I’ve spent a few days trying to figure out how to have a node securely join our internal Active Directory servers after a MAAS deployment to a bare-metal server. So far I haven’t found a way that doesn’t involve at least one of:
- running a separate command to pre-create the machine accounts, then going back to the web UI to deploy, or
- putting passwords or private keys/keytabs into plain-text files, or
- having the same one-time machine password for all machines that’s embedded into the Kickstart file for the Packer image
Does anybody have a recipe that avoids all these pitfalls?
On xcat, we have a script that does something like:
- kinit to get service account credentials (this is when the admin doing the deploying can enter the service account password so that it doesn’t have to be stored)
- for each machine in the specified range:
  - generate a random one-time password
  - adcli preset-computer to set the one-time password
  - put the one-time password into the kickstart file for that machine
  - run the install
I’m sure that there must be a way to handle this securely, but I’ve been having surprisingly little luck with all my Googling.
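One way to script the xcat-style flow described in the post (an added example, not the poster's own script): each host gets its own random one-time password, which is preset with the admin's kinit ticket and written only to that host's kickstart fragment, so no service-account password or shared secret lands in the image. It assumes adcli is installed, a Kerberos ticket already exists from kinit, and uses the constructed placeholder domain example.internal.

```shell
#!/bin/sh
# Added example, not the poster's xcat script: per-machine one-time
# passwords preset via adcli, each written to its own kickstart fragment.
# Assumes adcli and a Kerberos ccache obtained earlier with `kinit svc-acct`.
set -eu
umask 077                               # fragments must not be world-readable

DOMAIN="${DOMAIN:-example.internal}"    # constructed placeholder domain
OUTDIR="${OUTDIR:-./ks-fragments}"

# 24 alphanumeric chars from /dev/urandom; never echoed, only written to the fragment.
gen_otp() {
    head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 24
}

# Render the %post snippet the host runs to join with its own OTP.
# The computer object already exists (preset), so no domain-admin
# credential is needed on the host or baked into the image.
render_post() {   # $1=hostname $2=otp
    cat <<EOF
%post --erroronfail
adcli join --domain=$DOMAIN --host-fqdn=$1.$DOMAIN --one-time-password='$2'
%end
EOF
}

# Preset the computer account using the ticket from kinit (--login-ccache),
# so the service-account password is typed once and never stored on disk.
preset() {        # $1=hostname $2=otp
    adcli preset-computer --domain="$DOMAIN" --login-ccache \
        --one-time-password="$2" "$1"
}

provision() {     # $@ = hostnames to deploy
    mkdir -p "$OUTDIR"
    for h in "$@"; do
        otp="$(gen_otp)"
        preset "$h" "$otp"
        render_post "$h" "$otp" > "$OUTDIR/$h.ks"   # 0600 via umask
    done
}

if [ $# -gt 0 ]; then
    provision "$@"
fi
```

Each `$OUTDIR/<host>.ks` fragment is appended to that host's kickstart; because the OTP is consumed by the single `adcli join`, a leaked fragment is useless after the install completes.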