Problem/Justification
Group Managed Service Accounts (gMSAs) are replacing standalone Managed Service Accounts as the standard identity for services on Windows Server.
Impact
In a Windows Server environment, services can run under a Group Managed Service Account, whose password is never known to an administrator and is rotated automatically by Active Directory. These accounts are usually referenced as DOMAIN\gmsa-account$ (note the trailing $) and do not require a password to be entered when the service is configured.
When such a service needs to access SMB shares, TrueNAS has no support for gMSAs, so access is denied.
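The following PowerShell reproduces the scenario described above end to end: it provisions a gMSA, binds it to a service on an application server, and then probes the TrueNAS share under that identity. It is an added example, not code from the original request or from TrueNAS. The domain EXAMPLE, the gMSA name gmsa-docsvc, the server APP01, the service DocSvc and the share \\truenas\docs are all assumed names; run it from a host with the ActiveDirectory RSAT module as a domain administrator.

```powershell
# Added example (not part of the original request). Assumed names: domain EXAMPLE,
# gMSA 'gmsa-docsvc', application server 'APP01', service 'DocSvc', share \\truenas\docs.

Import-Module ActiveDirectory

# 1. A KDS root key must exist before any gMSA can be created (one-time per forest).
#    -EffectiveImmediately still waits ~10 hours for replication before use.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA. Only the listed computer accounts may retrieve its password,
#    which AD rotates every 30 days; nobody ever sees or types it.
New-ADServiceAccount -Name 'gmsa-docsvc' `
    -DNSHostName 'gmsa-docsvc.example.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$' `
    -ManagedPasswordIntervalInDays 30

# 3. On APP01: install the account locally and confirm the host can fetch its password.
Install-ADServiceAccount -Identity 'gmsa-docsvc'
Test-ADServiceAccount -Identity 'gmsa-docsvc'   # expected: True

# 4. Run the service as the gMSA. Note the trailing '$'; no password is supplied,
#    the Service Control Manager retrieves it from AD at start-up.
sc.exe config DocSvc obj= 'EXAMPLE\gmsa-docsvc$'

# 5. Probe the share as the gMSA. A gMSA cannot log on interactively, so the
#    check runs inside a scheduled task executing under that identity.
#    C:\ProgramData is writable by Authenticated Users, so the gMSA can drop the result there.
$probe = '-NoProfile -Command "Test-Path \\truenas\docs | Out-File C:\ProgramData\gmsa-probe.txt"'
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $probe
$principal = New-ScheduledTaskPrincipal -UserId 'EXAMPLE\gmsa-docsvc$' -LogonType Password
Register-ScheduledTask -TaskName 'gmsa-share-probe' -Action $action -Principal $principal -Force
Start-ScheduledTask -TaskName 'gmsa-share-probe'
Start-Sleep -Seconds 10
Get-Content C:\ProgramData\gmsa-probe.txt   # False when the share denies the gMSA
```

Step 5 is the useful check: a normal domain user account granted the same share ACL returns True from Test-Path, while the gMSA returns False, which isolates the problem to how the share side treats the account rather than to the Windows configuration. On the TrueNAS host, wbinfo -n 'EXAMPLE\gmsa-docsvc$' shows whether winbind can resolve the account to a SID at all, which is the first thing to confirm when debugging the denial.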
User Story
When selecting AD or LDAP users for an ACL, being able to choose the gMSA that a service runs under on a Windows machine would grant that service access to those shares. This eliminates the need to change service account passwords on multiple machines (domain controller, TrueNAS, etc.) and gives a more secure system, especially where ACLs are concerned.
Example:
In a document storage system such as FileBound or DocMgt, a service (either a Windows service or an IIS application pool) retrieves the document images from the share and serves them to the end user through a web interface.
The service can run under a gMSA; however, a gMSA account currently cannot be selected as a "user" in TrueNAS.