[Samba] authentication problem with samba4 as a dcerpc server

eric gou gouyonggang at gmail.com
Sun Jun 9 11:29:40 MDT 2013

>From: Andrew Bartlett
>Sent: Saturday, June 08, 2013 1:20 AM
>To: eric gou
>Cc: samba at lists.samba.org
>Subject: Re: [Samba] authentication problem with samba4 as a dcerpc server

>>On Thu, 2013-06-06 at 09:44 -0700, eric gou wrote:
>> I made a mistake in the previous letter. I use the command “net ads 
>>  join”, looks that’s not for the samba4,
>> now I use the “samba-tool” to join a DC domain as a member, and it 
>> succeed, I can see some info stored in
>> secrets.ldb.
>> ./samba-tool domain join SMB3.COM MEMBER -Uadministrator --realm=SMB3.COM
>> unfortunately, when I start the “samba”, it still fails to find the 
>> domain info, so as to the latter authenticating for msrpc:
>> task_server_terminate: [dreplsrv: no DSDB replication required in domain 
>> member configuration]
>> single_terminate: reason[dreplsrv: no DSDB replication required in domain 
>> member configuration]
>> ldb_wrap open of secrets.ldb
>> task_server_terminate: [Cannot start Winbind (domain member): Failed to 
>> find record for SMB3 in /usr/local/samba/private/secrets.ldb: No such 
>> object: (null): Have you joined the SMB3 >>domain?]
> >any one can help?

>I think it's the same issue in both cases.  Are you sure you joined the
>domain by the correct netbios domain name?

>I think your workgroup=  setting might not match the netbios domain name
>of the domain, which is why it isn't being found.

Thanks for your reply,  the domain name is SMB3.COM, what I set is: 
workgroup = SMB3

After I joined the domain by samba-tool, the secrets.ldb info is like this:
    # record 1
    dn: flatname=SMB3,cn=Primary Domains
    msDS-KeyVersionNumber: 5
    objectClass: top
    objectClass: primaryDomain
    objectClass: kerberosSecret
    objectSid: S-1-5-21-4046433554-1285089214-3428912259
    privateKeytab: secrets.keytab
    realm: smb3.com
    saltPrincipal: host/suse11-9.smb3.com at SMB3.COM
    samAccountName: SUSE11-9$
W5JP at 4b$yM[dPlQ7)R%5F]!vJ>F#FfSwB$,PPC,)GQDekyU?X(MjZLg-Si=Yeg0oRmTa@&
    iekMLqZ1vNMGCp_xBflL9c at Y#&7g%2FqSsc4nV7E!%RF#bQ.umf7)o)aWvesOVg?5yd6nD~2_h7Q]
    secureChannelType: 2
    servicePrincipalName: HOST/suse11-9
    distinguishedName: flatname=SMB3,cn=Primary Domains

when I start the "samba", it starts the winbind task, by using this 
macro:"SECRETS_PRIMARY_DOMAIN_FILTER" to look for the info in the 

it's defined like this: #define SECRETS_PRIMARY_DOMAIN_FILTER 
the first key is :flatname, it's value is: SMB3,
apparently, there is no key named flatname in the secrets.ldb and it fails.

my solution is to redefine the macro like this:
#define SECRETS_PRIMARY_DOMAIN_FILTER "(&(dn=flatname=%s,cn=Primary 
and use the key= "dn", value="flatname=SMB3,cn=Primary Domains" to query the 
secrets.ldb, and that works.

is this a bug?

another thing im confused is, after I use the "samba-tool" to join the 
domain, it seems that I have to use the "net ads join" too,
because the function "cli_credentials_set_machine_account" in 
credentials_secrets.c will query both the secrets.ldb and secrets.tdb
and compare some items between them.
some items in the secrets.ldb are missing, such as "whenChanged".

and the secrets.keytab seems not be created if I join samba4 as a domain 

More information about the samba mailing list