When trying to rename an XP-SP1 machine joined to the domain (via "netdom renamecomputer"), the command fails unless the specified domain user has UID 0.

Environment:
Samba 3.0.14a on Debian Sarge (default .deb install), using LDAPSAM.

Account Settings:
I have the following group mappings:

    Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
    Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
    Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests

Domain Admins has 2 members: account testadmin has UID 0, and account printsetup has UID 12632. The two accounts are structurally identical.

The "Domain Admins" group has the following privileges:

    SeMachineAccountPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeRemoteShutdownPrivilege
    SeDiskOperatorPrivilege

Individual group members have no privileges assigned. However, assigning individual privileges to accounts makes no difference - the operation still fails under the same parameters.

The command in question:

    netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /userD:GSS\USERNAME /passwordd:PASSWORD /force

All things being equal, this command works if the "/userD" account has UID 0; the command fails if the "/userD" account has a UID > 0.

Other than this problem, Samba works perfectly. Unfortunately, it's a show-stopper for me, as our sysprep'd client image has to rename itself as part of the deployment process.

smb.conf:

    [global]
    workgroup = GSS
    netbios name = GSS-PDC
    server string = Samba 3 PDC
    passwd program = . /opt/java/support/profile; java ChangePasswordSecure %u
    passwd chat timeout = 60000
    passwd chat = *new*password* %n\n *new*password* %n\n *successfully* .
    unix password sync = Yes
    log level = 1
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    domain logons = Yes
    os level = 255
    preferred master = True
    domain master = True
    dns proxy = No
    wins support = Yes
    preexec = sh -c 'echo Welcome to domain | /usr/bin/smbclient -M "%m" -I "%i" ' &
    enable privileges = yes
    ; SAMBA-LDAP declarations
    passdb backend = ldapsam:"ldap://ldapserver.domain.tld"
    ldap admin dn = cn=Directory Manager
    ldap suffix = o=good-sam.com
    add machine script = /usr/sbin/smbldap-useradd -w %u
    ; opLocks = False

    [netlogon]
    comment = Network Logon Service
    path = /opt/samba/netlogon
    write list = user1, user2
    guest ok = Yes
Not sure if it'll help, but the "verbose" error on XP is as follows:

    This operation will rename the computer NAME1 to NAME2.
    The computer rename attempt failed with error 5.
    Access is denied.
    The command failed to complete successfully.
Changed the version to reflect that I'm having the same problem in 3.0.23c.
From a level-6 log:

    [2006/09/28 08:36:33, 0] rpc_server/srv_samr_nt.c:set_user_info_21(3125)
      set_user_info_21: failed to rename account: NT_STATUS_ACCESS_DENIED
    [2006/09/28 08:36:33, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
      pop_sec_ctx (15184, 490) - sec_ctx_stack_ndx = 0
    [2006/09/28 08:36:33, 5] rpc_parse/parse_prs.c:prs_debug(84)
      000000 samr_io_r_set_userinfo2
    [2006/09/28 08:36:33, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
      0000 status: NT_STATUS_ACCESS_DENIED
"rename script" parameter works in 3.0.23c. I guess the solution is to upgrade?