ioguix
2008-Apr-01 17:16 UTC
[Samba] renaming a computer fail on a samba domain using ldap backend
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I am trying to rename a computer on my samba domain but it fails telling me I hadn't rights to do it. Obviously, I use the same admin account (root) than the one which add this computer on the domain some seconds before. I am using samba 3.0.24 on Debian etch with a openldap SAM backend and smbldap-tools scripts using these conf params : ~~~~~~~~~~~~~~~~~~~~~~~~~~ add user script = /usr/sbin/smbldap-useradd -c "Samba user account" -m -s /bin/false '%u' add machine script = /usr/sbin/smbldap-useradd -c "Samba computer account" -g 515 -w -s /bin/false '%u' add group script = /usr/sbin/smbldap-groupadd '%g' add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' delete user script = /usr/sbin/smbldap-userdel '%u' delete group script = /usr/sbin/smbldap-groupdel '%g' delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g' set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' ~~~~~~~~~~~~~~~~~~~~~~~~~~ So far, I can add a computer on a domain, but I can't rename it. I tried to rename the computer using smbldap-usermod before updating it in WinXP, but obviously, it fails telling me the user is unknown. The only way I found is to add a computer with the new name to the domain using smbldap-useradd, leaving the domain from WinXP, renaming it under WinXP, re-join the domain, then drop the old computer account. Here the content of log.root when I try to rename the computer (using "log file = /var/log/samba/log.%U" and log level = 3) http://pastebin.org/26701 The ACCESS denied is at line 771 : "set_user_info_21: failed to rename account: NT_STATUS_ACCESS_DENIED" I could give a more verbose log file, but this one is pretty huge... So, where did I fail ? Do we can rename a computer on a samba domain ? Feel free to ask me anything more you need to help me :) - -- Guillaume (ioguix) de Rorthais -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH8mxOxWGfaAgowiIRApA7AJ9p/7m2G3wH/1YvR/0f9MkxNZ3DGACfZbOl e6Mz3mQS2bIS6yzJ++cu66A=B3vK -----END PGP SIGNATURE-----
ioguix
2008-Apr-02 14:55 UTC
[Samba] renaming a computer fail on a samba domain using ldap backend
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Replying to myself : Add the following conf line to smb.conf: rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold' ioguix a ?crit :> Hello, > > I am trying to rename a computer on my samba domain but it fails telling me I hadn't rights to do it. > Obviously, I use the same admin account (root) than the one which add this computer on the domain some seconds before. > > I am using samba 3.0.24 on Debian etch with a openldap SAM backend and smbldap-tools scripts using these conf params : > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > add user script = /usr/sbin/smbldap-useradd -c "Samba user account" -m -s /bin/false '%u' > add machine script = /usr/sbin/smbldap-useradd -c "Samba computer account" -g 515 -w -s /bin/false '%u' > add group script = /usr/sbin/smbldap-groupadd '%g' > add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' > delete user script = /usr/sbin/smbldap-userdel '%u' > delete group script = /usr/sbin/smbldap-groupdel '%g' > delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g' > set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > > So far, I can add a computer on a domain, but I can't rename it. > > I tried to rename the computer using smbldap-usermod before updating it in WinXP, but obviously, it fails telling me the user is > unknown. > > The only way I found is to add a computer with the new name to the domain using smbldap-useradd, leaving the domain from WinXP, > renaming it under WinXP, re-join the domain, then drop the old computer account. > > Here the content of log.root when I try to rename the computer (using "log file = /var/log/samba/log.%U" and log level = 3) > http://pastebin.org/26701 > The ACCESS denied is at line 771 : "set_user_info_21: failed to rename account: NT_STATUS_ACCESS_DENIED" > > I could give a more verbose log file, but this one is pretty huge... > > So, where did I fail ? > > Do we can rename a computer on a samba domain ? > > Feel free to ask me anything more you need to help me :) >-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH853fxWGfaAgowiIRAv69AJwKCpGF6nOgeTAqJPO+PTTFc89vSACfRXhi boB8PEzyPb1m8LHv15laWTc=CgVf -----END PGP SIGNATURE-----
ioguix
2008-Apr-02 15:02 UTC
[Samba] renaming a computer fail on a samba domain using ldap backend
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Replying to myself : Add the following conf line to smb.conf: rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold' ioguix a ?crit :> Hello, > > I am trying to rename a computer on my samba domain but it fails telling me I hadn't rights to do it. > Obviously, I use the same admin account (root) than the one which add this computer on the domain some seconds before. > > I am using samba 3.0.24 on Debian etch with a openldap SAM backend and smbldap-tools scripts using these conf params : > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > add user script = /usr/sbin/smbldap-useradd -c "Samba user account" -m -s /bin/false '%u' > add machine script = /usr/sbin/smbldap-useradd -c "Samba computer account" -g 515 -w -s /bin/false '%u' > add group script = /usr/sbin/smbldap-groupadd '%g' > add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' > delete user script = /usr/sbin/smbldap-userdel '%u' > delete group script = /usr/sbin/smbldap-groupdel '%g' > delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g' > set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > > So far, I can add a computer on a domain, but I can't rename it. > > I tried to rename the computer using smbldap-usermod before updating it in WinXP, but obviously, it fails telling me the user is > unknown. > > The only way I found is to add a computer with the new name to the domain using smbldap-useradd, leaving the domain from WinXP, > renaming it under WinXP, re-join the domain, then drop the old computer account. > > Here the content of log.root when I try to rename the computer (using "log file = /var/log/samba/log.%U" and log level = 3) > http://pastebin.org/26701 > The ACCESS denied is at line 771 : "set_user_info_21: failed to rename account: NT_STATUS_ACCESS_DENIED" > > I could give a more verbose log file, but this one is pretty huge... > > So, where did I fail ? > > Do we can rename a computer on a samba domain ? > > Feel free to ask me anything more you need to help me :) >-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH853fxWGfaAgowiIRAv69AJwKCpGF6nOgeTAqJPO+PTTFc89vSACfRXhi boB8PEzyPb1m8LHv15laWTc=CgVf -----END PGP SIGNATURE-----