The Samba-Bugzilla – Bug 4116
renaming of domain computers fails if admin account has non-0 UID
Last modified: 2006-10-19 08:27:32 UTC
When trying to rename an XP-SP1 machine joined to the domain (via "netdom renamecomputer"), the command fails unless the specified domain user has UID 0.
Samba 3.0.14a on Debian Sarge (default .deb install), using LDAPSAM.
I have the following group mappings:
Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests
Domain Admins has 2 members: account testadmin has UID 0, and account printsetup has UID 12632. The two accounts are structurally identical.
The "Domain Admins" group has the following privileges:
Individual group members have no privileges assigned. However, assigning individual privileges to accounts makes no difference - the operation still fails under the same parameters.
The command in question:
netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /userD:GSS\USERNAME /passwordd:PASSWORD /force
All things being equal, this command works if the "/userD" account has UID 0; the command fails if the "/userD" account has a UID > 0.
Other than this problem, Samba works perfectly. Unfortunately, it's a show-stopper for me, as our sysprep'd client image has to rename itself as part of the deployment process.
[global]
workgroup = GSS
netbios name = GSS-PDC
server string = Samba 3 PDC
passwd program = . /opt/java/support/profile; java ChangePasswordSecure %u
passwd chat timeout = 60000
passwd chat = *new*password* %n\n *new*password* %n\n *successfully* .
unix password sync = Yes
log level = 1
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
os level = 255
preferred master = True
domain master = True
dns proxy = No
wins support = Yes
preexec = sh -c 'echo Welcome to domain | /usr/bin/smbclient -M "%m" -I "%i" ' &
enable privileges = yes
; SAMBA-LDAP declarations
passdb backend = ldapsam:"ldap://ldapserver.domain.tld"
ldap admin dn = cn=Directory Manager
ldap suffix = o=good-sam.com
add machine script = /usr/sbin/smbldap-useradd -w %u
; opLocks = False
[netlogon]
comment = Network Logon Service
path = /opt/samba/netlogon
write list = user1, user2
guest ok = Yes
Not sure if it'll help, but the "verbose" error on XP is as follows:
This operation will rename the computer NAME1 to NAME2.
The computer rename attempt failed with error 5.
Access is denied.
The command failed to complete successfully.
Changed the version to reflect that I'm having the same problem in 3.0.23c.
From a level-6 log:
[2006/09/28 08:36:33, 0] rpc_server/srv_samr_nt.c:set_user_info_21(3125)
set_user_info_21: failed to rename account: NT_STATUS_ACCESS_DENIED
[2006/09/28 08:36:33, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (15184, 490) - sec_ctx_stack_ndx = 0
[2006/09/28 08:36:33, 5] rpc_parse/parse_prs.c:prs_debug(84)
[2006/09/28 08:36:33, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
0000 status: NT_STATUS_ACCESS_DENIED
"rename script" parameter works in 3.0.23c.
I guess the solution is to upgrade?
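As an added example (not code from this bug report or from the Samba project), a wrapper for the "rename script" parameter mentioned above: Samba substitutes the old and new account names for %uold and %unew, and since the new name arrives from the client in the rename request, the wrapper allow-lists both names before they reach any further shell expansion. The script path /usr/local/sbin/samba-rename-account and the backend call (smbldap-usermod -r NEW OLD) are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or from Samba. Configure in smb.conf as
#   rename script = /usr/local/sbin/samba-rename-account %uold %unew
# Samba substitutes the old and new account names into that command line; the
# new name originates in the client's SAMR request, so both are validated here.
# BACKEND (smbldap-usermod -r NEW OLD) and the script path are assumptions.
BACKEND="${BACKEND:-/usr/sbin/smbldap-usermod}"

# is_valid_name NAME: conservative allow-list for a SAM account name. A
# trailing "$" marks a machine account, whose NetBIOS part is at most 15
# characters; user names get the 20-character SAM limit. Returns 0 if safe.
is_valid_name() {
    n="$1"; max=20
    case "$n" in
        *'$') n="${n%?}"; max=15 ;;
    esac
    [ -n "$n" ] && [ "${#n}" -le "$max" ] || return 1
    case "$n" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# check_rename OLD NEW: both names valid, different, and of the same kind, so
# a computer rename cannot turn a machine account into a user account.
check_rename() {
    old="$1"; new="$2"
    is_valid_name "$old" && is_valid_name "$new" || return 1
    [ "$old" != "$new" ] || return 1
    case "$old" in *'$') old_kind=machine ;; *) old_kind=user ;; esac
    case "$new" in *'$') new_kind=machine ;; *) new_kind=user ;; esac
    [ "$old_kind" = "$new_kind" ]
}

# rename_account OLD NEW: refuse and log anything check_rename rejects; pass
# the names to the backend as separate arguments, never through eval.
rename_account() {
    if ! check_rename "$1" "$2"; then
        logger -t samba-rename "refused rename '$1' -> '$2'"
        return 1
    fi
    logger -t samba-rename "renaming '$1' -> '$2'"
    "$BACKEND" -r "$2" "$1"
}

# Samba calls the script with exactly two arguments; with none, nothing runs.
if [ "$#" -eq 2 ]; then
    rename_account "$1" "$2"
fi
```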