[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

Rowland Penny rpenny at samba.org
Mon Oct 31 13:27:49 UTC 2022



On 31/10/2022 13:07, Michael Tokarev via samba wrote:
> I come across an interesting thing here.
> 
> When joining to a samba AD DC domain with samba-tool domain join,
> it gives the error message at the end, and later, winbindd
> does the same thing a *lot*.
> 
> # samba-tool domain join tls.msk.ru -U mjt-adm
> Password for [TLS\mjt-adm]:
> libnet_join_precreate_machine_acct: Machine account successfully created
>       join: struct secrets_domain_infoB
>   [skip large dump of struct secrets_domain_infoB...]
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such 
> file or directory

That is a bug; not that the .ldb file doesn't exist, it doesn't exist on 
a Unix domain member. However, it shouldn't log that it cannot find 
something that is known not to exist.

> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with 
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': 
> No such file or directory
> Joined domain tls.msk.ru (S-1-5-21-411424318-379842365-2075518510)
> # _
> 
> So it looks like it joined successfully (tho it does not
> add an uid to the machine account), despite these error
> messages.

The join doesn't add a Unix ID to a computer's object:
1) it is only used by the 'ad' idmap backend
2) there is nowhere to find the next ID to use.

> 
> However, after starting winbindd and smbd, and trying to
> connect to the new member server, the following errors
> are logged in /var/log/samba/log.wb-TLS:
> 
> [2022/10/31 16:02:43.434454,  1] 
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>    ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such 
> file or directory
> [2022/10/31 16:02:43.434499,  1] 
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>    ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with 
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': 
> No such file or directory
> [2022/10/31 16:02:43.961810,  1] 
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>    ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such 
> file or directory
> [2022/10/31 16:02:43.961859,  1] 
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>    ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with 
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': 
> No such file or directory
> ...
>

At one time, on a Unix domain member, just doing something that would 
ask for secrets.ldb would result in an empty file being created. This 
was stopped some time ago.

> And indeed, there's only secrets.tdb there, but not secrets.ldb.
> 
> When rejoining the domain, I clear all files in /var/lib/samba, 
> /var/cache/samba
> and /run/samba, so it is all fresh new.
> 
> What's wrong?
> 
> Thanks!
> 
> /mjt
> 
> smb.conf:
> # Global parameters
> [global]
>          dedicated keytab file = /etc/krb5.keytab
>          disable spoolss = Yes
>          kerberos method = secrets and keytab
>          log file = /var/log/samba/log.%m
>          log level = 1
>          max log size = 1000
>          netbios name = WH
>          realm = TLS.MSK.RU
>          workgroup = TLS
>          security = ADS
>          server role = member server
>          winbind use default domain = Yes
>          idmap config tls : backend = ad
>          idmap config tls : range = 1000-4999

Have you added uidNumber & gidNumber attributes to your AD?
They are not added automatically.
Also, why are you using such a low range?
By starting at 1000, you cannot have any local Unix users or groups.

>          idmap config tls : schema_mode = rfc2307
>          idmap config tls : unix_primary_group = yes
>          idmap config * : backend = tdb
>          idmap config * : range = 5000-5099

You are going to need more than '99' for the default domain.

>          hosts allow = 192.168.177.0/26 127.0.0.0/8
> [homes]
>          browseable = No
>          comment = Home Directories
>          read only = No
> 
> 

Rowland
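An added example, not part of the thread or of Samba's own tooling: a small checker for the idmap ranges in an smb.conf like the one quoted above. It reports ranges that contain existing local UIDs (the "starting at 1000" problem), ranges too small to be useful (the 100-ID default domain), and ranges that overlap each other. The smb.conf and /etc/passwd excerpts are constructed, and the size floor of 1000 IDs is an assumed sanity threshold, not a Samba rule.

```python
import re
from itertools import combinations

# Constructed inputs: the idmap lines from the quoted smb.conf and a
# made-up /etc/passwd excerpt with one ordinary local user at UID 1000.
SAMPLE_SMB_CONF = """
[global]
        idmap config tls : backend = ad
        idmap config tls : range = 1000-4999
        idmap config tls : schema_mode = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 5000-5099
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
mjt:x:1000:1000:Local user:/home/mjt:/bin/bash
"""

_RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf_text):
    """Map each idmap domain name to its (low, high) range."""
    ranges = {}
    for line in conf_text.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def local_uids(passwd_text):
    """Collect numeric UIDs from passwd-format text (7 fields, 6 colons)."""
    return {int(l.split(":")[2]) for l in passwd_text.splitlines()
            if l.count(":") >= 6}

def check_idmap_ranges(ranges, uids, min_size=1000):
    """Return (domain, problem) tuples; min_size is an assumed sanity floor."""
    problems = []
    for dom, (low, high) in sorted(ranges.items()):
        if low > high:
            problems.append((dom, "low end above high end"))
            continue
        if high - low + 1 < min_size:
            problems.append((dom, f"only {high - low + 1} IDs"))
        clash = sorted(u for u in uids if low <= u <= high)
        if clash:
            problems.append((dom, f"overlaps local UIDs {clash}"))
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:   # closed intervals intersect
            problems.append((a, f"overlaps range of '{b}'"))
    return problems

if __name__ == "__main__":
    found = check_idmap_ranges(parse_idmap_ranges(SAMPLE_SMB_CONF),
                               local_uids(SAMPLE_PASSWD))
    for dom, msg in found:
        print(f"idmap config {dom}: {msg}")
```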