Rick Hollinbeck
2020-Feb-13 01:37 UTC
[Samba] Samba 4.11.6 cannot JOIN - 'Could not find machine account'
I'm still digging for the solution to this problem...

The error seems to be triggered by some failure with talking to the NBTNS service (lmhosts)
on the Windows machine. (Port 137)

Here is the section of the winbindd log where it fails to fetch the machine account:
...
[2020/02/13 01:18:42.759943, 3]
../../source3/winbindd/winbindd_util.c:297(add_trusted_domain)
add_trusted_domain: Added domain [OFFICE] [office.example.com]
[S-1-5-21-3876585788-2465688680-3807591480]
[2020/02/13 01:18:42.759997, 5] ../../source3/passdb/passdb.c:2396(get_trust_pw_clear2)
get_trust_pw_clear2: could not fetch clear text trust account password for domain OFFICE
[2020/02/13 01:18:42.760013, 5]
../../source3/passdb/machine_account_secrets.c:343(secrets_fetch_trust_account_password
_legacy)
secrets_fetch failed!
[2020/02/13 01:18:42.760024, 5] ../../source3/passdb/passdb.c:2475(get_trust_pw_hash2)
get_trust_pw_hash: could not fetch trust account password for domain OFFICE
[2020/02/13 01:18:42.760896, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2020/02/13 01:18:42.760970, 1]
../../auth/credentials/credentials_secrets.c:426(cli_credentials_set_machine_account_db_ctx)
Could not find machine account in secrets database: Failed to fetch machine account
password for OFFICE from both secrets.ldb (Could not find entry to match filter: '(&(f$
[2020/02/13 01:18:42.761022, 0]
../../source3/winbindd/winbindd_util.c:878(migrate_secrets_tdb_to_ldb)
Failed to fetch our own, local AD domain join password for winbindd's internal use, both
from secrets.tdb and secrets.ldb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2020/02/13 01:18:42.763761, 0] ../../source3/winbindd/winbindd_util.c:1217(init_domain_list)
Failed to migrate our own, local AD domain join password for winbindd's internal use into
secrets.tdb
[2020/02/13 01:18:42.764028, 0]
../../source3/winbindd/winbindd.c:1462(winbindd_register_handlers)
unable to initialize domain list

-----

A Windows server network trace shows several NbtNs "Registration Request"s around the
time of this failure. (which curiously are not answered on the port 137 by the W8K server -
this seems suspicious.)

But the lmhosts service is running on W8K and nbtstatus looks ok.
Also, the Windows firewall allows traffic on port 137 in both directions, so I can't explain this.

Very frustrating!
Rowland penny
2020-Feb-13 08:33 UTC
[Samba] Samba 4.11.6 cannot JOIN - 'Could not find machine account'
On 13/02/2020 01:37, Rick Hollinbeck via samba wrote:
> I'm still digging for the solution to this problem...
>
> The error seems to be triggered by some failure with talking to the NBTNS service (lmhosts)
> on the Windows machine. (Port 137)
>
> Here is the section of the winbindd log where it fails to fetch the machine account:
> ...
> [2020/02/13 01:18:42.759943, 3]
> ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain)
> add_trusted_domain: Added domain [OFFICE] [office.example.com]
> [S-1-5-21-3876585788-2465688680-3807591480]
> [2020/02/13 01:18:42.759997, 5] ../../source3/passdb/passdb.c:2396(get_trust_pw_clear2)
> get_trust_pw_clear2: could not fetch clear text trust account password for domain OFFICE
> [2020/02/13 01:18:42.760013, 5]
> ../../source3/passdb/machine_account_secrets.c:343(secrets_fetch_trust_account_password
> _legacy)
> secrets_fetch failed!
> [2020/02/13 01:18:42.760024, 5] ../../source3/passdb/passdb.c:2475(get_trust_pw_hash2)
> get_trust_pw_hash: could not fetch trust account password for domain OFFICE
> [2020/02/13 01:18:42.760896, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2020/02/13 01:18:42.760970, 1]
> ../../auth/credentials/credentials_secrets.c:426(cli_credentials_set_machine_account_db_ctx)
> Could not find machine account in secrets database: Failed to fetch machine account
> password for OFFICE from both secrets.ldb (Could not find entry to match filter: '(&(f$
> [2020/02/13 01:18:42.761022, 0]
> ../../source3/winbindd/winbindd_util.c:878(migrate_secrets_tdb_to_ldb)
> Failed to fetch our own, local AD domain join password for winbindd's internal use, both
> from secrets.tdb and secrets.ldb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> [2020/02/13 01:18:42.763761, 0] ../../source3/winbindd/winbindd_util.c:1217(init_domain_list)
> Failed to migrate our own, local AD domain join password for winbindd's internal use into
> secrets.tdb
> [2020/02/13 01:18:42.764028, 0]
> ../../source3/winbindd/winbindd.c:1462(winbindd_register_handlers)
> unable to initialize domain list
>
> -----
>
> A Windows server network trace shows several NbtNs "Registration Request"s around the
> time of this failure. (which curiously are not answered on the port 137 by the W8K server -
> this seems suspicious.)
>
> But the lmhosts service is running on W8K and nbtstatus looks ok.
> Also, the Windows firewall allows traffic on port 137 in both directions, so I can't explain this.
>
> Very frustrating!

From a log you posted earlier, there is this:

cli_credentials(OFFICE\administrator) without realm, cannot use kerberos for this connection host/SERVI.OFFICE.XXXXXXXXXXXX.COM

Perhaps try adding '@OFFICE.XXXXXXXXXXXX.COM' to the Administrator name in the join command.

Also, in the same log, you get a Python exception after it tries to access secrets.ldb and, lower down, there is this:

Join failed - cleaning up

In every other case that I have seen, it is the other way around, the join fails and then the exception occurs, it is an artefact of the failure and not the cause.

Rowland
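
Added example, not part of either post and not Samba project code: a small Python parser for the debug-log record format quoted in this thread. It lists the level 0 and 1 records in time order, so the first failure can be told apart from later artefacts of it. The sample log is constructed (trimmed from the excerpt above), and the names parse_records and failure_chain are hypothetical.

```python
import re
from datetime import datetime

# "[date time, LEVEL]" then "file.c:LINE(function)", which mail wrapping may push to the next line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+\.c):(\d+)\((\w*)")

# Constructed sample, trimmed from the excerpt quoted in the thread above.
SAMPLE = """\
[2020/02/13 01:18:42.759997, 5] ../../source3/passdb/passdb.c:2396(get_trust_pw_clear2)
get_trust_pw_clear2: could not fetch clear text trust account password for domain OFFICE
[2020/02/13 01:18:42.760970, 1]
../../auth/credentials/credentials_secrets.c:426(cli_credentials_set_machine_account_db_ctx)
Could not find machine account in secrets database
[2020/02/13 01:18:42.761022, 0]
../../source3/winbindd/winbindd_util.c:878(migrate_secrets_tdb_to_ldb)
Failed to fetch our own, local AD domain join password
[2020/02/13 01:18:42.764028, 0]
../../source3/winbindd/winbindd.c:1462(winbindd_register_handlers)
unable to initialize domain list
"""

def parse_records(text):
    """Group header, source location and message lines into one dict per record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                            "level": int(m.group(2)), "func": None, "msg": []})
            line = m.group(3)          # location may follow on the same line
        if not records or not line.strip():
            continue
        rec = records[-1]
        loc = LOCATION.match(line.strip())
        if loc and rec["func"] is None and not rec["msg"]:
            rec["func"] = loc.group(3)
        else:
            rec["msg"].append(line.strip())
    return records

def failure_chain(text, max_level=1):
    """Records at or below max_level, oldest first: the first one is where to start reading."""
    hits = [r for r in parse_records(text) if r["level"] <= max_level]
    return sorted(hits, key=lambda r: r["time"])

if __name__ == "__main__":
    for r in failure_chain(SAMPLE):
        print(r["time"].time(), r["level"], r["func"], "|", " ".join(r["msg"]))
```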