[Samba] Samba 4.11.6 cannot JOIN - 'Could not find machine account'

Rowland penny rpenny at samba.org
Thu Feb 13 08:33:06 UTC 2020


On 13/02/2020 01:37, Rick Hollinbeck via samba wrote:
> I'm still digging for the solution to this problem...
>
> The error seems to be triggered by some failure with talking to the NBTNS service (lmhosts)
> on the windows machine. (Port 137)
>
> Here is the section of the winbindd log where it fails to fetch the machine account:
> ...
> [2020/02/13 01:18:42.759943,  3]
> ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain)
>    add_trusted_domain: Added domain [OFFICE] [office.example.com]
> [S-1-5-21-3876585788-2465688680-3807591480]
> [2020/02/13 01:18:42.759997,  5] ../../source3/passdb/passdb.c:2396(get_trust_pw_clear2)
>    get_trust_pw_clear2: could not fetch clear text trust account password for domain OFFICE
> [2020/02/13 01:18:42.760013,  5]
> ../../source3/passdb/machine_account_secrets.c:343(secrets_fetch_trust_account_password
> _legacy)
>    secrets_fetch failed!
> [2020/02/13 01:18:42.760024,  5] ../../source3/passdb/passdb.c:2475(get_trust_pw_hash2)
>    get_trust_pw_hash: could not fetch trust account password for domain OFFICE
> [2020/02/13 01:18:42.760896,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
>    ldb_wrap open of secrets.ldb
> [2020/02/13 01:18:42.760970,  1]
> ../../auth/credentials/credentials_secrets.c:426(cli_credentials_set_machine_account_db_ctx)
>    Could not find machine account in secrets database: Failed to fetch machine account
> password for OFFICE from both secrets.ldb (Could not find entry to match filter: '(&(f$
> [2020/02/13 01:18:42.761022,  0]
> ../../source3/winbindd/winbindd_util.c:878(migrate_secrets_tdb_to_ldb)
>    Failed to fetch our own, local AD domain join password for winbindd's internal use, both
> from secrets.tdb and secrets.ldb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> [2020/02/13 01:18:42.763761,  0] ../../source3/winbindd/winbindd_util.c:1217(init_domain_list)
>    Failed to migrate our own, local AD domain join password for winbindd's internal use into
> secrets.tdb
> [2020/02/13 01:18:42.764028,  0]
> ../../source3/winbindd/winbindd.c:1462(winbindd_register_handlers)
>    unable to initialize domain list
>
> -----
>
> A windows server network trace shows several NbtNs "Registration Request"s around the
> time of this failure. (which curiously are not answered on the port 137 by the W8K server -
> this seems suspicious.)
>
> But the lmhosts service is running on W8K and nbtstatus looks ok.
> Also, the Windows firewall allows traffic on port 137 in both directions, so I can't explain this.
>
> Very frustrating!

 From a log you posted earlier, there is this:

cli_credentials(OFFICE\administrator) without realm, cannot use kerberos 
for this connection host/SERVI.OFFICE.XXXXXXXXXXXX.COM

Perhaps try adding '@OFFICE.XXXXXXXXXXXX.COM' to the Administrator name 
in in the join command.

Also, in the same log, you get a python exception after it tries to 
access secrets.ldb and, lower down, there is this:

Join failed - cleaning up

In every other case that I have seen, it is the other way around, the 
join fails and then the exception occurs, it is an artefact of the 
failure and not the cause.

Rowland





More information about the samba mailing list