[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

Michael Tokarev mjt at tls.msk.ru
Mon Oct 31 14:52:36 UTC 2022

31.10.2022 17:25, Michael Tokarev via samba wrote:
>>> This is interesting. So far I don't see any uids used in there. At least
>>> getent passwd 5000..50099 return nothing (while getent passwd 1006 does
>>> return mjt-adm info).  What are these user IDs used for, and when?
>> Microsoft has the concept of Well Known SIDs and there are nearly 200 of these, they are mapped on a first come basis in the default '*' domain .tdb
>> file, there also needs to be space for anything outside your main domain e.g. another domain.
> Are these 200 actually being used in a domain member? I especially
> assigned a relatively low range to see what goes in there, in a
> first come basis, and there's nothing in there still (after almost
> a year of this AD domain operations).  Maybe my setup is somehow
> wrong and these required entries aren't being written?  How to
> debug with lack of entries in this "other" range?

Found it.

# tdb -D /var/lib/samba/winbindd_idmap.tdb
GID\s5004\0 S-1-5-7\0
S-1-5-11\0 GID\s5002\0
S-1-5-18\0 GID\s5003\0
USER\sHWM\0 \x88\x13\0\0
S-1-5-7\0 GID\s5004\0
GID\s5000\0 S-1-1-0\0
GID\s5001\0 S-1-5-2\0
GID\s5002\0 S-1-5-11\0
S-1-1-0\0 GID\s5000\0
S-1-5-2\0 GID\s5001\0
GROUP\sHWM\0 \x8d\x13\0\0
GID\s5003\0 S-1-5-18\0
IDMAP_VERSION\0 \x02\0\0\0

Here are the first 4 or so entries from the 5000..50099
range allocated during the first year of operations.

Why is 99 too low?
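As an added example (not code from this post or from Samba), the following Python decodes a winbindd_idmap.tdb dump in the escape style shown above: it reverses the \s, \0 and \xHH escapes, reads the USER/GROUP HWM counters as little-endian 32-bit integers (the next ID to be handed out), and names the well-known SIDs that consumed GIDs from the default '*' range, assuming that range is configured as 5000-5099.

```python
"""Decode the winbindd_idmap.tdb dump quoted above (example, not Samba code)."""
import re
import struct

# Constructed input: the dump lines from the post. \s = space, \0 = NUL, \xHH = byte.
DUMP = r"""GID\s5004\0 S-1-5-7\0
S-1-5-11\0 GID\s5002\0
S-1-5-18\0 GID\s5003\0
USER\sHWM\0 \x88\x13\0\0
S-1-5-7\0 GID\s5004\0
GID\s5000\0 S-1-1-0\0
GID\s5001\0 S-1-5-2\0
GID\s5002\0 S-1-5-11\0
S-1-1-0\0 GID\s5000\0
S-1-5-2\0 GID\s5001\0
GROUP\sHWM\0 \x8d\x13\0\0
GID\s5003\0 S-1-5-18\0
IDMAP_VERSION\0 \x02\0\0\0"""

# Microsoft well-known SIDs that appear in the dump (same in every domain).
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "Network", "S-1-5-7": "Anonymous Logon",
              "S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System"}

_ESC = re.compile(rb"\\x([0-9a-fA-F]{2})|\\s|\\0")

def unescape(token: str) -> bytes:
    """Reverse the dump escapes to recover the raw bytes stored in the tdb."""
    return _ESC.sub(lambda m: bytes([int(m[1], 16)]) if m[1] else
                    (b" " if m[0] == rb"\s" else b"\0"), token.encode())

def parse_dump(text: str) -> dict:
    """Map each raw key to its raw value; the dump has one 'key value' pair per line."""
    return {unescape(k): unescape(v) for k, v in
            (line.split(" ", 1) for line in text.splitlines() if line.strip())}

def summarize(text: str, low: int, high: int) -> dict:
    """Decode the HWM counters (little-endian uint32, next ID to allocate) and list
    the SIDs that took an ID from the assumed '*' range [low, high]."""
    rec = parse_dump(text)
    hwm = {k.split(b" ")[0].decode(): struct.unpack("<I", v[:4])[0]
           for k, v in rec.items() if k.endswith(b"HWM\0")}
    sids = {}
    for k, v in rec.items():
        if k.startswith(b"S-"):                 # SID key -> b"GID 5004\0" value
            kind, num = v.rstrip(b"\0").decode().split()
            sid = k.rstrip(b"\0").decode()
            sids[sid] = (kind, int(num), WELL_KNOWN.get(sid, "unknown"))
    used = sum(1 for _, n, _ in sids.values() if low <= n <= high)
    return {"hwm": hwm, "sids": sids, "used": used, "free": high - low + 1 - used}
```

Run against a real dump, the "free" figure shows how much of the default range remains before idmap_tdb refuses to allocate, which is the number to compare against a small range such as 100.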
