#fedora-flock-canaletto log

13:27:51 <nardasev> #startmeeting <Progress on Enterprise Fedora Desktop>
13:27:51 <zodbot> Meeting started Wed Aug  3 13:27:51 2016 UTC.  The chair is nardasev. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:27:51 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
13:27:51 <zodbot> The meeting name has been set to '<progress_on_enterprise_fedora_desktop>'
13:28:08 <nardasev> #meetingname flock2016
13:28:08 <zodbot> The meeting name has been set to 'flock2016'
13:29:54 <nardasev> we have 50 slides, so we are going to fly
13:30:00 <nardasev> first part will be technical
13:30:08 <nardasev> there is life behind GDM
13:31:17 <nardasev> roughly 1 year ago we gave a talk to show a relatively small effort to produce something that makes Fedora (and other Linux distros) reasonably usable in corporate environments
13:31:42 <nardasev> our life is effectively a life of split identity. You need to have access to all those identities at the same time.
13:32:06 <nardasev> Enterprise desktop is a client enrolled to a centralized identity mgmt system
13:32:16 <nardasev> it's a tool to perform a business task
13:32:26 <nardasev> it's a subject to centrally defined access controls
13:32:34 <nardasev> Identity management system
13:33:04 <nardasev> there are now several free software mgmt systems with the focus on managing operating systems' environments
13:33:28 <nardasev> FreeIPA, Samba AD, many other LDAP + Kerberos based projects
13:33:58 <nardasev> we're working with Samba upstream at fixing remaining MIT kerberos compatibility issues and provide Samba AD latest in fedora 26
13:34:02 <nardasev> then the fun can beign
13:34:12 <nardasev> and people can start using it and sending complaints
13:34:18 <nardasev> Enterprise desktop agents:
13:34:45 <nardasev> identity servers: POSIX attributes for users and groups via NSSWITCH
13:34:57 <nardasev> authentication services: login using PAM services
13:35:01 <nardasev> web authentication
13:35:27 <nardasev> Fedora and FreeIPA: FreeIPA client uses SSSD as an agent
13:35:49 <nardasev> nss_nss is referenced in /etc/nsswitch.conf on Fedora by default
13:36:02 <nardasev> pam_sss use is configured to most PAM configurations
13:36:22 <nardasev> ^that is BS
13:36:24 <nardasev> sorry
13:36:44 <nardasev> SUDO is configured to look up SUDO rules in FreeIPA
13:37:01 <nardasev> there is no Samba AD in Fedora yet, there is one in Copr
13:37:08 <nardasev> you can be a client to Samba AD
13:37:18 <nardasev> you can have 2 different combinations
13:37:27 <nardasev> pure Samba or a hybrid
13:37:46 <nardasev> that was all behind the scenes; what would the user see?
13:37:55 <nardasev> we need some metric to see if we're successful
13:38:07 <nardasev> talking about single sing on on desktops
13:38:19 <nardasev> let's use passwords as metrics
13:38:37 <nardasev> if you reboot a machine, and you put a prompt to the machine to decrypt your harddrive
13:38:51 <nardasev> you sign in a local account and sign in to VPN
13:39:16 <nardasev> then you get Kerberos authentications
13:39:33 <nardasev> how far are we from
13:39:49 <nardasev> let's try to log in (video)
13:41:11 <nardasev> FreeIPA server server runs Kerberos proxy, which effectively tunnels requests for kerberos
13:41:35 <nardasev> SSSD handles login and Kerberos keys
13:41:53 <nardasev> it was developed by microsoft to solve their own problems
13:42:55 <nardasev> VPN and Kerberos
13:43:01 <nardasev> open VPN doesn't support kerberos
13:43:51 <nardasev> open vpn doesn't support gssapi negotiation
13:44:06 <nardasev> that is on todo list since 2005, but ignored by upstream
13:44:36 <nardasev> if you have a VPN, good, but you want to have assurance that people are not misuse the tickets
13:44:57 <nardasev> FreeOTP is a solution
13:46:41 <nardasev> how does it work? continues the video
13:49:18 <nardasev> you get a random password
13:50:48 <nardasev> credentials were entered only once
13:52:15 <nardasev> if kerberos credential are available, what can we do with them?
13:52:31 <nardasev> authenticate with GSSAPI against almost anything
13:52:46 <nardasev> obtain SAMP assertion for other web services (and more)
13:53:04 <nardasev> Authenticate with GSSAPI
13:53:24 <nardasev> GSSAPI support is no more, depends on libsoup support
13:53:38 <nardasev> libsoup has been draging since 2009 (bug)
13:53:42 <nardasev> *dragging
13:54:10 <nardasev> WebkitGtk is useless for SAMP/OAuth2 interactions involving Kerberos
13:54:31 <nardasev> one cannot use Google apps with GSSAPI in Gnome Online accounts
13:54:55 <nardasev> recently, there was some movement on this
13:55:09 <nardasev> (video again)
13:57:19 <nardasev> Tomas Popela, David Woodhouse, and Guido Guenther worked to fix libsoup and WebkitGtk
13:57:30 <nardasev> we looged into my FreeIPA server's UI
13:57:49 <nardasev> the code is in GNOME 3.20 (March 2016) and is in Fedora 24
13:58:18 <nardasev> why is all this important? WebkitGtk and libsoup are used by many application
13:58:46 <nardasev> it will let us mount Kerberos-authentication Nextcloud storages in Nautilus
13:59:26 <nardasev> there is some protocol mis communication
14:00:16 <nardasev> we are effectively forced an moving ourselves though social network integrations by passwords
14:01:08 <nardasev> running a browser before logon?
14:01:24 <nardasev> yes, effectively, a sandbox with a locked-down web engine
14:01:42 <nardasev> but network profile (access point) needs to be selected first
14:01:58 <nardasev> this means Network Manager has to run before logon
14:02:23 <nardasev> this means Network manager needs to access user-specific data before logon
14:02:38 <nardasev> a complete re-arrangement of logon UX
14:02:44 <nardasev> down the rabbit hole...
14:03:00 <nardasev> anything for users, not admins?
14:03:11 <nardasev> single sign-on to Google apps
14:04:37 <nardasev> logging into Google using your own identity provider
14:05:11 <nardasev> what happens if you don't have kerberos credentials?
14:05:46 <nardasev> single sign-on is the primary feature
14:05:53 <nardasev> Visualize
14:06:18 <nardasev> GNOME online accounts could show Kerberos ticket properties
14:06:38 <nardasev> you can force renew a lot of tickets
14:09:43 <nardasev> the renewal part is quite complicated
14:09:51 <nardasev> better kerberos in browsers
14:10:04 <nardasev> people at red hat work on firefox
14:10:13 <nardasev> firefox kerberos setup is not nice
14:10:24 <nardasev> needs about:config manipulation
14:11:04 <nardasev> DNS domains associated with Kerberos realm could be discovered via DNS SRV records, prompted for confirmation once
14:11:24 <nardasev> FreeIPA used to provide an extension to automate Firefox setup
14:11:52 <nardasev> extension was generated locally for each FreeIPA deployment to provide configuration details
14:12:28 <nardasev> not anymore: Fedora removed ability to provide non-publicly available extensions since version 43
14:12:46 <nardasev> there are about dozen bugs related to GSSAPI support in Firefox
14:12:59 <nardasev> Chromium/Chrome
14:13:40 <nardasev> have bugs for processing of WWW-Autenticate: Negotiate when Kerberos credentials are not available
14:14:12 <nardasev> on Linux only allows to configure Kerberos use through command line or statically system-wide, poor user experience
14:15:01 <nardasev> a fixed libsoup/WebkitGtk allows to always use GSSAPI if server advertises WWW-Authenticate: Negotiate over HTTPS
14:15:12 <nardasev> no need to configure anything in Epiphany
14:15:44 <nardasev> could be further confined with a user confirmation similar to how passwords are managed at the first logon
14:17:46 <nardasev> GSSAPI flow is synchronous, needs better UI interaction to avoid hogging down other tabs
14:17:58 <nardasev> still major issue for many browsers
14:18:16 <nardasev> bug #890908 is finally fixed in Firefox
14:18:46 <nardasev> will be in Firefox 49, it is in Fedora firefox -48.0-2.fc24
14:18:55 <nardasev> any practical use of it?
14:19:00 <nardasev> video
14:19:13 <nardasev> single sign-on at home
14:21:14 <nardasev> we have support in gnome 3.20
14:21:29 <nardasev> SAMP flow was supposed to happen in browser
14:22:26 <nardasev> *SAML
14:22:36 <nardasev> very very enterprisey
14:25:48 <nardasev> what about disk encryption?
14:26:00 <nardasev> how to get rid of entering password at boot time?
14:26:40 <nardasev> video
14:28:18 <nardasev> a data center at home
14:29:05 <nardasev> benefits? control your own infrastructure
14:29:25 <nardasev> improve user experience by reducing number of password/logon interactions
14:29:27 <nardasev> profit?
14:30:02 <nardasev> #endmeeting