files do not change after write operations. Rsync is not able to detect whether or not the content of the TDB files has changed since the last backup, for example.

In order to create consistent backups of the databases while Samba is running, the "tdbbackup" application must be used. The command "tdbbackup /etc/samba/passdb.tdb" creates the backup file /etc/samba/ passdb.tdb.bak. The command "tdbbackup -v etc/samba/passdb.tdb" can be used to check the integrity of the database. If corrupt data is found, a backup file (if one exists) is used to restore the database. When called with the parameter's, tdbbackup can determine which file name extensions should be used for the backup and the integrity check. Instead of ".bak", a date specification such as ".20080303" may also be used.

Review questions:

• Are the system components needed for the restoration of a Samba server backed up within the framework of the organisation-wide data backup policy?
• Are the particularities of TDB files taken into consideration for the backups?
• When restoring configuration data, status information, or system files, are they checked to ensure that they are compatible with each other?
• Are the recovery procedure and the time required for recovery tested and improved within the framework of a business continuity plan for the server based on the server role and the availability requirements?
• Is the account information of all backends used backed up regularly and properly?