Bug 14657 - Use of machine account creds leads to "ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory" error messages
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.14.0rc4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-09 11:57 UTC by Björn Baumbach
Modified: 2024-02-09 10:36 UTC

See Also:

Description Björn Baumbach 2021-03-09 11:57:59 UTC
Different commands print ldb error messages when using the machine's own account credentials. We should avoid this.

Example:

root@dm3:~# smbclient -L 127.0.0.1 -P
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk


By default smbclient uses log level 1, which is the level these error messages are logged at, so they are printed unless smbclient is called with "-d0".

With a log level of 1 also other tools print these error messages:

# samba-gpupdate -d1
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

Older Samba versions auto-created /var/lib/samba/private/secrets.ldb on access, so this only happens on newer setups, where no secrets.ldb exists.
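As an added example (not part of the bug report or of Samba), the following parses the ldb_wrap messages quoted above out of a log and collapses them into one entry per ldb file with the reason and a repeat count, so an administrator can see at a glance whether a log only contains the "No such file or directory" complaint about secrets.ldb discussed here or something else. The sample log lines are constructed from the report plus one invented "Permission denied" line.

```python
import re
from collections import OrderedDict

# The ldb_wrap message quoted in the report always ends in this form, whether
# printed on its own or embedded in the "Failed to connect ... with backend
# 'tdb'" variant, so one pattern covers both lines; re.search also skips any
# journald or log.winbindd prefix in front of "ldb:".
LDB_OPEN_ERR = re.compile(r"Unable to open tdb '(?P<path>[^']+)': (?P<reason>.+)$")


def parse_ldb_error(line):
    """Return (path, reason) from one ldb error line, or None if it is not one."""
    m = LDB_OPEN_ERR.search(line)
    return (m.group("path"), m.group("reason")) if m else None


def summarize_ldb_errors(lines):
    """Collapse repeated errors into {path: {"reason": str, "count": int}}.

    A log that repeats the same secrets.ldb complaint hundreds of times then
    shows up as a single entry. 'No such file or directory' on secrets.ldb is
    the case this bug is about; any other reason points at a different problem.
    """
    found = OrderedDict()
    for line in lines:
        parsed = parse_ldb_error(line)
        if parsed is None:
            continue
        path, reason = parsed
        entry = found.setdefault(path, {"reason": reason, "count": 0})
        entry["count"] += 1
    return found


def missing_file_errors(summary):
    """Paths whose only complaint is that the file does not exist."""
    return [p for p, e in summary.items() if e["reason"] == "No such file or directory"]


# Constructed sample log: the lines quoted in this bug (smbclient output and the
# journald-prefixed winbindd line) plus one invented 'Permission denied' line.
SAMPLE_LOG = [
    "ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory",
    "ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': "
    "Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory",
    "Jul 06 08:39:36 printserver winbindd[1530]:   ldb: Failed to connect to "
    "'/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb "
    "'/var/lib/samba/private/secrets.ldb': No such file or directory",
    "ldb: Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied",  # constructed
    "        Sharename       Type      Comment",  # ordinary smbclient output, ignored
]

if __name__ == "__main__":
    for path, entry in summarize_ldb_errors(SAMPLE_LOG).items():
        print(f"{path}: {entry['reason']} (x{entry['count']})")
```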
Comment 1 Christian Naumer 2021-07-06 07:11:08 UTC
I have the same problem with a new installation on 4.14.5.

Normal member server that acts as print server. In the logs I see this:

[2021/07/06 08:39:36.246452,  1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
Jul 06 08:39:36 printserver winbindd[1530]:   ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory


In the directory there is only a "secrets.tdb" not ldb.

I have older installations that were updated to 4.14 and do not see this there.
Comment 2 Andrew Bartlett 2021-07-06 09:47:11 UTC
This was done intentionally (not the error, but the behaviour) by:

commit 6cbd7d1a32cc7ccfb8d06eacdcade41d96b54519
Author: Stefan Metzmacher <metze@samba.org>
Date:   Tue Feb 4 16:16:48 2020 +0100

    s4:param: make sure secrets_db_connect() no longer creates on empty secrets.ldb
    
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Wed Feb  5 10:13:02 UTC 2020 on sn-devel-184

The new behaviour prints the error but doesn't create empty secrets.ldb files any more.

Sorry about that.
Comment 3 Michael Tokarev 2022-11-21 08:16:32 UTC
(In reply to Andrew Bartlett from comment #2)

So, why is this done this way? The new behavior is scaring users.

Samba does create quite some files which it is not using - for example, on my system there are /var/cache/samba/netsamlogon_cache.tdb and ../smbprofile.tdb which are always empty; there are quite a few files in /run/samba/ which are caches but empty as well.  For the latter - /run/samba/*.tdb - samba even requires the /run/samba/ dir to be PRE-created, or else testparm errors out, even if all daemons create this directory on demand now (and my patch to testparm to change this from an error to a warning (I still think the whole test is pointless and just gives users false concerns) did not get a single comment, just like my patch to move sockets out of /var/lib/samba to /run/samba where they belong).

If we stopped creating this file on demand, we should stop the errors too, because it is obviously okay to have no secrets.ldb file. Or we should create it.  The current state is just wrong. In my opinion anyway.

Do you disagree?
Comment 4 Roel van Meer 2022-11-23 20:02:27 UTC
Today I joined a Samba 4.16.5 to a Samba AD domain. This succeeded, although several errors were printed about missing ldb files. After joining, it was not possible to connect to the member server (I kept getting a "tree connect failed: NT_STATUS_UNSUCCESSFUL" error).

After creating an empty secrets.ldb and an empty sam.ldb on the member server, it became possible to connect.

Commands issued were:
  ldbadd -H /var/lib/samba/private/secrets.ldb </dev/null
  ldbadd -H /var/lib/samba/private/sam.ldb </dev/null

So at least in our case this was a bit more than just a scary error message.

If needed, I can probably reproduce this and provide more information.