If I call 'net changesecretpw -f' with an empty secrets.tdb I get: # net changesecretpw -f Enter machine password: secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(ADBASEOS) failed Unable to write the machine account password in the secrets database Even after adding the Domain SID it fails: # net setdomainsid S-1-5-21-123-456-789 # net changesecretpw -f Enter machine password: secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(ADBASEOS) failed Unable to write the machine account password in the secrets database Only after adding: # tdbtool /var/lib/samba/private/secrets.tdb insert SECRETS/MACHINE_PASSWORD/ADBASEOS 1 # tdbtool /var/lib/samba/private/secrets.tdb insert SECRETS/MACHINE_LAST_CHANGE_TIME/ADBASEOS 1 It works: # net changesecretpw -f Enter machine password: Modified trust account password in secrets database Tools like msktutil or adcli may use 'net changesecretpw' to set the machine account password for Samba if they are used to join a domain or update the machine account password. While updating the password is still working, joining with an empty secrects.tdb currently fails but was working with older versions of Samba. If think the changes to solve https://bugzilla.samba.org/show_bug.cgi?id=12782 and https://bugzilla.samba.org/show_bug.cgi?id=13376 might have caused the change in behavior. Although I understand that 'change' in 'changesecretpw' somewhat implies that there already is something to change I would appreciate if 'changesecretpw' can be used to set the machine account password as well.
Reassign to Metze.
Closing as WONTFIX. We need to implement a 'net ads offlinejoin'. Please open a feature request for implementing this.
(In reply to Andreas Schneider from comment #2) I think the 'net primarytrust import' could be used when its ready, see https://lists.samba.org/archive/samba-technical/2019-January/132183.html