If I call 'net changesecretpw -f' with an empty secrets.tdb I get:

# net changesecretpw -f
Enter machine password:
secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(ADBASEOS) failed
Unable to write the machine account password in the secrets database

Even after adding the Domain SID it fails:

# net setdomainsid S-1-5-21-123-456-789
# net changesecretpw -f
Enter machine password:
secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(ADBASEOS) failed
Unable to write the machine account password in the secrets database

Only after adding:

# tdbtool /var/lib/samba/private/secrets.tdb insert SECRETS/MACHINE_PASSWORD/ADBASEOS 1
# tdbtool /var/lib/samba/private/secrets.tdb insert SECRETS/MACHINE_LAST_CHANGE_TIME/ADBASEOS 1

It works:

# net changesecretpw -f
Enter machine password:
Modified trust account password in secrets database

Tools like msktutil or adcli may use 'net changesecretpw' to set the machine account password for Samba if they are used to join a domain or update the machine account password. While updating the password is still working, joining with an empty secrets.tdb currently fails but was working with older versions of Samba.

I think the changes to solve https://bugzilla.samba.org/show_bug.cgi?id=12782 and https://bugzilla.samba.org/show_bug.cgi?id=13376 might have caused the change in behavior.

Although I understand that 'change' in 'changesecretpw' somewhat implies that there already is something to change, I would appreciate if 'changesecretpw' can be used to set the machine account password as well.
Reassign to Metze.
Closing as WONTFIX. We need to implement a 'net ads offlinejoin'. Please open a feature request for implementing this.
(In reply to Andreas Schneider from comment #2) I think the 'net primarytrust import' could be used when it's ready, see https://lists.samba.org/archive/samba-technical/2019-January/132183.html
Hi, what would be the correct way to fix this nowadays? The 'net primarytrust import' patchset was not merged, but on the other hand we have offline joins now. Adding a new netapi function to generate an ODJ blob passing in all required information seems a bit overkill to me. Maybe pass an "initdb" flag to secrets_prepare_password_change() to pre-create these keys if they do not exist?
This bug was referenced in samba master.
Created attachment 18083: Backport for v4-18-test and v4-19-test
Comment on attachment 18083 (Backport for v4-18-test and v4-19-test): LGTM, RB+
Jule, please add to 4.18 and 4.19, patch applies and compiles cleanly.
Pushed to autobuild-v4-{19,18}-test.
This bug was referenced in samba v4-18-test.
This bug was referenced in samba v4-19-test.
Closing out bug report. Thanks!
This bug was referenced in samba v4-19-stable (Release samba-4.19.4).
This bug was referenced in samba v4-18-stable (Release samba-4.18.10).