[Samba] Samba 4.11.6 cannot JOIN - 'Could not find machine account'

Rick Hollinbeck rickh-samba at westernwares.com
Fri Feb 14 19:47:53 UTC 2020

Dug deeper (i.e. into the source code)... no answer yet.

The samba join process is failing when fetching the domain's machine password
from the secrets.tdb database, which presumably it has just built as part of the JOIN..

Specifically, it is looking for an entry: "SECRETS/$MACHINE.ACC/OFFICE" in secrets.tdb.

When that fails, samba looks in secrets.ldb in "cn=Primary Domains".
That cn does not exist in my Windows DNS (this is not a legacy NT4 style domain).
So, this search fails also and the whole JOIN then fails.

So the question is: Why isn't "SECRETS/$MACHINE.ACC/OFFICE" found in secrets.tdb?

Grepping the samba source code only shows two places where this key is referenced:
files: machine_account_secrets.c and samba3/_init_.py.
Both uses are READ accesses.
So, who WRITES this key - somewhere in the code, I would think.
Or, does it come from the Windows side during the join and replication?

Here's the relevant log entries in log.winbindd...

[2020/02/14 16:59:37.564101,  3] 
  add_trusted_domain: Added domain [BUILTIN] [(null)] [S-1-5-32]
[2020/02/14 16:59:37.564782,  3] 
  add_trusted_domain: Added domain [OFFICE] [office.example.com] 


[2020/02/14 16:59:37.564842,  5] ../../source3/passdb/passdb.c:2396(get_trust_pw_clear2)
  get_trust_pw_clear2: could not fetch clear text trust account password for domain OFFICE
[2020/02/14 16:59:37.564857,  5] 
  secrets_fetch failed!
[2020/02/14 16:59:37.564866,  5] ../../source3/passdb/passdb.c:2475(get_trust_pw_hash2)
  get_trust_pw_hash: could not fetch trust account password for domain OFFICE
[2020/02/14 16:59:37.566881,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2020/02/14 16:59:37.566960,  1] 
  Could not find machine account in secrets database: Failed to fetch machine account 
password for OFFICE
   from both secrets.ldb
    (Could not find entry to match filter: '(&(flatname=OFFICE)(objectclass=primaryDomain))' 
base: 'cn=Primary Domains':
      No such object: dsdb_search at ../../source4/dsdb/common/util.c:4733)
   and from /var/lib/samba/private/secrets.tdb:
[2020/02/14 16:59:37.566995,  0] 
  Failed to fetch our own, local AD domain join password for winbindd's internal use,
   both from secrets.tdb and secrets.ldb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2020/02/14 16:59:37.567595,  0] ../../source3/winbindd/winbindd_util.c:1217(init_domain_list)
  Failed to migrate our own, local AD domain join password for winbindd's internal use into 
[2020/02/14 16:59:37.567761,  0] 
  unable to initialize domain list


secrets.ldb does show a record for "Primary Domains":

# record 2
dn: CN=Primary Domains
cn: Primary Domains
objectClass: top
objectClass: container
objectGUID: 8ca0a56e-d...e5524c75
whenCreated: 20200213164429.0Z
whenChanged: 20200213164429.0Z
uSNCreated: 6
uSNChanged: 6
name: Primary Domains
distinguishedName: CN=Primary Domains


I tried running:
sudo samba_upgradedns --dns-backend=BIND9_DLZ
to see what it reports:
Processing section "[sysvol]"
Processing section "[netlogon]"
pm_process() returned Yes
schema_fsmo_init: we are master[no] updates allowed[no]
Traceback (most recent call last):
  File "/usr/sbin/samba_upgradedns", line 292, in <module>
    paths, lp.configfile, lp)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 209, in 
    names.netbiosname = str(res[0]["sAMAccountName"]).replace("$", "")
IndexError: list index out of range

I am wondering if the Windows server's DNS SHOULD have a Primary Domains CN 

It is missing on the Windows side.
Is this what my problem is?
If so, how can I recreate it on the Windows Server?

More information about the samba mailing list