Sunstone with kerberos support

Dear OpenNebula developers

As @stdweird has commented in another thread, we are working to integrate our cloud platform with Kerberos/FreeIPA auth. We have included a new Sunstone auth called remote; it is quite similar to x509, and it's working for Kerberos auth. Of course you must configure your web server to use Kerberos and, like x509 auth, the authentication is done by Apache. Here is the PR:

https://github.com/OpenNebula/one/pull/71

It only requires a few changes. Please let us know if you think that these changes could be useful to other sites and if they could be included in the OpenNebula branch :smile:

We are using it in our testbed and it works fine: the user (after running kinit) is able to access the web and is then logged in to your Sunstone server (the user should be included by running oneuser create username 'username@DOMAIN' --x509). REMOTE_USER is used by different auth mechanisms, not only by Kerberos, so it is probably a good idea to include it as a new option in Sunstone. What do you think about this?

Cheers
Alvaro

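An added example, not part of the original post and not code from the PR or from OpenNebula: a sketch of how an application behind Apache can take the already-authenticated principal from REMOTE_USER before looking up a user registered as 'username@DOMAIN'. The helper name `remote_principal`, the realm allow-list and the sample realm `EXAMPLE.ORG` are assumptions made for illustration.

```ruby
# Added example: hypothetical helper, not OpenNebula/Sunstone code.
# Resolves the login name from a Rack/CGI environment in which the web
# server (Apache doing Kerberos) has already authenticated the request.

ALLOWED_REALMS = ['EXAMPLE.ORG'].freeze # constructed sample realm

# Returns the principal ("username@DOMAIN") to look up, or nil to deny.
def remote_principal(env, allowed_realms = ALLOWED_REALMS)
  # Only the server-set CGI variable is trusted. A client-sent
  # "Remote-User:" header arrives as HTTP_REMOTE_USER and is ignored.
  principal = env['REMOTE_USER']
  return nil unless principal.is_a?(String)

  # Exactly one "@", non-empty user part, no whitespace or control chars.
  match = %r{\A([A-Za-z0-9._/-]+)@([A-Za-z0-9.-]+)\z}.match(principal)
  return nil unless match

  # Kerberos realms are case-sensitive, so compare exactly.
  return nil unless allowed_realms.include?(match[2])

  principal
end

# Constructed sample environments (not captured from a real server).
SAMPLE_ENVS = {
  authenticated:  { 'REMOTE_USER' => 'alice@EXAMPLE.ORG' },
  spoofed_header: { 'HTTP_REMOTE_USER' => 'oneadmin@EXAMPLE.ORG' },
  other_realm:    { 'REMOTE_USER' => 'alice@OTHER.TEST' },
  empty:          { 'REMOTE_USER' => '' }
}.freeze

# Runs the check over every sample and returns { case => principal or nil }.
def demo
  SAMPLE_ENVS.transform_values { |env| remote_principal(env) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The check only holds if the application port is reachable solely through the authenticating web server, since a direct connection would skip the step that sets REMOTE_USER.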