It's not a Samba issue. It's a Windows issue. Windows associates the
account name with a particular SID, whether it's a machine or a user
account. You can't just change the name like you can in Unix.
Now I admit I haven't worked on Windows Servers newer than W2K but the
NT domain stuff hasn't changed. The only way to change an account name
for a SID is to remove it first then re-add it under the new name. With
Samba and machine accounts this can be done by dropping the machine
account from the database then changing the machine name on the local
machine while adding it back into the Domain.
Again however, if you are re-assigning machines without re-imaging them,
you've got a security problem to deal with. I'm not saying you have to
do a DoD-type erase, but at least don't leave files around that can be
easily undeleted. Re-imaging has been around for more than a decade.
It's not that hard to do. And it takes care of your issues with changing
the name - just give the re-imaged machine its new name. The only
downside (the last time I checked anyway) is you need a commercial
package like Ghost to give each image a unique SID.
Jason Somers wrote:
I guess I am just missing the point here. I am not in the position to
change policy. I must work with what I have inside of standard
operating procedures.
Why is it such a big deal to change the computer name while connected
to the domain? This seems like such a simple thing (that you can do on
ALL Windows domains), and yet it does not seem like it can be done on
Samba...
-Jason
Gaiseric Vandal wrote:
On 01/12/10 15:54, Walter Mautner wrote:
On Tuesday, 12 January 2010 20:24:25, Jason Somers wrote:
Clients are NFP, and have about 100 workstations. Once or twice a year,
they get grants for upwards of 10 new systems. These systems get
distributed to those with the most need, and in turn, their systems get
passed to whomever has computers less powerful than those. System names
reflect different departments and subdepartments, so if you move a
computer anywhere, its name must change.
Make sense?
Changing policy makes even more sense. Like here, our main office is getting
crowded while one or the other branch office dies due to financial cuts.
That makes for a lot of internal moves.
While we had our client computers named that way as well, a while ago,
we soon faced the nightmare (it's not only the samba/ldap, but other servers
like the av management server, policy-driven services and whatever) of having
to change a lot of data and database entries on every move.
Now, we just number the boxen (try to change to numbers representing the
SAP-generated 6-digit asset ids) and keep the location and similar info in a
single database asset database.
We use LDAP for a backend. At some point when we switched from TDB
to LDAP not all the machine info imported properly. But I was able
to use "smbpasswd -w" to dump out sambaSIDs to copy and paste into
LDAP.
So if your backend was ldap you could probably change the machine
name in LDAP as well as on the machine. Or possibly create a new
LDAP entry and cut and paste the LDAP sambaSID. This would probably
be a huge pain with a TDB backend.
One place I worked we used only Dells, which had nice short service
tags, which doubled as their machine names.