[Samba] "net getdomainsid" reporting "Could not fetch local SID" -- am I using this command appropriately?

erpo41 at gmail.com erpo41 at gmail.com
Tue Dec 17 09:29:58 MST 2013

Good evening,

Distro: ClearOS 6.3 (RHEL-derived with a distro-specific web
configuration tool for samba) I'm only about 90% sure it's version
Samba version: 3.6.10-1.v6
Intended use: NT4-style PDC for Windows XP clients

My distro's "add machine script" uses the output of "net getdomainsid"
to help populate the new machine account's sambaSID field in the ldap
directory. Samba is already configured to use this information via the
ldap passdb backend. Unfortunately, "net getdomainsid" is returning
"Could not fetch local SID" instead of the PDC's domain SID, resulting
in an invalid sambaSID value in the ldap directory and preventing the
machine from joining the domain.

Question 1: Is parsing the output of "net getdomainsid" the best way
for the add machine script to get the domain SID, or is there a better
way to do it?

Regardless of whether "net getdomainsid" is the right way to implement
an add machine script, I'm still interested in fixing this issue so it
won't cause other problems in the future.

I was not able to get useful debugging information out of the net
command that comes with the distro because it was stripped. However, I
was able to get some information by following this procedure:

1. Downloaded and unpacked the source code for samba 3.6.22
2. cd'd to samba-3.6.22/source3
3. Ran ./configure --enable-debug && make -j 8
4. cd'd to bin
5. Ran ./net getdomainsid
6. It complained about not being able to find a shared library, so I
ran export LD_LIBRARY_PATH=. and tried again.
7. It complained about not being able to find
/usr/local/samba/private/secrets.tdb. This is odd because on my distro
that file is located at /var/lib/samba/private/secrets.tdb. I ran
mkdir -p /usr/local/samba/private && cp
/var/lib/samba/private/secrets.tdb /usr/local/samba/private/ to
satisfy it temporarily.
8. It gave me another error that I didn't write down. However, it
indicated that ./net wasn't using the right smb.conf, so I ran: ./net
-s /etc/samba/smb.conf getdomainsid.
9. Finally, I was able to reproduce the "Could not fetch local SID"
error message.

Running gdb --args ./net -s /etc/samba/smb.conf getdomainsid revealed
that net makes four calls to the secrets_fetch function before

Call to secrets_fetch 1: Retrieves the LDAP backend password.
Call to secrets_fetch 2: Retrieves the SID for the domain (i.e.
Call to secrets_fetch 3: Retrieves the SID for the domain a second time.
Call to secrets_fetch 4: Attempts to retrieve the secret SECRETS/SID/GATEWAY.

GATEWAY is the netbios name of the PDC. Further investigation reveals
that "net -s /etc/samba/smb.conf getdomainsid" is looking in
/usr/local/samba/private/secrets.tdb for the SID associated with the
PDC's netbios name. However, running tdbdump
/usr/local/samba/private/secrets.tdb reveals that SECRETS/SID/GATEWAY
is not present in that file.

Question 2: Should "net -s /etc/samba/smb.conf getdomainsid" even be
trying to use a local secrets.tdb file to look up SECRETS/SID/(netbios
name) when /etc/samba/smb.conf indicates that the ldap passdb backend
is in use?

At this point, looking at the output of tdbdump
/usr/local/samba/private/secrets.tdb, I noticed that it did have an
entry for SECRETS/SID/MYSERVER. MYSERVER was the default netbios name
of the server when I first installed the "Windows Networking" package.
I had used the distro's web configuration tool to change the name to
GATEWAY and the domain to RECREATION after the installation. Changing
the netbios name back to MYSERVER fixed the problem and allowed
workstations to join the domain without issues.

Question 3: This kind of ties in with question 2, but if a program
wants to change a samba PDC's netbios name, is it responsible for
updating the PDC's secrets.tdb at the same time? If so, is that the
*only* thing it needs to update in addition to /etc/samba/smb.conf?
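A check that goes with the finding above (a SECRETS/SID/MYSERVER record present, no SECRETS/SID/GATEWAY record after the rename): given the text of smb.conf and the output of `tdbdump secrets.tdb`, it reports whether secrets.tdb holds a SID record for the currently configured netbios name, lists the SECRETS/SID/* records it does hold so a stale name is visible, and decodes the stored SID. This is an added example, not code from the post or from Samba; it assumes tdbdump's `key(n) = "..."` / `data(n) = "..."` record layout with non-printable bytes written as `\XX`, and Samba 3's fixed 68-byte dom_sid record. The smb.conf and tdbdump input below are constructed samples.

```python
"""Added check: does secrets.tdb hold SECRETS/SID/<netbios name> for the
name that smb.conf currently configures?  Runs offline on copied text, so
no Samba tools are needed.  Assumptions (not taken from the post): tdbdump's
record layout and Samba 3's fixed 68-byte on-disk dom_sid structure."""
import re
import struct

def parse_smb_conf(text):
    """Return [global] parameters as {lower-cased name: value}; other sections are ignored."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section == 'global' and '=' in line:
            name, value = line.split('=', 1)
            params[' '.join(name.lower().split())] = value.strip()
    return params

def tdbdump_unescape(s):
    """Reverse tdbdump's print_data(): printable bytes are literal, everything else is \\XX."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == '\\':
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)

_RECORD = re.compile(r'key\(\d+\) = "(.*)"\ndata\(\d+\) = "(.*)"')

def parse_tdbdump(text):
    """Parse tdbdump output into {key string: raw data bytes}."""
    return {tdbdump_unescape(k).decode('ascii'): tdbdump_unescape(d)
            for k, d in _RECORD.findall(text)}

def decode_sid(blob):
    """Decode the on-disk dom_sid: rev(1) num_auths(1) id_auth(6, big-endian),
    then up to 15 little-endian uint32 sub-authorities (the rest is padding)."""
    rev, num_auths = blob[0], blob[1]
    id_auth = int.from_bytes(blob[2:8], 'big')
    subs = struct.unpack_from('<%dI' % num_auths, blob, 8)
    return 'S-%d-%d' % (rev, id_auth) + ''.join('-%d' % s for s in subs)

def check_domain_sid(smb_conf_text, tdbdump_text):
    """Report whether secrets.tdb has a SID record for the configured netbios
    name, plus every SECRETS/SID/* key it holds (a stale name shows up there)."""
    conf = parse_smb_conf(smb_conf_text)
    records = parse_tdbdump(tdbdump_text)
    name = conf.get('netbios name', '').upper()
    wanted = 'SECRETS/SID/' + name
    sid_keys = sorted(k for k in records if k.startswith('SECRETS/SID/'))
    if name and wanted in records:
        return {'ok': True, 'key': wanted, 'sid': decode_sid(records[wanted]), 'sid_keys': sid_keys}
    return {'ok': False, 'key': wanted, 'sid': None, 'sid_keys': sid_keys}

# --- constructed sample input (not data from the post) -----------------------

def tdbdump_escape(data):
    """Mirror tdbdump's print_data() so the sample looks like real tool output."""
    return ''.join(chr(b) if 0x20 <= b < 0x7f and b not in (0x22, 0x5c) else '\\%02X' % b
                   for b in data)

def encode_sid(rev, id_auth, subs):
    """Inverse of decode_sid; pads to the 68-byte struct dom_sid Samba 3 writes."""
    blob = (bytes([rev, len(subs)]) + id_auth.to_bytes(6, 'big')
            + struct.pack('<%dI' % len(subs), *subs))
    return blob.ljust(68, b'\0')

def tdbdump_record(key, data):
    """One tdbdump record in the { key(n) = "..." data(n) = "..." } layout."""
    return '{\nkey(%d) = "%s"\ndata(%d) = "%s"\n}\n' % (
        len(key), tdbdump_escape(key.encode()), len(data), tdbdump_escape(data))

SAMPLE_SID = encode_sid(1, 5, [21, 1111111111, 2222222222, 3333333333])  # made-up SID
# Only the original name MYSERVER has a record; the renamed PDC GATEWAY does not.
SAMPLE_TDBDUMP = tdbdump_record('SECRETS/SID/MYSERVER', SAMPLE_SID)

SMB_CONF_RENAMED = """[global]
workgroup = RECREATION
netbios name = GATEWAY
passdb backend = ldapsam:ldap://localhost
domain logons = yes
"""
SMB_CONF_ORIGINAL = SMB_CONF_RENAMED.replace('netbios name = GATEWAY', 'netbios name = MYSERVER')

if __name__ == '__main__':
    for label, conf in (('renamed to GATEWAY', SMB_CONF_RENAMED), ('back to MYSERVER', SMB_CONF_ORIGINAL)):
        print(label, check_domain_sid(conf, SAMPLE_TDBDUMP))
```

With the renamed configuration the check returns `ok: False` and lists only `SECRETS/SID/MYSERVER`, which is the mismatch seen above; with the name set back to MYSERVER it returns the decoded SID. On a real PDC, feed it `cat /etc/samba/smb.conf` and `tdbdump /var/lib/samba/private/secrets.tdb` (path as on the distro above) and treat a missing record for the configured name as the thing to fix before any add machine script runs.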
