[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
Rowland Penny
rpenny at samba.org
Mon Oct 31 13:27:49 UTC 2022
On 31/10/2022 13:07, Michael Tokarev via samba wrote:
> I come across an interesting thing here.
>
> When joining to a samba AD DC domain with samba-tool domain join,
> it gives the error message at the end, and later, winbindd
> does the same thing a *lot*.
>
> # samba-tool domain join tls.msk.ru -U mjt-adm
> Password for [TLS\mjt-adm]:
> libnet_join_precreate_machine_acct: Machine account successfully created
> join: struct secrets_domain_infoB
> [skip large dump of struct secrets_domain_infoB...]
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
> file or directory
That is a bug. Not that the .ldb file doesn't exist; it doesn't exist on
a Unix domain member. However, it shouldn't log that it cannot find
something that is known not to exist.
> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb':
> No such file or directory
> Joined domain tls.msk.ru (S-1-5-21-411424318-379842365-2075518510)
> # _
>
> So it looks like it joined successfully (though it does not
> add a uid to the machine account), despite these error
> messages.
The join doesn't add a Unix ID to a computer's object:
1) it is only used by the 'ad' idmap backend
2) there is nowhere to find the next ID to use.
>
> However, after starting winbindd and smbd, and trying to
> connect to the new member server, the following errors
> are logged in /var/log/samba/log.wb-TLS:
>
> [2022/10/31 16:02:43.434454, 1]
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
> ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
> file or directory
> [2022/10/31 16:02:43.434499, 1]
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb':
> No such file or directory
> [2022/10/31 16:02:43.961810, 1]
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
> ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
> file or directory
> [2022/10/31 16:02:43.961859, 1]
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb':
> No such file or directory
> ...
>
At one time, on a Unix domain member, just doing something that would
ask for secrets.ldb would result in an empty file being created. This
was stopped some time ago.
> And indeed, there's only secrets.tdb there, but not secrets.ldb.
>
> When rejoining the domain, I clear all files in /var/lib/samba,
> /var/cache/samba
> and /run/samba, so it is all fresh new.
>
> What's wrong?
>
> Thanks!
>
> /mjt
>
> smb.conf:
> # Global parameters
> [global]
> dedicated keytab file = /etc/krb5.keytab
> disable spoolss = Yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/log.%m
> log level = 1
> max log size = 1000
> netbios name = WH
> realm = TLS.MSK.RU
> workgroup = TLS
> security = ADS
> server role = member server
> winbind use default domain = Yes
> idmap config tls : backend = ad
> idmap config tls : range = 1000-4999
Have you added uidNumber & gidNumber attributes to your AD ?
They are not added automatically.
Also why are you using such a low range ?
By starting at 1000, you cannot have any local Unix users or groups.
> idmap config tls : schema_mode = rfc2307
> idmap config tls : unix_primary_group = yes
> idmap config * : backend = tdb
> idmap config * : range = 5000-5099
You are going to need more than '99' for the default domain.
> hosts allow = 192.168.177.0/26 127.0.0.0/8
> [homes]
> browseable = No
> comment = Home Directories
> read only = No
>
>
Rowland
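The two configuration problems Rowland points at (a domain range that starts at 1000, where local Unix accounts live, and a '*' default range of only 100 IDs) are easy to check mechanically before a join. The script below is an added example, not code from the thread or from Samba: it parses the `idmap config <domain> : <key> = <value>` lines of an smb.conf and reports those problems, plus inverted and mutually overlapping ranges, which winbind refuses outright. The local-account range 1000-9999 and the 1000-ID floor for the default domain are assumptions chosen for the example; the embedded smb.conf is a constructed copy of the relevant lines from the original post.

```python
"""Sanity-check the idmap ranges in a Samba member-server smb.conf.

Added example for the mailing-list thread above; not Samba's own code.
Assumptions (labelled): local Unix accounts occupy 1000-9999 and the '*'
default domain should hold at least 1000 IDs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Matches e.g. "idmap config tls : range = 1000-4999" (case-insensitive keys).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)

# Constructed copy of the idmap lines from the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   security = ADS
   server role = member server
   idmap config tls : backend = ad
   idmap config tls : range = 1000-4999
   idmap config tls : schema_mode = rfc2307
   idmap config * : backend = tdb
   idmap config * : range = 5000-5099
"""

LOCAL_ID_RANGE = (1000, 9999)  # assumption: where local users/groups live
MIN_DEFAULT_RANGE_SIZE = 1000  # assumption: floor for the '*' domain


@dataclass
class IdmapDomain:
    name: str
    backend: Optional[str] = None
    low: Optional[int] = None
    high: Optional[int] = None


def parse_idmap(conf: str) -> dict[str, IdmapDomain]:
    """Collect backend and range per idmap domain from smb.conf text."""
    domains: dict[str, IdmapDomain] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, IdmapDomain(dom))
        if key == "backend":
            entry.backend = value.lower()
        elif key == "range":
            low, high = (int(x) for x in value.split("-", 1))
            entry.low, entry.high = low, high
    return domains


def _overlaps(a_lo: int, a_hi: int, b_lo: int, b_hi: int) -> bool:
    return a_lo <= b_hi and b_lo <= a_hi


def check_idmap(domains: dict[str, IdmapDomain]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: list[str] = []
    for dom in domains.values():
        if dom.low is None or dom.high is None:
            findings.append(f"{dom.name}: no range configured")
            continue
        if dom.low > dom.high:
            findings.append(f"{dom.name}: range {dom.low}-{dom.high} is inverted")
        if _overlaps(dom.low, dom.high, *LOCAL_ID_RANGE):
            findings.append(
                f"{dom.name}: range {dom.low}-{dom.high} collides with local "
                f"Unix accounts ({LOCAL_ID_RANGE[0]}-{LOCAL_ID_RANGE[1]})"
            )
        size = dom.high - dom.low + 1
        if dom.name == "*" and size < MIN_DEFAULT_RANGE_SIZE:
            findings.append(f"*: default range holds only {size} IDs")
        if dom.backend == "ad":
            # The 'ad' backend only maps objects that carry RFC2307 attributes.
            findings.append(
                f"{dom.name}: backend 'ad' maps only users/groups with "
                "uidNumber/gidNumber set in AD; the join does not add them"
            )
    # Ranges of different domains must not overlap each other.
    names = [n for n, d in domains.items() if d.low is not None]
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            da, db = domains[a], domains[b]
            if _overlaps(da.low, da.high, db.low, db.high):
                findings.append(f"{a} and {b}: ranges overlap")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(parse_idmap(SAMPLE_SMB_CONF)):
        print(finding)
```

Run it against the posted configuration and it reports the 'tls' range colliding with local accounts, the 100-ID default range, and a reminder that the 'ad' backend needs uidNumber/gidNumber populated in AD; a layout such as `* : 20000-29999` and `tls : 100000-199999` leaves only that reminder.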