u->in.domain_name = domain;
u->in.unjoin_flags = r->in.unjoin_flags;
+ u->in.delete_machine_account = false;
u->in.modify_config = true;
u->in.debug = true;
W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
}
+ if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
+ !r->in.delete_machine_account) {
+ libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
+ return WERR_OK;
+ }
+
if (!r->in.dc_name) {
struct netr_DsRGetDCNameInfo *info;
const char *dc;
W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
}
- status = libnet_join_unjoindomain_rpc(mem_ctx, r);
- if (!NT_STATUS_IS_OK(status)) {
- libnet_unjoin_set_error_string(mem_ctx, r,
- "failed to disable machine account via rpc: %s",
- get_friendly_nt_error_msg(status));
- if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
- return WERR_SETUP_NOT_JOINED;
- }
- return ntstatus_to_werror(status);
- }
-
- r->out.disabled_machine_account = true;
-
#ifdef WITH_ADS
- if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
+ /* for net ads leave, try to delete the account. If it works,
+ no sense in disabling. If it fails, we can still try to
+ disable it. jmcd */
+
+ if (r->in.delete_machine_account) {
ADS_STATUS ads_status;
libnet_unjoin_connect_ads(mem_ctx, r);
ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r);
r->out.dns_domain_name = talloc_strdup(mem_ctx,
r->in.ads->server.realm);
W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
+ libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
+ return WERR_OK;
}
}
#endif /* WITH_ADS */
+ /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
+ "disable". */
+ if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
+ status = libnet_join_unjoindomain_rpc(mem_ctx, r);
+ if (!NT_STATUS_IS_OK(status)) {
+ libnet_unjoin_set_error_string(mem_ctx, r,
+ "failed to disable machine account via rpc: %s",
+ get_friendly_nt_error_msg(status));
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ return WERR_SETUP_NOT_JOINED;
+ }
+ return ntstatus_to_werror(status);
+ }
+
+ r->out.disabled_machine_account = true;
+ r->out.dns_domain_name = talloc_strdup(mem_ctx,
+ r->in.ads->server.realm);
+ }
+
+ /* If disable succeeded or was not requested at all, we
+ should be getting rid of our end of things */
+
libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
return WERR_OK;
#include <stdint.h>
+#include "libcli/util/ntstatus.h"
+
#include "librpc/gen_ndr/wkssvc.h"
#include "librpc/gen_ndr/security.h"
#ifndef _HEADER_libnetjoin
#define _HEADER_libnetjoin
-enum netr_SchannelType;
-
struct libnet_JoinCtx {
struct {
const char * admin_password;
const char * machine_password;
uint32_t unjoin_flags;
+ uint8_t delete_machine_account;
uint8_t modify_config;
struct dom_sid *domain_sid;/* [ref] */
struct ads_struct *ads;/* [ref] */
ndr_print_ptr(ndr, "machine_password", r->in.machine_password);
#endif
ndr_print_wkssvc_joinflags(ndr, "unjoin_flags", r->in.unjoin_flags);
+ ndr_print_uint8(ndr, "delete_machine_account", r->in.delete_machine_account);
ndr_print_uint8(ndr, "modify_config", r->in.modify_config);
ndr_print_ptr(ndr, "domain_sid", r->in.domain_sid);
ndr->depth++;
[in] string admin_password,
[in] string machine_password,
[in] wkssvc_joinflags unjoin_flags,
+ [in] boolean8 delete_machine_account,
[in] boolean8 modify_config,
[in] dom_sid *domain_sid,
[in] ads_struct *ads,
r->in.admin_account = get_cmdline_auth_info_username(ai);
r->in.admin_password = get_cmdline_auth_info_password(ai);
r->in.modify_config = lp_config_backend_is_registry();
+
+ /* Try to delete it, but if that fails, disable it. The
+ WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+ r->in.delete_machine_account = true;
werr = libnet_Unjoin(ctx, r);
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
- if (W_ERROR_IS_OK(werr)) {
+ if (r->out.deleted_machine_account) {
d_printf("Deleted account for '%s' in realm '%s'\n",
r->in.machine_name, r->out.dns_domain_name);
goto done;
goto done;
}
- d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
+ /* Based on what we requseted, we shouldn't get here, but if
+ we did, it means the secrets were removed, and therefore
+ we have left the domain */
+ d_fprintf(stderr, "Machine '%s' Left domain '%s'\n",
r->in.machine_name, r->out.dns_domain_name);
done: