Bug 13577 - net changesecretpw cannot set the machine account password if secrets.tdb is empty
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.8.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
Reported: 2018-08-16 16:17 UTC by Sumit Bose
Modified: 2019-10-18 15:49 UTC

Description Sumit Bose 2018-08-16 16:17:44 UTC
If I call 'net changesecretpw -f' with an empty secrets.tdb I get:

# net changesecretpw -f
Enter machine password: 
secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(ADBASEOS) failed
Unable to write the machine account password in the secrets database

Even after adding the Domain SID it fails:

# net setdomainsid S-1-5-21-123-456-789
# net changesecretpw -f
Enter machine password: 
secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(ADBASEOS) failed
Unable to write the machine account password in the secrets database

Only after adding:

# tdbtool /var/lib/samba/private/secrets.tdb insert SECRETS/MACHINE_PASSWORD/ADBASEOS 1
# tdbtool /var/lib/samba/private/secrets.tdb insert SECRETS/MACHINE_LAST_CHANGE_TIME/ADBASEOS 1

It works:

# net changesecretpw -f
Enter machine password: 
Modified trust account password in secrets database


Tools like msktutil or adcli may use 'net changesecretpw' to set the machine account password for Samba if they are used to join a domain or update the machine account password. While updating the password is still working, joining with an empty secrets.tdb currently fails but was working with older versions of Samba. I think the changes to solve https://bugzilla.samba.org/show_bug.cgi?id=12782 and https://bugzilla.samba.org/show_bug.cgi?id=13376 might have caused the change in behavior.

Although I understand that 'change' in 'changesecretpw' somewhat implies that there already is something to change I would appreciate if 'changesecretpw' can be used to set the machine account password as well.
Comment 1 Alexander Bokovoy 2018-08-16 16:23:49 UTC
Reassign to Metze.
Comment 2 Andreas Schneider 2019-02-12 13:50:35 UTC
Closing as WONTFIX.

We need to implement a 'net ads offlinejoin'. Please open a feature request for implementing this.
Comment 3 Stefan Metzmacher 2019-02-12 19:14:41 UTC
(In reply to Andreas Schneider from comment #2)

I think the 'net primarytrust import' could be used when it's ready, see
https://lists.samba.org/archive/samba-technical/2019-January/132183.html