On Thu, Sep 15, 2016 at 03:07:07AM +0000, Joakim Tjernlund wrote:
> On Wed, 2016-09-14 at 10:39 +0200, Sumit Bose wrote:
> > On Tue, Sep 13, 2016 at 01:43:06PM +0000, Joakim Tjernlund wrote:
> > > ...
> > >
> > > I swapped the computer to our new domain and now winbind could not find
> > > its SID:
> > > "Could not fetch our SID - did we join?"
> > > no matter what I did.
> >
> > How did you join the domain? adcli (currently) does not add some needed
> > data to Samba's internal databases, you have to use 'net ads join' or
> > tell realmd to use Samba as membership-software.
>
> Lost this for a while, found it now :)
> I used adcli, can you be a bit more specific? Is it a DB (which?) under
> /var/lib/samba/ ?
There is more than one. There is e.g. /var/lib/samba/private/secrets.tdb
which stores the machine password, iirc the domain SIDs are stored in
/var/lib/samba/gencache.tdb. Btw, you can set the domain SID with
'net setdomainsid' but this won't help much because you need the machine
account password as well. And although you can set it with
'net changesecretpw' it would be hard to recover the random password adcli
used during the join.

> How can samba store such vital info there ?

Where else? Please note that SSSD as well stores the domain SID and other
information in the "internal" database, aka the cache. But there is an
important difference there. With SSSD we were free to say we only want to
support specific protocols with AD, basically LDAP and Kerberos, which
allows us to bootstrap SSSD if a Kerberos keytab with suitable keys is
available. Samba's goal is to support all kinds of legacy AD/NT/Samba
domains as well. Some of the protocols used here require a plain text
password and cannot work with a hashed key from the Kerberos keytab, and
in some environments details about the domain are only available during
the join and cannot be discovered later.

So, when you plan to use Samba on a host it is recommended to use
'net ads join' instead of adcli to join the domain. But feel free to open
an RFE for adcli to create the needed entries in the Samba databases as
well.

HTH

bye,
Sumit

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
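The join-health check the reply implies (domain SID present in Samba's databases, machine account password in secrets.tdb usable against a DC, winbind able to name its own domain), as an added example that is not code from this thread nor from the Samba or SSSD projects. It assumes the line format of 'net getdomainsid' ("SID for domain NAME is: S-1-5-21-...") and the exit status of 'net ads testjoin' and 'wbinfo --own-domain' as documented in their man pages; the sample output used for the parser is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Samba join left the
# data winbind needs, before relying on winbind for authentication.
# Output format of 'net getdomainsid' is an assumption taken from the
# Samba man page; the samples at the bottom are constructed for offline use.

# Extract the domain SID from 'net getdomainsid' output.
# Assumed line shape:  SID for domain EXAMPLE is: S-1-5-21-1-2-3
sid_for_domain() {
    # $1: full text as printed by 'net getdomainsid'
    printf '%s\n' "$1" \
        | sed -n 's/^SID for domain [^ ]* is: \(S-1-5-[0-9-]*\).*/\1/p' \
        | head -n 1
}

# 0 if the value is a domain SID (S-1-5-21-<three sub-authorities>), else 1.
# Builtin or well-known SIDs such as S-1-5-32-544 are rejected on purpose.
is_domain_sid() {
    case "$1" in
        S-1-5-21-[0-9]*-[0-9]*-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check; runs only when the Samba client tools are installed.
# Returns 0 when the join looks healthy, 1 with a hint otherwise.
samba_join_status() {
    if ! command -v net >/dev/null 2>&1 || ! command -v wbinfo >/dev/null 2>&1; then
        echo "samba client tools not installed; skipping live check"
        return 0
    fi
    out=$(net getdomainsid 2>/dev/null) || { echo "net getdomainsid failed"; return 1; }
    sid=$(sid_for_domain "$out")
    if ! is_domain_sid "$sid"; then
        echo "no domain SID in Samba's databases: join with 'net ads join', not adcli"
        return 1
    fi
    # 'net ads testjoin' authenticates to a DC with the machine account
    # password from secrets.tdb, so a missing password fails here.
    if ! net ads testjoin >/dev/null 2>&1; then
        echo "machine account password missing or wrong (secrets.tdb)"
        return 1
    fi
    # Winbind's own view of the domain; the case in the thread fails here.
    if ! wbinfo --own-domain >/dev/null 2>&1; then
        echo "winbind cannot determine its own domain"
        return 1
    fi
    echo "join looks healthy: domain SID $sid"
    return 0
}

# Constructed sample output (not captured from a real host) for the parser.
SAMPLE_OK='SID for local machine HOST1 is: S-1-5-21-111111111-222222222-333333333
SID for domain EXAMPLE is: S-1-5-21-444444444-555555555-666666666'
# A host that only knows its own machine SID, no domain SID line at all.
SAMPLE_NO_DOMAIN='SID for local machine HOST1 is: S-1-5-21-111111111-222222222-333333333'
```

Run `samba_join_status` on a member host after joining; on a machine without the tools it only exercises the parser, which is why the sample output is embedded.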