[Samba] Samba 3 PDC - trouble renaming domain member computer

ryan punt rpunt at good-sam.com
Mon Sep 18 14:19:29 GMT 2006


Yes, users with UID >0 can join machines to the domain, but can't rename domain machines. I'll file a bug report, and try per-user privs.  I'll also try building the latest source and see if it's still happening.

Thanks for the reply!

>>> felipe at paranacidade.org.br 9/18/2006 8:42:25 AM >>>
	Those users (with UID>0) can join a machine in the
domain? If yes I would say it is a bug, if not I would say
you need to set the privileges per user. Maybe it is a bug
anyway and you should report it to

		https://bugzilla.samba.org/ 



On 09/15/2006 11:04 AM, ryan punt wrote:
> All,
> 
> I've got a Samba 3 PDC serving numerous XP clients, and I'm 
> getting an error I wouldn't have expected. When trying to
> rename an XP machine joined to the domain (via "netdom
> renamecomputer"), the command fails unless the specified
> domain user has UID 0.
> 
> The command in question:
> 
> netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /userD:DOMAIN\USER  /passwordd:PASSWORD /force
> 
> fails with "error 5: Access is denied" for UID >0 accounts, and succeeds for an account with UID 0.
> 
> Some background:
> 
> I have the following group mappings:
> net groupmap list
> Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
> Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
> Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests
> 
> Domain Admins has a few members; among them, account testadmin has UID 0, and account printsetup has UID 12632.
> 
> Domain Admins has the following rights:
> net rpc rights list "Domain Admins"
> SeMachineAccountPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeRemoteShutdownPrivilege
> SeDiskOperatorPrivilege
> 
> "Domain Admins" members have no individual rights assigned; 
> rights are assigned to the group only.
> 
> So, it comes down to this: printsetup and testadmin have 
> the same rights, the same group memberships, the same
> everything except UID. I've looked through the available
> rights list in the Samba docs and didn't see a specific
> "rename computer" right, and I would have expected
> membership in "Domain Admins" to be sufficient. However,
> I've found that UID >0 accounts can't rename domain computers;
> UID 0 accounts can.
> 
> Is this a known issue? I haven't seen anything in the docs, 
> but I'll be digging in again shortly. High-level debugs
> available upon request.




