Bug 13577 - net changesecretpw cannot set the machine account password if secrets.tdb is empty
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.8.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2018-08-16 16:17 UTC by Sumit Bose
Modified: 2024-01-31 20:42 UTC

Attachments
Backport for v4-18-test and v4-19-test (39.56 KB, patch)
2023-09-07 15:22 UTC, Samuel Cabrero
gd: review+

Description Sumit Bose 2018-08-16 16:17:44 UTC
If I call 'net changesecretpw -f' with an empty secrets.tdb I get:

# net changesecretpw -f
Enter machine password: 
secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(ADBASEOS) failed
Unable to write the machine account password in the secrets database

Even after adding the Domain SID it fails:

# net setdomainsid S-1-5-21-123-456-789
# net changesecretpw -f
Enter machine password: 
secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(ADBASEOS) failed
Unable to write the machine account password in the secrets database

Only after adding:

# tdbtool /var/lib/samba/private/secrets.tdb insert SECRETS/MACHINE_PASSWORD/ADBASEOS 1
# tdbtool /var/lib/samba/private/secrets.tdb insert SECRETS/MACHINE_LAST_CHANGE_TIME/ADBASEOS 1

It works:

# net changesecretpw -f
Enter machine password: 
Modified trust account password in secrets database


Tools like msktutil or adcli may use 'net changesecretpw' to set the machine account password for Samba if they are used to join a domain or update the machine account password. While updating the password is still working, joining with an empty secrets.tdb currently fails but was working with older versions of Samba. I think the changes to solve https://bugzilla.samba.org/show_bug.cgi?id=12782 and https://bugzilla.samba.org/show_bug.cgi?id=13376 might have caused the change in behavior.

Although I understand that 'change' in 'changesecretpw' somewhat implies that there already is something to change, I would appreciate it if 'changesecretpw' can be used to set the machine account password as well.
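Added example, not part of the original report and not Samba code: a pre-flight check a join tool could run before calling 'net changesecretpw' on an affected version, listing which of the two keys named above are absent. It assumes the text layout printed by tdbdump (`key(N) = "..."` lines); the function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Samba code): list which machine-account keys from this
# report are absent from secrets.tdb, reading tdbdump-style text on stdin.

# The two keys the reporter had to pre-create; domain names are upper-cased
# to match the key names shown in the report.
required_keys() {
    dom=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf 'SECRETS/MACHINE_PASSWORD/%s\n' "$dom"
    printf 'SECRETS/MACHINE_LAST_CHANGE_TIME/%s\n' "$dom"
}

# Print every required key for domain $1 that is missing from the dump.
# Only 'key(N) = "..."' lines are parsed; 'data' lines are discarded, so
# secret values never reach the output.
missing_keys() {
    keys=$(sed -n 's/^key([0-9]*) = "\(.*\)"$/\1/p')
    required_keys "$1" | while IFS= read -r want; do
        printf '%s\n' "$keys" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: state after 'net setdomainsid' only.
SAMPLE_SID_ONLY='{
key(20) = "SECRETS/SID/ADBASEOS"
data(9) = "(omitted)"
}'

# Constructed sample: both machine-account keys present.
SAMPLE_COMPLETE='{
key(33) = "SECRETS/MACHINE_PASSWORD/ADBASEOS"
data(9) = "(omitted)"
}
{
key(41) = "SECRETS/MACHINE_LAST_CHANGE_TIME/ADBASEOS"
data(9) = "(omitted)"
}'

echo "missing with SID only:"
printf '%s\n' "$SAMPLE_SID_ONLY" | missing_keys adbaseos
echo "missing with both keys present:"
printf '%s\n' "$SAMPLE_COMPLETE" | missing_keys ADBASEOS

# Against a real database (run as root; path as in the report):
#   tdbdump /var/lib/samba/private/secrets.tdb | missing_keys ADBASEOS
```

An empty result means both keys exist and 'net changesecretpw -f' should not hit the failure shown above.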
Comment 1 Alexander Bokovoy 2018-08-16 16:23:49 UTC
Reassign to Metze.
Comment 2 Andreas Schneider 2019-02-12 13:50:35 UTC
Closing as WONTFIX.

We need to implement a 'net ads offlinejoin'. Please open a feature request for implementing this.
Comment 3 Stefan Metzmacher 2019-02-12 19:14:41 UTC
(In reply to Andreas Schneider from comment #2)

I think the 'net primarytrust import' could be used when it's ready, see
https://lists.samba.org/archive/samba-technical/2019-January/132183.html
Comment 4 Samuel Cabrero 2023-08-21 15:03:12 UTC
Hi,

what would be the correct way to fix this nowadays? The 'net primarytrust import' patchset was not merged but on the other hand we have offline joins now.

Adding a new netapi function to generate an ODJ blob passing in all required information seems a bit overkill to me.

Maybe pass an "initdb" flag to secrets_prepare_password_change() to pre-create these keys if they do not exist?
Comment 5 Samba QA Contact 2023-09-05 22:12:03 UTC
This bug was referenced in samba master:

Comment 6 Samuel Cabrero 2023-09-07 15:22:25 UTC
Created attachment 18083
Backport for v4-18-test and v4-19-test
Comment 7 Guenther Deschner 2023-11-29 14:28:27 UTC
Comment on attachment 18083
Backport for v4-18-test and v4-19-test

LGTM, RB+
Comment 8 Guenther Deschner 2023-11-29 14:29:34 UTC
Jule, please add to 4.18 and 4.19, patch applies and compiles cleanly.
Comment 9 Jule Anger 2023-11-29 14:51:22 UTC
Pushed to autobuild-v4-{19,18}-test.
Comment 10 Samba QA Contact 2023-11-29 15:56:03 UTC
This bug was referenced in samba v4-18-test:

Comment 11 Samba QA Contact 2023-11-29 16:00:03 UTC
This bug was referenced in samba v4-19-test:

Comment 12 Jule Anger 2023-11-29 20:09:45 UTC
Closing out bug report.

Thanks!
Comment 13 Samba QA Contact 2024-01-08 14:38:41 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.4):

Comment 14 Samba QA Contact 2024-01-31 20:42:13 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.10):
