[Samba] Can't add DNS records when joining Windows DC (Was Can't find machine account)

Tim Beale timbeale at catalyst.net.nz
Thu Jul 18 02:24:53 UTC 2019

On 18/07/19 7:12 AM, Rowland penny via samba wrote:
> On 17/07/2019 19:31, Robert A Wooldridge via samba wrote:
>> Here's the full error:
>> Could not find machine account in secrets database: Failed to fetch
>> machine account password for EDM from both secrets.ldb (Could not
>> find entry to match filter:
>> '(&(flatname=EDM)(objectclass=primaryDomain))' base: 'cn=Primary
>> Domains': No such object: dsdb_search at
>> ../source4/dsdb/common/util.c:4705) and from
>> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Problem is (so I have been told) neither secrets.tdb nor secrets.ldb
> will have been created at this point, so this could be a red herring.

Yeah, I think that's a red herring. If we had more log context around
the error, you'd probably see the following messages beforehand.

>> Adding 1 remote DNS records for <blah-DC>
>> Join failed - cleaning up
>> Could not find machine account in secrets database: ...

i.e. the 'machine account' message gets logged as part of the cleanup,
after the join has already failed.

A few people have noticed this problem. It mostly seems to occur when
joining Samba to an older Windows DC.

The join has basically completed successfully at this point, and
samba-tool is trying to create DNS records on the Windows DC for the new
Samba DC that's just joined. That part is failing, due to the Windows DC
rejecting it.

There are more details about the DNS records it's trying to add here:

One option might be to hack the join code to skip this step, and then
try to fix up these DNS records manually later. To do so, apply the
attached patch and retry the join, e.g.
cd /usr/lib/python2.7/dist-packages/samba
patch -p1 < join.patch

However, it'd be good to understand what exactly Windows doesn't like
about what Samba is telling it to do, so we could come up with a better

-------------- next part --------------
From 0de2a4f67e9edd116fa725f5fdc97152cf9e92aa Mon Sep 17 00:00:00 2001
From: Garming Sam <garming at catalyst.net.nz>
Date: Fri, 10 May 2019 02:24:28 +0000
Subject: [PATCH] HACK: remove the code to add DNS records in join

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
 samba/join.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/samba/join.py b/samba/join.py
index da8dcb050d3..b61d7bf53c1 100644
--- a/samba/join.py
+++ b/samba/join.py
@@ -1432,9 +1432,9 @@ class DCJoinContext(object):
-            if ctx.dns_backend != "NONE":
-                ctx.join_add_dns_records()
-                ctx.join_replicate_new_dns_records()
+            # if ctx.dns_backend != "NONE":
+            #    ctx.join_add_dns_records()
+            #    ctx.join_replicate_new_dns_records()
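Review bot: commenting out the whole `if ctx.dns_backend != "NONE":` block means a join with any DNS backend other than NONE now finishes without calling join_add_dns_records() or join_replicate_new_dns_records(), and nothing tells the admin that the new DC's records still have to be created by hand; at minimum emit a warning at this point, and prefer gating the two calls behind an explicit option rather than shipping commented-out code. Also, the hunk header claims 9 old and 9 new lines but only the six changed lines are present, so the context lines were lost when the mail was rendered and the patch as shown here will need them restored before `patch -p1` accepts it.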
