Project

General

Profile

Feature #26038

Remove legacy behavior of storing AD Credentials

Added by Andrew Walker almost 2 years ago. Updated 6 months ago.

Status:
Closed
Priority:
Nice to have
Assignee:
Andrew Walker
Category:
Services
Target version:
Estimated time:
Severity:
Medium
Reason for Closing:
Not to be fixed
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

Description

As things currently stand, it's trivially easy for root on the FreeNAS server to 'recover' the AD credentials that are used to join the server to an AD domain. This would not be as big of a problem if we used unprivileged AD accounts. Unfortunately, iX support commonly has clients use "Domain Admin" credentials for this purpose. This means that in many deployments, compromising the root account on a TN server can result in compromising the entire AD Domain. Not a good situation.

Basically, two things we're doing (that aren't terrible in themselves) can severely compromise the security of an AD environment.

Per quick exchange of messages with John, it appears that this behavior (storing AD credentials) is legacy, and can be removed with some code changes. This is consistent with what I've seen from domain-joined linux samba servers, which don't require storing AD credentials (apart from machine account information in secrets.tdb, etc.).

In addition to the code changes, we need to perhaps update our practices regarding how to join a FreeNAS / TrueNAS server to a domain. There is a doc in progress to address this secondary issue.

History

#1 Updated by Dru Lavigne almost 2 years ago

  • Status changed from Untriaged to Unscreened
  • Assignee changed from Release Council to John Hixson

#2 Updated by John Hixson almost 2 years ago

  • Status changed from Unscreened to Screened
  • Priority changed from Important to Nice to have
  • Target version set to 11.2-BETA1

#4 Avatar?id=14398&size=24x24 Updated by Kris Moore over 1 year ago

  • Target version changed from 11.2-BETA1 to 11.3

#5 Avatar?id=14398&size=24x24 Updated by Kris Moore over 1 year ago

  • Status changed from Screened to Not Started

#6 Updated by John Hixson over 1 year ago

  • Assignee changed from John Hixson to Timur Bakeyev

#7 Avatar?id=13649&size=24x24 Updated by Ben Gadd about 1 year ago

  • Target version changed from 11.3 to Backlog

#8 Avatar?id=13649&size=24x24 Updated by Ben Gadd about 1 year ago

  • Severity set to New

#9 Updated by John Hixson about 1 year ago

  • Assignee changed from Timur Bakeyev to John Hixson

#10 Updated by John Hixson about 1 year ago

  • Category changed from OS to Services

#12 Updated by John Hixson 12 months ago

  • Severity changed from New to Medium

#13 Updated by Dru Lavigne 9 months ago

  • Assignee changed from John Hixson to William Grzybowski

#14 Updated by William Grzybowski 9 months ago

  • Assignee changed from William Grzybowski to Andrew Walker

#15 Updated by Andrew Walker 6 months ago

  • Status changed from Not Started to Closed
  • Reason for Closing set to Not to be fixed
  • Needs QA changed from Yes to No
  • Needs Doc changed from Yes to No

#17 Updated by Dru Lavigne 6 months ago

  • Target version changed from Backlog to N/A
  • Private changed from Yes to No

Also available in: Atom PDF