1:34 p.m.
Hi,
This is probably a stupid question, but here we go...
I would like to use FreeIPA to manage Linux VDI machines, but VMware is
Active Directory-centric, and it's Horizon Connection Server creates
machine objects on AD that the VM's join to when created - and these
objects are deleted automatically when the corresponding VM ceases to
exist.
I wonder if would be possible to simply join the machine to FreeIPA but
to an object that exists on AD, so that AD could delete it when the VM
ceases to exist.
Anything that would achieve the same ends would be very interesting. Any
thoughts on that?
Best,
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
3:15 a.m.
I would like to use FreeIPA to manage Linux VDI machines, but VMware
is
Active Directory-centric, and it's Horizon Connection Server creates
machine objects on AD that the VM's join to when created - and these
objects are deleted automatically when the corresponding VM ceases to
exist.
I wonder if would be possible to simply join the machine to FreeIPA but
to an object that exists on AD, so that AD could delete it when the VM
ceases to exist.
Perhaps you want what Red Hat calls 'direct integration' of sssd (on your VM) to
AD?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
In which case you don't use FreeIPA at all.
(Out of interest, how does VMWare send credentials into the VM so it can join the
domain?)
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
12:21 p.m.
New subject: Is it possible to create hosts in AD via FreeIPA?
On 2022-04-08 10:15, Sam Morris via FreeIPA-users wrote:
> I would like to use FreeIPA to manage Linux VDI machines, but
VMware
> is
> Active Directory-centric, and it's Horizon Connection Server creates
> machine objects on AD that the VM's join to when created - and these
> objects are deleted automatically when the corresponding VM ceases to
> exist.
>
> I wonder if would be possible to simply join the machine to FreeIPA
> but
> to an object that exists on AD, so that AD could delete it when the VM
> ceases to exist.
Perhaps you want what Red Hat calls 'direct integration' of sssd (on
your VM) to AD?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
In which case you don't use FreeIPA at all.
(Out of interest, how does VMWare send credentials into the VM so it
can join the domain?)
Thanks Sam. I will give a look into that.
As to your question, VMware has some strategies for domain joining, most
of them described here:
https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUI...
In fact, I've realized that domain joining from the linux side is not
really important, as long as the kerberos works and is configured right.
For example, one can use ldap for authentication, without binding the
machine, and it works seamless even when the machine is not domain
joined.
Or you can simply have a script with a credential, and get the script to
be run when the instant clones are created on the fly (called
RunOnceScript on vmware-view.conf configuration file).
Domain joining might be necessary anyway for mounting things, for
example.
Best,
Francis
12:22 p.m.
New subject: Is it possible to create hosts in AD via FreeIPA?
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
On 2022-04-08 10:15, Sam Morris via FreeIPA-users wrote:
> I would like to use FreeIPA to manage Linux VDI machines, but
VMware
> is
> Active Directory-centric, and it's Horizon Connection Server creates
> machine objects on AD that the VM's join to when created - and these
> objects are deleted automatically when the corresponding VM ceases to
> exist.
>
> I wonder if would be possible to simply join the machine to FreeIPA
> but
> to an object that exists on AD, so that AD could delete it when the VM
> ceases to exist.
Perhaps you want what Red Hat calls 'direct integration' of sssd (on
your VM) to AD?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
In which case you don't use FreeIPA at all.
(Out of interest, how does VMWare send credentials into the VM so it
can join the domain?)
Thanks Sam. I will give a look into that.
As to your question, VMware has some strategies for domain joining, most
of them described here:
https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUI...
In fact, I've realized that domain joining from the linux side is not
really important, as long as the kerberos works and is configured right.
For example, one can use ldap for authentication, without binding the
machine, and it works seamless even when the machine is not domain
joined.
Or you can simply have a script with a credential, and get the script to
be run when the instant clones are created on the fly (called
RunOnceScript on vmware-view.conf configuration file).
Domain joining might be necessary anyway for mounting things, for
example.
Best,
Francis
766
days inactive
767
days old
freeipa-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Francis Augusto Medeiros-Logeay -
Francis Augusto Medeiros-Logeay -
Sam Morris