We already have Sunstone authenticating against AD with no problem; now I’m working on the next step: having our VMs’ (Linux/Windows) login sessions authenticated against AD.
For Windows VMs, I’m assuming that the AD bind process can be handled by the contextualization PowerShell scripts and for that I’d need to hard-code an AD account/password with admin-like powers in the scripts.
Is that right? Would there be a better option? Like keeping the account/password pair as context variables and passing them to the PowerShell script? (Our users will not have access to the VM templates.)
How about Ubuntu/CentOS VMs?
The Linux/AD integration solutions that I’ve found so far rely on binding the VM to AD by means of Kerberos, which requires an admin-like AD account to interactively handle the binding process and, in the end, an actual computer account gets created on AD. This, I think, defies the purpose of “self-service” provisioning and could cause garbage machine accounts on AD…
I’m trying to find a possible solution, maybe using the LDAP client, where the Linux machine would just forward authentication requests to AD without actually having to create a computer account.
Would anybody be able to share his/her experience regarding my Linux/AD “issue”? Or refer me to a document that would help me figure out how to implement a solution?
By the way: we have OpenNebula 5.4.6 (with plans to update to 5.4.12 soon).
Thanks a lot for any insight,