Michael Tokarev
2022-Oct-31 13:07 UTC
[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
I came across an interesting thing here.
When joining to a samba AD DC domain with samba-tool domain join,
it gives the error message at the end, and later, winbindd
does the same thing a *lot*.
# samba-tool domain join tls.msk.ru -U mjt-adm
Password for [TLS\mjt-adm]:
libnet_join_precreate_machine_acct: Machine account successfully created
join: struct secrets_domain_infoB
[skip large dump of struct secrets_domain_infoB...]
Host account for WH does not have msDS-AdditionalDnsHostName.
Host account for WH does not have msDS-AdditionalDnsHostName.
Host account for WH does not have msDS-AdditionalDnsHostName.
Host account for WH does not have msDS-AdditionalDnsHostName.
Host account for WH does not have msDS-AdditionalDnsHostName.
Host account for WH does not have msDS-AdditionalDnsHostName.
Host account for WH does not have msDS-AdditionalDnsHostName.
Host account for WH does not have msDS-AdditionalDnsHostName.
Host account for WH does not have msDS-AdditionalDnsHostName.
Host account for WH does not have msDS-AdditionalDnsHostName.
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
backend 'tdb': Unable to open tdb
'/var/lib/samba/private/secrets.ldb': No such
file or directory
Joined domain tls.msk.ru (S-1-5-21-411424318-379842365-2075518510)
# _
So it looks like it joined successfully (though it does not
add a uid to the machine account), despite these error
messages.
However, after starting winbindd and smbd, and trying to
connect to the new member server, the following errors
are logged in /var/log/samba/log.wb-TLS:
[2022/10/31 16:02:43.434454, 1]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
file or directory
[2022/10/31 16:02:43.434499, 1]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
backend 'tdb': Unable to open tdb
'/var/lib/samba/private/secrets.ldb': No such
file or directory
[2022/10/31 16:02:43.961810, 1]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
file or directory
[2022/10/31 16:02:43.961859, 1]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
backend 'tdb': Unable to open tdb
'/var/lib/samba/private/secrets.ldb': No such
file or directory
...
And indeed, there's only secrets.tdb there, but not secrets.ldb.
When rejoining the domain, I clear all files in /var/lib/samba, /var/cache/samba
and /run/samba, so it is all fresh new.
What's wrong?
Thanks!
/mjt
smb.conf:
# Global parameters
[global]
dedicated keytab file = /etc/krb5.keytab
disable spoolss = Yes
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
log level = 1
max log size = 1000
netbios name = WH
realm = TLS.MSK.RU
workgroup = TLS
security = ADS
server role = member server
winbind use default domain = Yes
idmap config tls : backend = ad
idmap config tls : range = 1000-4999
idmap config tls : schema_mode = rfc2307
idmap config tls : unix_primary_group = yes
idmap config * : backend = tdb
idmap config * : range = 5000-5099
hosts allow = 192.168.177.0/26 127.0.0.0/8
[homes]
browseable = No
comment = Home Directories
read only = No
Rowland Penny
2022-Oct-31 13:27 UTC
[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
On 31/10/2022 13:07, Michael Tokarev via samba wrote:
> I came across an interesting thing here.
>
> When joining to a samba AD DC domain with samba-tool domain join,
> it gives the error message at the end, and later, winbindd
> does the same thing a *lot*.
>
> # samba-tool domain join tls.msk.ru -U mjt-adm
> Password for [TLS\mjt-adm]:
> libnet_join_precreate_machine_acct: Machine account successfully created
>     join: struct secrets_domain_infoB
> [skip large dump of struct secrets_domain_infoB...]
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> Host account for WH does not have msDS-AdditionalDnsHostName.
> ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
> file or directory

That is a bug. Not that the .ldb file doesn't exist; it doesn't exist on a Unix domain member.
However, it shouldn't log that it cannot find something that is known not to exist.

> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb':
> No such file or directory
> Joined domain tls.msk.ru (S-1-5-21-411424318-379842365-2075518510)
> # _
>
> So it looks like it joined successfully (though it does not
> add a uid to the machine account), despite these error
> messages.

The join doesn't add a Unix ID to a computers object:
1) it is only used by the 'ad' idmap backend
2) there is nowhere to find the next ID to use.

> However, after starting winbindd and smbd, and trying to
> connect to the new member server, the following errors
> are logged in /var/log/samba/log.wb-TLS:
>
> [2022/10/31 16:02:43.434454,  1]
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>   ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
> file or directory
> [2022/10/31 16:02:43.434499,  1]
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>   ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb':
> No such file or directory
> [2022/10/31 16:02:43.961810,  1]
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>   ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
> file or directory
> [2022/10/31 16:02:43.961859,  1]
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>   ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb':
> No such file or directory
> ...
>

At one time, on a Unix domain member, just doing something that would ask for secrets.ldb would result in an empty file being created. This was stopped some time ago.

> And indeed, there's only secrets.tdb there, but not secrets.ldb.
>
> When rejoining the domain, I clear all files in /var/lib/samba,
> /var/cache/samba
> and /run/samba, so it is all fresh new.
>
> What's wrong?
>
> Thanks!
>
> /mjt
>
> smb.conf:
> # Global parameters
> [global]
>         dedicated keytab file = /etc/krb5.keytab
>         disable spoolss = Yes
>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         log level = 1
>         max log size = 1000
>         netbios name = WH
>         realm = TLS.MSK.RU
>         workgroup = TLS
>         security = ADS
>         server role = member server
>         winbind use default domain = Yes
>         idmap config tls : backend = ad
>         idmap config tls : range = 1000-4999

Have you added uidNumber & gidNumber attributes to your AD? They are not added automatically. Also, why are you using such a low range? By starting at 1000, you cannot have any local Unix users or groups.

>         idmap config tls : schema_mode = rfc2307
>         idmap config tls : unix_primary_group = yes
>         idmap config * : backend = tdb
>         idmap config * : range = 5000-5099

You are going to need more than '99' for the default domain.

>         hosts allow = 192.168.177.0/26 127.0.0.0/8
> [homes]
>         browseable = No
>         comment = Home Directories
>         read only = No
>
>

Rowland
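The two idmap problems Rowland points out (a domain range that starts at the local UID_MIN of 1000, and a default '*' range with only 100 IDs) can be checked mechanically before winbindd is started. The following is an added example, not code from this thread or from Samba: it parses the idmap range lines from the posted smb.conf, flags those two issues plus overlapping ranges, and compares against assumed corrected values; the UID_MIN, the minimum default-range size and the corrected ranges are all assumptions, not taken from the thread.

```python
import re

# Constructed sample input: the idmap range lines from the smb.conf posted in the thread.
CONF_FROM_POST = """
[global]
        idmap config tls : range = 1000-4999
        idmap config * : range = 5000-5099
"""

# Assumed corrected ranges (illustrative, not from the thread): domain range well
# above local users, and a default range with room for BUILTIN and the like.
CONF_FIXED = """
[global]
        idmap config tls : range = 10000-999999
        idmap config * : range = 3000-7999
"""

_RANGE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Map each 'idmap config X : range' line to (low, high); key is lowercased."""
    ranges = {}
    for line in conf.splitlines():
        m = _RANGE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_idmap_ranges(conf, local_uid_min=1000, min_default_ids=1000):
    """Return a list of findings; an empty list means the ranges pass.
    local_uid_min: assumed UID_MIN from /etc/login.defs (1000 on Debian).
    min_default_ids: assumed lower bound on the size of the '*' range."""
    ranges = parse_idmap_ranges(conf)
    names = sorted(ranges)
    findings = []
    for i, a in enumerate(names):
        lo, hi = ranges[a]
        if lo <= local_uid_min:
            findings.append(f"{a}: starts at {lo}, no room for local Unix users "
                            f"above UID_MIN {local_uid_min}")
        for b in names[i + 1:]:  # winbind rejects overlapping idmap ranges
            blo, bhi = ranges[b]
            if lo <= bhi and blo <= hi:
                findings.append(f"{a} and {b}: ranges overlap")
    if "*" not in ranges:
        findings.append("*: no default idmap range configured")
    elif (size := ranges["*"][1] - ranges["*"][0] + 1) < min_default_ids:
        findings.append(f"*: default range has only {size} IDs")
    return findings
```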