Minimal user permissions to join AD

Status
Not open for further replies.

f4242

Explorer
Joined
Mar 16, 2017
Messages
97
Hello,

What are the minimal permissions required for the AD user used for joining a FreeNAS box to AD?

I'm currently using my admin user, but I would like to use a dedicated service account. Do I have to give this user full administrative privileges?
 

Vito Reiter

Wise in the Ways of Science
Joined
Jan 18, 2017
Messages
232
Personally, I feel this would require a higher level of permissions, given the fact that FreeNAS can create shares and its own users, and affect the network a lot. I'd hope that you're not adding new FreeNAS systems every day. We've tried to add one box here and had a lot of issues, and I'm not sure if you'll have to create a second freenasadmin account in AD or not. A resolution here would help me a lot too; I've been scripting my own permissions for quite some time due to the failure of setting this up.

At one point we just ran Server 2008 R2 in a VM on FreeNAS and made typical Windows shares there, since AD is much more usable within Windows as opposed to FreeNAS.
 

f4242

Explorer
Joined
Mar 16, 2017
Messages
97
FreeNAS creates the shares, but this doesn't require permissions on the Active Directory domain. The AD domain doesn't know what shares I create with FreeNAS. FreeNAS also doesn't create any users; users are managed with the RSAT tools from Microsoft.

FreeNAS only requires an AD account to be able to join the domain. It should not require a full administrator account.

Ideally, FreeNAS would not join the domain at boot every time. It should join once and keep a copy of the required files (some Kerberos-related files, I think) in the internal database or on the data partition. With this setup, I think FreeNAS would not need to keep the AD account password, because it would never need it again in the future. Once a computer has joined a domain, it doesn't need an administrator account to log on to the domain.

With that setup, FreeNAS could ask for a full administrator account and I would not care, because it would not be stored and never used again. I would not even need to create a dedicated freenas service account.
 

Patrik Hansson

Explorer
Joined
Jan 6, 2017
Messages
78
Create a user account (only a member of Domain Users), then create a new computer object (in ADUC) named after your FreeNAS server and give the user you created before permission to join that computer to the domain.

And does FreeNAS really join the computer to AD at every boot?
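The procedure described in this post, written out in PowerShell as an added example (these are not the poster's own commands, and FreeNAS itself is not involved in any of these steps). The domain example.local, the service account svc-freenas-join, the computer name FREENAS01 and the OU "OU=NAS,DC=example,DC=local" are assumed names; the four GUIDs are the well-known Active Directory identifiers for the rights the "join this computer to the domain" delegation grants: Reset Password, write to the Account Restrictions property set, and validated writes to dNSHostName and servicePrincipalName.

```powershell
# Added example: pre-stage a computer object and delegate only the rights needed
# to join it, to an account that is a member of Domain Users and nothing else.
# Assumed names: domain example.local, account svc-freenas-join, computer FREENAS01,
# OU "OU=NAS,DC=example,DC=local". Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$Domain   = 'example.local'
$SvcName  = 'svc-freenas-join'
$Computer = 'FREENAS01'
$TargetOU = 'OU=NAS,DC=example,DC=local'

# 1. Dedicated join account. No group membership is added, so it stays in Domain Users only.
$pw = Read-Host -AsSecureString "Password for $SvcName"
New-ADUser -Name $SvcName -SamAccountName $SvcName `
    -UserPrincipalName "$SvcName@$Domain" -AccountPassword $pw `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Pre-create the computer object in the OU where it should live.
New-ADComputer -Name $Computer -SamAccountName "$Computer`$" -Path $TargetOU -Enabled $true

# 3. Delegate the four rights a domain join needs, on that one object only.
$comp = Get-ADComputer $Computer
$sid  = (Get-ADUser $SvcName).SID
$acl  = Get-Acl -Path "AD:\$($comp.DistinguishedName)"
$rights = @(
    # Reset Password (extended right)
    @{ Right = 'ExtendedRight'; Guid = '00299570-246d-11d0-a768-00aa006e0529' },
    # Account Restrictions property set (userAccountControl and friends)
    @{ Right = 'WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' },
    # Validated write to DNS host name
    @{ Right = 'Self';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' },
    # Validated write to service principal name
    @{ Right = 'Self';          Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }
)
foreach ($r in $rights) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$r.Guid))
}
Set-Acl -Path "AD:\$($comp.DistinguishedName)" -AclObject $acl

# 4. Check: the account holds exactly these ACEs on the object and no admin groups.
(Get-Acl -Path "AD:\$($comp.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like "*\$SvcName" } |
    Format-Table ActiveDirectoryRights, ObjectType, AccessControlType -AutoSize
Get-ADPrincipalGroupMembership $SvcName | Select-Object -ExpandProperty Name
```

The delegation above is scoped to the pre-created object, which is why the account needs no rights on the Computers container or the OU. That scoping is also its limit: if the joining tool deletes the existing computer object and creates a new one instead of reusing it, the join fails with an insufficient-permissions error, because deleting and creating objects are container-level rights (Create/Delete Computer objects) that this account deliberately does not have.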
 

f4242

Explorer
Joined
Mar 16, 2017
Messages
97
> Create a user account (only a member of Domain Users), then create a new computer object (in ADUC) named after your FreeNAS server and give the user you created before permission to join that computer to the domain.
>
> And does FreeNAS really join the computer to AD at every boot?

I tried that. I think FreeNAS tries to delete the existing computer object when joining. So when I try to use a non-admin account, I get an error about insufficient permissions.

And yes, it joins again at each boot. Once FreeNAS was joined to my domain, I moved its computer object to a different OU, and after a reboot it was moved back (probably deleted and created again) in the default Computers container.
 

Patrik Hansson

Explorer
Joined
Jan 6, 2017
Messages
78
OK, but I just did it like that last night when I did a clean install to move from Corral to 9.10.2-U3.
 