[Samba] Samba 4.11.6 cannot JOIN - 'Could not find machine account'

Thu Feb 13 08:33:06 UTC 2020

On 13/02/2020 01:37, Rick Hollinbeck via samba wrote:
> I'm still digging for the solution to this problem...
>
> The error seems to be triggered by some failure with talking to the NBTNS service (lmhosts)
> on the windows machine. (Port 137)
>
> Here is the section of the winbindd log where it fails to fetch the machine account:
> ...
> [2020/02/13 01:18:42.759943,  3]
> ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain)
>    add_trusted_domain: Added domain [OFFICE] [office.example.com]
> [S-1-5-21-3876585788-2465688680-3807591480]
> [2020/02/13 01:18:42.759997,  5] ../../source3/passdb/passdb.c:2396(get_trust_pw_clear2)
>    get_trust_pw_clear2: could not fetch clear text trust account password for domain OFFICE
> [2020/02/13 01:18:42.760013,  5]
> ../../source3/passdb/machine_account_secrets.c:343(secrets_fetch_trust_account_password
> _legacy)
>    secrets_fetch failed!
> [2020/02/13 01:18:42.760024,  5] ../../source3/passdb/passdb.c:2475(get_trust_pw_hash2)
>    get_trust_pw_hash: could not fetch trust account password for domain OFFICE
> [2020/02/13 01:18:42.760896,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
>    ldb_wrap open of secrets.ldb
> [2020/02/13 01:18:42.760970,  1]
> ../../auth/credentials/credentials_secrets.c:426(cli_credentials_set_machine_account_db_ctx)
>    Could not find machine account in secrets database: Failed to fetch machine account
> password for OFFICE from both secrets.ldb (Could not find entry to match filter: '(&(f$
> [2020/02/13 01:18:42.761022,  0]
> ../../source3/winbindd/winbindd_util.c:878(migrate_secrets_tdb_to_ldb)
>    Failed to fetch our own, local AD domain join password for winbindd's internal use, both
> from secrets.tdb and secrets.ldb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> [2020/02/13 01:18:42.763761,  0] ../../source3/winbindd/winbindd_util.c:1217(init_domain_list)
>    Failed to migrate our own, local AD domain join password for winbindd's internal use into
> secrets.tdb
> [2020/02/13 01:18:42.764028,  0]
> ../../source3/winbindd/winbindd.c:1462(winbindd_register_handlers)
>    unable to initialize domain list
>
> -----
>
> A windows server network trace shows several NbtNs "Registration Request"s around the
> time of this failure. (which curiously are not answered on the port 137 by the W8K server -
> this seems suspicious.)
>
> But the lmhosts service is running on W8K and nbtstatus looks ok.
> Also, the Windows firewall allows traffic on port 137 in both directions, so I can't explain this.
>
> Very frustrating!

 From a log you posted earlier, there is this:

cli_credentials(OFFICE\administrator) without realm, cannot use kerberos 
for this connection host/SERVI.OFFICE.XXXXXXXXXXXX.COM

Perhaps try adding '@OFFICE.XXXXXXXXXXXX.COM' to the Administrator name 
in in the join command.

Also, in the same log, you get a python exception after it tries to 
access secrets.ldb and, lower down, there is this:

Join failed - cleaning up

In every other case that I have seen, it is the other way around, the 
join fails and then the exception occurs, it is an artefact of the 
failure and not the cause.

Rowland