Is there a way to generate SECRETS/SID/<DOMAIN> without smbpasswd -j <DOMAIN> -r <PDC>?

Eric Boehm boehm at
Tue Apr 15 14:20:43 GMT 2003

I experienced some problems when upgrading to 2.2.8 (now 2.2.8a) from

The Samba server was a member of the domain. Samba 2.2.8 merged
<DOMAIN>.<HOSTNAME>.mac and MACHINE.SID into secrets.tdb. However, I
was getting error messages that it was no longer able to change the
machine password.

[2003/04/01 12:35:12, 0, pid=28443] rpc_client/cli_trust.c:(46)
  domain_client_validate: unable to fetch domain sid.
[2003/04/01 12:35:12, 0, pid=28443] rpc_client/cli_trust.c:(247)
  2003/04/01 12:35:12 : change_trust_account_password: Failed to change password for domain AMERICASE.

I did some more digging by putting some debug statements in
passdb/secrets.c and tdb/tdb.c. I found that Samba was looking for
a key in secrets.tdb, SECRETS/SID/<DOMAIN>.

I found that if I refreshed the machine account and rejoined the
domain, it would create this key.

Is there a way to generate this key without rejoining the domain?

Or, to put it another way, why isn't this key generated when
2.2.8a reads the old 2.0.7 files?

One final observation. When I rejoined the domain, I noticed that
there was no longer a SECRETS/SID/<HOSTNAME> key. Why is this key
generated from the old 2.0.7 files if rejoining the domain leaves it

Eric M. Boehm                  /"\  ASCII Ribbon Campaign
boehm at       \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail
