Bug 4116 - renaming of domain computers fails if admin account has non-0 UID
Summary: renaming of domain computers fails if admin account has non-0 UID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.14a
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2006-09-21 13:57 UTC by Ryan Punt
Modified: 2006-10-19 08:27 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Ryan Punt 2006-09-21 13:57:56 UTC
When trying to rename an XP-SP1 machine joined to the domain (via "netdom renamecomputer"), the command fails unless the specified domain user has UID 0.

Samba 3.0.14a on Debian Sarge (default .deb install), using LDAPSAM.

Account Settings:
I have the following group mappings:
Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests
Domain Admins has 2 members: account testadmin has UID 0, and account printsetup has UID 12632. The two accounts are structurally identical.

The "Domain Admins" group has the following privileges:

Individual group members have no privileges assigned. However, assigning individual privileges to accounts makes no difference - the operation still fails under the same parameters.

The command in question:
netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /userD:GSS\USERNAME /passwordd:PASSWORD/force
All things being equal, this command works if the "/userD" account has UID 0; the command fails if the "/userD" account has a UID > 0.

Other than this problem, Samba works perfectly. Unfortunately, it's a show-stopper for me, as our sysprep'd client image has to rename itself as part of the deployment process.

workgroup = GSS
netbios name = GSS-PDC
server string = Samba 3 PDC
passwd program = . /opt/java/support/profile; java ChangePasswordSecure %u
passwd chat timeout = 60000
passwd chat = *new*password* %n\n *new*password* %n\n *successfully* .
unix password sync = Yes
log level = 1
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
os level = 255
preferred master = True
domain master = True
dns proxy = No
wins support = Yes
preexec = sh -c 'echo Welcome to domain | /usr/bin/smbclient -M "%m" -I "%i" ' &
enable privileges = yes
; SAMBA-LDAP declarations
passdb backend = ldapsam:"ldap://ldapserver.domain.tld"
ldap admin dn = cn=Directory Manager
ldap suffix = o=good-sam.com
add machine script = /usr/sbin/smbldap-useradd -w %u
; opLocks = False

comment = Network Logon Service
path = /opt/samba/netlogon
write list = user1, user2
guest ok = Yes
Comment 1 Ryan Punt 2006-09-21 14:08:36 UTC
Not sure if it'll help, but the "verbose" error on XP is as follows:

This operation will rename the computer NAME1 to NAME2.
The computer rename attempt failed with error 5.
Access is denied.

The command failed to comlete successfully.
Comment 2 Ryan Punt 2006-09-28 08:19:34 UTC
Changed the version to reflect that I'm having the same problem in 3.0.23c.
Comment 3 Ryan Punt 2006-09-28 08:51:51 UTC
From a level-6 log:

[2006/09/28 08:36:33, 0] rpc_server/srv_samr_nt.c:set_user_info_21(3125)
  set_user_info_21: failed to rename account: NT_STATUS_ACCESS_DENIED
[2006/09/28 08:36:33, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (15184, 490) - sec_ctx_stack_ndx = 0
[2006/09/28 08:36:33, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 samr_io_r_set_userinfo2
[2006/09/28 08:36:33, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
      0000 status: NT_STATUS_ACCESS_DENIED
Comment 4 Ryan Punt 2006-10-19 08:27:32 UTC
"rename script" parameter works in 3.0.23c.

I guess the solution is to upgrade?