13:27:51 <nardasev> #startmeeting <Progress on Enterprise Fedora Desktop>
13:27:51 <zodbot> Meeting started Wed Aug 3 13:27:51 2016 UTC. The chair is nardasev. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:27:51 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
13:27:51 <zodbot> The meeting name has been set to '<progress_on_enterprise_fedora_desktop>'
13:28:08 <nardasev> #meetingname flock2016
13:28:08 <zodbot> The meeting name has been set to 'flock2016'
13:29:54 <nardasev> we have 50 slides, so we are going to fly
13:30:00 <nardasev> first part will be technical
13:30:08 <nardasev> there is life behind GDM
13:31:17 <nardasev> roughly 1 year ago we gave a talk to show a relatively small effort to produce something that makes Fedora (and other Linux distros) reasonably usable in corporate environments
13:31:42 <nardasev> our life is effectively a life of split identity. You need to have access to all those identities at the same time.
13:32:06 <nardasev> Enterprise desktop is a client enrolled to a centralized identity mgmt system
13:32:16 <nardasev> it's a tool to perform a business task
13:32:26 <nardasev> it's subject to centrally defined access controls
13:32:34 <nardasev> Identity management system
13:33:04 <nardasev> there are now several free software mgmt systems with the focus on managing operating systems' environments
13:33:28 <nardasev> FreeIPA, Samba AD, many other LDAP + Kerberos based projects
13:33:58 <nardasev> we're working with Samba upstream on fixing remaining MIT Kerberos compatibility issues and providing Samba AD in Fedora 26 at the latest
13:34:02 <nardasev> then the fun can begin
13:34:12 <nardasev> and people can start using it and sending complaints
13:34:18 <nardasev> Enterprise desktop agents:
13:34:45 <nardasev> identity servers: POSIX attributes for users and groups via NSSWITCH
13:34:57 <nardasev> authentication services: login using PAM services
13:35:01 <nardasev> web authentication
13:35:27 <nardasev> Fedora and FreeIPA: FreeIPA client uses SSSD as an agent
13:35:49 <nardasev> nss_nss is referenced in /etc/nsswitch.conf on Fedora by default
13:36:02 <nardasev> pam_sss use is configured to most PAM configurations
13:36:22 <nardasev> ^that is BS
13:36:24 <nardasev> sorry
13:36:44 <nardasev> SUDO is configured to look up SUDO rules in FreeIPA
13:37:01 <nardasev> there is no Samba AD in Fedora yet, there is one in Copr
13:37:08 <nardasev> you can be a client to Samba AD
13:37:18 <nardasev> you can have 2 different combinations
13:37:27 <nardasev> pure Samba or a hybrid
13:37:46 <nardasev> that was all behind the scenes; what would the user see?
13:37:55 <nardasev> we need some metric to see if we're successful
13:38:07 <nardasev> talking about single sign-on on desktops
13:38:19 <nardasev> let's use passwords as metrics
13:38:37 <nardasev> if you reboot a machine, and you put a prompt to the machine to decrypt your hard drive
13:38:51 <nardasev> you sign in to a local account and sign in to VPN
13:39:16 <nardasev> then you get Kerberos authentications
13:39:33 <nardasev> how far are we from
13:39:49 <nardasev> let's try to log in (video)
13:41:11 <nardasev> FreeIPA server runs Kerberos proxy, which effectively tunnels requests for Kerberos
13:41:35 <nardasev> SSSD handles login and Kerberos keys
13:41:53 <nardasev> it was developed by Microsoft to solve their own problems
13:42:55 <nardasev> VPN and Kerberos
13:43:01 <nardasev> OpenVPN doesn't support Kerberos
13:43:51 <nardasev> OpenVPN doesn't support GSSAPI negotiation
13:44:06 <nardasev> that has been on the todo list since 2005, but ignored by upstream
13:44:36 <nardasev> if you have a VPN, good, but you want to have assurance that people are not misusing the tickets
13:44:57 <nardasev> FreeOTP is a solution
13:46:41 <nardasev> how does it work? continues the video
13:49:18 <nardasev> you get a random password
13:50:48 <nardasev> credentials were entered only once
13:52:15 <nardasev> if Kerberos credentials are available, what can we do with them?
13:52:31 <nardasev> authenticate with GSSAPI against almost anything
13:52:46 <nardasev> obtain SAML assertion for other web services (and more)
13:53:04 <nardasev> Authenticate with GSSAPI
13:53:24 <nardasev> GSSAPI support is no more, depends on libsoup support
13:53:38 <nardasev> libsoup has been draging since 2009 (bug)
13:53:42 <nardasev> *dragging
13:54:10 <nardasev> WebkitGtk is useless for SAML/OAuth2 interactions involving Kerberos
13:54:31 <nardasev> one cannot use Google apps with GSSAPI in GNOME Online Accounts
13:54:55 <nardasev> recently, there was some movement on this
13:55:09 <nardasev> (video again)
13:57:19 <nardasev> Tomas Popela, David Woodhouse, and Guido Guenther worked to fix libsoup and WebkitGtk
13:57:30 <nardasev> we logged into my FreeIPA server's UI
13:57:49 <nardasev> the code is in GNOME 3.20 (March 2016) and is in Fedora 24
13:58:18 <nardasev> why is all this important? WebkitGtk and libsoup are used by many applications
13:58:46 <nardasev> it will let us mount Kerberos-authenticated Nextcloud storages in Nautilus
13:59:26 <nardasev> there is some protocol miscommunication
14:00:16 <nardasev> we are effectively forced an moving ourselves through social network integrations by passwords
14:01:08 <nardasev> running a browser before logon?
14:01:24 <nardasev> yes, effectively, a sandbox with a locked-down web engine
14:01:42 <nardasev> but network profile (access point) needs to be selected first
14:01:58 <nardasev> this means NetworkManager has to run before logon
14:02:23 <nardasev> this means NetworkManager needs to access user-specific data before logon
14:02:38 <nardasev> a complete re-arrangement of logon UX
14:02:44 <nardasev> down the rabbit hole...
14:03:00 <nardasev> anything for users, not admins?
14:03:11 <nardasev> single sign-on to Google apps
14:04:37 <nardasev> logging into Google using your own identity provider
14:05:11 <nardasev> what happens if you don't have Kerberos credentials?
14:05:46 <nardasev> single sign-on is the primary feature
14:05:53 <nardasev> Visualize
14:06:18 <nardasev> GNOME Online Accounts could show Kerberos ticket properties
14:06:38 <nardasev> you can force renew a lot of tickets
14:09:43 <nardasev> the renewal part is quite complicated
14:09:51 <nardasev> better Kerberos in browsers
14:10:04 <nardasev> people at Red Hat work on Firefox
14:10:13 <nardasev> Firefox Kerberos setup is not nice
14:10:24 <nardasev> needs about:config manipulation
14:11:04 <nardasev> DNS domains associated with Kerberos realm could be discovered via DNS SRV records, prompted for confirmation once
14:11:24 <nardasev> FreeIPA used to provide an extension to automate Firefox setup
14:11:52 <nardasev> extension was generated locally for each FreeIPA deployment to provide configuration details
14:12:28 <nardasev> not anymore: Fedora removed ability to provide non-publicly available extensions since version 43
14:12:46 <nardasev> there are about a dozen bugs related to GSSAPI support in Firefox
14:12:59 <nardasev> Chromium/Chrome
14:13:40 <nardasev> have bugs for processing of WWW-Authenticate: Negotiate when Kerberos credentials are not available
14:14:12 <nardasev> on Linux only allows configuring Kerberos use through the command line or statically system-wide, poor user experience
14:15:01 <nardasev> a fixed libsoup/WebkitGtk allows always using GSSAPI if the server advertises WWW-Authenticate: Negotiate over HTTPS
14:15:12 <nardasev> no need to configure anything in Epiphany
14:15:44 <nardasev> could be further confined with a user confirmation similar to how passwords are managed at the first logon
14:17:46 <nardasev> GSSAPI flow is synchronous, needs better UI interaction to avoid hogging down other tabs
14:17:58 <nardasev> still a major issue for many browsers
14:18:16 <nardasev> bug #890908 is finally fixed in Firefox
14:18:46 <nardasev> will be in Firefox 49, it is in Fedora firefox-48.0-2.fc24
14:18:55 <nardasev> any practical use of it?
14:19:00 <nardasev> video
14:19:13 <nardasev> single sign-on at home
14:21:14 <nardasev> we have support in GNOME 3.20
14:21:29 <nardasev> SAMP flow was supposed to happen in browser
14:22:26 <nardasev> *SAML
14:22:36 <nardasev> very very enterprisey
14:25:48 <nardasev> what about disk encryption?
14:26:00 <nardasev> how to get rid of entering password at boot time?
14:26:40 <nardasev> video
14:28:18 <nardasev> a data center at home
14:29:05 <nardasev> benefits? control your own infrastructure
14:29:25 <nardasev> improve user experience by reducing number of password/logon interactions
14:29:27 <nardasev> profit?
14:30:02 <nardasev> #endmeeting