[Samba] Samba 3 PDC - trouble renaming domain member computer

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Mon Sep 18 13:42:25 GMT 2006

On 09/15/2006 11:04 AM, ryan punt wrote:
> All,
> I've got a Samba 3 PDC serving numerous XP clients, and I'm 
> getting an error I wouldn't have expected. When trying to
> rename an XP machine joined to the domain (via "netdom
> renamecomputer"), the command fails unless the specified
> domain user has UID 0.
> The command in question:
> netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /userD:DOMAIN\USER  /passwordd:PASSWORD /force
> fails with "error 5: Access is denied" for UID >0 accounts, and succeeds for an account with UID 0.
> Some background:
> I have the following group mappings:
> net groupmap list
> Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
> Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
> Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests
> Domain Admins has a few members; among them, account testadmin has UID 0, and account printsetup has UID 12632.
> Domain Admins has the following rights:
> net rpc rights list "Domain Admins"
> SeMachineAccountPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeRemoteShutdownPrivilege
> SeDiskOperatorPrivilege
> "Domain Admins" members have no individual rights assigned; 
> rights are assigned to the group only.
> So, it comes down to this: printsetup and testadmin have 
> the same rights, the same group memberships, the same
> everything except UID. I've looked through the available
> rights list in the Samba docs and didn't see a specific
> "rename computer" right, and I would have expected
> membership in "Domain Admins" to be sufficient. However,
> I've found that UID >0 accounts can't rename domain computers;
> UID 0 accounts can.
> Is this a known issue? I haven't seen anything in the docs, 
> but I'll be digging in again shortly. High-level debugs
> available upon request.

	Can those users (with UID>0) join a machine to the
domain? If yes, I would say it is a bug; if not, I would say
you need to set the privileges per user. Maybe it is a bug
anyway and you should report it to


> Thanks,
> Ryan

	Kind regards,

--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
