Rowland Penny
2022-Oct-31 14:14 UTC
[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
On 31/10/2022 14:03, Michael Tokarev wrote:
> 31.10.2022 16:27, Rowland Penny via samba wrote:
>> On 31/10/2022 13:07, Michael Tokarev via samba wrote:
> ..
>>> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
>>> backend 'tdb': Unable to open tdb
>>> '/var/lib/samba/private/secrets.ldb': No such file or directory
>>> Joined domain tls.msk.ru (S-1-5-21-411424318-379842365-2075518510)
>>> # _
>>>
>>> So it looks like it joined successfully (though it does not
>>> add a uid to the machine account), despite these error
>>> messages.
>>
>> The join doesn't add a Unix ID to a computers object:
>> 1) it is only used by the 'ad' idmap backend
>> 2) there is nowhere to find the next ID to use.
>
> Yeah it doesn't, and I remember coming across that already in the past
> debugging this issue, - I had to manually add uidNumber & gidNumber to
> the computer object.
> But I didn't add these attributes to all of them, - eg, another
> (non-test) server here (which also logs this very error message *a lot*,
> btw) does not have it either, while some windows machines have it.
>
> If it can not be added automatically but is required, maybe it is a good
> idea to add a warning somewhere at the end of `samba-tool domain join'
> output about that?

Sorry, but I am not going to try and fight that battle again.

>
>> Also why are you using such a low range ?
>
> Well, this is because you said many months ago that having local users
> with the same names as in AD is wrong. So I had to remove local users,
> but changing their UIDs is too problematic as it will result in *lots*
> of chown'ing. So I kept their UIDs the same as before.
>
>> By starting at 1000, you cannot have any local Unix users or groups.
>
> This is incorrect for two reasons.
>
> 1. Local unix users can have any UIDs too, not only 1000 and up.

I accept this, but a normal user doesn't want to jump through hoops to
create users, best to stick to standard practices.

>> You are going to need more than '99' for the default domain.
>
> This is interesting. So far I don't see any uids used in there. At least
> getent passwd 5000..50099 returns nothing (while getent passwd 1006 does
> return mjt-adm info). What are these user IDs used for, and when?

Microsoft has the concept of Well Known SIDs and there are nearly 200 of
these, they are mapped on a first come basis in the default '*' domain
.tdb file, there also needs to be space for anything outside your main
domain e.g. another domain.

Rowland
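The range argument in this reply (a '*' range wide enough for the nearly 200 well-known SIDs plus any foreign domain, and a domain range that does not start where local accounts start) is easy to check mechanically. The following is an added example written for this thread, not Samba code and not the poster's configuration: it parses the 'idmap config ... : range' lines of an smb.conf and reports those problems. The two smb.conf fragments are constructed (SAMDOM is a placeholder realm), and the 200-id headroom and the uid 1000 UID_MIN figure are this example's planning assumptions, not Samba defaults.

```python
"""Check the winbind idmap ranges in a Samba member's smb.conf.

Added example for this thread, not Samba code. It reads the
'idmap config <DOMAIN> : range = LOW-HIGH' lines and reports: a default
'*' range with no room for the nearly 200 well-known SIDs (winbind maps
them first come, first served into the '*' tdb, alongside any foreign
domain), a domain range that swallows the first ordinary local uid, and
ranges that overlap. Thresholds are assumptions, not Samba defaults.
"""
import re
from typing import Dict, List, Tuple

WELL_KNOWN_SID_HEADROOM = 200   # assumption: "nearly 200" well-known SIDs, plus slack
LOCAL_UID_START = 1000          # assumption: useradd's UID_MIN on most distributions

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom")] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def check_idmap_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[str]:
    """Return human-readable findings; an empty list means the layout looks sane."""
    findings: List[str] = []
    if "*" not in ranges:
        findings.append("no 'idmap config * : range' line: winbind has nowhere to map "
                        "well-known SIDs or trusted/foreign domains")
    else:
        lo, hi = ranges["*"]
        width = hi - lo + 1
        if width < WELL_KNOWN_SID_HEADROOM:
            findings.append(f"default '*' range {lo}-{hi} holds only {width} ids; "
                            f"well-known SIDs alone need roughly {WELL_KNOWN_SID_HEADROOM}")
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            findings.append(f"range for {dom!r} is inverted: {lo}-{hi}")
        elif lo <= LOCAL_UID_START <= hi:
            findings.append(f"range for {dom!r} ({lo}-{hi}) covers uid {LOCAL_UID_START}, "
                            "where useradd puts the first local account")
    # Overlap check: sort by low end and compare each range with its successor.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (l1, h1)), (d2, (l2, h2)) in zip(ordered, ordered[1:]):
        if l2 <= h1:
            findings.append(f"ranges for {d1!r} ({l1}-{h1}) and {d2!r} ({l2}-{h2}) overlap")
    return findings


# Constructed smb.conf fragments modelled on the layout discussed in the thread
# (placeholder realm; not the poster's actual file).
LOW_RANGE_CONF = """\
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 5000-5099
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 1000-4999
"""

WIKI_STYLE_CONF = """\
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
"""

if __name__ == "__main__":
    for name, conf in (("low-range", LOW_RANGE_CONF), ("wiki-style", WIKI_STYLE_CONF)):
        print(f"{name}: {check_idmap_ranges(parse_idmap_ranges(conf)) or ['ok']}")
```

To check a live member server, feed it the output of `testparm -s` rather than the raw smb.conf, so that includes and defaults are resolved the way winbind sees them.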
Michael Tokarev
2022-Oct-31 14:25 UTC
[Samba] samba-tool domain join: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
31.10.2022 17:14, Rowland Penny via samba wrote:
..
>>> The join doesn't add a Unix ID to a computers object:
>>> 1) it is only used by the 'ad' idmap backend
>>> 2) there is nowhere to find the next ID to use.
>>
>> Yeah it doesn't, and I remember coming across that already in the past
>> debugging this issue, - I had to manually add uidNumber & gidNumber to
>> the computer object.
>> But I didn't add these attributes to all of them, - eg, another
>> (non-test) server here (which also logs this very error message *a lot*,
>> btw) does not have it either, while some windows machines have it.
>>
>> If it can not be added automatically but is required, maybe it is a good
>> idea to add a warning somewhere at the end of `samba-tool domain join'
>> output about that?
>
> Sorry, but I am not going to try and fight that battle again.

Which battle? Are you saying it is absolutely wrong to print a warning if
samba-tool domain join were unable to assign uidNumber to the new object it
created? Hmm okay, I'll shut up now, because it looks like I don't
understand something fundamental...

..
>>> You are going to need more than '99' for the default domain.
>>
>> This is interesting. So far I don't see any uids used in there. At least
>> getent passwd 5000..50099 returns nothing (while getent passwd 1006 does
>> return mjt-adm info). What are these user IDs used for, and when?
>
> Microsoft has the concept of Well Known SIDs and there are nearly 200 of
> these, they are mapped on a first come basis in the default '*' domain
> .tdb file, there also needs to be space for anything outside your main
> domain e.g. another domain.

Are these 200 actually being used in a domain member? I specifically
assigned a relatively low range to see what goes in there, on a first come
basis, and there's still nothing in there (after almost a year of this AD
domain's operation). Maybe my setup is somehow wrong and these required
entries aren't being written? How do I debug this, given the lack of
entries in this "other" range?

Thanks, /mjt
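The earlier part of this exchange establishes that `samba-tool domain join` does not set uidNumber/gidNumber on the computer object, that only the 'ad' idmap backend uses them, and that they were added by hand to some computer objects but not others. Finding the stragglers is a one-off audit. The following is an added example written for this thread, not Samba code: it parses the LDIF that `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=computer)' uidNumber gidNumber` prints on a DC (ldapsearch output works the same way) and lists every computer object missing either attribute, plus any whose id falls outside the 'ad' range configured for the domain, since the ad backend only maps ids inside that range. The LDIF below is constructed sample data (placeholder domain, placeholder hosts), and the 10000-999999 range is an assumption for the demo.

```python
"""Audit AD computer objects for the RFC 2307 attributes the 'ad' idmap backend needs.

Added example for this thread, not Samba code. Input is the LDIF printed by
ldbsearch/ldapsearch for '(objectClass=computer)' with uidNumber and gidNumber
requested. Output is {dn: [problem, ...]} for objects that winbind's ad backend
cannot map cleanly: attribute missing, multi-valued, or id outside the range.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]           # attribute name (lower-cased) -> values
REQUIRED = ("uidNumber", "gidNumber")  # what 'idmap config DOM : backend = ad' reads


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: one entry per blank-line-separated block.

    Handles '#' comment/summary lines, 'attr:: base64' markers (kept as raw
    text; not needed for ids) and folded continuation lines starting with a space.
    """
    entries: List[Entry] = []
    current: Entry = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]   # LDIF line folding
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):              # 'attr:: <base64>' form
            value = value[1:]
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def audit_computers(ldif_text: str,
                    ad_range: Optional[Tuple[int, int]] = None) -> Dict[str, List[str]]:
    """Return {dn: [issues]} for every computer object the ad backend would not map."""
    problems: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        issues: List[str] = []
        for attr in REQUIRED:
            values = entry.get(attr.lower())
            if not values:
                issues.append(f"missing {attr}")
                continue
            if len(values) > 1:
                issues.append(f"{attr} has {len(values)} values; must be single-valued")
            if ad_range is not None:
                lo, hi = ad_range
                for v in values:
                    if not v.isdigit() or not lo <= int(v) <= hi:
                        issues.append(f"{attr}={v} outside 'ad' range {lo}-{hi}")
        if issues:
            problems[dn] = issues
    return problems


# Constructed ldbsearch-style output (placeholder domain and hosts), for demonstration only.
SAMPLE_LDIF = """\
# record 1
dn: CN=FILESRV01,CN=Computers,DC=samdom,DC=example,DC=com
uidNumber: 10101
gidNumber: 10513

# record 2
dn: CN=WS-ACCT-07,CN=Computers,DC=samdom,DC=example,DC=com

# record 3
dn: CN=OLDBOX,CN=Computers,DC=samdom,DC=example,DC=com
uidNumber: 1500
gidNumber: 10513

# returned 3 records
# 3 entries
# 0 referrals
"""

if __name__ == "__main__":
    # Assumed 'idmap config SAMDOM : range = 10000-999999' for the demo.
    for dn, issues in audit_computers(SAMPLE_LDIF, ad_range=(10000, 999999)).items():
        print(f"{dn}: {'; '.join(issues)}")
```

Objects that show up here are the ones winbind on an 'ad'-backend member will fail to map, whatever the '*' range looks like; the fix for each is to add the two attributes (or move the id into the configured range) on the DC.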