Bug 6481 - net ads leave needs to try account deletion, NetUnjoinDomain not.
net ads leave needs to try account deletion, NetUnjoinDomain not.
Status: RESOLVED FIXED
Product: Samba 3.4
Classification: Unclassified
Component: Domain Control
unspecified
Other Linux
: P3 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-17 10:13 UTC by Guenther Deschner
Modified: 2009-06-30 02:10 UTC (History)
0 users

See Also:
gd: review+


Attachments
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.3 (7.64 KB, patch)
2009-06-20 13:01 UTC, Jim McDonough
no flags Details
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.3 (7.37 KB, patch)
2009-06-21 06:50 UTC, Jim McDonough
no flags Details
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.2 (7.29 KB, patch)
2009-06-21 06:52 UTC, Jim McDonough
no flags Details
updated backport to 3.4 (8.10 KB, patch)
2009-06-29 08:08 UTC, Jim McDonough
gd: review+
Details
updated backport to 3.3 (7.81 KB, patch)
2009-06-29 08:52 UTC, Jim McDonough
gd: review+
Details
updated backport to 3.2 (7.73 KB, patch)
2009-06-29 09:08 UTC, Jim McDonough
gd: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Guenther Deschner 2009-06-17 10:13:35 UTC
net ads leave needs to try account deletion, NetUnjoinDomain not.

Reference: 
http://msdn.microsoft.com/en-us/library/aa370644%28VS.85%29.aspx
Comment 1 Jim McDonough 2009-06-19 12:28:33 UTC
NetDomainUnjoin() never deletes accounts.  The delete flag is deceiving, because it actually disables the account rather than deleting it.

We need to change libnetapi to do the same.  However, libnet still needs to be able to delete in order to perform "net ads leave" as we have in the past.

Also, libnet DomainUnjoin needs to be able to delete the local secrets data without first disabling or deleting, if so requested.  This matches windows behavior.  (e.g. try using local admin to leave a domain...the account will still exist and be enabled on the DC, but the machine will no longer think it is in the domain).
Comment 2 Jim McDonough 2009-06-19 12:51:01 UTC
pushed fix with 7930f15f5dce0dd72b354f903a758b03988371b8
Comment 3 Jim McDonough 2009-06-20 13:01:18 UTC
Created attachment 4335 [details]
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.3
Comment 4 Jim McDonough 2009-06-21 06:50:50 UTC
Created attachment 4338 [details]
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.3

Previous one had a compile error
Comment 5 Jim McDonough 2009-06-21 06:52:37 UTC
Created attachment 4339 [details]
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.2
Comment 6 Jim McDonough 2009-06-21 06:53:34 UTC
Günther, can you look at these?
Comment 7 Guenther Deschner 2009-06-22 15:18:17 UTC
We found a small error still in the patch that would break the use of NetUnJoin() in non-AD setups.
Comment 8 Jim McDonough 2009-06-29 08:08:58 UTC
Created attachment 4361 [details]
updated backport to 3.4
Comment 9 Jim McDonough 2009-06-29 08:52:29 UTC
Created attachment 4362 [details]
updated backport to 3.3
Comment 10 Jim McDonough 2009-06-29 09:08:53 UTC
Created attachment 4363 [details]
updated backport to 3.2
Comment 11 Guenther Deschner 2009-06-29 12:32:19 UTC
Karolin, your turn now :)
Comment 12 Karolin Seeger 2009-06-30 02:10:52 UTC
Pushed to v3-2-test, v3-3-test and v3-4-test.
Closing out bug report.

Thanks!