[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

Michael Tokarev mjt at tls.msk.ru
Mon Oct 31 15:03:58 UTC 2022

31.10.2022 17:52, Michael Tokarev via samba пишет:

> Found it.
> # tdb -D /var/lib/samba/winbindd_idmap.tdb
> GID\s5004\0 S-1-5-7\0
> S-1-5-11\0 GID\s5002\0
> S-1-5-18\0 GID\s5003\0
> USER\sHWM\0 \x88\x13\0\0
> S-1-5-7\0 GID\s5004\0
> GID\s5000\0 S-1-1-0\0
> GID\s5001\0 S-1-5-2\0
> GID\s5002\0 S-1-5-11\0
> S-1-1-0\0 GID\s5000\0
> S-1-5-2\0 GID\s5001\0
> GROUP\sHWM\0 \x8d\x13\0\0
> GID\s5003\0 S-1-5-18\0
> IDMAP_VERSION\0 \x02\0\0\0
> Here are the first 4 or so entries from the 5000..50099
> range allocated during first year of operations.

# getent group 5000 5001 5002 5003 5004
NT Authority\network:x:5001:
NT Authority\system:x:5003:
NT Authority\anonymous logon:x:5004:

I was looking in the wrong category: it is group not user,
so getent group, not getent passwd.

And this is why nss lookup fails when you don't configure
idmap config * entries.  To me, when I first come across
these, it looked unnecessary to have "*" entries, because
the description somewhere near that was about "other domains"
which I don't have.  I thought I'll add them once I will
really have some "other" domains.  But it didn't work.

It is a good find really, there's once mystery less about
samba now.



More information about the samba mailing list