Re: Enterprise Active Directory support question



On 22.02.2013 13:13, stefan skoglund(agj) wrote:
Mon 2013-02-11 at 09:52 +0000, David Woodhouse wrote:
On Mon, 2013-02-11 at 08:29 +0100, Stef Walter wrote:
In GNOME 3.6 Enterprise logins was introduced. This feature is very
attractive for enterprise deployments because it makes possible to
add GNOME workstations into Windows networks with Active Directory.
My understanding of this feature is that it only enables users to
log on to their GNOME workstations, so it doesn't enable them to use
the shared folders or network printers of their domains without logging
in again for every shared resource.

Well it should do those things. I know that the shared folders do
work. For example, we tested it in Fedora:

And automatic login with NTLM, and keeping a Kerberos TGT valid, are
both mostly solved problems too. Although we do need to dust that work
off and merge it.


With MIT Kerberos it is possible in /etc/krb5.conf to force checking of
the KDC but normally it means that the client process needs read access
to /etc/krb5.keytab which is only readable by root.

When you say 'MIT Kerberos' do you mean when using pam_krb5?

Which means that gnome-shell/gnome-screensaver can't check the
responding KDC when unlocking the session = a possibility of
KDC-spoofing.

Yes, that's why we use sssd to perform the authentication.

Any designs for this problem which don't require 'sssd'?

Sure. You can choose to use winbind to do authentication, even with the
GNOME Control Center integration. Configure it in /etc/realmd.conf

See: http://www.freedesktop.org/software/realmd/docs/guide-configuring.html

One possibility is to install, in a world-readable location, some other
ticket whose only use is to permit the screensaver to check KDC validity.

pam_krb5 at login time uses (I think) the host/<fqdn of client> ticket
to check KDC identity.

It's certainly possible to come up with ways to work around this for a
particular deployment.

But the real solution we're integrating and going after here is to use
sssd to do the authentication the "right way" in a centralized process
along with all the other capabilities that it provides.

Cheers,

Stef
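The three configuration knobs the thread talks around, written out as an added example (not taken from the thread, from realmd or from the GNOME project): the MIT Kerberos option that forces KDC validation in /etc/krb5.conf, the equivalent check done inside sssd's own privileged process, and the realmd setting that picks winbind instead of sssd for one realm. The realm EXAMPLE.COM / example.com is a placeholder.

```ini
# /etc/krb5.conf (added example; realm name is a placeholder)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Refuse the login if the freshly obtained TGT cannot be validated
    # against a key in the local keytab. This is the "force checking of
    # the KDC" setting; it is only effective when the authenticating
    # process can read /etc/krb5.keytab, which is root-only by default,
    # so a screensaver running as the user cannot perform the check.
    verify_ap_req_nofail = true

# /etc/sssd/sssd.conf (added example)
[domain/example.com]
    id_provider = ad
    auth_provider = ad
    # sssd validates the TGT with the host keytab from its own privileged
    # daemon, so gnome-shell/gnome-screensaver never needs keytab access
    # and a spoofed KDC is still detected on unlock.
    krb5_validate = True

# /etc/realmd.conf (added example; the per-realm section overrides the
# default client for that realm only)
[active-directory]
    default-client = sssd

[example.com]
    client-software = winbind
```

With `verify_ap_req_nofail` the keytab-access caveat from the thread applies to whichever process calls libkrb5; with sssd the validation moves into sssd's daemon, which is the point of the "centralized process" argument. The realmd fragment is only needed if you want winbind rather than sssd for a given realm; `realm join` then configures winbind instead.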


