(→Current status: Updated the current status) |
(Updated for current status) |
||
(One intermediate revision by the same user not shown) | |||
Line 15: | Line 15: | ||
* Targeted release: [[Releases/18 | Fedora 18 ]] | * Targeted release: [[Releases/18 | Fedora 18 ]] | ||
* Last updated: 2012- | * Last updated: 2012-10-09 | ||
* Percentage of completion: | * Percentage of completion: 100% | ||
realmd packages are available in rawhide, and the control-center support for using it is included in GNOME 3. | realmd packages are available in rawhide, and the control-center support for using it is included in GNOME 3.6. The command line realm command is complete, and sssd integration is working. Documentation and manuals have been written. | ||
There's testing and bug fixing going on. | |||
Automatic hands-free enrollment is in an initial alpha phase, and not completely stable for this release. Kickstart integration is in a future release. Initial-setup and firstboot (or anaconda gui integration) is going to be in a future release. | |||
== Detailed Description == | == Detailed Description == | ||
Line 31: | Line 31: | ||
* Allow configurationless kerberos. Remove /etc/krb5.conf file requirement, and unbreak defaults. | * Allow configurationless kerberos. Remove /etc/krb5.conf file requirement, and unbreak defaults. | ||
* Remove NTP time syncing requirement for kerberos clients. | * Remove NTP time syncing requirement for kerberos clients. (future release) | ||
* Correctly show kerberos password change policy messages. | * Correctly show kerberos password change policy messages. (future release) | ||
* Respect kerberos password policy for kerberos accounts instead of local policy. | * Respect kerberos password policy for kerberos accounts instead of local policy. | ||
* Make SSSD work with Active Directory domains without modifications to those domains. | * Make SSSD work with Active Directory domains without modifications to those domains. | ||
Line 46: | Line 46: | ||
Thirdly, and equally important, we streamline the enrollment process for joining a machine to an Active Directory domain. It is necessary to enroll a machine in order to perform domain logins securely. In the process we also ease configuration of IPA kerberos domains. In these streamlined setups we auto-discover all necessary configuration parameters; only a domain name is needed. | Thirdly, and equally important, we streamline the enrollment process for joining a machine to an Active Directory domain. It is necessary to enroll a machine in order to perform domain logins securely. In the process we also ease configuration of IPA kerberos domains. In these streamlined setups we auto-discover all necessary configuration parameters; only a domain name is needed. | ||
Gnome Control Center will be updated to allow configuring logins for Active Directory users from the GUI. Firstboot and/or Initial Setup will be modified to allow setup of Active Directory logins. | Gnome Control Center will be updated to allow configuring logins for Active Directory users from the GUI. New command line tools will also be available to drive this streamlined enrollment process. | ||
Firstboot and/or Initial Setup will be modified to allow setup of Active Directory logins. (future release). | |||
The above streamlined setup is driven by a D-Bus system service called realmd started on demand. This service allows multiple providers (such as winbind or sssd). It is also an upstream project and not just Red Hat specific. | The above streamlined setup is driven by a D-Bus system service called realmd started on demand. This service allows multiple providers (such as winbind or sssd). It is also an upstream project and not just Red Hat specific. | ||
Line 63: | Line 65: | ||
* Many many bug fixes (of which many have already been fixed upstream as a result of this effort). | * Many many bug fixes (of which many have already been fixed upstream as a result of this effort). | ||
* SSSD will gain support for Active Directory (already in progress). | * SSSD will gain support for Active Directory (already in progress). | ||
* GNOME control-center modifications to integrate use of kerberos and its configuration. (done) | * GNOME control-center modifications to integrate use of kerberos and its configuration. (done) | ||
* GDM modifications to integrate use of kerberos accounts. | * GDM modifications to integrate use of kerberos accounts. | ||
Line 73: | Line 74: | ||
To perform testing one will need to have an Active Directory domain or IPA realm accessible to you. You'll need a user account on that domain. To enroll your machine you'll probably need administrative credentials for the domain (or assistance from an administrator of the domain). | To perform testing one will need to have an Active Directory domain or IPA realm accessible to you. You'll need a user account on that domain. To enroll your machine you'll probably need administrative credentials for the domain (or assistance from an administrator of the domain). | ||
A document is available which details the testing: [[Features/ActiveDirectory/TestingRealmd]] | |||
== User Experience == | == User Experience == | ||
Admins and users will see a simplified experience for configuring | Admins and users will see a simplified experience for configuring Kerberos when running Fedora install. Users will see simple options for using domain logins in the control center. Users who have configured Kerberos logins will see hints during login for how to use their domain credentials. They will be re-prompted as necessary for expiring credentials. | ||
Stef recently posted a number of [http://stef.thewalter.net/2012/06/kerberos-and-active-directory-logins.html screenshots] of the new account setup dialogs. | Stef recently posted a number of [http://stef.thewalter.net/2012/06/kerberos-and-active-directory-logins.html screenshots] of the new account setup dialogs. | ||
Line 125: | Line 95: | ||
* gnome-control-center | * gnome-control-center | ||
* gnome-session | * gnome-session | ||
Because this feature is about integration it touches a large amount of packages. We've been proactive in making sure to work with upstream projects. | Because this feature is about integration it touches a large amount of packages. We've been proactive in making sure to work with upstream projects. | ||
New modules that | New modules that have been packaged: | ||
* | * realmd | ||
* adcli | |||
== Contingency Plan == | == Contingency Plan == | ||
* The myriad of kerberos related bug fixes stand on their own. And are being merged as completed. | * The myriad of kerberos related bug fixes stand on their own. And are being merged as completed. Some of these will be in Fedora 19. | ||
* The GNOME changes | * The GNOME changes hav ebeen merged. | ||
* | * Certain corner cases in SSSD have been punted to Fedora 19. | ||
== Documentation == | == Documentation == | ||
* realmd documentation: http://www.freedesktop.org/software/realmd/docs/index.html | |||
* Design of the GNOME feature is ongoing and can be seen [http://live.gnome.org/Design/Proposals/UserIdentities here], [http://live.gnome.org/StefWalter/Scratch/JoiningDirectory here], and [http://live.gnome.org/StefWalter/Scratch/DirectoryLogin here]. | * Design of the GNOME feature is ongoing and can be seen [http://live.gnome.org/Design/Proposals/UserIdentities here], [http://live.gnome.org/StefWalter/Scratch/JoiningDirectory here], and [http://live.gnome.org/StefWalter/Scratch/DirectoryLogin here]. | ||
* The GNOME side of this feature is tracked [http://live.gnome.org/ThreePointFive/Features/UserPanel here] | * The GNOME side of this feature is tracked [http://live.gnome.org/ThreePointFive/Features/UserPanel here] | ||
== Release Notes == | == Release Notes == |
Latest revision as of 18:02, 10 October 2012
Active Directory
Summary
Fedora should be able to be used on an Active Directory domain (or other kerberos realms, such as IPA) out of the box. It should be easy to configure domain logins on a Fedora machine, and then it should be intuitive and uneventful to login with those credentials.
This feature will also increase reliability and ease usage for any Kerberos realm, not just Active Directory. We do however target Active Directory as the main use case: it's by far the most widely deployed Kerberos realm and directory.
Owner
- Name: Stef Walter
- Email: stefw@redhat.com
Current status
- Targeted release: Fedora 18
- Last updated: 2012-10-09
- Percentage of completion: 100%
realmd packages are available in rawhide, and the control-center support for using it is included in GNOME 3.6. The command line realm command is complete, and sssd integration is working. Documentation and manuals have been written.
There's testing and bug fixing going on.
Automatic hands-free enrollment is in an initial alpha phase, and not completely stable for this release. Kickstart integration is in a future release. Initial-setup and firstboot (or anaconda gui integration) is going to be in a future release.
Detailed Description
Fedora should work out of the box in an Active Directory environment. Currently Fedora contains packages for many tools to accomplish this, but it takes a lot of pain to get all aspects working correctly. It's also easy to make mistakes that undermine the security of your system.
First of all this feature fixes bugs and tough spots present in kerberos libraries, sssd, authconfig, openldap, samba, winbind and other packages. We also remove configuration headaches. Some examples outlined here, more details available on request:
- Allow configurationless kerberos. Remove /etc/krb5.conf file requirement, and unbreak defaults.
- Remove NTP time syncing requirement for kerberos clients. (future release)
- Correctly show kerberos password change policy messages. (future release)
- Respect kerberos password policy for kerberos accounts instead of local policy.
- Make SSSD work with Active Directory domains without modifications to those domains.
- Fix authconfig so it doesn't break config files.
- Fix SELinux policies so which prevent this stuff from working out of the box.
- ... and much more
Secondly the GUI will be updated to support kerberos logins better:
- GDM will give hints as to how to log in with domain credentials (once configured).
- Automatically renew tickets when possible and/or reprompt for credentials when they expire.
Thirdly, and equally important, we streamline the enrollment process for joining a machine to an Active Directory domain. It is necessary to enroll a machine in order to perform domain logins securely. In the process we also ease configuration of IPA kerberos domains. In these streamlined setups we auto-discover all necessary configuration parameters; only a domain name is needed.
Gnome Control Center will be updated to allow configuring logins for Active Directory users from the GUI. New command line tools will also be available to drive this streamlined enrollment process.
Firstboot and/or Initial Setup will be modified to allow setup of Active Directory logins. (future release).
The above streamlined setup is driven by a D-Bus system service called realmd started on demand. This service allows multiple providers (such as winbind or sssd). It is also an upstream project and not just Red Hat specific.
Benefit to Fedora
- Fedora will be simple to use on an Active Directory domain or IPA realm. This will increase its appeal among enterprise admins and users.
- By using SSSD we will have reliable offline usage (eg: laptop) for users logging in with a kerberos login.
- Most of these changes and fixes will increase reliability and ease usage for all kerberos realms, not just Active Directory. We simply target Active Directory as the main use case as it's by far the most widely deployed kerberos server.
- Most current kerberos users have configured pam_krb5, which is trivially hackable by anyone with access to the network. By using SSSD and enrolling the machine correctly, we will increase security for these users.
Scope
This is a large change which touches many packages. There are many people on board with this effort and are already working hard to make this stuff happen, most in upstream projects.
- Many many bug fixes (of which many have already been fixed upstream as a result of this effort).
- SSSD will gain support for Active Directory (already in progress).
- GNOME control-center modifications to integrate use of kerberos and its configuration. (done)
- GDM modifications to integrate use of kerberos accounts.
- Complete work on realmd for streamlined setup (much already done).
- Package realmd (done)
How To Test
To perform testing one will need to have an Active Directory domain or IPA realm accessible to you. You'll need a user account on that domain. To enroll your machine you'll probably need administrative credentials for the domain (or assistance from an administrator of the domain).
A document is available which details the testing: Features/ActiveDirectory/TestingRealmd
User Experience
Admins and users will see a simplified experience for configuring Kerberos when running Fedora install. Users will see simple options for using domain logins in the control center. Users who have configured Kerberos logins will see hints during login for how to use their domain credentials. They will be re-prompted as necessary for expiring credentials.
Stef recently posted a number of screenshots of the new account setup dialogs.
But above all, the goal here is to not have unnecessary "user experience" and to have stuff just work.
Dependencies
There are dependencies in at least the following:
- krb5-libs
- sssd
- samba
- samba-winbind
- gdm
- gnome-control-center
- gnome-session
Because this feature is about integration it touches a large amount of packages. We've been proactive in making sure to work with upstream projects.
New modules that have been packaged:
* realmd * adcli
Contingency Plan
- The myriad of kerberos related bug fixes stand on their own. And are being merged as completed. Some of these will be in Fedora 19.
- The GNOME changes hav ebeen merged.
- Certain corner cases in SSSD have been punted to Fedora 19.
Documentation
- realmd documentation: http://www.freedesktop.org/software/realmd/docs/index.html
- Design of the GNOME feature is ongoing and can be seen here, here, and here.
- The GNOME side of this feature is tracked here
Release Notes
- Documentation for GNOME 3.6 will include notes about this feature when its merged.
- Other release notes will be forthcoming.