[Samba] problems with secrets.ldb in samba 4.13.4

Jason Keltz jas at eecs.yorku.ca
Wed Feb 10 01:38:03 UTC 2021

On 2/9/2021 8:15 PM, Andrew Bartlett wrote:
> On Tue, 2021-02-09 at 19:56 -0500, Jason Keltz via samba wrote:
>> Hi..
>> I'm just about to join 300+ hosts to a new AD domain next week. We have
>> upgraded from latest Samba 4.11 to 4.13.4.
>> On a client in the domain, I unjoin the domain, clear the samba
>> directory, and run my script for joining a host to the domain.
>> The join appears to succeed and I can login to the host. winbind appears
>> happy.
>> However, in the samba winbind log, log.wb-<WORKGROUP> I see many, many
>> times:
>> ldb: Failed to connect to '/local/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/local/samba/private/secrets.ldb': No such file or directory
>> Sure enough, only the file secrets.tdb exists, and not secrets.ldb.
> Which is fine.
>> Has something changed between 4.11 and 4.13 with respect to
>> secrets.ldb?
> We stopped implicitly creating an empty file without any secrets in
> it.
> It is harmless, we just have some common code to handle the 'member
> server' case (remembering that an AD DC is itself a member server to
> its own domain) that tries to cope with the different way this data is
> stored.
>> I'm not even trying to make an old configuration work with the new
>> version.. I'm completely clearing the directory and letting samba
>> re-initialize it.
>> If I go back to the previous Samba version, and re-initialize, I get the
>> secrets.ldb file.
>> Any idea what's happening and what am I missing by not having the
>> secrets.ldb file?  Why do things "appear" to be working?
>> It's really important that I get this right for a successful
>> migration.
> Don't worry, nothing is wrong here.
> Sorry for the noise.
> BTW, the commit it comes from is this one, only in 4.13 and later:
> commit 6cbd7d1a32cc7ccfb8d06eacdcade41d96b54519
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Tue Feb 4 16:16:48 2020 +0100
>      s4:param: make sure secrets_db_connect() no longer creates on empty secrets.ldb
>      Signed-off-by: Stefan Metzmacher <metze at samba.org>
>      Reviewed-by: Andreas Schneider <asn at samba.org>
>      Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
>      Autobuild-Date(master): Wed Feb  5 10:13:02 UTC 2020 on sn-devel-184
> Andrew Bartlett

Thanks so much Andrew!

That's excellent news.  The noise was concerning, but now that I know 
it's just noise, that's a good thing.

One other potential issue that I just noticed in log.wb-<HOST> is
the following:

[2021/02/09 19:51:22.998817,  0, pid=4349, effective(0, 0), real(0, 0)] 
   open_internal_pipe: Could not connect to dssetup pipe: 
[2021/02/09 19:51:22.999193,  0, pid=4349, effective(0, 0), real(0, 0)] 
   rpcint_dispatch: DCE/RPC fault in call lsarpc:2E - 

Again, it doesn't seem to cause any trouble.  Everything seems to be 
otherwise working, but I didn't see this before in 4.11.

