mirror of https://github.com/samba-team/samba.git synced 2025-03-12 20:58:37 +03:00

netcmd: Avoid conflicting SIDs when creating an offline backup

To allow the new DC object to be created in a restored domain while
avoiding conflicts with existing SIDs, we fetch a SID that is available
at the time of backing up and store it in the backed-up database.
However, if a new security principal is created on this DC during the
backup process, the stored SID may be reused for that object, resulting
in an error on restoration.

By getting the SID for restore only after all the database files have
been backed up, we ensure that the chosen SID does not conflict with any
objects in the backed-up database.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Joseph Sutton 2021-06-02 17:00:33 +12:00 committed by Andrew Bartlett
parent 2a3b82ae23
commit 739d7e54e7

@ -1074,7 +1074,6 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=lp,
flags=ldb.FLG_RDONLY)
sid = get_sid_for_restore(samdb, logger)
# Iterating over the directories in this specific order ensures that
# when the private directory contains hardlinks that are also contained
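Review bot: With the get_sid_for_restore() call dropped from just after the SamDB(...) open, nothing at this spot records that the SID lookup was deferred on purpose, and the read-only handle is now opened well before its next visible use. A one-line comment at the open, saying that the restore SID is fetched only after the directories have been backed up, would keep a later cleanup from moving the call back and reintroducing the conflict the commit message describes.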
@ -1126,6 +1125,8 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
dom_sid_str = samdb.get_domain_sid()
dom_sid = security.dom_sid(dom_sid_str)
sid = get_sid_for_restore(samdb, logger)
# Close the original samdb
samdb = None
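Review bot: The relocated sid = get_sid_for_restore(samdb, logger) sits between the domain SID lookup and "# Close the original samdb" with no comment tying it to that position, yet it has two ordering requirements: it must come after the file backup and before samdb = None. Suggest a comment above the call stating both, and consider a test that creates a security principal while the backup is running, since nothing in these hunks exercises the race being fixed.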