[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
Rowland Penny
rpenny at samba.org
Mon Oct 31 14:14:44 UTC 2022
On 31/10/2022 14:03, Michael Tokarev wrote:
> 31.10.2022 16:27, Rowland Penny via samba wrote:
>> On 31/10/2022 13:07, Michael Tokarev via samba wrote:
> ..
>>> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
>>> backend 'tdb': Unable to open tdb
>>> '/var/lib/samba/private/secrets.ldb': No such file or directory
>>> Joined domain tls.msk.ru (S-1-5-21-411424318-379842365-2075518510)
>>> # _
>>>
>>> So it looks like it joined successfully (tho it does not
>>> add an uid to the machine account), despite these error
>>> messages.
>>
>> The join doesn't add a Unix ID to a computers object:
>> 1) it is only used by the 'ad' idmap backend
>> 2) there is nowhere to find the next ID to use.
>
> Yeah it doesn't, and I remember coming across that already in the past
> debugging
> this issue, - I had to manually add uidNumber & gidNumber to the
> computer object.
> But I didn't add these attributes to all of them, - eg, another
> (non-test) server
> here (which also logs this very error message *alot*, btw) does not have
> it too,
> while some windows machines have it.
>
> If it can not be added automatically but is required, maybe it is a good
> idea
> to add a warning somewhere at the end of `samba-tool domain join' output
> about
> that?
Sorry, but I am not going to try and fight that battle again.
>
>> Also why are you using such a low range ?
>
> Well, this is because you said many months ago that having local users with
> the same names as in AD is wrong. So I had to remove local users, but
> changing
> their UIDs is too problematic as it will result in *lots* of chown'ing.
> So I kept
> their UIDs the same as before.
>
>> By starting at 1000, you cannot have any local Unix users or groups.
>
> This is incorrect because of two reasons.
>
> 1. Local unix users can have any UIDs too, not only 1000 and up.
I accept this, but a normal user doesn't want to jump through hoops to
create users, best to stick to standard practices.
>> You are going to need more than '99' for the default domain.
>
> This is interesting. So far I don't see any uids used in there. At least
> getent passwd 5000..50099 return nothing (while getent passwd 1006 does
> return mjt-adm info). What these user IDS are used for, and when?
Microsoft has the concept of Well Known SIDs and there are nearly 200 of
these, they are mapped on a first come basis in the default '*' domain
.tdb file, there also need to to be space for anything outside your main
domain e.g. another domain.
Rowland
More information about the samba
mailing list