> So now in Computer properties in XP, what's the name ?

in computer properties the name was still ws1

> I have the feeling that XP is sending a create when it should in fact
> send a rename, to help us it would be great to:
>
> * leave XP from the domain
> * join the domain
> * stop the vm
> * start a tcpdump capture (check https://wiki.samba.org/index.php/Capture_Packets) on the ubuntu box
> * export the keytab of the domain (attention: with this we have access to ALL the passwords, so do it on a test domain with passwords that you _never_ use in production), check https://wiki.samba.org/index.php/Keytab_Extraction for the method to export the keytab
> * start the vm
> * log in with the admin, if possible note the packet number after the user has logged in
> * rename the workstation
>
> Send us the capture, it might be helpful.

I followed your instructions:
* left XP from domain
* changed winxp computer name to ws3 and sid with newsid utility (I had to do it because I got the error saying something like "cannot correlate user names", sorry for my bad translation from Russian)
* joined winxp to domain under name WS3
* powered off the vm
* started packet capture with "tcpdump -i eth1 -p -s 0 -w samba4.dump.txt port 445 or port 139"
* exported keytab with "samba-tool domain exportkeytab ./samba4.keytab"
* powered on winxp
* logged in as admin and tried to rename WS3 to WS4, twice, both times I got an error but they seem to be a bit different, first time it said something like the file exists already, the second time something like username is not found.

I wasn't able to note the packet number after I've logged on, packets are in raw. I zipped samba4 dump and keytab files and attached it.
Thanks!
On 05/01/2012 08:43 PM, Vladimir Obukhov wrote:
>> So now in Computer properties in XP, what's the name ?
>>
>> I have the feeling that XP is sending a create when it should in fact
>> send a rename, to help us it would be great to:
>>
>> * leave XP from the domain
>> * join the domain
>> * stop the vm
>> * start a tcpdump capture (check https://wiki.samba.org/index.php/Capture_Packets) on the ubuntu box
>> * export the keytab of the domain (attention: with this we have access to ALL the passwords, so do it on a test domain with passwords that you _never_ use in production), check https://wiki.samba.org/index.php/Keytab_Extraction for the method to export the keytab
>> * start the vm
>> * log in with the admin, if possible note the packet number after the user has logged in
>> * rename the workstation
>>
>> Send us the capture, it might be helpful.
>>
> in computer properties the name was still ws1
>
> I followed your instructions:
> * left XP from domain
> * changed winxp computer name to ws3 and sid with newsid utility (I had to do it because I got the error saying something like "cannot correlate user names", sorry for my bad translation from Russian)
> * joined winxp to domain under name WS3
> * powered off the vm
> * started packet capture with "tcpdump -i eth1 -p -s 0 -w samba4.dump.txt port 445 or port 139"
> * exported keytab with "samba-tool domain exportkeytab ./samba4.keytab"
> * powered on winxp
> * logged in as admin and tried to rename WS3 to WS4, twice, both times I got an error but they seem to be a bit different, first time it said something like the file exists already, the second time something like username is not found.

The "funny" part of it is that it seems that the samaccountname of the XP box has been changed: SAMR response #393 shows that the name WS4$ can be resolved.

Maybe with a complete trace we can understand what is denied when renaming the workstation (the change of the account name is at request #330).

> I wasn't able to note the packet number after I've logged on, packets are in raw. I zipped samba4 dump and keytab files and attached it.
> Thanks!

Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org
2012/5/2 Matthieu Patou <[hidden email]>
> On 05/01/2012 08:43 PM, Vladimir Obukhov wrote:
>
>>> So now in Computer properties in XP, what's the name ?
>>>
>>> I have the feeling that XP is sending a create when it should in fact
>>> send a rename, to help us it would be great to:
>>>
>>> * leave XP from the domain
>>> * join the domain
>>> * stop the vm
>>> * start a tcpdump capture (check https://wiki.samba.org/index.php/Capture_Packets) on the ubuntu box
>>> * export the keytab of the domain (attention: with this we have access to ALL the passwords, so do it on a test domain with passwords that you _never_ use in production), check https://wiki.samba.org/index.php/Keytab_Extraction for the method to export the keytab
>>> * start the vm
>>> * log in with the admin, if possible note the packet number after the user has logged in
>>> * rename the workstation
>>>
>>> Send us the capture, it might be helpful.
>>>
>> in computer properties the name was still ws1
>>
>> I followed your instructions:
>> * left XP from domain
>> * changed winxp computer name to ws3 and sid with newsid utility (I had to do it because I got the error saying something like "cannot correlate user names", sorry for my bad translation from Russian)
>> * joined winxp to domain under name WS3
>> * powered off the vm
>> * started packet capture with "tcpdump -i eth1 -p -s 0 -w samba4.dump.txt port 445 or port 139"
>>
> Don't filter the port, we need LDAP, kerberos and all the rest ...
>
>> * exported keytab with "samba-tool domain exportkeytab ./samba4.keytab"
>> * powered on winxp
>> * logged in as admin and tried to rename WS3 to WS4, twice, both times I got an error but they seem to be a bit different, first time it said something like the file exists already, the second time something like username is not found.
>>
> The "funny" part of it is that it seems that the samaccountname of the XP box has been changed: SAMR response #393 shows that the name WS4$ can be resolved.
>
> Maybe with a complete trace we can understand what is denied when renaming the workstation (the change of the account name is at request #330).
>
>> I wasn't able to note the packet number after I've logged on, packets are in raw. I zipped samba4 dump and keytab files and attached it.
>> Thanks!

ok, that's what I've done step by step again:

* left XP from domain
* changed winxp computer name to WS5 and sid with newsid utility
* joined winxp to domain under name WS5
* powered off the vm
* started packet capture with "tcpdump -p -s 0 -w samba4.dump.txt"
* exported keytab with "samba-tool domain exportkeytab ./samba4.keytab"
* powered on winxp
* logged in as admin (I entered a wrong username one time, if that's important) and tried to rename WS5 to WS6, twice, both times I got an error but they seem to be a bit different, first time it said something

the dump files were too large for the maillist (I cancelled that posting) so I have put it on rapidshare, here's the link:
https://rapidshare.com/files/3805994593/samba4.zip
Hi Vladimir,
> ok, that's what I've done step by step again:
>
> * left XP from domain
> * changed winxp computer name to WS5 and sid with newsid utility
> * joined winxp to domain under name WS5
> * powered off the vm
> * started packet capture with "tcpdump -p -s 0 -w samba4.dump.txt"
> * exported keytab with "samba-tool domain exportkeytab ./samba4.keytab"
> * powered on winxp
> * logged in as admin (I entered a wrong username one time, if that's important) and tried to rename WS5 to WS6, twice, both times I got an error but they seem to be a bit different, first time it said something
>
> the dump files were too large for the maillist (I cancelled that posting) so I have put it on rapidshare, here's the link:
> https://rapidshare.com/files/3805994593/samba4.zip

Now with this trace I have the reason of the problem.
I put Matthias in copy as he might be the most aware of this.
The problem lies in the samldb_service_principal_names_change() function, as we try to add a new principal that is also specified in the request.

Before adding a SPN we should check that this SPN is not already specified in the request, then I suspect that the rename will work.

Matthieu.
Matthieu, Andrew,
this has been a tricky issue. Here you can find my patch and the reason explained in the commit notice:
http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=commitdiff;h=b2d3ef922913de635be559df624ef53fccce598e
Please review & merge it!

Cheers,
Matthias

Matthieu Patou wrote:
> Hi Vladimir,
>
>> ok, that's what I've done step by step again:
>>
>> * left XP from domain
>> * changed winxp computer name to WS5 and sid with newsid utility
>> * joined winxp to domain under name WS5
>> * powered off the vm
>> * started packet capture with "tcpdump -p -s 0 -w samba4.dump.txt"
>> * exported keytab with "samba-tool domain exportkeytab ./samba4.keytab"
>> * powered on winxp
>> * logged in as admin (I entered a wrong username one time, if that's important) and tried to rename WS5 to WS6, twice, both times I got an error but they seem to be a bit different, first time it said something
>>
>> the dump files were too large for the maillist (I cancelled that posting) so I have put it on rapidshare, here's the link:
>> https://rapidshare.com/files/3805994593/samba4.zip
> Now with this trace I have the reason of the problem.
> I put Matthias in copy as he might be the most aware of this.
> The problem lies in the samldb_service_principal_names_change() function, as we try to add a new principal that is also specified in the request.
>
> Before adding a SPN we should check that this SPN is not already specified in the request, then I suspect that the rename will work.
>
> Matthieu.
Matthias,
On 05/03/2012 02:04 PM, Matthias Dieter Wallnöfer wrote:
> Matthieu, Andrew,
>
> this has been a tricky issue. Here you can find my patch and the reason explained in the commit notice:
> http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=commitdiff;h=b2d3ef922913de635be559df624ef53fccce598e
> Please review & merge it!
>
Your patch didn't address the real problem, my logic might be affected but it looks like your patch is trying to prevent duplicates in the servicePrincipalName that are due to a dnsHostName change.

This seems pretty inefficient, why not add all the values to an array, and then check for duplicates only once instead of doing it for all the entries that are about to be modified, iterating several times.

But most important, your patch didn't address the issue of Vladimir, which is the following: there are 2 modifications in the request, one for dnsHostName and one for servicePrincipalName; the modification in servicePrincipalName is the same as the one triggered by the dnsHostName change, resulting in two entries for the same value, causing ldb to reject the change.

I think the correct approach is the following:

1 in samldb_service_principal_names_change() check if there is a servicePrincipalName in the change message
2 if so get the values
3 create a list of changed values for the servicePrincipalName due to the dnsHostname or samaccountname change
4 Once the list is complete check that there are no duplicate values with those obtained in step 2

Apart from that there is a test missing on the uniqueness (case-insensitive) of values for the attribute servicePrincipalName, because for the moment we can add HOST/MYHOST when the entry HOST/myhost already exists (Windows 2003R2 does not allow this).

Matthieu.

> Cheers,
> Matthias
>
> Matthieu Patou wrote:
>> Hi Vladimir,
>>
>>> ok, that's what I've done step by step again:
>>>
>>> * left XP from domain
>>> * changed winxp computer name to WS5 and sid with newsid utility
>>> * joined winxp to domain under name WS5
>>> * powered off the vm
>>> * started packet capture with "tcpdump -p -s 0 -w samba4.dump.txt"
>>> * exported keytab with "samba-tool domain exportkeytab ./samba4.keytab"
>>> * powered on winxp
>>> * logged in as admin (I entered a wrong username one time, if that's important) and tried to rename WS5 to WS6, twice, both times I got an error but they seem to be a bit different, first time it said something
>>>
>>> the dump files were too large for the maillist (I cancelled that posting) so I have put it on rapidshare, here's the link:
>>> https://rapidshare.com/files/3805994593/samba4.zip
>> Now with this trace I have the reason of the problem.
>> I put Matthias in copy as he might be the most aware of this.
>> The problem lies in the samldb_service_principal_names_change() function, as we try to add a new principal that is also specified in the request.
>>
>> Before adding a SPN we should check that this SPN is not already specified in the request, then I suspect that the rename will work.
>>
>> Matthieu.
>
Hi Andrew, Matthieu,
in my "master" branch you can find the necessary patches besides some other work which I find ready to push.

Cheers,
Matthias

Matthieu Patou wrote:
> Matthias,
>
> On 05/03/2012 02:04 PM, Matthias Dieter Wallnöfer wrote:
>> Matthieu, Andrew,
>>
>> this has been a tricky issue. Here you can find my patch and the reason explained in the commit notice:
>> http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=commitdiff;h=b2d3ef922913de635be559df624ef53fccce598e
>> Please review & merge it!
>>
> Your patch didn't address the real problem, my logic might be affected but it looks like your patch is trying to prevent duplicates in the servicePrincipalName that are due to a dnsHostName change.
>
> This seems pretty inefficient, why not add all the values to an array, and then check for duplicates only once instead of doing it for all the entries that are about to be modified, iterating several times.
>
> But most important, your patch didn't address the issue of Vladimir, which is the following: there are 2 modifications in the request, one for dnsHostName and one for servicePrincipalName; the modification in servicePrincipalName is the same as the one triggered by the dnsHostName change, resulting in two entries for the same value, causing ldb to reject the change.
>
> I think the correct approach is the following:
>
> 1 in samldb_service_principal_names_change() check if there is a servicePrincipalName in the change message
> 2 if so get the values
> 3 create a list of changed values for the servicePrincipalName due to the dnsHostname or samaccountname change
> 4 Once the list is complete check that there are no duplicate values with those obtained in step 2
>
> Apart from that there is a test missing on the uniqueness (case-insensitive) of values for the attribute servicePrincipalName, because for the moment we can add HOST/MYHOST when the entry HOST/myhost already exists (Windows 2003R2 does not allow this).
>
> Matthieu.
>
>> Cheers,
>> Matthias
>>
>> Matthieu Patou wrote:
>>> Hi Vladimir,
>>>
>>>> ok, that's what I've done step by step again:
>>>>
>>>> * left XP from domain
>>>> * changed winxp computer name to WS5 and sid with newsid utility
>>>> * joined winxp to domain under name WS5
>>>> * powered off the vm
>>>> * started packet capture with "tcpdump -p -s 0 -w samba4.dump.txt"
>>>> * exported keytab with "samba-tool domain exportkeytab ./samba4.keytab"
>>>> * powered on winxp
>>>> * logged in as admin (I entered a wrong username one time, if that's important) and tried to rename WS5 to WS6, twice, both times I got an error but they seem to be a bit different, first time it said something
>>>>
>>>> the dump files were too large for the maillist (I cancelled that posting) so I have put it on rapidshare, here's the link:
>>>> https://rapidshare.com/files/3805994593/samba4.zip
>>> Now with this trace I have the reason of the problem.
>>> I put Matthias in copy as he might be the most aware of this.
>>> The problem lies in the samldb_service_principal_names_change() function, as we try to add a new principal that is also specified in the request.
>>>
>>> Before adding a SPN we should check that this SPN is not already specified in the request, then I suspect that the rename will work.
>>>
>>> Matthieu.
>>
>
On Thu, 2012-05-24 at 22:33 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew, Matthieu,
>
> in my "master" branch you can find the necessary patches besides some
> other work which I find ready to push.

This looks quite reasonable, but the repl_meta_data changes need a careful look, and the performance impact of the increased inner cost in the O^2 needs a careful examination.

Also note that some DNs may appear identical to the comparison fn, but actually be different (deleted members of a group) due to the differences being in the extended DN components.

We may need to honour a flag passed down from repl_meta_data in that case.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
On Fri, 2012-05-25 at 21:06 +1000, Andrew Bartlett wrote:
> On Thu, 2012-05-24 at 22:33 +0200, Matthias Dieter Wallnöfer wrote:
>> Hi Andrew, Matthieu,
>>
>> in my "master" branch you can find the necessary patches besides some
>> other work which I find ready to push.
>
> This looks quite reasonable, but the repl_meta_data changes need a
> careful look, and the performance impact of the increased inner cost in
> the O^2 needs a careful examination.
>
> Also note that some DNs may appear identical to the comparison fn, but
> actually be different (deleted members of a group) due to the
> differences being in the extended DN components.
>
> We may need to honour a flag passed down from repl_meta_data in that
> case.

Specifically I would like a flag like LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK to be passed down when we already know that this value has been checked for duplicates, or where 'duplicates' (due to the extended values not being considered in the comparison function) do not matter.

Also, we really should use a more efficient way to detect the duplicates, such as qsort() over the final merged result (where we have more than one value).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
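Editor's note, added to this thread and not code from Samba or from any of the participants: the model below shows the servicePrincipalName merge that Matthieu's steps 1-4 describe (take the client's own servicePrincipalName values, compute the values implied by the dnsHostName / sAMAccountName change, then drop the implied values that are already in the request), together with the case-insensitive uniqueness test he says is missing, implemented the way Andrew suggests (sort once, compare neighbours) rather than by pairwise comparison. The rewrite rule (swap the old host component of a two-part "service/host[:port]" SPN for the new one), the example names and the WS5 -> WS6 sample values are assumptions constructed for the illustration; samldb's real logic is not reproduced here.

```python
"""
Constructed model of the servicePrincipalName (SPN) merge that
samldb_service_principal_names_change() must perform when a computer account's
dnsHostName / sAMAccountName changes.  Not Samba code.  Assumptions: two-part
SPNs "service/host[:port]" only, and a simplified rewrite rule (replace the old
host component with the new one).
"""
from typing import Dict, Iterable, List, Tuple


def netbios_name(sam_account_name: str) -> str:
    """Computer accounts are 'WS5$' in sAMAccountName; SPNs carry 'WS5'."""
    return sam_account_name[:-1] if sam_account_name.endswith("$") else sam_account_name


def split_spn(spn: str) -> Tuple[str, str, str]:
    """Split 'service/host[:port]' into (service, host, ':port' or '')."""
    service, _, rest = spn.partition("/")
    host, sep, port = rest.partition(":")
    return service, host, sep + port


def rewrite_spn(spn: str, old: Dict[str, str], new: Dict[str, str]) -> str:
    """Step 3: the SPN value implied by the name change.

    If the host component equals the old dnsHostName ('dns') or the old NetBIOS
    name ('nb'), compared case-insensitively, substitute the new one.
    """
    service, host, port = split_spn(spn)
    for key in ("dns", "nb"):
        if host.lower() == old[key].lower():
            return f"{service}/{new[key]}{port}"
    return spn


def implied_spns(existing: Iterable[str], old_dns: str, old_sam: str,
                 new_dns: str, new_sam: str) -> List[str]:
    """Rewrite every stored SPN for the old names into its post-rename form."""
    old = {"dns": old_dns, "nb": netbios_name(old_sam)}
    new = {"dns": new_dns, "nb": netbios_name(new_sam)}
    return [rewrite_spn(s, old, new) for s in existing]


def has_case_insensitive_duplicates(values: Iterable[str]) -> bool:
    """Uniqueness test done sort-based (O(n log n)) instead of pairwise.

    A byte-wise check would accept HOST/MYHOST next to HOST/myhost; this one
    rejects it, which is the Windows behaviour the thread refers to.
    """
    lowered = sorted(v.lower() for v in values)
    return any(a == b for a, b in zip(lowered, lowered[1:]))


def naive_merge(requested: List[str], implied: List[str]) -> List[str]:
    """The failing behaviour: append implied values to the client's values
    without checking, so the same value ends up in the list twice."""
    return list(requested) + list(implied)


def merge_spns(existing: Iterable[str], old_dns: str, old_sam: str,
               new_dns: str, new_sam: str, requested: Iterable[str]) -> List[str]:
    """Steps 1-4: keep the client's own values, then add only implied values
    that are not already present (case-insensitively).  The result is the value
    list for a single 'replace' of servicePrincipalName."""
    seen = set()
    merged: List[str] = []
    for value in list(requested) + implied_spns(existing, old_dns, old_sam, new_dns, new_sam):
        if value.lower() in seen:
            continue
        seen.add(value.lower())
        merged.append(value)
    return merged


# Constructed sample data modelled on the WS5 -> WS6 rename (not from the trace).
EXISTING_SPNS = ["HOST/WS5", "HOST/ws5.samba.example.com"]
REQUESTED_SPNS = ["HOST/WS6", "HOST/ws6.samba.example.com"]  # sent by the client itself
OLD_DNS, OLD_SAM = "ws5.samba.example.com", "WS5$"
NEW_DNS, NEW_SAM = "ws6.samba.example.com", "WS6$"


def demo() -> Tuple[bool, List[str]]:
    """Return (naive merge has duplicates, deduplicated replace list)."""
    implied = implied_spns(EXISTING_SPNS, OLD_DNS, OLD_SAM, NEW_DNS, NEW_SAM)
    rejected = has_case_insensitive_duplicates(naive_merge(REQUESTED_SPNS, implied))
    fixed = merge_spns(EXISTING_SPNS, OLD_DNS, OLD_SAM, NEW_DNS, NEW_SAM, REQUESTED_SPNS)
    return rejected, fixed


if __name__ == "__main__":
    rejected, fixed = demo()
    print("naive merge contains duplicates:", rejected)
    print("deduplicated servicePrincipalName replace list:", fixed)
```

Running the block shows the two outcomes side by side: the naive concatenation carries each new SPN twice (once from the client's request, once derived from the dnsHostName change), which is the duplicate the thread says ldb rejects, while the merged list contains each value once. The same `has_case_insensitive_duplicates()` check also catches `HOST/MYHOST` against an existing `HOST/myhost`, which plain byte comparison would let through.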
