Remove legacy behavior of storing AD Credentials
As things currently stand, it's trivially easy for root on the FreeNAS server to 'recover' the AD credentials that are used to join the server to an AD domain. This would not be as big a problem if we used unprivileged AD accounts. Unfortunately, iX support commonly has clients use "Domain Admin" credentials for this purpose. This means that in many deployments, compromising the root account on a TN server can result in compromising the entire AD Domain. Not a good situation.
Basically, two things we're doing, neither terrible on its own, combine to severely compromise the security of an AD environment: storing the AD join credentials on the server, and using Domain Admin credentials for the join.
Per a quick exchange of messages with John, it appears that this behavior (storing AD credentials) is legacy, and can be removed with some code changes. This is consistent with what I've seen from domain-joined Linux Samba servers, which don't require storing AD credentials (apart from machine account information in secrets.tdb, etc.).
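The kind of check a reviewer of this change would want is an audit that says whether a bind password is still persisted at rest, without printing it, plus the remediation step of clearing it once the join has succeeded and only the machine account remains. The script below is an added example for this ticket, not FreeNAS project code; the table and column names (directoryservice_activedirectory, ad_bindname, ad_bindpw) are assumptions modelled on a legacy config schema, and the database contents are constructed in memory for the example.

```python
"""Audit a FreeNAS/TrueNAS-style config database for persisted AD bind credentials.

Added example, not code from the FreeNAS project. The table and column names
below are assumptions; adjust them to match the real config database.
"""
import sqlite3

# Assumed legacy schema (hypothetical names, not confirmed against the product).
AD_TABLE = "directoryservice_activedirectory"
DOMAIN_COL = "ad_domainname"
BIND_USER_COL = "ad_bindname"
BIND_PW_COL = "ad_bindpw"


def build_sample_db(store_password: bool) -> sqlite3.Connection:
    """Construct an in-memory database shaped like the assumed legacy config.

    Every value here is constructed for the example; nothing is a real credential.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {AD_TABLE} (id INTEGER PRIMARY KEY, {DOMAIN_COL} TEXT, "
        f"{BIND_USER_COL} TEXT, {BIND_PW_COL} TEXT)"
    )
    password = "constructed-secret" if store_password else ""
    conn.execute(
        f"INSERT INTO {AD_TABLE} VALUES (1, ?, ?, ?)",
        ("example.test", "EXAMPLE\\joinadmin", password),
    )
    conn.commit()
    return conn


def audit_stored_ad_credentials(conn: sqlite3.Connection) -> dict:
    """Report whether a bind password is at rest in the config.

    Only metadata (length, presence) is returned so the audit output itself
    never becomes a second copy of the secret.
    """
    rows = conn.execute(
        f"SELECT {DOMAIN_COL}, {BIND_USER_COL}, {BIND_PW_COL} FROM {AD_TABLE}"
    ).fetchall()
    findings = [
        {
            "domain": domain,
            "bind_user": user,
            "password_persisted": bool(password),
            "password_length": len(password) if password else 0,
        }
        for domain, user, password in rows
    ]
    return {
        "credentials_at_rest": any(f["password_persisted"] for f in findings),
        "rows": findings,
    }


def scrub_stored_password(conn: sqlite3.Connection) -> int:
    """Remediation: clear the persisted bind password after the join succeeded.

    The machine account in secrets.tdb is what keeps the server joined; the
    human join credential has no further use on the box. Returns rows changed.
    """
    cur = conn.execute(
        f"UPDATE {AD_TABLE} SET {BIND_PW_COL} = '' "
        f"WHERE {BIND_PW_COL} IS NOT NULL AND {BIND_PW_COL} != ''"
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db(store_password=True)
    print("before:", audit_stored_ad_credentials(db))
    print("scrubbed rows:", scrub_stored_password(db))
    print("after: ", audit_stored_ad_credentials(db))
```

Running it against a real config file means replacing the in-memory connection with sqlite3.connect on the config path and confirming the assumed table and column names first; the audit is safe to run repeatedly, and the scrub is a one-way change that should only follow a verified join.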
In addition to the code changes, we may also need to update our practices regarding how to join a FreeNAS / TrueNAS server to a domain. There is a doc in progress to address this secondary issue.