The Samba-Bugzilla – Bug 11482
rename of workstations on domain incomplete
Last modified: 2015-09-02 08:09:53 UTC
If you rename a Windows workstation that has been added to a Samba 4 domain, using the normal Windows "System Properties -> Change... -> Computer Name -> Reboot", the computer isn't entirely renamed in the Samba directory and will still show as the old name in ADUC.
Using ADUC and looking at the Attributes Editor tab it appears that displayName, dNSHostName, name, sAMAccountName, and servicePrincipalName all DO change (might be wrong on 1 of those, going off memory). HOWEVER, what doesn't change is distinguishedName and CN (obviously). This causes the object in ADUC to still show up as the old name.
This is different behavior to a Windows domain. A rename in that case will fully update everything, including distinguishedName and CN.
I found one mention of this in the mailing list back in Feb 2014.
There are two workarounds. Unjoin, rename, join the workstation. Or use ADSI Edit to perform a rename on the object, which will change the distinguishedName and CN.
Unfortunately I'm stuck on an older 4.1 build so can't test if this has been addressed in newer builds. However, it seems this is an edge case since most users wouldn't be renaming workstations or would just unjoin/join instead. So my guess is it still exists and while it isn't a major issue, think it would be worth fixing at some point.
To flesh this out a bit: when a windows domain member server changes
it's name over SAMR, that the changes at the LDAP layer do not match
windows. In particular, that the CN attribute is not updated to match.
- Add cross-protocol tests to demonstrate the matching behaviour
between SAMR and LDAP using python.
- Determine if the CN attribute is attached to the 'full name' or
'account name' in SAMR
- confirming in particular the error cases where there may be a
conflicting object using the new name.
- Update SAMR server in the AD DC to match Windows behaviour
(presumably changing the SetUserInfo call to rename the LDAP entry when
setting the account name as suggested in for create in MS-SAMR
220.127.116.11.1 distinguishedName Generation)