cannot rename windows xp machine in samba4

Matthias Dieter Wallnöfer mdw at
Thu May 24 14:33:10 MDT 2012

Hi Andrew, Matthieu,

in my "master" branch you can find the necessary patches beside some 
other work which I find ready to push.


Matthieu Patou wrote:
> Matthias,
> On 05/03/2012 02:04 PM, Matthias Dieter Wallnöfer wrote:
>> Matthieu, Andrew,
>> this has been a tricky issue. Here you can find my patch and the 
>> reason explained in the commit notice: 
>> Please review & merge it!
> Your patch didn't address the real problem, my logic might be affected 
> but it looks like your patch is trying to prevent duplicates in the 
> servicePrincipalName that are due to dnsHostName change.
> This seems pretty inefficient, why not adding all the values in an 
> array, and then check for duplicates only once instead of doing it for 
> all the entries that are about to be modified instead of iterating 
> several times.
> But most important your patch didn't address the issue of Vladimir 
> which is the following: there are 2 modifications in the request one 
> for dnsHostName and one for servicePrincipalName, the modification in 
> servicePrincipalName is the same as one triggered by the dnsHostName 
> change resulting in two entries for the same value causing ldb to 
> reject the change.
> I think the correct approach is the following:
> 1 in samldb_service_principal_names_change() check if there is a 
> servicePrincipalName in the change message
> 2 if so get the values
> 3 create a list of changed values for the servicePrincipalName due to 
> dnsHostname or samaccountname change
> 4 Once the list is complete check if there is no duplicate values with 
> those obtained in step 2
> Apart from that there is a test missing on the unicity 
> (case-insensitive) of values for the attribute servicePrincipalName, 
> because for the moment we can add HOST/MYHOST when the entry 
> HOST/myhost already exists (Windows 2003R2 does not allow this).
> Matthieu.
>> Cheers,
>> Matthias
>> Matthieu Patou wrote:
>>> Hi Vladimir,
>>>>   ok, that's what I've done step by step again:
>>>> * left XP from domain
>>>> * changed winxp computer name to WS5 and sid with newsid utility
>>>> * joined winxp to domain under name WS5
>>>> * powered off the vm
>>>> * started packet capture with "tcpdump -p -s 0 -w samba4.dump.txt"
>>>> * exported keytab with "samba-tool domain exportkeytab 
>>>> ./samba4.keytab"
>>>> * powered on winxp
>>>> * logged in as admin (I entered wrong username one time, if that's
>>>> important) and tried to rename WS5 to WS6, twice, both times I got 
>>>> error
>>>> but they seem to be a bit different, first time it said smth
>>>> the dump files were too large for the maillist (I cancelled that 
>>>> posting)
>>>> so I have put it to rapidshare here's the link:
>>> Now with this trace I have the reason of the problem.
>>> I put Matthias in copy as he might be the most aware of this.
>>> The problem lies in samldb_service_principal_names_change() function 
>>> as we try to add a new principal that is also specified in the request.
>>> Before adding a SPN we should check that this SPN is not already 
>>> specified in the request, then I suspect that the rename will work.
>>> Matthieu.
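
The four-step approach and the case-insensitive uniqueness check proposed in the thread, sketched as an added example (not code from Samba or from any of the posters). The spn_list type, the function names and the sample host names are constructed for illustration and do not use the ldb API.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_SPN 16
#define SPN_LEN 128
/* Constructed model (not Samba's ldb API): a flat list of SPN strings. */
struct spn_list { char v[MAX_SPN][SPN_LEN]; int n; };

static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Returns 1 if added, 0 if a case-insensitive duplicate exists, -1 if full. */
static int spn_add_unique(struct spn_list *l, const char *spn)
{
    for (int i = 0; i < l->n; i++)
        if (ci_equal(l->v[i], spn)) return 0;
    if (l->n == MAX_SPN) return -1;
    snprintf(l->v[l->n++], SPN_LEN, "%s", spn);
    return 1;
}
/* Seed with the SPNs sent in the request, derive renamed SPNs from the stored
 * ones, add each only if absent. Returns the count of derived duplicates. */
static int spn_merge_rename(const struct spn_list *stored, const struct spn_list *req,
                            const char *old_host, const char *new_host,
                            struct spn_list *out)
{
    int dropped = 0;
    out->n = 0;
    for (int i = 0; i < req->n; i++) spn_add_unique(out, req->v[i]);
    for (int i = 0; i < stored->n; i++) {
        const char *slash = strchr(stored->v[i], '/');
        char derived[SPN_LEN];
        if (!slash || !ci_equal(slash + 1, old_host)) continue; /* other host */
        snprintf(derived, sizeof derived, "%.*s/%s",
                 (int)(slash - stored->v[i]), stored->v[i], new_host);
        if (spn_add_unique(out, derived) == 0) dropped++;
    }
    return dropped;
}
/* Constructed sample: rename ws5 -> ws6 while the request also sends HOST/WS6. */
static struct spn_list demo_out;
static int demo(void)
{
    struct spn_list stored = { { "HOST/ws5.example.test",
                                 "RestrictedKrbHost/ws5.example.test" }, 2 };
    struct spn_list req = { { "HOST/WS6.EXAMPLE.TEST" }, 1 };
    return spn_merge_rename(&stored, &req, "ws5.example.test", "ws6.example.test", &demo_out);
}
int main(void) { int d = demo(); printf("dropped=%d kept=%d\n", d, demo_out.n); return 0; }
```

The value sent explicitly in the request wins, and the derived value that matches it (ignoring case) is dropped instead of producing two entries for the same value.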

More information about the samba-technical mailing list