authorJim McDonough <jmcd@samba.org>2009-06-19 13:46:07 -0400
committerJim McDonough <jmcd@samba.org>2009-06-19 13:46:07 -0400
commit7930f15f5dce0dd72b354f903a758b03988371b8 (patch)
treeb3405ea2ccb64b92fad2854cecb5698c517d2fe1
parent0524d24fb217813e4939b299b1fabe9a54b4216e (diff)
Don't require "Modify property" perms to unjoin (bug #6481)
"net ads leave" stopped working when "modify properties" permissions were not granted (meaning you had to be allowed to disable the account that you were about to delete). Libnetapi should not delete machine accounts, as this does not happen on win32. The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means "disable" (both in practice and docs). However, to keep the functionality in "net ads leave", we will still try to do the delete. If this fails, we try to do the disable. Additionally, it is possible in windows to not disable or delete the account, but just tell the local machine that it is no longer in the account. libnet can now do this as well.
-rw-r--r--source3/lib/netapi/joindomain.c1
-rw-r--r--source3/libnet/libnet_join.c49
-rw-r--r--source3/librpc/gen_ndr/libnet_join.h5
-rw-r--r--source3/librpc/gen_ndr/ndr_libnet_join.c1
-rw-r--r--source3/librpc/idl/libnet_join.idl1
-rw-r--r--source3/utils/net_ads.c11
6 files changed, 50 insertions, 18 deletions
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index d4eba5ffee..9970a0655a 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -204,6 +204,7 @@ WERROR NetUnjoinDomain_l(struct libnetapi_ctx *mem_ctx,
u->in.domain_name = domain;
u->in.unjoin_flags = r->in.unjoin_flags;
+ u->in.delete_machine_account = false;
u->in.modify_config = true;
u->in.debug = true;
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index de920949a6..a96fd8c500 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1989,6 +1989,12 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
}
+ if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
+ !r->in.delete_machine_account) {
+ libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
+ return WERR_OK;
+ }
+
if (!r->in.dc_name) {
struct netr_DsRGetDCNameInfo *info;
const char *dc;
@@ -2014,21 +2020,12 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
}
- status = libnet_join_unjoindomain_rpc(mem_ctx, r);
- if (!NT_STATUS_IS_OK(status)) {
- libnet_unjoin_set_error_string(mem_ctx, r,
- "failed to disable machine account via rpc: %s",
- get_friendly_nt_error_msg(status));
- if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
- return WERR_SETUP_NOT_JOINED;
- }
- return ntstatus_to_werror(status);
- }
-
- r->out.disabled_machine_account = true;
-
#ifdef WITH_ADS
- if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
+ /* for net ads leave, try to delete the account. If it works,
+ no sense in disabling. If it fails, we can still try to
+ disable it. jmcd */
+
+ if (r->in.delete_machine_account) {
ADS_STATUS ads_status;
libnet_unjoin_connect_ads(mem_ctx, r);
ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r);
@@ -2042,10 +2039,34 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
r->out.dns_domain_name = talloc_strdup(mem_ctx,
r->in.ads->server.realm);
W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
+ libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
+ return WERR_OK;
}
}
#endif /* WITH_ADS */
+ /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
+ "disable". */
+ if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
+ status = libnet_join_unjoindomain_rpc(mem_ctx, r);
+ if (!NT_STATUS_IS_OK(status)) {
+ libnet_unjoin_set_error_string(mem_ctx, r,
+ "failed to disable machine account via rpc: %s",
+ get_friendly_nt_error_msg(status));
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ return WERR_SETUP_NOT_JOINED;
+ }
+ return ntstatus_to_werror(status);
+ }
+
+ r->out.disabled_machine_account = true;
+ r->out.dns_domain_name = talloc_strdup(mem_ctx,
+ r->in.ads->server.realm);
+ }
+
+ /* If disable succeeded or was not requested at all, we
+ should be getting rid of our end of things */
+
libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
return WERR_OK;
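Review bot: The new disable branch dereferences `r->in.ads->server.realm` (the talloc_strdup at the end of the `WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE` block) after the `#endif /* WITH_ADS */`, and nothing on this path guarantees `r->in.ads` is connected: libnet_unjoin_connect_ads is only called inside the `delete_machine_account` branch, which the libnetapi caller (NetUnjoinDomain_l sets `delete_machine_account = false`) skips, so presumably `r->in.ads` is still NULL there and the unjoin crashes after the account has already been disabled; in a build without WITH_ADS the struct may also be incomplete at that point. The same line also drops the `W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);` check that the deletion path keeps a few lines above. A source that does not depend on an ADS connection would be safer, e.g. `r->out.dns_domain_name = talloc_strdup(mem_ctx, r->in.domain_name);` followed by `W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);`, though whether `domain_name` carries the DNS realm or the NetBIOS name here is not visible in the hunk. libnet_DomainUnjoin begins outside the hunk.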
diff --git a/source3/librpc/gen_ndr/libnet_join.h b/source3/librpc/gen_ndr/libnet_join.h
index ed49062a78..cf915cbf18 100644
--- a/source3/librpc/gen_ndr/libnet_join.h
+++ b/source3/librpc/gen_ndr/libnet_join.h
@@ -2,13 +2,13 @@
#include <stdint.h>
+#include "libcli/util/ntstatus.h"
+
#include "librpc/gen_ndr/wkssvc.h"
#include "librpc/gen_ndr/security.h"
#ifndef _HEADER_libnetjoin
#define _HEADER_libnetjoin
-enum netr_SchannelType;
-
struct libnet_JoinCtx {
struct {
@@ -58,6 +58,7 @@ struct libnet_UnjoinCtx {
const char * admin_password;
const char * machine_password;
uint32_t unjoin_flags;
+ uint8_t delete_machine_account;
uint8_t modify_config;
struct dom_sid *domain_sid;/* [ref] */
struct ads_struct *ads;/* [ref] */
diff --git a/source3/librpc/gen_ndr/ndr_libnet_join.c b/source3/librpc/gen_ndr/ndr_libnet_join.c
index 79fcd16a90..ba31ea6365 100644
--- a/source3/librpc/gen_ndr/ndr_libnet_join.c
+++ b/source3/librpc/gen_ndr/ndr_libnet_join.c
@@ -89,6 +89,7 @@ _PUBLIC_ void ndr_print_libnet_UnjoinCtx(struct ndr_print *ndr, const char *name
ndr_print_ptr(ndr, "machine_password", r->in.machine_password);
#endif
ndr_print_wkssvc_joinflags(ndr, "unjoin_flags", r->in.unjoin_flags);
+ ndr_print_uint8(ndr, "delete_machine_account", r->in.delete_machine_account);
ndr_print_uint8(ndr, "modify_config", r->in.modify_config);
ndr_print_ptr(ndr, "domain_sid", r->in.domain_sid);
ndr->depth++;
diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
index c600ea094a..80429dc2fd 100644
--- a/source3/librpc/idl/libnet_join.idl
+++ b/source3/librpc/idl/libnet_join.idl
@@ -53,6 +53,7 @@ interface libnetjoin
[in] string admin_password,
[in] string machine_password,
[in] wkssvc_joinflags unjoin_flags,
+ [in] boolean8 delete_machine_account,
[in] boolean8 modify_config,
[in] dom_sid *domain_sid,
[in] ads_struct *ads,
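Review bot: The new `delete_machine_account` field is undocumented, and its meaning is not obvious next to `unjoin_flags`, which already carries a flag named ACCOUNT_DELETE that the libnet_join.c change now treats as "disable". Suggest a comment above the field such as `/* really remove the account (ADS); WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE only disables it */`. Since the gen_ndr header and ndr_print changes in this commit are presumably regenerated from this IDL, this file is the right place for that note.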
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 38b59d9cdf..d82715eb45 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -904,8 +904,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
r->in.admin_account = get_cmdline_auth_info_username(ai);
r->in.admin_password = get_cmdline_auth_info_password(ai);
r->in.modify_config = lp_config_backend_is_registry();
+
+ /* Try to delete it, but if that fails, disable it. The
+ WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+ r->in.delete_machine_account = true;
werr = libnet_Unjoin(ctx, r);
if (!W_ERROR_IS_OK(werr)) {
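Review bot: The new comment is missing the closing quote on `"disable`, and the comment added in the last hunk of this file misspells `requseted`. Suggest `WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable" */` here and `/* Based on what we requested, we shouldn't get here, but if` there. net_ads_leave continues outside the hunk.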
@@ -915,7 +919,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
goto done;
}
- if (W_ERROR_IS_OK(werr)) {
+ if (r->out.deleted_machine_account) {
d_printf("Deleted account for '%s' in realm '%s'\n",
r->in.machine_name, r->out.dns_domain_name);
goto done;
@@ -929,7 +933,10 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
goto done;
}
- d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
+ /* Based on what we requseted, we shouldn't get here, but if
+ we did, it means the secrets were removed, and therefore
+ we have left the domain */
+ d_fprintf(stderr, "Machine '%s' Left domain '%s'\n",
r->in.machine_name, r->out.dns_domain_name);
done:
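Review bot: The replacement message `Machine '%s' Left domain '%s'` reports success but is still emitted with `d_fprintf(stderr, ...)`, inherited from the failure message it replaced, while the sibling success message earlier in this function ("Deleted account for ...") uses `d_printf`. Suggest `d_printf("Machine '%s' left domain '%s'\n",` so scripts reading stdout see the outcome and stderr stays for errors. The surrounding net_ads_leave body continues outside the hunk.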