31.10.2022 16:27, Rowland Penny via samba wrote:
> On 31/10/2022 13:07, Michael Tokarev via samba wrote:
>> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
>> Joined domain tls.msk.ru (S-1-5-21-411424318-379842365-2075518510)
>> # _
>> So it looks like it joined successfully (tho it does not
>> add an uid to the machine account), despite these error
>> messages.
> The join doesn't add a Unix ID to a computers object:
> 1) it is only used by the 'ad' idmap backend
> 2) there is nowhere to find the next ID to use.

Yeah it doesn't, and I remember coming across that already in the past debugging
this issue, - I had to manually add uidNumber & gidNumber to the computer object.
But I didn't add these attributes to all of them, - eg, another (non-test) server
here (which also logs this very error message *a lot*, btw) does not have it too,
while some windows machines have it.

If it can not be added automatically but is required, maybe it is a good idea
to add a warning somewhere at the end of `samba-tool domain join' output about

>> [2022/10/31 16:02:43.961859,  1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>>    ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
> At one time, on a Unix domain member, just doing something that would ask for secrets.ldb would result in an empty file being created. This was stopped sometime ago.

It seems any sort of activity results in that.. :)

>> # Global parameters
>> [global]
>>          dedicated keytab file = /etc/krb5.keytab
>>          disable spoolss = Yes
>>          kerberos method = secrets and keytab
>>          log file = /var/log/samba/log.%m
>>          log level = 1
>>          max log size = 1000
>>          netbios name = WH
>>          realm = TLS.MSK.RU
>>          workgroup = TLS
>>          security = ADS
>>          server role = member server
>>          winbind use default domain = Yes
>>          idmap config tls : backend = ad
>>          idmap config tls : range = 1000-4999
> Have you added uidNumber & gidNumber attributes to your AD ?
> They are not added automatically.

I've added uidNumber now.  The error message in $subj, obviously, is still being logged.

> Also why are you using such a low range ?

Well, this is because you said many months ago that having local users with
the same names as in AD is wrong.  So I had to remove local users, but changing
their UIDs is too problematic as it will result in *lots* of chown'ing. So I kept
their UIDs the same as before.

> By starting at 1000, you cannot have any local Unix users or groups.

This is incorrect for two reasons.

1. Local unix users can have any UIDs too, not only 1000 and up.  Yes, *by default*,
adduser will start at 1000 and find the next unused UID. But a) adduser is not the
only tool to manage /etc/passwd, even echo "user:pw:uid:gid:..." >> /etc/passwd will
do, and b) these are just the defaults, one can fix them in /etc/adduser.conf.
2. nss_winbind is listed *second* in nsswitch.conf, with first being
nss_files. So any getpwuid() lookup will first look up a local uid, and only if
that fails, nss_winbind will do its work, - and if you're accurate, there will
be no conflicts in there.  idmap config range is just a quick filter for winbindd
to route this uid to the right domain, at least as far as I see.

>>          idmap config tls : schema_mode = rfc2307
>>          idmap config tls : unix_primary_group = yes
>>          idmap config * : backend = tdb
>>          idmap config * : range = 5000-5099
> You are going to need more than '99' for the default domain.

This is interesting. So far I don't see any uids used in there. At least
getent passwd 5000..50099 return nothing (while getent passwd 1006 does
return mjt-adm info).  What are these user IDs used for, and when?

Thank you!
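As an added illustration (not part of the thread and not Samba's own code): the argument above rests on two things, the idmap ranges in smb.conf and the "files before winbind" order in nsswitch.conf. The small script below parses a constructed smb.conf fragment modelled on the one quoted, parses constructed /etc/passwd lines, reports every local account whose uid or gid falls inside an idmap range, checks that the per-domain ranges do not intersect each other, and mimics the files-then-winbind lookup order. The smb.conf fragment, the passwd accounts and the WINBIND_USERS table are made up for the example (only 1006/mjt-adm comes from the thread).

```python
import re

# Constructed smb.conf fragment, modelled on the [global] section quoted in the thread
SMB_CONF = """\
[global]
        idmap config tls : backend = ad
        idmap config tls : range = 1000-4999
        idmap config * : backend = tdb
        idmap config * : range = 5000-5099
"""

# Constructed /etc/passwd lines; the accounts are hypothetical
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
localadmin:x:1001:1001:Local Admin:/home/localadmin:/bin/bash
svc-backup:x:5010:5010:Backup service:/var/lib/backup:/usr/sbin/nologin
"""

# Constructed stand-in for what nss_winbind would answer (uid -> name).
# 1006/mjt-adm is the only pair mentioned in the thread; the rest is made up.
WINBIND_USERS = {1001: "jdoe", 1006: "mjt-adm", 5001: "svc-print"}

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config <dom> : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_passwd(text):
    """Return [(name, uid, gid)] from passwd-format lines, skipping blanks/comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line, ignore it
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries


def find_overlaps(ranges, entries):
    """Local accounts whose uid or gid sits inside an idmap range.

    winbindd may hand the same number to a domain identity; nss_files answers
    first so the local entry wins in lookups, but both identities then share
    the number on disk (file ownership, quotas, audit records)."""
    hits = []
    for name, uid, gid in entries:
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                hits.append((name, "uid", uid, dom))
            if lo <= gid <= hi:
                hits.append((name, "gid", gid, dom))
    return hits


def ranges_overlap(ranges):
    """Pairs of idmap domains whose ranges intersect, i.e. ambiguous routing."""
    doms = list(ranges)
    bad = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                bad.append((a, b))
    return bad


def lookup_uid(uid, local_entries, winbind_users):
    """Mimic 'passwd: files winbind': the first source that answers wins."""
    for name, luid, _gid in local_entries:
        if luid == uid:
            return ("files", name)
    if uid in winbind_users:
        return ("winbind", winbind_users[uid])
    return None


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    entries = parse_passwd(PASSWD)
    for hit in find_overlaps(ranges, entries):
        print("local %s %s %d falls in idmap range of domain %r" % hit)
    for pair in ranges_overlap(ranges):
        print("idmap ranges intersect:", pair)
    for uid in (1001, 1006, 7777):
        print(uid, "->", lookup_uid(uid, entries, WINBIND_USERS))
```

On a real member server the same functions can be fed the contents of /etc/samba/smb.conf and the output of `getent -s files passwd`; any hit it prints is a local account whose number winbindd is also free to allocate, which is exactly the kind of collision a low range makes likely. The '*' range is not only for users you create: winbindd also allocates IDs from it for BUILTIN and other well-known SIDs that the domain-specific 'ad' block does not cover, so it tends to fill up faster than a count of expected accounts suggests.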