summaryrefslogtreecommitdiff
path: root/source3/utils
diff options
context:
space:
mode:
authorJim McDonough <jmcd@samba.org>2009-06-19 13:46:07 -0400
committerJim McDonough <jmcd@samba.org>2009-06-19 13:46:07 -0400
commit7930f15f5dce0dd72b354f903a758b03988371b8 (patch)
treeb3405ea2ccb64b92fad2854cecb5698c517d2fe1 /source3/utils
parent0524d24fb217813e4939b299b1fabe9a54b4216e (diff)
downloadsamba-7930f15f5dce0dd72b354f903a758b03988371b8.tar.gz
samba-7930f15f5dce0dd72b354f903a758b03988371b8.tar.bz2
samba-7930f15f5dce0dd72b354f903a758b03988371b8.zip
Don't require "Modify property" perms to unjoin bug #6481)
"net ads leave" stopped working when "modify properties" permissions were not granted (meaning you had to be allowed to disable the account that you were about to delete). Libnetapi should not delete machine accounts, as this does not happen on win32. The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means "disable" (both in practice and docs). However, to keep the functionality in "net ads leave", we will still try to do the delete. If this fails, we try to do the disable. Additionally, it is possible in windows to not disable or delete the account, but just tell the local machine that it is no longer in the account. libnet can now do this as well.
Diffstat (limited to 'source3/utils')
-rw-r--r--source3/utils/net_ads.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 38b59d9cdf..d82715eb45 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -904,8 +904,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
r->in.admin_account = get_cmdline_auth_info_username(ai);
r->in.admin_password = get_cmdline_auth_info_password(ai);
r->in.modify_config = lp_config_backend_is_registry();
+
+ /* Try to delete it, but if that fails, disable it. The
+ WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+ r->in.delete_machine_account = true;
werr = libnet_Unjoin(ctx, r);
if (!W_ERROR_IS_OK(werr)) {
@@ -915,7 +919,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
goto done;
}
- if (W_ERROR_IS_OK(werr)) {
+ if (r->out.deleted_machine_account) {
d_printf("Deleted account for '%s' in realm '%s'\n",
r->in.machine_name, r->out.dns_domain_name);
goto done;
@@ -929,7 +933,10 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
goto done;
}
- d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
+ /* Based on what we requseted, we shouldn't get here, but if
+ we did, it means the secrets were removed, and therefore
+ we have left the domain */
+ d_fprintf(stderr, "Machine '%s' Left domain '%s'\n",
r->in.machine_name, r->out.dns_domain_name);
done: