[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

Michael Tokarev mjt at tls.msk.ru
Mon Oct 31 14:25:18 UTC 2022


31.10.2022 17:14, Rowland Penny via samba wrote:
..
>>> The join doesn't add a Unix ID to a computer object:
>>> 1) it is only used by the 'ad' idmap backend
>>> 2) there is nowhere to find the next ID to use.
>>
>> Yeah it doesn't, and I remember coming across that already in the past debugging
>> this issue; I had to manually add uidNumber & gidNumber to the computer object.
>> But I didn't add these attributes to all of them, e.g. another (non-test) server
>> here (which also logs this very error message *a lot*, btw) does not have it either,
>> while some windows machines have it.
>>
>> If it can not be added automatically but is required, maybe it is a good idea
>> to add a warning somewhere at the end of `samba-tool domain join' output about
>> that?
> 
> Sorry, but I am not going to try and fight that battle again.

Which battle?  Are you saying it is absolutely wrong to print a warning if
samba-tool domain join was unable to assign uidNumber to the new object
it created? Hmm okay, I'll shut up now, because it looks like I don't
understand something fundamental...

..
>>> You are going to need more than '99' for the default domain.
>>
>> This is interesting. So far I don't see any uids used in there. At least
>> getent passwd 5000..50099 returns nothing (while getent passwd 1006 does
>> return mjt-adm info).  What are these user IDs used for, and when?
> 
> Microsoft has the concept of Well Known SIDs and there are nearly 200 of these, they are mapped on a first-come basis in the default '*' domain .tdb
> file, there also needs to be space for anything outside your main domain e.g. another domain.

Are these 200 actually being used in a domain member? I specifically
assigned a relatively low range to see what goes in there, on a
first-come basis, and there's still nothing in there (after almost
a year of this AD domain operations).  Maybe my setup is somehow
wrong and these required entries aren't being written?  How do I
debug the lack of entries in this "other" range?

Thanks,

/mjt
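A check a practitioner might want at this point in the thread, added here as an example and not part of the original posts or of Samba itself: the 'ad' idmap backend only resolves objects that carry uidNumber/gidNumber, and the join does not add them, so a quick way to see which computer objects are affected is to export them as LDIF and list the ones missing either attribute. The script below reads LDIF on stdin; the ldbsearch/ldapsearch invocations in the comment and the sample records are assumptions (constructed, not real directory data).

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): report AD computer objects
# that lack the uidNumber/gidNumber attributes the 'ad' idmap backend needs.
#
# Feed it LDIF on stdin. Assumed ways to produce that LDIF (adjust host, base
# DN and credentials for your domain):
#   ldbsearch -H ldap://dc1.example.com -b 'DC=example,DC=com' \
#       '(objectClass=computer)' dn uidNumber gidNumber
#   ldapsearch -LLL -H ldap://dc1.example.com -b 'DC=example,DC=com' \
#       '(objectClass=computer)' uidNumber gidNumber

missing_idmap_attrs() {
    awk '
        # Emit the current record if it is missing either attribute, then reset.
        function flush() {
            if (dn != "" && (!has_uid || !has_gid)) {
                printf "%s missing:%s%s\n", dn,
                    (has_uid ? "" : " uidNumber"),
                    (has_gid ? "" : " gidNumber")
            }
            dn = ""; has_uid = 0; has_gid = 0
        }
        /^dn: /        { flush(); dn = substr($0, 5); next }   # start of a record
        /^uidNumber: / { has_uid = 1; next }
        /^gidNumber: / { has_gid = 1; next }
        /^$/           { flush() }                              # blank line ends a record
        END            { flush() }
    '
}

# Constructed sample LDIF (not real directory data) so the script runs stand-alone:
# one computer with both attributes, one with neither, one with only uidNumber.
SAMPLE_LDIF='dn: CN=WIN10-01,CN=Computers,DC=example,DC=com
uidNumber: 30001
gidNumber: 30000

dn: CN=SRV-FILE1,CN=Computers,DC=example,DC=com

dn: CN=DEBIAN-TEST,CN=Computers,DC=example,DC=com
uidNumber: 30002
'

printf '%s\n' "$SAMPLE_LDIF" | missing_idmap_attrs
```

Any object the script lists will keep failing to map under 'idmap config DOMAIN : backend = ad' until the attributes are added by hand, which is exactly the manual step described above; comment lines and "# returned N records" trailers that ldbsearch prints are ignored because they never match the dn:/uidNumber:/gidNumber: patterns.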