Different commands print ldb error messages when using the own machine account credentials. We should avoid this.

Example:

root@dm3:~# smbclient -L 127.0.0.1 -P
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk

smbclient uses by default the log level 1, which is used here for these error messages. So this is printed unless smbclient is called with "-d0".

With a log level of 1 also other tools print these error messages:

# samba-gpupdate -d1
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

Older Samba versions auto created a /var/lib/samba/private/secrets.ldb on access, so this does only happen on newer setups, where no secrets.ldb exists.
I have the same problem with a new installation on 4.14.5. Normal member server that acts as printserver. In the logs I see this:

[2021/07/06 08:39:36.246452, 1] ../../lib/ldb samba/ldb_wrap.c:79(ldb_wrap_debug)
Jul 06 08:39:36 printserver winbindd[1530]: ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

In the directory there is only a "secrets.tdb", not ldb. I have older installations that were updated to 4.14 and do not see this there.
This was done intentionally (not the error, but the behaviour) by:

commit 6cbd7d1a32cc7ccfb8d06eacdcade41d96b54519
Author: Stefan Metzmacher <metze@samba.org>
Date:   Tue Feb 4 16:16:48 2020 +0100

    s4:param: make sure secrets_db_connect() no longer creates on empty secrets.ldb

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>

    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Wed Feb  5 10:13:02 UTC 2020 on sn-devel-184

The new behaviour prints the error but doesn't create empty secrets.ldb files any more.

Sorry about that.
(In reply to Andrew Bartlett from comment #2)

So, why is this done this way? The new behavior is scaring users.

Samba does create quite some files which it is not using - for example, on my system there are /var/cache/samba/netsamlogon_cache.tdb and ../smbprofile.tdb which are always empty; there are quite a few files in /run/samba/ which are caches but empty as well. For the latter - /run/samba/*.tdb - samba even requires /run/samba/ dir to be PRE-created, or else testparm errors out, even if all daemons create this directory on demand now (and my patch to testparm to change this from error to warning (I still think the whole test is pointless and just gives users false concerns) got not a single comment, just like my patch to move sockets out of /var/lib/samba to /run/samba where they belong).

If we stopped creating this file on demand, we should stop the errors too, because it is obviously okay to have no secrets.ldb file. Or we should create it. The current state is just wrong. In my opinion anyway. Do you disagree?
Today I joined a Samba 4.16.5 to a Samba AD domain. This succeeded, although several errors were printed about missing ldb files. After joining, it was not possible to connect to the member server (I kept getting a "tree connect failed: NT_STATUS_UNSUCCESSFUL" error). After creating an empty secrets.ldb and an empty sam.ldb on the member server, it became possible to connect. Commands issued were:

ldbadd -H /var/lib/samba/private/secrets.ldb </dev/null
ldbadd -H /var/lib/samba/private/sam.ldb </dev/null

So at least in our case this was a bit more than just a scary error message. If needed, I can probably reproduce this and provide more information.
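
Added example, not part of any comment in this report and not Samba project code: a shell triage helper that extracts the ldb paths a log reports as missing and classifies each one as absent, tdb-only (only the sibling .tdb exists, the state one commenter describes) or present. The function names and the optional root-prefix argument (for checking a mounted image or chroot) are assumptions made for illustration, and the sample log lines are constructed from the messages quoted above.

```shell
#!/bin/sh
# Constructed sample input, built from the messages quoted in this report.
sample_log() {
    cat <<'EOF'
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
Jul 06 08:39:36 printserver winbindd[1530]: ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
Jul 06 08:39:37 printserver smbd[1544]: unrelated line that must be ignored
EOF
}

# Read log text on stdin, print each distinct path reported as missing.
# Both message forms ("Unable to open" and "Failed to connect") carry the
# same "Unable to open tdb '<path>'" tail, so one pattern covers them.
missing_ldb_paths() {
    sed -n "s/.*Unable to open tdb '\([^']*\)': No such file or directory.*/\1/p" |
        sort -u
}

# Classify one reported path. $2 is an optional root prefix (hypothetical
# convenience for inspecting a mounted image instead of the live system).
#   present  - the .ldb exists now, the log message is stale
#   tdb-only - no .ldb, but the sibling .tdb exists
#   absent   - neither file exists
classify_ldb_path() {
    ldb="${2:-}$1"
    tdb="${ldb%.ldb}.tdb"
    if [ -e "$ldb" ]; then
        echo present
    elif [ -e "$tdb" ]; then
        echo tdb-only
    else
        echo absent
    fi
}

# Read a log on stdin and print "<state> <path>" for every distinct path.
triage_log() {
    missing_ldb_paths | while IFS= read -r p; do
        printf '%s %s\n' "$(classify_ldb_path "$p" "${1:-}")" "$p"
    done
}
```

On a live member server, something like `journalctl -u winbind | triage_log` (the unit name varies by distribution) gives one line per missing database, which separates the log-noise case from hosts where the file state deserves a closer look.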