[Samba] Samba 3 PDC - trouble renaming domain member computer
Felipe Augusto van de Wiel
felipe at paranacidade.org.br
Mon Sep 18 13:42:25 GMT 2006
On 09/15/2006 11:04 AM, ryan punt wrote:
> All,
>
> I've got a Samba 3 PDC serving numerous XP clients, and I'm
> getting an error I wouldn't have expected. When trying to
> rename an XP machine joined to the domain (via "netdom
> renamecomputer"), the command fails unless the specified
> domain user has UID 0.
>
> The command in question:
>
> netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /userD:DOMAIN\USER /passwordd:PASSWORD /force
>
> fails with "error 5: Access is denied" for UID >0 accounts, and succeeds for an account with UID 0.
>
> Some background:
>
> I have the following group mappings:
> net groupmap list
> Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
> Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
> Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests
>
> Domain Admins has a few members; among them, account testadmin has UID 0, and account printsetup has UID 12632.
>
> Domain Admins has the following rights:
> net rpc rights list "Domain Admins"
> SeMachineAccountPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeRemoteShutdownPrivilege
> SeDiskOperatorPrivilege
>
> "Domain Admins" members have no individual rights assigned;
> rights are assigned to the group only.
>
> So, it comes down to this: printsetup and testadmin have
> the same rights, the same group memberships, the same
> everything except UID. I've looked through the available
> rights list in the Samba docs and didn't see a specific
> "rename computer" right, and I would have expected
> membership in "Domain Admins" to be sufficient. However,
> I've found that UID >0 accounts can't rename domain computers;
> UID 0 accounts can.
>
> Is this a known issue? I haven't seen anything in the docs,
> but I'll be digging in again shortly. High-level debugs
> available upon request.
Can those users (with UID>0) join a machine to the
domain? If yes, I would say it is a bug; if not, I would say
you need to set the privileges per user. Maybe it is a bug
anyway and you should report it to
https://bugzilla.samba.org/
> Thanks,
> Ryan
Kind regards,
--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)