[Samba] How to delete an unwanted NS record

James B. Byrne byrnejb at harte-lyne.ca
Wed Jul 8 15:12:46 UTC 2020

Wed Jul 8 14:02:23 UTC 2020, Rowland penny wrote:
>> On 08/07/2020 14:50, James B. Byrne wrote:
>> Why was I be told to remove the secrets.?db files if doing that that prevents
>> the samba_server from starting at all?
> I do not remember telling you to remove secrets.tdb from a running DC.

You did not.  The error message when I attempted to rejoin the domain with the
recently demoted DC said:

ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join,
error: Not removing account SMB4-2$ which looks like a Samba DC account
matching the password we already have.  To override, remove secrets.ldb and

Which I dutifully removed per the instructions.  I did not put that message
into the code.

> You might remove it from a dead or demoted DC, because when it is
> re-joined as a DC, secrets.tdb will be recreated.

The samba_server was demoted first.  It was restarted without issue.  I then
attempted to rejoin the domain with the resultant error given above.  That
error message does not appear to me to have any interpretation other than the
one I acted upon.

Now the samba_server will not start, and it cannot be joined to the domain if
it will not start.  In any case, the server recreates the secrets databases
during the startup process and then fails with the error:

[2020/07/08 09:46:32.561758,  1]
  Could not find machine account in secrets database: Failed to fetch machine
account password from secrets.ldb: Could not find entry to match filter:
'(&(flatname=BROCKLEY)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../../source4/dsdb/common/util.c:4733 and failed to open
/var/db/samba4/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Clearly there exist other artifacts from the previous join that persist (could
not find entry to match filter: '(&(flatname=BROCKLEY)) and which are
preventing the server from restarting.  I can blow away the entire samba
directory contents completely and then reinstall the software of course, but
that would not be acceptable in a production environment. I need a solution to
this that does not require so drastic a step.

I appreciate the help.  I had no intention to imply that anyone had mislead me.
 But the error message cannot be gainsaid.


***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

More information about the samba mailing list