On Thu, Sep 15, 2016 at 03:07:07AM +0000, Joakim Tjernlund wrote:
> On Wed, 2016-09-14 at 10:39 +0200, Sumit Bose wrote:
> > On Tue, Sep 13, 2016 at 01:43:06PM +0000, Joakim Tjernlund wrote:
> > >
> > > >
> > >
> > > I swapped the computer to our new domain and now windbind could not find
> > > is SID:
> > > "Could not fetch our SID - did we join?"
> > > no matter what I did.
> > How did you join the domain? adcli (currently) does not add some needed
> > data to Samba's internal databases, you have to use 'net ads join' or
> > tell realmd to use Samba as membership-software.
> Lost this for a while, found it now :)
> I used adcli, can you be a bit more specific? Is it a DB(which?) under
> /var/lib/samba/ ?
There is more than one. There is e.g. /var/lib/samba/private/secrets.tdb
which stores the machine password, iirc the domain SIDs are stored in
/var/lib/samba/gencache.tdb. Btw, you can set the domain SID with 'net
setdomainsid' but this won't help much because you need the machine
account password as well. And although you can set it with 'net
changesecretpw' it would be hard to recover the random password adcli
used during the join.
> How can samba store such vital info there ?
Where else? Please note that SSSD as well stores domain SID and other
information in the "internal" database, aka the cache. But there is an
important difference there. With SSSD we were free to say we only want
to support specific protocols with AD, basically LDAP and Kerberos,
which allows us to bootstrap SSSD if a Kerberos keytab with suitable
keys is available.
Samba's goal is to support all kind of legacy AD/NT/Samba domains as
well. Some of the protocols used here require plain text password and
cannot work with a hashed key form the Kerberos keytab and in some
environment details about the domain are only available during the join
and cannot be discovered later.
So, when you plan to use Samba on a host it is recommended to use 'net
ads join' instead of adcli to join the domain. But fell free to open a
RFE for adcli to to create the needed entries in the Samba databases
sssd-users mailing list