
Bug #6951

ix-activedirectory is deleting computer object on service stop

Added by Duncan Fraser almost 6 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Important
Assignee:
John Hixson
Category:
OS
Target version:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

ix-activedirectory is deleting computer object on service stop. When turning off directory services for troubleshooting/reconfiguration via the WebGUI, or stopping ix-activedirectory via shell, the computer object for FreeNAS is being deleted.

This is contrary to typical AD behavior, and complicates the use of FreeNAS in large AD environments. Standard behavior should be to disable the computer object, not delete it. Otherwise, every time the service is bounced, all security permissions and OU placement are lost. This circumvents our security procedures, as we give FreeNAS a service account that has permissions explicitly granted for the FreeNAS computer objects only. Once the object is deleted, FreeNAS is not able to rebind.

Seen in 9.2.1.9 and 9.3 BETA.

Output from ix-activedirectory:
[root@***-***-store01] /mnt/vol1# service ix-activedirectory stop
Deleted account for '***-***-STORE01' in realm '**.**.*****.***'
[root@***-***-store01] /mnt/vol1# service ix-activedirectory start
Failed to join domain: failed to set machine spn: Constraint violation
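The following is an added illustration, not FreeNAS code and not part of this ticket: it models, on a constructed in-memory stand-in for the directory, the difference between the reported behavior (deleting the computer object on service stop) and the expected one (setting the ACCOUNTDISABLE bit in userAccountControl and clearing it again on start). The DN, SPN, ACL entries and the `svc-freenas` account are made up for the example; the two userAccountControl bit values are the real AD ones.

```python
# Added example (not FreeNAS code): "disable, don't delete" for AD machine accounts,
# simulated against a constructed in-memory directory.

ACCOUNTDISABLE = 0x0002             # userAccountControl bit: account is disabled
WORKSTATION_TRUST_ACCOUNT = 0x1000  # userAccountControl bit set on computer objects

# Constructed sample: one computer object with its OU placement and a delegated ACL.
SAMPLE_DIRECTORY = {
    "CN=TEST-FREENAS01,OU=Storage,DC=example,DC=invalid": {
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
        "servicePrincipalName": ["HOST/test-freenas01.example.invalid"],
        "acl": ["svc-freenas: write servicePrincipalName", "storage-admins: full control"],
    }
}


def copy_directory(directory):
    """Deep-enough copy so each simulation run starts from the same sample state."""
    return {
        dn: {k: (list(v) if isinstance(v, list) else v) for k, v in attrs.items()}
        for dn, attrs in directory.items()
    }


def leave_domain(directory, dn, delete=False):
    """Service stop. delete=True is the reported behavior; delete=False is the fix:
    flip ACCOUNTDISABLE and leave OU placement, SPNs and ACL untouched."""
    if dn not in directory:
        raise KeyError(f"no such object: {dn}")
    if delete:
        del directory[dn]
    else:
        directory[dn]["userAccountControl"] |= ACCOUNTDISABLE


def rejoin_domain(directory, dn):
    """Service start. Re-enables an existing object; a least-privilege bind account
    that may only modify its own object cannot recreate a deleted one."""
    if dn not in directory:
        raise LookupError("computer object missing; recreating it needs create rights")
    directory[dn]["userAccountControl"] &= ~ACCOUNTDISABLE
    return directory[dn]


def is_disabled(attrs):
    return bool(attrs["userAccountControl"] & ACCOUNTDISABLE)


def simulate(delete):
    """Run stop then start against a fresh copy and report what survived."""
    directory = copy_directory(SAMPLE_DIRECTORY)
    dn = next(iter(directory))
    leave_domain(directory, dn, delete=delete)
    try:
        attrs = rejoin_domain(directory, dn)
        return {"rejoined": True, "disabled": is_disabled(attrs), "acl": attrs["acl"]}
    except LookupError as exc:
        return {"rejoined": False, "error": str(exc)}


if __name__ == "__main__":
    print("delete on stop :", simulate(delete=True))
    print("disable on stop:", simulate(delete=False))
```

Running it shows the delete path failing to rejoin while the disable path comes back with the original ACL intact and the account re-enabled; checking the ACCOUNTDISABLE bit is also how an auditor would confirm, from an LDAP query, that a stopped FreeNAS left its object in place rather than removed it.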

Associated revisions

Revision 14f60a64 (diff)
Added by John Hixson about 5 years ago

Methods for enabling and disabling of machine accounts in AD Ticket: #6951

Revision c9a095d1 (diff)
Added by John Hixson about 5 years ago

Don't blow away computer object when disabling AD Ticket: #6951 Merge-FN93: yes Merge-TN93: yes

Revision d416f572 (diff)
Added by John Hixson about 5 years ago

Methods for enabling and disabling of machine accounts in AD Ticket: #6951

Revision ba99601d (diff)
Added by John Hixson about 5 years ago

Don't blow away computer object when disabling AD Ticket: #6951 Merge-FN93: yes Merge-TN93: yes (cherry picked from commit c9a095d17ebdf80e516775e11061745b4ef36049)

Revision 9828cb53 (diff)
Added by John Hixson about 5 years ago

Methods for enabling and disabling of machine accounts in AD Ticket: #6951 (cherry picked from commit 14f60a64d9a20e3123dd8833cb1e380c31299fd6)

Revision 61162e29 (diff)
Added by John Hixson about 5 years ago

Don't blow away computer object when disabling AD Ticket: #6951 Merge-FN93: yes Merge-TN93: yes (cherry picked from commit c9a095d17ebdf80e516775e11061745b4ef36049)

History

#1 Updated by Jordan Hubbard almost 6 years ago

  • Category set to 36
  • Status changed from Unscreened to Screened
  • Assignee set to John Hixson
  • Target version set to 49

BRB: This is going to be complicated to fix since that is not how our AD system is currently designed. Setting milestone accordingly, since we don't know when/if this will be fixed.

#2 Updated by Duncan Fraser almost 6 years ago

Thinking of possible work-arounds, I set the computer object to Prevent Accidental Deletion in AD. Now, ix-activedirectory explicitly states "Disabling account for 'test-freenas01' in realm '**.**.*****.***'" on service stop and restart.

Looks like ix-activedirectory has some awareness of disabled accounts.

#3 Updated by John Hixson about 5 years ago

  • Target version changed from 49 to Unspecified

I think now is a good time to work on this.

#4 Updated by John Hixson about 5 years ago

I pulled this ticket into 9.3 as a SU candidate because I've now seen a few cases where this matters. I am hoping to start working on this next week.

#5 Updated by John Hixson about 5 years ago

Hopefully this week ;-) We will see

#6 Updated by John Hixson about 5 years ago

  • Priority changed from Nice to have to Important

#7 Updated by John Hixson about 5 years ago

This is next on my list. I have to finish up what I'm working on then I'll be tackling this. Coming soon!

#8 Updated by John Hixson about 5 years ago

If I don't start this by the end of this week, I will definitely be starting beginning of next week.

#9 Updated by John Hixson about 5 years ago

Looks like next week for this

#10 Updated by John Hixson about 5 years ago

  • Status changed from Screened to Investigation

Looking into this now ;-)

#11 Updated by John Hixson about 5 years ago

I've written some methods for enabling and disabling the machine account. More to come.

#12 Updated by John Hixson about 5 years ago

  • % Done changed from 0 to 10

I've been working on not leaving the domain, and not joining it if it's already joined. It's taking more consideration than I originally thought ;-) So, hopefully I'll have this done this week. Honestly I think the entire AD architecture probably needs a little bit of an overhaul.

#13 Updated by John Hixson about 5 years ago

I've got this at a point where it is working. It's not exactly elegant but it does what you want ;-) Just waiting to merge this to the correct places then will mark it ready for release.

#14 Updated by John Hixson about 5 years ago

  • Status changed from Investigation to Ready For Release

merged and ready to go

#15 Updated by Jordan Hubbard about 5 years ago

  • Status changed from Ready For Release to Resolved

#16 Updated by Kris Moore about 4 years ago

  • Target version changed from Unspecified to N/A
