Securely joining Active Directory after deploying?

I’ve spent a few days trying to figure out how to have a node securely join our internal Active Directory servers after a MAAS deployment to a bare-metal server. So far I haven’t found a way that doesn’t involve at least one of:

  • running a separate command to pre-create the machine accounts, then going back to the web UI to deploy, or
  • putting passwords or private keys/keytabs into plain-text files, or
  • having the same one-time machine password for all machines that’s embedded into the Kickstart file for the Packer image

Does anybody have a recipe that avoids all these pitfalls?

On xcat, we have a script that does something like:

  • kinit to get service account credentials (this is when the admin doing the deploying can enter the service account password so that it doesn’t have to be stored)
  • for each machine in the specified range:
    – generate a random one-time password
    – adcli preset-computer to set the one-time password
    – put the one-time password into the kickstart file for that machine
    – run the install

I’m sure that there must be a way to handle this securely, but I’ve been having surprisingly little luck with all my Googling.
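Below is an added example (not code from the original post, nor from xCAT or MAAS) that transcribes the xCAT-style steps above into a script usable with MAAS: the admin runs kinit interactively, each host gets its own random one-time password via `adcli preset-computer --login-ccache`, and that password is handed only to that host through MAAS per-deployment user data, where cloud-init runs `adcli join --one-time-password`. Assumptions: the AD realm `example.corp`, the MAAS CLI profile name `admin`, the environment variable `AD_SERVICE_ACCOUNT`, the `host:system_id` argument format, and that `maas <profile> machine deploy <system_id> user_data=<base64>` is the right MAAS CLI call for attaching user data.

```shell
#!/bin/sh
# Added example; not part of the original post, xCAT or MAAS.
# Per-host one-time passwords for AD join, preset with the admin's own
# Kerberos ticket and delivered only to the target host via MAAS user data.
set -eu

AD_DOMAIN="${AD_DOMAIN:-example.corp}"   # assumed AD realm
MAAS_PROFILE="${MAAS_PROFILE:-admin}"    # assumed MAAS CLI profile name

# 128-bit random one-time password, hex-encoded (32 chars). Hex keeps the
# value free of characters that need quoting in YAML or a kickstart file.
gen_otp() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Per-machine cloud-init user data: MAAS serves it only to the deployment it
# was attached to, and it carries only that host's own one-time password.
render_user_data() {
    ud_host="$1"; ud_otp="$2"
    cat <<EOF
#cloud-config
packages:
  - adcli
runcmd:
  - [adcli, join, --domain=${AD_DOMAIN}, --host-fqdn=${ud_host}.${AD_DOMAIN}, --one-time-password=${ud_otp}]
EOF
}

# Preset the computer account with a fresh OTP using the ticket from kinit
# (--login-ccache), so the service-account password is never stored.
# Caveat: the OTP is briefly visible in the process list on this workstation.
preset_computer() {
    adcli preset-computer --domain="$AD_DOMAIN" --login-ccache \
        --one-time-password="$2" "$1"
}

# Deploy one MAAS machine with the rendered user data. The MAAS CLI form
# "machine deploy <system_id> user_data=<base64>" is an assumption here.
deploy_with_user_data() {
    dep_ud="$(render_user_data "$1" "$2" | base64 | tr -d '\n')"
    maas "$MAAS_PROFILE" machine deploy "$3" user_data="$dep_ud"
}

# Usage: ./preset-and-deploy.sh node01:abc123 node02:def456 ...
# (each argument is host:maas_system_id; AD_SERVICE_ACCOUNT must be set)
main() {
    kinit "${AD_SERVICE_ACCOUNT:?set to the AD service account principal}"  # prompts; nothing stored
    for pair in "$@"; do
        host="${pair%%:*}"; system_id="${pair#*:}"
        otp="$(gen_otp)"
        preset_computer "$host" "$otp"
        deploy_with_user_data "$host" "$otp" "$system_id"
        unset otp
    done
    kdestroy
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The one-time password still lands in the MAAS database as part of the user data, but it is unique to one host and is only usable to authenticate as that one computer account; once `adcli join` succeeds it writes a new random machine password into the host's keytab, so the preset value no longer opens anything. If the MAAS CLI call is not available in your version, the same rendered user data can be attached through the MAAS web UI or API instead; the preset and OTP generation steps do not change.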