ix-activedirectory is deleting computer object on service stop
ix-activedirectory is deleting computer object on service stop. When turning off directory services for troubleshooting/reconfiguration via the WebGUI, or stopping ix-activedirectory via shell, the computer object for FreeNAS is being deleted.
This is contrary to typical AD behavior, and complicates the use of FreeNAS in large AD environments. Standard behavior should be to disable the computer object, not delete it. Otherwise, every time the service is bounced, all security permissions and OU placement are lost. This circumvents our security procedures, as we give FreeNAS a service account that has permissions explicitly granted for the FreeNAS computer objects only. Once the object is deleted, FreeNAS is not able to rebind.
Seen in 22.214.171.124 and 9.3 BETA.
Output from ix-activedirectory:
[root@***-***-store01] /mnt/vol1# service ix-activedirectory stop
Deleted account for '***-***-STORE01' in realm '**.**.*****.***'
[root@***-***-store01] /mnt/vol1# service ix-activedirectory start
Failed to join domain: failed to set machine spn: Constraint violation
#1 Updated by Jordan Hubbard almost 6 years ago
- Category set to 36
- Status changed from Unscreened to Screened
- Assignee set to John Hixson
- Target version set to 49
BRB: This is going to be complicated to fix since that is not how our AD system is currently designed. Setting milestone accordingly, since we don't know when/if this will be fixed.
#2 Updated by Duncan Fraser almost 6 years ago
Thinking of possible work-arounds, I set the computer object to Prevent Accidental Deletion in AD. Now, ix-activedirectory explicitly states "Disabling account for 'test-freenas01' in realm '**.**.*****.***'" on service stop and restart.
Looks like ix-activedirectory has some awareness of disabled accounts.
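The work-around in the comment above, written out as an added PowerShell example for the AD side (this is not part of the bug report or of FreeNAS): it reports whether the NAS computer object is enabled and protected from accidental deletion, turns the protection on, and then pulls the domain controller's Security log for the account deletion/disable/enable events that this bug produces. It assumes the RSAT ActiveDirectory module; the object name is the one from the comment, and the domain controller name is a placeholder.

```powershell
# Added example, not from the bug report. Assumes the ActiveDirectory RSAT module
# and read access to the DC Security log. Names below are placeholders.
param(
    [string]$ComputerName     = 'test-freenas01',    # object name from comment #2
    [string]$DomainController = 'dc01.example.test'  # placeholder DC
)

Import-Module ActiveDirectory

# Report the state a stop/start cycle of ix-activedirectory depends on:
# Enabled (was it disabled rather than deleted) and Protected (deletion blocked).
function Get-NasComputerState {
    param([string]$Name, [string]$Server)
    $c = Get-ADComputer -Identity $Name -Server $Server `
        -Properties ProtectedFromAccidentalDeletion, DistinguishedName, Enabled
    [pscustomobject]@{
        Name      = $c.Name
        DN        = $c.DistinguishedName
        Enabled   = $c.Enabled
        Protected = $c.ProtectedFromAccidentalDeletion
    }
}

# Apply the work-around: with this flag set, the delete on service stop fails
# and ix-activedirectory falls back to disabling the account, so the ACLs and
# OU placement survive the restart.
function Protect-NasComputer {
    param([string]$Name, [string]$Server)
    $c = Get-ADComputer -Identity $Name -Server $Server
    Set-ADObject -Identity $c.DistinguishedName -Server $Server `
        -ProtectedFromAccidentalDeletion $true
}

# Audit trail: 4743 = computer account deleted, 4725 = account disabled,
# 4722 = account enabled. A 4743 for the NAS account is the symptom described
# in the report; after the work-around only 4725/4722 pairs should appear.
function Get-NasAccountEvents {
    param([string]$Name, [string]$Server, [int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = 4743, 4725, 4722
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Name) } |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

# Usage: show state, protect, show state again, then list recent account events.
Get-NasComputerState -Name $ComputerName -Server $DomainController
Protect-NasComputer  -Name $ComputerName -Server $DomainController
Get-NasComputerState -Name $ComputerName -Server $DomainController
Get-NasAccountEvents -Name $ComputerName -Server $DomainController | Format-Table -AutoSize
```

Run it from a workstation with RSAT as an account that holds write access to the computer object (the same scoped service account described in the report is enough, since ProtectedFromAccidentalDeletion is a property of the object itself). The event query is the check to keep afterwards: a 4743 for the NAS account means something deleted the object and the service will fail to rejoin with the same "Constraint violation" shown in the report.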
#12 Updated by John Hixson about 5 years ago
- % Done changed from 0 to 10
I've been working on not leaving the domain, and not joining it if it's already joined. It's taking more consideration than I originally thought ;-) So, hopefully I'll have this done this week. Honestly I think the entire AD architecture probably needs a little bit of an overhaul.