[Samba] Samba 3 PDC - trouble renaming domain member computer

Simo Sorce idra at samba.org
Mon Sep 18 14:53:13 GMT 2006


On Mon, 2006-09-18 at 10:42 -0300, Felipe Augusto van de Wiel wrote:
> On 09/15/2006 11:04 AM, ryan punt escreveu:
> > All,
> > 
> > I've got a Samba 3 PDC serving numerous XP clients, and I'm 
> > getting an error I wouldn't have expected. When trying to
> > rename an XP machine joined to the domain (via "netdom
> > renamecomputer"), the command fails unless the specified
> > domain user has UID 0.
> > 
> > The command in question:
> > 
> > netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /userD:DOMAIN\USER  /passwordd:PASSWORD /force
> > 
> > fails with "error 5: Access is denied" for UID >0 accounts, and succeeds for an account with UID 0.
> > 
> > Some background:
> > 
> > I have the following group mappings:
> > net groupmap list
> > Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
> > Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
> > Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests
> > 
> > Domain Admins has a few members; among them, account testadmin has UID 0, and account printsetup has UID 12632.
> > 
> > Domain Admins has the following rights:
> > net rpc rights list "Domain Admins"
> > SeMachineAccountPrivilege
> > SePrintOperatorPrivilege
> > SeAddUsersPrivilege
> > SeRemoteShutdownPrivilege
> > SeDiskOperatorPrivilege
> > 
> > "Domain Admins" members have no individual rights assigned; 
> > rights are assigned to the group only.
> > 
> > So, it comes down to this: printsetup and testadmin have 
> > the same rights, the same group memberships, the same
> > everything except UID. I've looked through the available
> > rights list in the Samba docs and didn't see a specific
> > "rename computer" right, and I would have expected
> > membership in "Domain Admins" to be sufficient. However,
> > I've found that UID >0 accounts can't rename domain computers;
> > UID 0 accounts can.
> > 
> > Is this a known issue? I haven't seen anything in the docs, 
> > but I'll be digging in again shortly. High-level debugs
> > available upon request.
> 
> Those users (with UID>0) can join a machine in the
> domain? If yes I would say it is a bug, if not I would say
> you need to set the privileges per user. Maybe it is a bug
> anyway and you should report it to

If the group these users are part of has the SeMachineAccountPrivilege,
it is perfectly fine that they can join machines to a domain; it is what
this privilege has been built for.

Renaming a computer should probably be allowed by SeMachineAccountPrivilege;
please file a bug if you have troubles only with it.

Simo.
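As an added illustration (not part of this thread or of Samba itself): the check below resolves each account's effective privileges from the `net groupmap list` and `net rpc rights list` output formats shown above, so an admin can confirm that the two accounts really differ only in UID. The group memberships, UIDs and command output are constructed from the poster's description; the `net ...` commands are not run.

```python
import re

# Constructed sample input, in the formats the thread shows for `net groupmap list`
# and `net rpc rights list "<group>"` (one privilege per line).
GROUPMAP_LIST = """\
Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests
"""
GROUP_RIGHTS = {
    "Domain Admins": "SeMachineAccountPrivilege\nSePrintOperatorPrivilege\n"
                     "SeAddUsersPrivilege\nSeRemoteShutdownPrivilege\nSeDiskOperatorPrivilege\n",
    "Domain Users": "",
    "Domain Guests": "",
}
# Account UIDs and group memberships as the poster describes them (constructed).
ACCOUNTS = {
    "testadmin": {"uid": 0, "groups": {"Domain Admins", "Domain Users"}},
    "printsetup": {"uid": 12632, "groups": {"Domain Admins", "Domain Users"}},
}
GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-21-[0-9-]+)\) -> (?P<unix>.+)$")

def parse_groupmap(text):
    """Return {unix_group: (nt_name, sid)} from `net groupmap list` output."""
    result = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:  # skip blank or unexpected lines instead of failing
            result[m.group("unix")] = (m.group("nt"), m.group("sid"))
    return result

def parse_rights(text):
    """Return the set of privilege names from `net rpc rights list` output."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("Se")}

def effective_privileges(account, group_rights=GROUP_RIGHTS):
    """Union of the privileges granted to every group the account belongs to."""
    privs = set()
    for group in ACCOUNTS[account]["groups"]:
        privs |= parse_rights(group_rights.get(group, ""))
    return privs

def audit_machine_account_rights(group_rights=GROUP_RIGHTS):
    """(account, uid) pairs holding SeMachineAccountPrivilege via a group: the
    accounts that are expected to be able to join (and rename) machines."""
    return sorted((name, info["uid"]) for name, info in ACCOUNTS.items()
                  if "SeMachineAccountPrivilege" in effective_privileges(name, group_rights))

def rights_identical(a, b):
    """True when two accounts resolve to the same privilege set, i.e. only UID differs."""
    return effective_privileges(a) == effective_privileges(b)
```

If `rights_identical("testadmin", "printsetup")` holds but only the UID 0 account can rename, the difference is not in the configured privileges, which is the case to report as a bug.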
