Bug 6481 - net ads leave needs to try account deletion, NetUnjoinDomain not.
Summary: net ads leave needs to try account deletion, NetUnjoinDomain not.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Domain Control
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-17 10:13 UTC by Guenther Deschner
Modified: 2009-06-30 02:10 UTC
0 users

See Also:
gd: review+


Attachments
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.3 (7.64 KB, patch)
2009-06-20 13:01 UTC, Jim McDonough
no flags
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.3 (7.37 KB, patch)
2009-06-21 06:50 UTC, Jim McDonough
no flags
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.2 (7.29 KB, patch)
2009-06-21 06:52 UTC, Jim McDonough
no flags
updated backport to 3.4 (8.10 KB, patch)
2009-06-29 08:08 UTC, Jim McDonough
gd: review+
updated backport to 3.3 (7.81 KB, patch)
2009-06-29 08:52 UTC, Jim McDonough
gd: review+
updated backport to 3.2 (7.73 KB, patch)
2009-06-29 09:08 UTC, Jim McDonough
gd: review+

Description Guenther Deschner 2009-06-17 10:13:35 UTC
net ads leave needs to try account deletion, NetUnjoinDomain not.

Reference: 
http://msdn.microsoft.com/en-us/library/aa370644%28VS.85%29.aspx
Comment 1 Jim McDonough 2009-06-19 12:28:33 UTC
NetDomainUnjoin() never deletes accounts.  The delete flag is deceiving, because it actually disables the account rather than deleting it.

We need to change libnetapi to do the same.  However, libnet still needs to be able to delete in order to perform "net ads leave" as we have in the past.

Also, libnet DomainUnjoin needs to be able to delete the local secrets data without first disabling or deleting, if so requested.  This matches Windows behavior.  (e.g. try using local admin to leave a domain...the account will still exist and be enabled on the DC, but the machine will no longer think it is in the domain).
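
Added example, not part of the bug thread and not Samba code: Comment 1 describes three directory-side outcomes of a leave (account deleted, account disabled, account left enabled after a local-only unjoin), and this audit sketch classifies hosts by which outcome they ended in. The export format, host names and function names are assumptions made for the example; the `userAccountControl` bit values are the standard Active Directory ones.

```python
# Classify the directory-side state of machine accounts for hosts that left a domain.
UF_ACCOUNTDISABLE = 0x0002             # userAccountControl bit: account is disabled
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000  # userAccountControl bit: computer account

# Constructed sample of an LDIF-style export of computer accounts (not real data).
SAMPLE_EXPORT = """\
dn: CN=FS01,CN=Computers,DC=example,DC=com
sAMAccountName: FS01$
userAccountControl: 4098

dn: CN=FS02,CN=Computers,DC=example,DC=com
sAMAccountName: FS02$
userAccountControl: 4096
"""

def parse_records(text):
    """Parse blank-line separated 'attr: value' records, keyed by sAMAccountName."""
    accounts = {}
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "sAMAccountName" in rec:
            accounts[rec["sAMAccountName"].upper()] = rec
    return accounts

def account_state(accounts, hostname):
    """Return 'deleted', 'disabled', 'enabled' or 'not-a-machine-account'."""
    rec = accounts.get(hostname.upper() + "$")
    if rec is None:
        return "deleted"    # the outcome "net ads leave" tries for
    uac = int(rec.get("userAccountControl", "0"))
    if not uac & UF_WORKSTATION_TRUST_ACCOUNT:
        return "not-a-machine-account"
    # Disabled: what the unjoin "delete" flag does per Comment 1.
    # Enabled: local secrets were removed but the DC-side account was untouched.
    return "disabled" if uac & UF_ACCOUNTDISABLE else "enabled"

def still_enabled(accounts, left_hosts):
    """Hosts recorded as having left whose account remains usable on the DC."""
    return [h for h in left_hosts if account_state(accounts, h) == "enabled"]

if __name__ == "__main__":
    accts = parse_records(SAMPLE_EXPORT)
    for host in ("fs01", "fs02", "fs03"):
        print(host, account_state(accts, host))
```
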
Comment 2 Jim McDonough 2009-06-19 12:51:01 UTC
pushed fix with 7930f15f5dce0dd72b354f903a758b03988371b8
Comment 3 Jim McDonough 2009-06-20 13:01:18 UTC
Created attachment 4335
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.3
Comment 4 Jim McDonough 2009-06-21 06:50:50 UTC
Created attachment 4338
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.3

Previous one had a compile error
Comment 5 Jim McDonough 2009-06-21 06:52:37 UTC
Created attachment 4339
7930f15f5dce0dd72b354f903a758b03988371b8 backported to 3.2
Comment 6 Jim McDonough 2009-06-21 06:53:34 UTC
Günther, can you look at these?
Comment 7 Guenther Deschner 2009-06-22 15:18:17 UTC
We found a small error still in the patch that would break the use of NetUnJoin() in non-AD setups.
Comment 8 Jim McDonough 2009-06-29 08:08:58 UTC
Created attachment 4361
updated backport to 3.4
Comment 9 Jim McDonough 2009-06-29 08:52:29 UTC
Created attachment 4362
updated backport to 3.3
Comment 10 Jim McDonough 2009-06-29 09:08:53 UTC
Created attachment 4363
updated backport to 3.2
Comment 11 Guenther Deschner 2009-06-29 12:32:19 UTC
Karolin, your turn now :)
Comment 12 Karolin Seeger 2009-06-30 02:10:52 UTC
Pushed to v3-2-test, v3-3-test and v3-4-test.
Closing out bug report.

Thanks!