Upcoming design changes for AD domain member in 11.3

anodos (Sambassador, iXsystems)
I'm putting some final touches on some major changes for how we're doing AD integration in 11.3. Some key highlights:
- Service account details will no longer be stored on FreeNAS after successfully joining an AD domain. Once the FreeNAS server joins the domain, a kerberos keytab for the AD machine account of the freenas server (netbios name with a $ after it) will be automatically generated (its presence will be visible in the UI). This kerberos keytab will be used to get kerberos tickets and for any UI-related things that need to interact with AD. By default, a new kerberos keytab will be generated every 14 days with a randomized password. The keytab will be stored in an encrypted form in the freenas-v1.db file. Situations where you will need to use a service account to re-join AD:
(1) you do not have a recent config backup with an exported secret seed or (2) the server is rebooted after a successful machine account password change and before the sqlite database has a chance to update.

- Active directory user / group caching for the UI will be done by parsing samba's internal caches. The practical impact of this will be that when the "disable AD cache" checkbox is checked, AD users/groups may still be visible in UI dropdowns, but they will only be ones that have accessed the server in the past week (i.e. in the winbind cache).

- The only instances where the middleware will communicate with the AD domain will be for detection of the AD site during domain join and the pre-Windows 2000 domain name for the AD domain. The former gets stored persistently as the AD site in the AD config, and the latter gets stored persistently as the SMB workgroup under Services->SMB.

- We will have the following automated health checks (this may be expanded): every 10 minutes, check if our secure channel connection to the domain controller is still alive; every 24 hours, check that the clock skew from the DC with the PDC emulator FSMO role is less than 3 minutes. Health check failure will generate a UI alert and email alert.

- If the FreeNAS server is a member of an AD site with a large number of KDCs, then by default on domain join we will find three of these (site-specific KDCs) that are responding and add them to our kerberos configuration. This will be a one-time change, and can be edited after-the-fact.

- The DC with the PDC emulator FSMO role will be added as a time source in our NTP server list with the 'preferred' checkbox checked if the list only contains the default freebsd NTP pool.

These and other changes have resulted in dropping the time it takes to join an AD domain to around 5 seconds in my testing environment. It should also make us much more scalable and able to handle DC failover.
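The two health checks described in the post (secure channel alive, clock skew under 3 minutes), written up as an added example that is not FreeNAS's middleware code: it parses the output of Samba's `wbinfo -t` and `net ads info` and raises the same kind of alerts. The sample outputs are constructed, and the example assumes the DC that `net ads info` happened to query is an acceptable time reference, which is not necessarily the PDC emulator the post refers to.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

SKEW_LIMIT_SECONDS = 180  # the "less than 3 minutes" limit from the post

# "wbinfo -t" reports on the machine account trust secret (the secure channel).
TRUST_RE = re.compile(r"checking the trust secret for domain (\S+) via RPC calls (succeeded|failed)")
# "net ads info" prints the DC clock offset relative to this host, in seconds.
OFFSET_RE = re.compile(r"^Server time offset:\s*(-?\d+)\s*$", re.MULTILINE)


@dataclass
class HealthResult:
    alerts: List[str] = field(default_factory=list)
    domain: Optional[str] = None
    skew_seconds: Optional[int] = None


def check_secure_channel(wbinfo_output: str, result: HealthResult) -> None:
    m = TRUST_RE.search(wbinfo_output)
    if m is None:
        result.alerts.append("winbind gave no verdict on the machine account trust secret")
        return
    result.domain = m.group(1)
    if m.group(2) != "succeeded":
        result.alerts.append(f"secure channel to domain {result.domain} is down")


def check_clock_skew(net_ads_output: str, result: HealthResult, limit: int = SKEW_LIMIT_SECONDS) -> None:
    m = OFFSET_RE.search(net_ads_output)
    if m is None:
        result.alerts.append("could not read 'Server time offset' from net ads info")
        return
    result.skew_seconds = int(m.group(1))
    if abs(result.skew_seconds) >= limit:  # Kerberos fails once skew reaches the KDC limit
        result.alerts.append(f"clock skew of {result.skew_seconds}s vs DC exceeds {limit}s limit")


def evaluate(wbinfo_output: str, net_ads_output: str) -> HealthResult:
    result = HealthResult()
    check_secure_channel(wbinfo_output, result)
    check_clock_skew(net_ads_output, result)
    return result


def run_live() -> HealthResult:
    # Runs the real Samba tools on a joined host (not used by the offline demo below).
    wb = subprocess.run(["wbinfo", "-t"], capture_output=True, text=True).stdout
    na = subprocess.run(["net", "ads", "info"], capture_output=True, text=True).stdout
    return evaluate(wb, na)


# Constructed sample outputs: healthy secure channel, but the DC clock is 412 s ahead.
SAMPLE_WBINFO = "checking the trust secret for domain EXAMPLE via RPC calls succeeded\n"
SAMPLE_NET_ADS = "LDAP server: 192.0.2.10\nRealm: EXAMPLE.TEST\nServer time offset: 412\n"

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_WBINFO, SAMPLE_NET_ADS).alerts:
        print("ALERT:", alert)
```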