From Fedora Project Wiki
(Moved to FeatureReadyForFesco, ticket #859)
(Moved to featureacceptedF18, feature was approved at 6/4/12 fesco meeting)
Line 120: Line 120:
* See [[Talk:Features/ActiveDirectory]]
* See [[Talk:Features/ActiveDirectory]]


[[Category:FeatureReadyForFesco]]
[[Category:FeatureAcceptedF18]]
<!-- When your feature page is completed and ready for review -->
<!-- When your feature page is completed and ready for review -->
<!-- remove Category:FeaturePageIncomplete and change it to  -->
<!-- remove Category:FeaturePageIncomplete and change it to  -->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->

Revision as of 15:55, 14 June 2012

Active Directory

Summary

Fedora should be able to be used on an Active Directory domain (or other kerberos realms, such as IPA) out of the box. It should be easy to configure domain logins on a Fedora machine, and then it should be intuitive and uneventful to login with those credentials.

This feature will also increase reliability and ease usage for any Kerberos realm, not just Active Directory. We do however target Active Directory as the main use case: it's by far the most widely deployed Kerberos realm and directory.

Owner

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-05-25
  • Percentage of completion: 30%

Detailed Description

Fedora should work out of the box in an Active Directory environment. Currently Fedora contains packages for many tools to accomplish this, but it takes a lot of pain to get all aspects working correctly. It's also easy to make mistakes that undermine the security of your system.

First of all this feature fixes bugs and tough spots present in kerberos libraries, sssd, authconfig, openldap, samba, winbind and other packages. We also remove configuration headaches. Some examples outlined here, more details available on request:

  • Allow configurationless kerberos. Remove /etc/krb5.conf file requirement, and unbreak defaults.
  • Remove NTP time syncing requirement for kerberos clients.
  • Correctly show kerberos password change policy messages.
  • Respect kerberos password policy for kerberos accounts instead of local policy.
  • Make SSSD work with Active Directory domains without modifications to those domains.
  • Fix authconfig so it doesn't break config files.
  • Fix SELinux policies so which prevent this stuff from working out of the box.
  • ... and much more

Secondly the GUI will be updated to support kerberos logins better:

  • GDM will give hints as to how to log in with domain credentials (once configured).
  • Automatically renew tickets when possible and/or reprompt for credentials when they expire.

Thirdly, and equally important, we streamline the enrollment process for joining a machine to an Active Directory domain. It is necessary to enroll a machine in order to perform domain logins securely. In the process we also ease configuration of IPA kerberos domains. In these streamlined setups we auto-discover all necessary configuration parameters; only a domain name is needed.

Gnome Control Center will be updated to allow configuring logins for Active Directory users from the GUI. Firstboot and/or Initial Setup will be modified to allow setup of Active Directory logins. New command line tools will also be available to drive this streamlined enrollment process.

The above streamlined setup is driven by a D-Bus system service called realmd started on demand. This service allows multiple providers (such as winbind or sssd). It is also an upstream project and not just Red Hat specific.

Benefit to Fedora

  • Fedora will be simple to use on an Active Directory domain or IPA realm. This will increase its appeal among enterprise admins and users.
  • By using SSSD we will have reliable offline usage (eg: laptop) for users logging in with a kerberos login.
  • Most of these changes and fixes will increase reliability and ease usage for all kerberos realms, not just Active Directory. We simply target Active Directory as the main use case as it's by far the most widely deployed kerberos server.
  • Most current kerberos users have configured pam_krb5, which is trivially hackable by anyone with access to the network. By using SSSD and enrolling the machine correctly, we will increase security for these users.

Scope

This is a large change which touches many packages. There are many people on board with this effort and are already working hard to make this stuff happen, most in upstream projects.

  • Many many bug fixes (of which many have already been fixed upstream as a result of this effort).
  • SSSD will gain support for Active Directory (already in progress).
  • Firstboot modifications to integrate realmd and streamlined setup.
  • GNOME modifications to integrate use of kerberos and its configuration.
  • Complete work on realmd for streamlined setup (much already done).

How To Test

To perform testing one will need to have an Active Directory domain or IPA realm accessible to you. You'll need a user account on that domain. To enroll your machine you'll probably need administrative credentials for the domain (or assistance from an administrator of the domain).

The goal is for this stuff to work out of the box. Necessary packages should either already be installed, or should be installed for you while enrolling the machine.

You should be able to setup domain logins from Firstboot or Initial Setup. You should be able to setup domain logins from the User Account panel in Gnome Control Center. Once configured you should be able to login at GDM with your domain credentials.

Your kerberos tickets should be tracked by GNOME and either automatically renewed (when possible) or you should be reprompted for your domain credentials as necessary.

All of the above should function without fiddling with configuration files, or knowing details of the domain (other than its name, and relevant domain credentials).

User Experience

Admins and users will see a simplified experience for configuring kerberos when running Fedora install. Users will see simple options for using domain logins in the control center. Users who have configured kerberos logins will see hints during login for how to use their domain credentials. They will be reprompted as necessary for expiring credentials.

But above all, the goal here is to not have unnecessary "user experience" and to have stuff just work.

Dependencies

There are dependencies in at least the following:

  • krb5-libs
  • sssd
  • samba
  • samba-winbind
  • gdm
  • gnome-control-center
  • gnome-session
  • firstboot
  • authconfig

Because this feature is about integration it touches a large amount of packages. We've been proactive in making sure to work with upstream projects.

New modules that need to be packaged:

Contingency Plan

  • The myriad of kerberos related bug fixes stand on their own. And are being merged as completed.
  • The GNOME changes will disable themselves at run time should the underlying supporting infrastructure not be ready.
  • If SSSD Active Directory changes are not ready in time, realmd can configure Winbind instead.

Documentation

  • Design of the GNOME feature is ongoing and can be seen here, here, and here.
  • The GNOME side of this feature is tracked here
  • More documentation is forthcoming.

Release Notes

Comments and Discussion