13:27:51 #startmeeting
13:27:51 Meeting started Wed Aug 3 13:27:51 2016 UTC. The chair is nardasev. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:27:51 Useful Commands: #action #agreed #halp #info #idea #link #topic.
13:27:51 The meeting name has been set to ''
13:28:08 #meetingname flock2016
13:28:08 The meeting name has been set to 'flock2016'
13:29:54 we have 50 slides, so we are going to fly
13:30:00 first part will be technical
13:30:08 there is life behind GDM
13:31:17 roughly 1 year ago we gave a talk to show a relatively small effort to produce something that makes Fedora (and other Linux distros) reasonably usable in corporate environments
13:31:42 our life is effectively a life of split identity. You need to have access to all those identities at the same time.
13:32:06 Enterprise desktop is a client enrolled to a centralized identity mgmt system
13:32:16 it's a tool to perform a business task
13:32:26 it's subject to centrally defined access controls
13:32:34 Identity management system
13:33:04 there are now several free software mgmt systems with the focus on managing operating systems' environments
13:33:28 FreeIPA, Samba AD, many other LDAP + Kerberos based projects
13:33:58 we're working with Samba upstream at fixing remaining MIT Kerberos compatibility issues and provide Samba AD latest in Fedora 26
13:34:02 then the fun can begin
13:34:12 and people can start using it and sending complaints
13:34:18 Enterprise desktop agents:
13:34:45 identity servers: POSIX attributes for users and groups via NSSWITCH
13:34:57 authentication services: login using PAM services
13:35:01 web authentication
13:35:27 Fedora and FreeIPA: FreeIPA client uses SSSD as an agent
13:35:49 nss_sss is referenced in /etc/nsswitch.conf on Fedora by default
13:36:02 pam_sss use is configured in most PAM configurations
13:36:22 ^that is BS
13:36:24 sorry
13:36:44 SUDO is configured to look up SUDO rules in FreeIPA
13:37:01 there is no Samba AD in Fedora yet, there is one in Copr
13:37:08 you can be a client to Samba AD
13:37:18 you can have 2 different combinations
13:37:27 pure Samba or a hybrid
13:37:46 that was all behind the scenes; what would the user see?
13:37:55 we need some metric to see if we're successful
13:38:07 talking about single sign-on on desktops
13:38:19 let's use passwords as metrics
13:38:37 if you reboot a machine, and you put a prompt to the machine to decrypt your hard drive
13:38:51 you sign in to a local account and sign in to VPN
13:39:16 then you get Kerberos authentications
13:39:33 how far are we from
13:39:49 let's try to log in (video)
13:41:11 FreeIPA server runs Kerberos proxy, which effectively tunnels requests for Kerberos
13:41:35 SSSD handles login and Kerberos keys
13:41:53 it was developed by Microsoft to solve their own problems
13:42:55 VPN and Kerberos
13:43:01 OpenVPN doesn't support Kerberos
13:43:51 OpenVPN doesn't support GSSAPI negotiation
13:44:06 that is on todo list since 2005, but ignored by upstream
13:44:36 if you have a VPN, good, but you want to have assurance that people are not misusing the tickets
13:44:57 FreeOTP is a solution
13:46:41 how does it work? continues the video
13:49:18 you get a random password
13:50:48 credentials were entered only once
13:52:15 if Kerberos credentials are available, what can we do with them?
13:52:31 authenticate with GSSAPI against almost anything
13:52:46 obtain SAML assertion for other web services (and more)
13:53:04 Authenticate with GSSAPI
13:53:24 GSSAPI support is no more, depends on libsoup support
13:53:38 libsoup has been dragging since 2009 (bug)
13:53:42 *dragging
13:54:10 WebkitGtk is useless for SAML/OAuth2 interactions involving Kerberos
13:54:31 one cannot use Google apps with GSSAPI in GNOME Online Accounts
13:54:55 recently, there was some movement on this
13:55:09 (video again)
13:57:19 Tomas Popela, David Woodhouse, and Guido Guenther worked to fix libsoup and WebkitGtk
13:57:30 we logged into my FreeIPA server's UI
13:57:49 the code is in GNOME 3.20 (March 2016) and is in Fedora 24
13:58:18 why is all this important? WebkitGtk and libsoup are used by many applications
13:58:46 it will let us mount Kerberos-authenticated Nextcloud storages in Nautilus
13:59:26 there is some protocol miscommunication
14:00:16 we are effectively forced and moving ourselves through social network integrations by passwords
14:01:08 running a browser before logon?
14:01:24 yes, effectively, a sandbox with a locked-down web engine
14:01:42 but network profile (access point) needs to be selected first
14:01:58 this means NetworkManager has to run before logon
14:02:23 this means NetworkManager needs to access user-specific data before logon
14:02:38 a complete re-arrangement of logon UX
14:02:44 down the rabbit hole...
14:03:00 anything for users, not admins?
14:03:11 single sign-on to Google apps
14:04:37 logging into Google using your own identity provider
14:05:11 what happens if you don't have Kerberos credentials?
14:05:46 single sign-on is the primary feature
14:05:53 Visualize
14:06:18 GNOME Online Accounts could show Kerberos ticket properties
14:06:38 you can force renew a lot of tickets
14:09:43 the renewal part is quite complicated
14:09:51 better Kerberos in browsers
14:10:04 people at Red Hat work on Firefox
14:10:13 Firefox Kerberos setup is not nice
14:10:24 needs about:config manipulation
14:11:04 DNS domains associated with Kerberos realm could be discovered via DNS SRV records, prompted for confirmation once
14:11:24 FreeIPA used to provide an extension to automate Firefox setup
14:11:52 extension was generated locally for each FreeIPA deployment to provide configuration details
14:12:28 not anymore: Fedora removed ability to provide non-publicly available extensions since version 43
14:12:46 there are about a dozen bugs related to GSSAPI support in Firefox
14:12:59 Chromium/Chrome
14:13:40 have bugs for processing of WWW-Authenticate: Negotiate when Kerberos credentials are not available
14:14:12 on Linux only allows to configure Kerberos use through command line or statically system-wide, poor user experience
14:15:01 a fixed libsoup/WebkitGtk allows to always use GSSAPI if server advertises WWW-Authenticate: Negotiate over HTTPS
14:15:12 no need to configure anything in Epiphany
14:15:44 could be further confined with a user confirmation similar to how passwords are managed at the first logon
14:17:46 GSSAPI flow is synchronous, needs better UI interaction to avoid hogging down other tabs
14:17:58 still major issue for many browsers
14:18:16 bug #890908 is finally fixed in Firefox
14:18:46 will be in Firefox 49, it is in Fedora firefox-48.0-2.fc24
14:18:55 any practical use of it?
14:19:00 video
14:19:13 single sign-on at home
14:21:14 we have support in GNOME 3.20
14:21:29 SAML flow was supposed to happen in browser
14:22:26 *SAML
14:22:36 very very enterprisey
14:25:48 what about disk encryption?
14:26:00 how to get rid of entering password at boot time?
14:26:40 video
14:28:18 a data center at home
14:29:05 benefits? control your own infrastructure
14:29:25 improve user experience by reducing number of password/logon interactions
14:29:27 profit?
14:30:02 #endmeeting