Features/ActiveDirectory

From FedoraProject

Difference between revisions
(Initial page)
 
(Spelling fixes and tweaks)
Line 1: Line 1:
{{admon/important | Set a Page Watch| Make sure you click ''watch'' on your new page so that you are notified of changes to it by others, including the Feature Wrangler}}
 
 
 
= Active Directory =
 
= Active Directory =
  
 
== Summary ==
 
== Summary ==
  
Fedora should be able to be used on an Active Directory domain (or IPA realm) out of the box. Simple joining of these domains, and authenticating to them.
+
Fedora should be able to be used on an Active Directory domain (or other kerberos realms, such as IPA) out of the box. It should be easy to configure domain logins on a Fedora machine, and then it should be intuitive and uneventful to login with those credentials.
  
This feature will also increase reliability and ease usage for any Kerberos realm, not just Active Directory. We do however target Active Directory as the main use case as it's by far the most widely deployed Kerberos realm and directory.
+
This feature will also increase reliability and ease usage for any Kerberos realm, not just Active Directory. We do however target Active Directory as the main use case: it's by far the most widely deployed Kerberos realm and directory.
  
 
== Owner ==
 
== Owner ==
Line 18: Line 16:
 
* Targeted release: [[Releases/18 | Fedora 18 ]]  
 
* Targeted release: [[Releases/18 | Fedora 18 ]]  
 
* Last updated: 2012-05-25
 
* Last updated: 2012-05-25
* Percentage of completion: 20%
+
* Percentage of completion: 30%
  
 
== Detailed Description ==
 
== Detailed Description ==
  
Fedora should work out of the box in an Active Directory environment. Currently many tools are there to accomplish this, but it takes a genius to get all aspects working correctly and securely.
+
Fedora should work out of the box in an Active Directory environment. Currently Fedora contains packages for many tools to accomplish this, but it takes a lot of pain to get all aspects working correctly. It's also easy to make security mistakes.
  
First of all this feature fixes bugs and tough spots present in kerberos libraries, sssd, authconfig, openldap, samba, winbind, GUI, as necessary. We also remove configuration headaches. Some examples here, more details available on request:
+
First of all this feature fixes bugs and tough spots present in kerberos libraries, sssd, authconfig, openldap, samba, winbind and other packages. We also remove configuration headaches. Some examples outlined here, more details available on request:
  
 
* Allow configurationless kerberos. Remove /etc/krb5.conf file requirement, and unbreak defaults.
 
* Allow configurationless kerberos. Remove /etc/krb5.conf file requirement, and unbreak defaults.
* Remove NTP requirement for kerberos clients.
+
* Remove NTP time syncing requirement for kerberos clients.
 
* Correctly show kerberos password change policy messages.
 
* Correctly show kerberos password change policy messages.
 
* Respect kerberos password policy for kerberos accounts instead of local policy.
 
* Respect kerberos password policy for kerberos accounts instead of local policy.
* Make SSSD work without modifications to the Active Directory domain.
+
* Make SSSD work with Active Directory domains without modifications to those domains.
 
* Fix authconfig so it doesn't break config files.
 
* Fix authconfig so it doesn't break config files.
 
* Fix SELinux policies so which prevent this stuff from working out of the box.
 
* Fix SELinux policies so which prevent this stuff from working out of the box.
 +
* ... and much more
  
 
Secondly the GUI will be updated to support kerberos logins better:
 
Secondly the GUI will be updated to support kerberos logins better:
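Review bot: the bullet "Remove NTP time syncing requirement for kerberos clients" should say how that is achieved, since a KDC only accepts authenticators whose timestamp falls inside the clock-skew window and that check must stay; if the client learns its offset from the KDC's own responses rather than the window being relaxed, state it, because as written a reader could take it as disabling skew enforcement. Also, "Fix SELinux policies so which prevent this stuff from working out of the box" keeps the stray "so" from the previous revision; suggest "Fix SELinux policies which prevent this from working out of the box."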
Line 39: Line 38:
 
* Automatically renew tickets when possible and/or reprompt for credentials when they expire.
 
* Automatically renew tickets when possible and/or reprompt for credentials when they expire.
  
Thirdly, and equally important, we streamline the enrollment process for joining a machine to an Active Directory domain. In the process we also easy configuration of IPA kerberos domains. In these streamlined setups we auto-discover all necessary configuration parameters, only a domain name is needed.
+
Thirdly, and equally important, we streamline the enrollment process for joining a machine to an Active Directory domain. It is necessary to enroll a machine in order to perform domain logins securely. In the process we also ease configuration of IPA kerberos domains. In these streamlined setups we auto-discover all necessary configuration parameters; only a domain name is needed.
  
 
Gnome Control Center will be updated to allow configuring logins for Active Directory users from the GUI. Firstboot and/or Initial Setup will be modified to allow setup of Active Directory logins. New command line tools will also be available to drive this streamlined enrollment process.
 
Gnome Control Center will be updated to allow configuring logins for Active Directory users from the GUI. Firstboot and/or Initial Setup will be modified to allow setup of Active Directory logins. New command line tools will also be available to drive this streamlined enrollment process.
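Review bot: "we auto-discover all necessary configuration parameters; only a domain name is needed" should say where those parameters come from and how the discovered KDC and directory servers come to be trusted, because discovery from an ordinary DNS resolver cannot be authenticated by itself. The new sentence "It is necessary to enroll a machine in order to perform domain logins securely" is the right addition; tie it to that reasoning, i.e. that the join is done with domain administrative credentials and the host keytab it produces is what later logins are verified against.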
Line 47: Line 46:
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
  
* Fedora will be simple to use on an Active Directory domain or IPA realm. This will increase its appeal among enterprise users.
+
* Fedora will be simple to use on an Active Directory domain or IPA realm. This will increase its appeal among enterprise admins and users.  
 
* By using SSSD we will have reliable offline usage (eg: laptop) for users logging in with a kerberos login.
 
* By using SSSD we will have reliable offline usage (eg: laptop) for users logging in with a kerberos login.
 
* Most of these changes and fixes will increase reliability and ease usage for all kerberos realms, not just Active Directory. We simply target Active Directory as the main use case as it's by far the most widely deployed kerberos server.
 
* Most of these changes and fixes will increase reliability and ease usage for all kerberos realms, not just Active Directory. We simply target Active Directory as the main use case as it's by far the most widely deployed kerberos server.
* Most users who have configured pam_krb5 + nss_ldap are doing so in a secure way, which is trivially hackable by anyone with access to the network. My making it simple enroll the machine correctly, and using sssd, we will increase security for kerberos users.
+
* Most users who have configured pam_krb5. which is trivially hackable by anyone with access to the network. By using SSSD and enrolling the machine correctly, we will increase security for kerberos users.
  
 
== Scope ==
 
== Scope ==
  
This is a large change which touches many packages. There are many people on board with this effort and are already working hard to make it happen, most in upstream projects.
+
This is a large change which touches many packages. There are many people on board with this effort and are already working hard to make this stuff happen, most in upstream projects.
  
 
* Many many bug fixes (of which many have already been fixed upstream as a result of this effort).
 
* Many many bug fixes (of which many have already been fixed upstream as a result of this effort).
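Review bot: the rewritten Benefit bullet is now a fragment: "Most users who have configured pam_krb5. which is trivially hackable by anyone with access to the network." The half that was dropped from the old sentence also had its sense inverted ("doing so in a secure way" where the point is that it is insecure). Suggested wording: "Most users who have configured pam_krb5 with nss_ldap have done so insecurely: without a host keytab the client cannot verify the KDC, so anyone on the network who can answer in its place can log in as any user. By using SSSD and enrolling the machine correctly, we will increase security for kerberos users."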
Line 68: Line 67:
 
The goal is for this stuff to work out of the box. Necessary packages should either already be installed, or should be installed for you while enrolling the machine.
 
The goal is for this stuff to work out of the box. Necessary packages should either already be installed, or should be installed for you while enrolling the machine.
  
You should be able to setup domain logins from Firstboot or Initial Setup. You should be able to setup domain logins from the Users panel in Gnome Control Center. Once configured you should be able to login at GDM with you domain credentials.
+
You should be able to setup domain logins from Firstboot or Initial Setup. You should be able to setup domain logins from the User Account panel in Gnome Control Center. Once configured you should be able to login at GDM with your domain credentials.
  
 
Your kerberos tickets should be tracked by GNOME and either automatically renewed (when possible) or you should be reprompted for your domain credentials as necessary.
 
Your kerberos tickets should be tracked by GNOME and either automatically renewed (when possible) or you should be reprompted for your domain credentials as necessary.
Line 84: Line 83:
 
There are dependencies in at least the following:
 
There are dependencies in at least the following:
  
* krb5
+
* krb5-libs
 
* sssd
 
* sssd
 
* samba
 
* samba
 +
* samba-winbind
 
* gdm
 
* gdm
 
* gnome-control-center
 
* gnome-control-center
 +
* gnome-session
 
* firstboot
 
* firstboot
 +
* authconfig
  
Because this feature is about integration it touches a large amount of packages. We've been proactive in making sure to work with upstream developers, and are already making solid progress.
+
Because this feature is about integration it touches a large amount of packages. We've been proactive in making sure to work with upstream projects.
  
 
== Contingency Plan ==
 
== Contingency Plan ==
  
* The myriad of kerberos related bug fixes stand on their own. And are being merged as complete.
+
* The myriad of kerberos related bug fixes stand on their own. And are being merged as completed.
* The GNOME changes will disable themselves at run time should the underlying stuff not be present.
+
* The GNOME changes will disable themselves at run time should the underlying supporting infrastructure not be ready.
 
* If SSSD Active Directory changes are not ready in time, realmd can configure Winbind instead.
 
* If SSSD Active Directory changes are not ready in time, realmd can configure Winbind instead.
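Review bot: realmd is missing from the dependency list although the contingency plan ("realmd can configure Winbind instead") and the enrollment design depend on it; add it next to sssd and samba-winbind. Minor: "stand on their own. And are being merged as completed." is still a sentence fragment after the edit; join it as "stand on their own and are being merged as they are completed."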
  

Revision as of 10:04, 25 May 2012


Active Directory

Summary

Fedora should be able to be used on an Active Directory domain (or other kerberos realms, such as IPA) out of the box. It should be easy to configure domain logins on a Fedora machine, and then it should be intuitive and uneventful to log in with those credentials.

This feature will also increase reliability and ease usage for any Kerberos realm, not just Active Directory. We do however target Active Directory as the main use case: it's by far the most widely deployed Kerberos realm and directory.

Owner

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-05-25
  • Percentage of completion: 30%

Detailed Description

Fedora should work out of the box in an Active Directory environment. Currently Fedora contains packages for many tools to accomplish this, but it takes a lot of pain to get all aspects working correctly. It's also easy to make security mistakes.

First of all this feature fixes bugs and tough spots present in kerberos libraries, sssd, authconfig, openldap, samba, winbind and other packages. We also remove configuration headaches. Some examples outlined here, more details available on request:

  • Allow configurationless kerberos. Remove /etc/krb5.conf file requirement, and unbreak defaults.
  • Remove NTP time syncing requirement for kerberos clients.
  • Correctly show kerberos password change policy messages.
  • Respect kerberos password policy for kerberos accounts instead of local policy.
  • Make SSSD work with Active Directory domains without modifications to those domains.
  • Fix authconfig so it doesn't break config files.
  • Fix SELinux policies which prevent this from working out of the box.
  • ... and much more

Secondly the GUI will be updated to support kerberos logins better:

  • GDM will give hints as to how to log in with domain credentials (once configured).
  • Automatically renew tickets when possible and/or reprompt for credentials when they expire.

Thirdly, and equally important, we streamline the enrollment process for joining a machine to an Active Directory domain. It is necessary to enroll a machine in order to perform domain logins securely. In the process we also ease configuration of IPA kerberos domains. In these streamlined setups we auto-discover all necessary configuration parameters; only a domain name is needed.

Gnome Control Center will be updated to allow configuring logins for Active Directory users from the GUI. Firstboot and/or Initial Setup will be modified to allow setup of Active Directory logins. New command line tools will also be available to drive this streamlined enrollment process.

The above streamlined setup is driven by realmd, a D-Bus system service that is started on demand. It supports multiple providers (such as winbind or sssd), and it is an upstream project rather than something Red Hat specific.

Benefit to Fedora

  • Fedora will be simple to use on an Active Directory domain or IPA realm. This will increase its appeal among enterprise admins and users.
  • By using SSSD we will have reliable offline usage (eg: laptop) for users logging in with a kerberos login.
  • Most of these changes and fixes will increase reliability and ease usage for all kerberos realms, not just Active Directory. We simply target Active Directory as the main use case as it's by far the most widely deployed kerberos server.
  • Most users who have configured pam_krb5 with nss_ldap have done so insecurely: without enrolling the machine there is no host keytab, so the client cannot verify the KDC it talks to, and anyone on the network able to answer in its place can log in as any user. By using SSSD and enrolling the machine correctly, we will increase security for kerberos users.
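As an added example (not code from this feature page or from realmd), the Python below models the two things the enrollment description and the pam_krb5 bullet above talk about: deriving the realm, KDCs and directory servers from nothing but the domain name, using the DNS SRV names a domain client consults, and then emitting an sssd.conf that turns on TGT validation against the host keytab an enrollment produces. The zone contents, host names and helper names are constructed for the example, and telling Active Directory apart from a plain Kerberos realm by the presence of `dc._msdcs` records is a simplification, not realmd's own logic.

```python
"""Added example (not from the Fedora feature page or realmd): discover a
Kerberos / Active Directory domain from its DNS name alone, then emit a client
configuration that relies on the host keytab a domain join produces.
The DNS data is a constructed sample zone; helper names are this example's own.
"""
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone standing in for the resolver. The record names are
# the ones a domain client really consults; the hosts are made up.
SAMPLE_ZONE = {
    "_kerberos._tcp.dc._msdcs.example.com": [
        SRV(0, 100, 88, "dc1.example.com"),
        SRV(0, 100, 88, "dc2.example.com"),
        SRV(10, 100, 88, "dc3.example.com"),  # lower preference, e.g. a remote site
    ],
    "_ldap._tcp.dc._msdcs.example.com": [
        SRV(0, 100, 389, "dc1.example.com"),
        SRV(0, 100, 389, "dc2.example.com"),
    ],
    "_kpasswd._tcp.example.com": [SRV(0, 100, 464, "dc1.example.com")],
}


def lookup_srv(name, zone=SAMPLE_ZONE):
    return list(zone.get(name.lower(), []))


def order_srv(records, rng=None):
    """RFC 2782 ordering: ascending priority, weighted random within a priority."""
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def discover(domain, zone=SAMPLE_ZONE):
    """Everything else is derived from the domain name: realm, KDCs, LDAP servers."""
    domain = domain.rstrip(".").lower()
    # AD publishes its domain controllers under dc._msdcs; other realms use the bare names.
    ad_kdcs = lookup_srv(f"_kerberos._tcp.dc._msdcs.{domain}", zone)
    kdcs = ad_kdcs or lookup_srv(f"_kerberos._tcp.{domain}", zone)
    if not kdcs:
        raise LookupError(f"no Kerberos SRV records for {domain}")
    ldap = lookup_srv(f"_ldap._tcp.dc._msdcs.{domain}", zone) or lookup_srv(f"_ldap._tcp.{domain}", zone)
    kpasswd = lookup_srv(f"_kpasswd._tcp.{domain}", zone)
    return {
        "domain": domain,
        "realm": domain.upper(),
        "type": "active-directory" if ad_kdcs else "kerberos",  # simplification (assumption)
        "kdcs": [f"{r.target}:{r.port}" for r in order_srv(kdcs)],
        "ldap": [f"{r.target}:{r.port}" for r in order_srv(ldap)],
        "kpasswd": [f"{r.target}:{r.port}" for r in order_srv(kpasswd)],
    }


def krb5_conf(info):
    """Minimal krb5.conf: the realm is pinned, KDC lookup is left to DNS."""
    return (
        "[libdefaults]\n"
        f"  default_realm = {info['realm']}\n"
        "  dns_lookup_kdc = true\n"
        "[realms]\n"
        f"  {info['realm']} = {{\n"
        + "".join(f"    kdc = {k}\n" for k in info["kdcs"])
        + "  }\n"
    )


def sssd_conf(info, hostname):
    """sssd.conf for an enrolled machine. krb5_validate makes the auth provider fetch a
    ticket for host/<fqdn> and check it against the keytab, which a machine without a
    keytab cannot do; that is the KDC-spoofing gap enrollment closes. The setting is
    written explicitly so it is visible even where the provider would default to it."""
    return (
        "[sssd]\n"
        f"  domains = {info['domain']}\n"
        "  services = nss, pam\n"
        f"[domain/{info['domain']}]\n"
        "  id_provider = ad\n"
        "  auth_provider = ad\n"
        f"  ad_domain = {info['domain']}\n"
        f"  ad_hostname = {hostname}\n"
        f"  krb5_realm = {info['realm']}\n"
        "  krb5_keytab = /etc/krb5.keytab\n"
        "  krb5_validate = True\n"
        "  cache_credentials = True\n"
    )


def validates_tgt(conf_text):
    """True if a domain section turns on TGT validation; False means a spoofed KDC would pass."""
    m = re.search(r"^\s*krb5_validate\s*=\s*(\w+)", conf_text, re.M | re.I)
    return bool(m) and m.group(1).lower() in ("true", "yes", "1")
```

Without `krb5_validate` (or pam_krb5's comparable validate option) a password that a rogue KDC is willing to accept is enough to log in; with it, the client asks for a service ticket to its own host principal and decrypts it with /etc/krb5.keytab, which only a KDC holding the real host key can issue.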

Scope

This is a large change which touches many packages. There are many people on board with this effort and are already working hard to make this stuff happen, most in upstream projects.

  • Many many bug fixes (of which many have already been fixed upstream as a result of this effort).
  • SSSD will gain support for Active Directory (already in progress).
  • Firstboot modifications to integrate realmd and streamlined setup.
  • GNOME modifications to integrate use of kerberos and its configuration.
  • Complete work on realmd for streamlined setup (much already done).

How To Test

To perform testing you will need an Active Directory domain or IPA realm reachable from your machine, and a user account on that domain. To enroll your machine you will probably need administrative credentials for the domain (or assistance from an administrator of the domain).

The goal is for this stuff to work out of the box. Necessary packages should either already be installed, or should be installed for you while enrolling the machine.

You should be able to setup domain logins from Firstboot or Initial Setup. You should be able to setup domain logins from the User Account panel in Gnome Control Center. Once configured you should be able to log in at GDM with your domain credentials.

Your kerberos tickets should be tracked by GNOME and either automatically renewed (when possible) or you should be reprompted for your domain credentials as necessary.

All of the above should function without fiddling with configuration files, or knowing details of the domain (other than its name, and relevant domain credentials).

User Experience

Admins and users will see a simplified experience for configuring kerberos when installing Fedora. Users will see simple options for using domain logins in the control center. Users who have configured kerberos logins will see hints during login for how to use their domain credentials. They will be reprompted as necessary for expiring credentials.

But above all, the goal here is to not have unnecessary "user experience" and to have stuff just work.

Dependencies

There are dependencies in at least the following:

  • krb5-libs
  • sssd
  • samba
  • samba-winbind
  • gdm
  • gnome-control-center
  • gnome-session
  • firstboot
  • authconfig

Because this feature is about integration it touches a large amount of packages. We've been proactive in making sure to work with upstream projects.

Contingency Plan

  • The myriad of kerberos related bug fixes stand on their own and are being merged as they are completed.
  • The GNOME changes will disable themselves at run time should the underlying supporting infrastructure not be ready.
  • If SSSD Active Directory changes are not ready in time, realmd can configure Winbind instead.

Documentation

  • Design of the GNOME feature is ongoing and can be seen [[1]], [[2]], and [[3]].
  • More documentation is forthcoming.

Release Notes

Comments and Discussion