Linux/Windows VMs integration with Active Directory


(Alex W) #1

Hello,

We already have Sunstone authenticating against AD no problem, now I’m working on the next step: having the login sessions of our VMs (Linux/Windows) authenticated against AD.

For Windows VMs, I’m assuming that the AD bind process can be handled by the contextualization PowerShell scripts and for that I’d need to hard-code an AD account/password with admin-like powers in the scripts.
Is that right? Would there be a better option? Like keeping the account/password pair as context variables and passing them to the PowerShell script? (Our users will not have access to the VM templates.)

How about Ubuntu/CentOS VMs?
The Linux/AD integration solutions that I’ve found so far rely on binding the VM to AD by means of Kerberos, which requires an admin-like AD account to interactively handle the binding process, and in the end an actual computer account gets created on AD. This, I think, defeats the purpose of “self-service” provisioning and could cause garbage machine accounts on AD…
I’m trying to find a possible solution, maybe using the LDAP client, where the Linux machine would just forward authentication requests to AD without actually having to create a computer account.

Would anybody be able to share his/her experience regarding my Linux/AD “issue”? Or, reference me to a document that would help me figure out how to implement a solution?

By the way: we have OpenNebula 5.4.6 (with plans to update to 5.4.12 soon).

Thanks a lot for any insight,

Alex


(Alex W) #2

So, nobody in this community has ever had to work on or implement a similar solution??

It’s hard to think that we are the only ones trying to have something like this working…

Regards,

Alex


(Ulrich P.) #3

Hi AlexW,

we are using Ansible and a dynamic inventory running against the OpenNebula Frontend (but any other CM tool should be able to do the same) to pick up the VMs and join them to our domain. All password management is done within Ansible (Vault). To be honest, it takes a little effort to learn, but if you have the chance and time I would highly recommend looking into it…
Ansible works for Windows, Ubuntu and CentOS.

Best Regards
Uli


(Alex W) #4

Hello Ulrich,

Thank you for the tip…!
I’ll start reading about that (Ansible) and see how it could help us.

The way you’re using it, is it capable of detecting when a VM is instantiated/deleted by one of the self-service portal users and then binding/unbinding the VM to/from Active Directory?

Regards,

Alex


(Vadim Tsaplin) #5

Hello.
We use Unix Attributes in Active Directory, and the pam-ldap and libnss-ldap packages on the Linux VMs. This procedure doesn’t require adding the machine to Active Directory. We provide it via Ansible.
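A configuration along the lines Vadim describes (NSS/PAM over LDAP against AD’s Unix attributes, no computer account). This is an added example, not from this thread; it uses nss-pam-ldapd (nslcd), the successor of the pam-ldap/libnss-ldap packages he names, and the host names, base DN, service account, group name and file paths are placeholders.

```conf
# /etc/nslcd.conf -- constructed example; all names and paths are placeholders.
# nslcd runs as its own unprivileged user; keep this file root:nslcd mode 0640
# because it holds the bind password.
uid nslcd
gid nslcd

# LDAPS only, and verify the DC certificate against the AD root CA.
# Plain ldap:// would send the bind password and user passwords in the clear.
uri ldaps://dc1.ad.example.com/ ldaps://dc2.ad.example.com/
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem

base dc=ad,dc=example,dc=com

# Dedicated read-only service account for lookups. It only needs to read
# user and group objects, so it is not the admin-like account a domain join needs.
binddn cn=svc-vm-ldap,ou=service-accounts,dc=ad,dc=example,dc=com
bindpw REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# AD returns at most 1000 entries per page and hands out referrals that
# nslcd cannot follow usefully.
pagesize 1000
referrals off

# Only accounts that carry Unix attributes (uidNumber etc.) become POSIX users;
# computer objects are excluded explicitly.
filter passwd (&(objectClass=user)(uidNumber=*)(!(objectClass=computer)))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName

filter shadow (&(objectClass=user)(uidNumber=*)(!(objectClass=computer)))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet

filter group (objectClass=group)
map    group uniqueMember member

# Authorisation: a valid AD password alone is not enough; the user must also be
# a member of the group that is allowed to log in to these VMs.
pam_authz_search (&(objectClass=user)(sAMAccountName=$username)(memberOf=cn=vm-users,ou=groups,dc=ad,dc=example,dc=com))
```

Verify lookups with `getent passwd <aduser>` before adding `pam_ldap.so` to the PAM stack, so a misconfiguration cannot lock anyone out.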


(Alex W) #6

Hello Vadim,

Could you share which documentation you followed to achieve the pam-ldap/libnss-ldap solution? (And on which flavor of Linux do you have it working? We have CentOS/Ubuntu.)

Like I said in my first message, I would prefer not having to join the VMs to AD, for the sake of making the whole process cleaner/simpler.

Thanks a lot,

Alex