Machine authentication and dynamic dns for AD



Greetings,

I was curious if the RH or other contributors have investigated adding os-level machine auth support into NM, or proper dynamic dns client support to register with AD. I know it's a bit chicken and egg, considering nm has no identity at boot, but needs to be a handoff from system to user, and possibly depending on coa state, might transition hosts while a user is logged in back to machine auth (posture/ids state says coa/quarantine them).

Dealing with a large enterprise wireless deployment recently with largely Windows and Mac clients, Linux is sorely missing networking functions pertaining to "typical" deployment scenarios. I was surprised that, as lacking as I find Mac OS X to be, they had to adapt to the "enterprise standard" and include DDNS and machine auth features as well, though machine auth support seems flawed at best, unreliable at worst. We ended up using Jamf as an MDM component to work around it, but sadly Linux has no equivalent there either.

I represent a growing contingent of Linux desktop/laptop users in my org, so I'm digging a bit and finding little pertaining to either being supported, implemented, or hacked in. I've never been too concerned, as I've either not had enterprise-wide wireless or been consulting and mostly not needed it, but in this FTE gig I'm finding it a hindrance to adoption.

Another real annoyance I found was the storing of my domain pass in the NM keyfiles in plain text. Insert sad face; are GNOME keyring/Kerberos not suitable for this for PEAP/MSCHAP functions? I'm migrating to certs, but this comes with its own issues with M$ infrastructure. SCEP functionality, sadly again like on Mac, would be a nice consideration at some point for attaining certs.

These are pretty large barriers for linux in the enterprise these days.

Thanks in advance!

-mb
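The plaintext-password complaint above is easy to audit mechanically. The following is an added example, not code from the original post or from NetworkManager: it scans a keyfile-format connection profile for 802.1X / Wi-Fi secrets written to disk and rewrites the profile so the secret is marked agent-owned (`<secret>-flags=1`), which makes NM ask a secret agent such as the keyring instead of storing the value in the file. The sample profile is constructed for the demonstration.

```python
# Added example (not from the original post): audit NetworkManager keyfiles for
# secrets kept on disk, the situation described for a PEAP/MSCHAPv2 domain pass.
# Assumption: NM's standard "<secret>-flags" semantics, where 0 = NM stores the
# secret in the file, 1 = agent-owned (e.g. keyring), 2 = not saved (prompted
# each time), 4 = not required.
import configparser
import io

# Secret keys NetworkManager may write into a keyfile, grouped by section.
SECRET_KEYS = {
    "802-1x": ("password", "private-key-password",
               "phase2-private-key-password", "pin"),
    "wifi-security": ("psk", "leap-password",
                      "wep-key0", "wep-key1", "wep-key2", "wep-key3"),
}

# Constructed sample: a PEAP/MSCHAPv2 profile with the domain password on disk.
SAMPLE_KEYFILE = """[connection]
id=corp-wifi
type=wifi

[wifi]
ssid=CORP

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=mb@corp.example
phase2-auth=mschapv2
password=S3cretDomainPass
"""

def _parse(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def audit_keyfile(text):
    """Return (section, key, flags) for every secret whose value is in the file."""
    cfg = _parse(text)
    findings = []
    for section, keys in SECRET_KEYS.items():
        for key in keys:
            if cfg.has_option(section, key):
                flags = cfg.getint(section, f"{key}-flags", fallback=0)
                findings.append((section, key, flags))
    return findings

def harden_keyfile(text):
    """Drop on-disk secrets and mark them agent-owned so a secret agent holds them."""
    cfg = _parse(text)
    for section, key, _flags in audit_keyfile(text):
        cfg.remove_option(section, key)
        cfg.set(section, f"{key}-flags", "1")
    out = io.StringIO()
    cfg.write(out, space_around_delimiters=False)  # keep NM's key=value form
    return out.getvalue()
```

Run it over the profiles in /etc/NetworkManager/system-connections/ to find connections that still carry secrets on disk; the same change can be made with `nmcli connection modify <name> 802-1x.password-flags 1`.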

