Problem: 96univention-samba4.inst fails with Unable to open tdb

Problem:

96univention-samba4.inst fails with:

Join failed - cleaning up
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not open secrets.ldb and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Investigation:

In many cases, the join.log output regarding the missing secrets.ldb is a red herring: that database is supposed to be created by the join scripts, so something went wrong before that final error message.

The important thing is to check /var/log/samba/log.samba on the UCS system that the Samba AD/DC is joining. In the case of Ticket#2024040221000066, for example, that file showed an error message which was the only visible clue about the origin of the problem.

Usually the messages in join.log from 96univention-samba4.inst (output by the command samba-tool domain join) show which UCS Samba/AD DC the joining system selected to join. In most cases this is the UCS Primary Directory Node. In addition to checking log.samba on that primary system, it can also be useful to check the Samba/AD database there, e.g. like this:

samba-tool dbcheck --cross-ncs --fix --yes
samba-tool dbcheck --cross-ncs --reindex

Example output from Ticket#2024040221000066 (less /var/log/samba/log.samba):

[2024/04/03 11:13:28.249189, 0, pid=1415] …/…/source4/dsdb/samdb/ldb_modules/samldb.c:3826(check_spn_alias_collision)
check_spn_alias_collision: trying to add SPN 'HOST/replica01.schein.me' on 'CN=replica01,OU=Domain Controllers,DC=schein,DC=me' when 'http/replica01.schein.me' is on 'CN=http-proxy-replica01,CN=Users,DC=schein,DC=me'
[2024/04/03 11:13:28.249212, 0, pid=1415] …/…/source4/dsdb/samdb/ldb_modules/samldb.c:4007(samldb_spn_uniqueness_check)
samldb_spn_uniqueness_check: SPN HOST/replica01.schein.me failed alias uniqueness check
[2024/04/03 11:13:33.567406, 1, pid=1353] …/…/source4/dsdb/repl/drepl_out_helpers.c:795(dreplsrv_op_pull_retry_with_flags)
Missing target object when we didn't set the DRSUAPI_DRS_GET_TGT flag, retrying

Solution for Ticket#2024040221000066:

Check for the duplicate SPN:

univention-s4search servicePrincipalName='HTTP/replica01.schein.me'

Remove the duplicate entry on the primary; it can/will be re-added after the successful join.

ldbdel -H /var/lib/samba/private/sam.ldb CN=http-proxy-replica01,CN=Users,DC=schein,DC=me

The root cause in Ticket#2024040221000066 was an initial attempt to install squid with Kerberos before samba4 was installed. This created the entry on the master and blocked the samba join script. AD has an alias mechanism for SPNs which aliases HTTP/ with HOST/ (see univention-s4search --cross-ncs sPNMappings=* sPNMappings).
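As an added example (not from the original post and not Univention's own tooling), a small Python helper that pulls the SPN being added, the conflicting SPN and the DN holding it out of log.samba lines like the ones above, and builds the check and cleanup commands described in the solution. The sample log text is constructed from the excerpt above; the sam.ldb path is the one the post uses.

```python
import re
import shlex

# Constructed sample, modelled on the log.samba excerpt from the ticket above.
SAMPLE_LOG = """\
[2024/04/03 11:13:28.249189,  0, pid=1415] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3826(check_spn_alias_collision)
  check_spn_alias_collision: trying to add SPN 'HOST/replica01.schein.me' on 'CN=replica01,OU=Domain Controllers,DC=schein,DC=me' when 'http/replica01.schein.me' is on 'CN=http-proxy-replica01,CN=Users,DC=schein,DC=me'
[2024/04/03 11:13:28.249212,  0, pid=1415] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4007(samldb_spn_uniqueness_check)
  samldb_spn_uniqueness_check: SPN HOST/replica01.schein.me failed alias uniqueness check
[2024/04/03 11:13:33.567406,  1, pid=1353] ../../source4/dsdb/repl/drepl_out_helpers.c:795(dreplsrv_op_pull_retry_with_flags)
  Missing target object when we didn't set the DRSUAPI_DRS_GET_TGT flag, retrying
"""

# Matches the samldb alias-collision message: new SPN / its DN, existing SPN / its DN.
COLLISION_RE = re.compile(
    r"check_spn_alias_collision: trying to add SPN '(?P<new_spn>[^']+)' on '(?P<new_dn>[^']+)'"
    r" when '(?P<existing_spn>[^']+)' is on '(?P<existing_dn>[^']+)'"
)

SAM_LDB = "/var/lib/samba/private/sam.ldb"


def find_spn_collisions(log_text):
    """Return one dict per alias collision found in the log text."""
    return [m.groupdict() for m in COLLISION_RE.finditer(log_text)]


def suggest_commands(collision, sam_ldb=SAM_LDB):
    """Build the search command to confirm the duplicate and the ldbdel to remove
    the object holding the aliased SPN, shell-quoted so DNs with spaces survive."""
    search = "univention-s4search " + shlex.quote(
        "servicePrincipalName=" + collision["existing_spn"])
    delete = "ldbdel -H " + shlex.quote(sam_ldb) + " " + shlex.quote(collision["existing_dn"])
    return [search, delete]


if __name__ == "__main__":
    for c in find_spn_collisions(SAMPLE_LOG):
        print(f"{c['new_spn']} on {c['new_dn']} collides with "
              f"{c['existing_spn']} on {c['existing_dn']}")
        for cmd in suggest_commands(c):
            print("  " + cmd)
```

Run it against the real file with `python3 spn_collisions.py < /var/log/samba/log.samba` after replacing SAMPLE_LOG with `sys.stdin.read()`; the ldbdel line is printed for review, not executed.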
