author | Jim McDonough <jmcd@samba.org> | 2009-06-19 13:46:07 -0400 |
---|---|---|
committer | Jim McDonough <jmcd@samba.org> | 2009-06-19 13:46:07 -0400 |
commit | 7930f15f5dce0dd72b354f903a758b03988371b8 (patch) | |
tree | b3405ea2ccb64b92fad2854cecb5698c517d2fe1 /source3/utils | |
parent | 0524d24fb217813e4939b299b1fabe9a54b4216e (diff) | |
Don't require "Modify property" perms to unjoin bug #6481)
"net ads leave" stopped working when "modify properties"
permissions were not granted (meaning you had to be allowed
to disable the account that you were about to delete).
Libnetapi should not delete machine accounts, as this does not
happen on win32. The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag
really means "disable" (both in practice and docs).
However, to keep the functionality in "net ads leave", we
will still try to do the delete. If this fails, we try
to do the disable.
Additionally, it is possible in windows to not disable or
delete the account, but just tell the local machine that it
is no longer in the account. libnet can now do this as well.
Diffstat (limited to 'source3/utils')
-rw-r--r-- | source3/utils/net_ads.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 38b59d9cdf..d82715eb45 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -904,8 +904,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
 r->in.admin_account = get_cmdline_auth_info_username(ai);
 r->in.admin_password = get_cmdline_auth_info_password(ai);
 r->in.modify_config = lp_config_backend_is_registry();
+
+ /* Try to delete it, but if that fails, disable it. The
+ WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
 r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+ r->in.delete_machine_account = true;
 werr = libnet_Unjoin(ctx, r);
 if (!W_ERROR_IS_OK(werr)) {
@@ -915,7 +919,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
 goto done;
 }
- if (W_ERROR_IS_OK(werr)) {
+ if (r->out.deleted_machine_account) {
 d_printf("Deleted account for '%s' in realm '%s'\n",
 r->in.machine_name, r->out.dns_domain_name);
 goto done;
@@ -929,7 +933,10 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
 goto done;
 }
- d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
+ /* Based on what we requseted, we shouldn't get here, but if
+ we did, it means the secrets were removed, and therefore
+ we have left the domain */
+ d_fprintf(stderr, "Machine '%s' Left domain '%s'\n",
 r->in.machine_name, r->out.dns_domain_name);
 done: |
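Review bot: The comment added above `r->in.unjoin_flags` in the first hunk has an unterminated quote (`"disable */`) and does not say where the delete-then-disable fallback is carried out; this function only sets the flag and `delete_machine_account`. I would word it as `/* Ask libnet to delete the account and fall back to disabling it; WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE on its own only means "disable". */`. The fallback code is not part of this diff (the diffstat is limited to source3/utils), so that wording should be checked against the libnet side of the change. net_ads_leave begins and ends outside the hunk.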
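Review bot: The final `d_fprintf` in the third hunk prints `Machine '%s' Left domain '%s'` without saying that the machine account was apparently neither deleted nor disabled on this path, so an enabled computer account would stay behind in the directory with nothing prompting the administrator to clean it up. A message such as `"Machine '%s' left domain '%s' locally; its account was neither deleted nor disabled\n"` makes that follow-up visible. The new comment above it also has a typo (`requseted`). The checks that lead to this line and the return code set before `done:` lie outside the hunk, so whether this path exits with success should be confirmed against the full function.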