6 files changed, 50 insertions, 18 deletions

diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index d4eba5ffee..9970a0655a 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -204,6 +204,7 @@ WERROR NetUnjoinDomain_l(struct libnetapi_ctx *mem_ctx,
 
 	u->in.domain_name = domain;
 	u->in.unjoin_flags = r->in.unjoin_flags;
+	u->in.delete_machine_account = false;
 	u->in.modify_config = true;
 	u->in.debug = true;
 
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index de920949a6..a96fd8c500 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1989,6 +1989,12 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
 		W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
 	}
 
+	if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) && 
+	    !r->in.delete_machine_account) {
+		libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
+		return WERR_OK;
+	}
+
 	if (!r->in.dc_name) {
 		struct netr_DsRGetDCNameInfo *info;
 		const char *dc;
@@ -2014,21 +2020,12 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
 		W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
 	}
 
-	status = libnet_join_unjoindomain_rpc(mem_ctx, r);
-	if (!NT_STATUS_IS_OK(status)) {
-		libnet_unjoin_set_error_string(mem_ctx, r,
-			"failed to disable machine account via rpc: %s",
-			get_friendly_nt_error_msg(status));
-		if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
-			return WERR_SETUP_NOT_JOINED;
-		}
-		return ntstatus_to_werror(status);
-	}
-
-	r->out.disabled_machine_account = true;
-
 #ifdef WITH_ADS
-	if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
+	/* for net ads leave, try to delete the account.  If it works, 
+	   no sense in disabling.  If it fails, we can still try to 
+	   disable it. jmcd */
+	   
+	if (r->in.delete_machine_account) {
 		ADS_STATUS ads_status;
 		libnet_unjoin_connect_ads(mem_ctx, r);
 		ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r);
@@ -2042,10 +2039,34 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
 			r->out.dns_domain_name = talloc_strdup(mem_ctx,
 							       r->in.ads->server.realm);
 			W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
+			libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
+			return WERR_OK;
 		}
 	}
 #endif /* WITH_ADS */
 
+	/* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means 
+	   "disable".  */
+	if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
+		status = libnet_join_unjoindomain_rpc(mem_ctx, r);
+		if (!NT_STATUS_IS_OK(status)) {
+			libnet_unjoin_set_error_string(mem_ctx, r,
+				"failed to disable machine account via rpc: %s",
+				get_friendly_nt_error_msg(status));
+			if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+				return WERR_SETUP_NOT_JOINED;
+			}
+			return ntstatus_to_werror(status);
+		}
+		
+		r->out.disabled_machine_account = true;
+		r->out.dns_domain_name = talloc_strdup(mem_ctx,
+						       r->in.ads->server.realm);
+	}
+
+	/* If disable succeeded or was not requested at all, we 
+	   should be getting rid of our end of things */
+
 	libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
 
 	return WERR_OK;
diff --git a/source3/librpc/gen_ndr/libnet_join.h b/source3/librpc/gen_ndr/libnet_join.h
index ed49062a78..cf915cbf18 100644
--- a/source3/librpc/gen_ndr/libnet_join.h
+++ b/source3/librpc/gen_ndr/libnet_join.h
@@ -2,13 +2,13 @@
 
 #include <stdint.h>
 
+#include "libcli/util/ntstatus.h"
+
 #include "librpc/gen_ndr/wkssvc.h"
 #include "librpc/gen_ndr/security.h"
 #ifndef _HEADER_libnetjoin
 #define _HEADER_libnetjoin
 
-enum netr_SchannelType;
-
 
 struct libnet_JoinCtx {
 	struct {
@@ -58,6 +58,7 @@ struct libnet_UnjoinCtx {
 		const char * admin_password;
 		const char * machine_password;
 		uint32_t unjoin_flags;
+		uint8_t delete_machine_account;
 		uint8_t modify_config;
 		struct dom_sid *domain_sid;/* [ref] */
 		struct ads_struct *ads;/* [ref] */
diff --git a/source3/librpc/gen_ndr/ndr_libnet_join.c b/source3/librpc/gen_ndr/ndr_libnet_join.c
index 79fcd16a90..ba31ea6365 100644
--- a/source3/librpc/gen_ndr/ndr_libnet_join.c
+++ b/source3/librpc/gen_ndr/ndr_libnet_join.c
@@ -89,6 +89,7 @@ _PUBLIC_ void ndr_print_libnet_UnjoinCtx(struct ndr_print *ndr, const char *name
 		ndr_print_ptr(ndr, "machine_password", r->in.machine_password);
 #endif
 		ndr_print_wkssvc_joinflags(ndr, "unjoin_flags", r->in.unjoin_flags);
+		ndr_print_uint8(ndr, "delete_machine_account", r->in.delete_machine_account);
 		ndr_print_uint8(ndr, "modify_config", r->in.modify_config);
 		ndr_print_ptr(ndr, "domain_sid", r->in.domain_sid);
 		ndr->depth++;
diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
index c600ea094a..80429dc2fd 100644
--- a/source3/librpc/idl/libnet_join.idl
+++ b/source3/librpc/idl/libnet_join.idl
@@ -53,6 +53,7 @@ interface libnetjoin
 		[in] string admin_password,
 		[in] string machine_password,
 		[in] wkssvc_joinflags unjoin_flags,
+		[in] boolean8 delete_machine_account,
 		[in] boolean8 modify_config,
 		[in] dom_sid *domain_sid,
 		[in] ads_struct *ads,
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 38b59d9cdf..d82715eb45 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -904,8 +904,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
 	r->in.admin_account	= get_cmdline_auth_info_username(ai);
 	r->in.admin_password	= get_cmdline_auth_info_password(ai);
 	r->in.modify_config	= lp_config_backend_is_registry();
+
+	/* Try to delete it, but if that fails, disable it.  The 
+	   WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
 	r->in.unjoin_flags	= WKSSVC_JOIN_FLAGS_JOIN_TYPE |
 				  WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+	r->in.delete_machine_account = true;
 
 	werr = libnet_Unjoin(ctx, r);
 	if (!W_ERROR_IS_OK(werr)) {
@@ -915,7 +919,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
 		goto done;
 	}
 
-	if (W_ERROR_IS_OK(werr)) {
+	if (r->out.deleted_machine_account) {
 		d_printf("Deleted account for '%s' in realm '%s'\n",
 			r->in.machine_name, r->out.dns_domain_name);
 		goto done;
@@ -929,7 +933,10 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
 		goto done;
 	}
 
-	d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
+	/* Based on what we requseted, we shouldn't get here, but if
+	   we did, it means the secrets were removed, and therefore
+	   we have left the domain */
+	d_fprintf(stderr, "Machine '%s' Left domain '%s'\n",
 		  r->in.machine_name, r->out.dns_domain_name);
 
  done: