- 1 Active Directory
Fedora should be able to be used on an Active Directory domain (or other kerberos realms, such as IPA) out of the box. It should be easy to configure domain logins on a Fedora machine, and then it should be intuitive and uneventful to login with those credentials.
This feature will also increase reliability and ease usage for any Kerberos realm, not just Active Directory. We do however target Active Directory as the main use case: it's by far the most widely deployed Kerberos realm and directory.
- Name: Stef Walter
- Email: email@example.com
- Targeted release: Fedora 18
- Last updated: 2012-09-07
- Percentage of completion: 90%
realmd packages are available in rawhide, and the control-center support for using it is included in GNOME 3.5.5. The command line realm command is complete, and sssd integration is working. Documentation and manuals are being written.
A few more tweaks are landing in the GUI for this as well, in GDM and the control center.
Incomplete features include the ability to do automatic hands-free deployment of domain enrollment with realmd. This is part of the adcli module. The integration into initial-setup is still being integrated, but will be very similar to the control center code.
Fedora should work out of the box in an Active Directory environment. Currently Fedora contains packages for many tools to accomplish this, but it takes a lot of pain to get all aspects working correctly. It's also easy to make mistakes that undermine the security of your system.
First of all this feature fixes bugs and tough spots present in kerberos libraries, sssd, authconfig, openldap, samba, winbind and other packages. We also remove configuration headaches. Some examples outlined here, more details available on request:
- Allow configurationless kerberos. Remove /etc/krb5.conf file requirement, and unbreak defaults.
- Remove NTP time syncing requirement for kerberos clients.
- Correctly show kerberos password change policy messages.
- Respect kerberos password policy for kerberos accounts instead of local policy.
- Make SSSD work with Active Directory domains without modifications to those domains.
- Fix authconfig so it doesn't break config files.
- Fix SELinux policies so which prevent this stuff from working out of the box.
- ... and much more
Secondly the GUI will be updated to support kerberos logins better:
- GDM will give hints as to how to log in with domain credentials (once configured).
- Automatically renew tickets when possible and/or reprompt for credentials when they expire.
Thirdly, and equally important, we streamline the enrollment process for joining a machine to an Active Directory domain. It is necessary to enroll a machine in order to perform domain logins securely. In the process we also ease configuration of IPA kerberos domains. In these streamlined setups we auto-discover all necessary configuration parameters; only a domain name is needed.
Gnome Control Center will be updated to allow configuring logins for Active Directory users from the GUI. Firstboot and/or Initial Setup will be modified to allow setup of Active Directory logins. New command line tools will also be available to drive this streamlined enrollment process.
The above streamlined setup is driven by a D-Bus system service called realmd started on demand. This service allows multiple providers (such as winbind or sssd). It is also an upstream project and not just Red Hat specific.
Benefit to Fedora
- Fedora will be simple to use on an Active Directory domain or IPA realm. This will increase its appeal among enterprise admins and users.
- By using SSSD we will have reliable offline usage (eg: laptop) for users logging in with a kerberos login.
- Most of these changes and fixes will increase reliability and ease usage for all kerberos realms, not just Active Directory. We simply target Active Directory as the main use case as it's by far the most widely deployed kerberos server.
- Most current kerberos users have configured pam_krb5, which is trivially hackable by anyone with access to the network. By using SSSD and enrolling the machine correctly, we will increase security for these users.
This is a large change which touches many packages. There are many people on board with this effort and are already working hard to make this stuff happen, most in upstream projects.
- Many many bug fixes (of which many have already been fixed upstream as a result of this effort).
- SSSD will gain support for Active Directory (already in progress).
- Firstboot modifications to integrate realmd and streamlined setup.
- GNOME control-center modifications to integrate use of kerberos and its configuration. (done)
- GDM modifications to integrate use of kerberos accounts.
- Complete work on realmd for streamlined setup (much already done).
- Package realmd (done)
How To Test
To perform testing one will need to have an Active Directory domain or IPA realm accessible to you. You'll need a user account on that domain. To enroll your machine you'll probably need administrative credentials for the domain (or assistance from an administrator of the domain).
It's easy to create an Active Directory domain for your own use in a virtual machine: http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html
The goal is for this stuff to work out of the box. Necessary packages should either already be installed, or should be installed for you while enrolling the machine.
Here's what's testable so far:
- Go to the user panel, click on the [+] button underneath the list of users.
- You should see a tab/button called 'Enterprise Logins'.
- Type your Active Directory domain name, and user credentials in the boxes provided.
- If your user does not have access to enroll a machine in the domain, administrative credentials should be prompted for.
- The user should appear in the list of users in the user panel, and should be able to log in.
- Use the following commands to discover, enroll and unenroll a machine from the domain. These should be usable as a non-admin account, and should prompt for polkit access as necessary:
$ realm discover -v my.domain.example.com $ realm join -v my.domain.example.com $ realm leave -v my.domain.example.com
- The following command lists the discovered/enrolled realms. It also lists the login format for users in a domain/realm.
$ realm list
- Use the following command to see if a domain user is visible:
$ getent passwd 'DOMAIN\User'
At this point the IPA support is still a work in progress, but should be ready shortly.
Admins and users will see a simplified experience for configuring kerberos when running Fedora install. Users will see simple options for using domain logins in the control center. Users who have configured kerberos logins will see hints during login for how to use their domain credentials. They will be re-prompted as necessary for expiring credentials.
Stef recently posted a number of screenshots of the new account setup dialogs.
But above all, the goal here is to not have unnecessary "user experience" and to have stuff just work.
There are dependencies in at least the following:
Because this feature is about integration it touches a large amount of packages. We've been proactive in making sure to work with upstream projects.
New modules that need to be packaged:
- The myriad of kerberos related bug fixes stand on their own. And are being merged as completed.
- The GNOME changes will disable themselves at run time should the underlying supporting infrastructure not be ready.
- If SSSD Active Directory changes are not ready in time, realmd can configure Winbind instead.
- Design of the GNOME feature is ongoing and can be seen here, here, and here.
- The GNOME side of this feature is tracked here
- More documentation is forthcoming.
- Documentation for GNOME 3.6 will include notes about this feature when its merged.
- Other release notes will be forthcoming.