ryan punt
2006-Sep-15 14:04 UTC
[Samba] Samba 3 PDC - trouble renaming domain member computer
All,

I've got a Samba 3 PDC serving numerous XP clients, and I'm getting an error I wouldn't have expected. When trying to rename an XP machine joined to the domain (via "netdom renamecomputer"), the command fails unless the specified domain user has UID 0.

The command in question:

    netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /userD:DOMAIN\USER /passwordd:PASSWORD /force

fails with "error 5: Access is denied" for UID >0 accounts, and succeeds for an account with UID 0.

Some background:

I have the following group mappings:

    net groupmap list
    Domain Administrators (S-1-5-21-1079125125-2089603153-60846589-512) -> Domain Admins
    Domain Users (S-1-5-21-1079125125-2089603153-60846589-513) -> Domain Users
    Domain Guests (S-1-5-21-1079125125-2089603153-60846589-514) -> Domain Guests

Domain Admins has a few members; among them, account testadmin has UID 0, and account printsetup has UID 12632.

Domain Admins has the following rights:

    net rpc rights list "Domain Admins"
    SeMachineAccountPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeRemoteShutdownPrivilege
    SeDiskOperatorPrivilege

"Domain Admins" members have no individual rights assigned; rights are assigned to the group only.

So, it comes down to this: printsetup and testadmin have the same rights, the same group memberships, the same everything except UID. I've looked through the available rights list in the Samba docs and didn't see a specific "rename computer" right, and I would have expected membership in "Domain Admins" to be sufficient. However, I've found that UID >0 accounts can't rename domain computers; UID 0 accounts can.

Is this a known issue? I haven't seen anything in the docs, but I'll be digging in again shortly. High-level debugs available upon request.

Thanks,
Ryan
ryan punt
2006-Sep-15 14:41 UTC
[Samba] Samba 3 PDC - trouble renaming domain member computer
Sorry, forgot the obvious stuff: Samba 3.0.14a on Debian Sarge (stock install). LDAP backend, using ldapsam_compat. Everything else works great, so I don't think it's a Samba config problem.

>>> "ryan punt" <rpunt@good-sam.com> 9/15/2006 9:04:09 AM >>>
All, I've got a Samba 3 PDC serving numerous XP clients, and I'm getting an error I wouldn't have expected. When trying to rename an XP machine joined to the domain (via "netdom renamecomputer"), the command fails unless the specified domain user has UID 0.
Felipe Augusto van de Wiel
2006-Sep-18 13:42 UTC
[Samba] Samba 3 PDC - trouble renaming domain member computer
On 09/15/2006 11:04 AM, ryan punt wrote:
> I've found that UID >0 accounts can't rename domain computers;
> UID 0 accounts can.
>
> Is this a known issue? I haven't seen anything in the docs,
> but I'll be digging in again shortly. High-level debugs
> available upon request.

Can those users (with UID>0) join a machine to the domain?

If yes, I would say it is a bug; if not, I would say you need to set the privileges per user. Maybe it is a bug anyway and you should report it to https://bugzilla.samba.org/

Kind regards,
-- 
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
ryan punt
2006-Sep-18 14:20 UTC
[Samba] Samba 3 PDC - trouble renaming domain member computer
Yes, users with UID >0 can join machines to the domain, but can't rename domain machines. I'll file a bug report, and try per-user privs. I'll also try building the latest source and see if it's still happening.

Thanks for the reply!

>>> felipe@paranacidade.org.br 9/18/2006 8:42:25 AM >>>
Can those users (with UID>0) join a machine to the domain?

If yes, I would say it is a bug; if not, I would say you need to set the privileges per user. Maybe it is a bug anyway and you should report it to https://bugzilla.samba.org/
ryan punt
2006-Sep-28 13:39 UTC
[Samba] Samba 3 PDC - trouble renaming domain member computer
As it turns out, I've got the same problem with the 3.0.23c .debs (I was using 3.0.14a Debian stock). Again, to summarize:

Samba 3 PDC, using LDAPSAM.

Group mappings are correct, my domain admins group has privileges:

    SeMachineAccountPrivilege
    SeRemoteShutdownPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeDiskOperatorPrivilege

Members of the domain admins group can join machines to the domain, but can't rename domain computers (either via netdom or the GUI). XP throws error, "access is denied." Everything else works perfectly.

I've filed a bug report, #4116.

Does anyone have any ideas?

Thanks,
Ryan
Daniel Carmo Olops
2006-Sep-29 15:40 UTC
[Samba] Samba 3 PDC - trouble renaming domain member computer
When the passdb is set to "tdbsam" or "smbpasswd", inserting

    rename user script = /usr/sbin/usermod -l '%unew' '%uold'

and restarting/SIGHUPing Samba eradicates the problem. I think you must find out how to rename an LDAP user from the console, and then set the parameter above accordingly (I don't have any experience with LDAP, sorry).

[]s

> From: "ryan punt" <rpunt@good-sam.com>
> Subject: Re: [Samba] Samba 3 PDC - trouble renaming domain member computer
> Date: Thu, 28 Sep 2006 08:38:30 -0500
> To: <samba@lists.samba.org>
>
> Members of the domain admins group can join machines to the domain, but can't rename domain computers (either via netdom or the GUI). XP throws error, "access is denied." Everything else works perfectly.
>
> I've filed a bug report, #4116.

"All I know is that I know nothing" (Socrates)
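One way to carry the "rename user script" suggestion above over to an LDAP backend, as an added example that is not part of this thread and not Samba's or smbldap-tools' own code: a POSIX shell script that emits the LDIF for a modrdn on the account entry and hands it to OpenLDAP's ldapmodify. The base DN, bind DN, password-file path and the uid/cn layout under ou=Computers are assumptions to adjust to your directory. The name check is there because the old and new names come from the client's request and the script runs as root.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's or smbldap-tools' code):
# a candidate "rename user script" for an ldapsam backend. smbd runs it as
# root with %uold and %unew substituted, e.g.
#     rename user script = /usr/local/sbin/ldap-rename-account '%uold' '%unew'
# Assumed (hypothetical) layout: accounts sit directly under LDAP_BASE with
# RDN uid=<name> and a cn equal to the name; machine accounts carry the
# trailing "$" in both attributes.

LDAP_BASE="ou=Computers,dc=example,dc=com"   # assumed base DN
LDAP_ADMIN="cn=admin,dc=example,dc=com"      # assumed bind DN
LDAP_PWFILE="/etc/samba/ldap.secret"         # assumed password file

# The names originate in the client's RPC request and reach a root-run
# script, so accept only characters valid in a NetBIOS account name.
# Argument: a name without the trailing "$".
valid_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]* ) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Emit the LDIF that renames OLD to NEW (both without "$"; $3 is "$" for a
# machine account, empty otherwise). The modrdn replaces the RDN and with
# it the uid attribute; a modify then brings cn in line. sambaSID is not
# touched, so the account keeps its SID across the rename.
rename_ldif() {
    old=$1; new=$2; suffix=$3
    printf 'dn: uid=%s%s,%s\nchangetype: modrdn\nnewrdn: uid=%s%s\ndeleteoldrdn: 1\n\n' \
        "$old" "$suffix" "$LDAP_BASE" "$new" "$suffix"
    printf 'dn: uid=%s%s,%s\nchangetype: modify\nreplace: cn\ncn: %s%s\n\n' \
        "$new" "$suffix" "$LDAP_BASE" "$new" "$suffix"
}

# Validate both names, then apply the LDIF. Returns 2 without touching the
# directory when either name is not a plain account name.
rename_account() {
    old=$1; new=$2; suffix=''
    case "$old" in
        *\$) suffix='$'; old=${old%\$}; new=${new%\$} ;;
    esac
    if ! valid_name "$old" || ! valid_name "$new"; then
        echo "rename_account: refusing invalid name" >&2
        return 2
    fi
    rename_ldif "$old" "$new" "$suffix" | ldapmodify -x -D "$LDAP_ADMIN" -y "$LDAP_PWFILE"
}

# Entry point when smbd invokes the script with the two substituted names.
if [ "$#" -eq 2 ]; then
    rename_account "$1" "$2"
fi
```

Before wiring it into smb.conf, pipe the output of rename_ldif into `ldapmodify -n` to see what would change without modifying anything, and keep the single quotes around '%uold' '%unew' in the smb.conf line as in the usermod example above.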