Bug 4116 - renaming of domain computers fails if admin account has non-0 UID
renaming of domain computers fails if admin account has non-0 UID
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
3.0.14a
x86 Linux
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-21 13:57 UTC by Ryan Punt
Modified: 2006-10-19 08:27 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ryan Punt 2006-09-21 13:57:56 UTC
When trying to rename an XP-SP1 machine joined to the domain (via "netdom renamecomputer"), the command fails unless the specified domain user has UID 0.

Environment:
Samba 3.0.14a on Debian Sarge (default .deb install), using LDAPSAM.

Account Settings:
I have the following group mappings:
Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests
 
Domain Admins has 2 members: account testadmin has UID 0, and account printsetup has UID 12632. The two accounts are structurally identical.

The "Domain Admins" group has the following privileges:
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege

Individual group members have no privileges assigned. However, assigning individual privileges to accounts makes no difference - the operation still fails under the same parameters.

The command in question:
netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /userD:GSS\USERNAME /passwordd:PASSWORD/force
All things being equal, this command works if the "/userD" account has UID 0; the command fails if the "/userD" account has a UID > 0.


Other than this problem, Samba works perfectly. Unfortunately, it's a show-stopper for me, as our sysprep'd client image has to rename itself as part of the deployment process.

smb.conf:
[global]
workgroup = GSS
netbios name = GSS-PDC
server string = Samba 3 PDC
passwd program = . /opt/java/support/profile; java ChangePasswordSecure %u
passwd chat timeout = 60000
passwd chat = *new*password* %n\n *new*password* %n\n *successfully* .
unix password sync = Yes
log level = 1
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
os level = 255
preferred master = True
domain master = True
dns proxy = No
wins support = Yes
preexec = sh -c 'echo Welcome to domain | /usr/bin/smbclient -M "%m" -I "%i" ' &
enable privileges = yes
; SAMBA-LDAP declarations
passdb backend = ldapsam:"ldap://ldapserver.domain.tld"
ldap admin dn = cn=Directory Manager
ldap suffix = o=good-sam.com
add machine script = /usr/sbin/smbldap-useradd -w %u
; opLocks = False

[netlogon]
comment = Network Logon Service
path = /opt/samba/netlogon
write list = user1, user2
guest ok = Yes
Comment 1 Ryan Punt 2006-09-21 14:08:36 UTC
Not sure if it'll help, but the "verbose" error on XP is as follows:

This operation will rename the computer NAME1 to NAME2.
The computer rename attempt failed with error 5.
Access is denied.

The command failed to comlete successfully.
Comment 2 Ryan Punt 2006-09-28 08:19:34 UTC
Changed the version to reflect that I'm having the same problem in 3.0.23c.
Comment 3 Ryan Punt 2006-09-28 08:51:51 UTC
From a level-6 log:

[2006/09/28 08:36:33, 0] rpc_server/srv_samr_nt.c:set_user_info_21(3125)
  set_user_info_21: failed to rename account: NT_STATUS_ACCESS_DENIED
[2006/09/28 08:36:33, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (15184, 490) - sec_ctx_stack_ndx = 0
[2006/09/28 08:36:33, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 samr_io_r_set_userinfo2
[2006/09/28 08:36:33, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
      0000 status: NT_STATUS_ACCESS_DENIED
Comment 4 Ryan Punt 2006-10-19 08:27:32 UTC
"rename script" parameter works in 3.0.23c.

I guess the solution is to upgrade?