GNOME Bugzilla – Bug 679253
Support Kerberos identities
Last modified: 2012-08-20 23:29:29 UTC
After some recent design review, we've come to the conclusion that the secondary Kerberos identities are better off in the online-accounts panel than in the user panel. See https://live.gnome.org/ThreePointFive/Features/UserPanel

Ray is working on the provider for this. We also need an icon to represent Kerberos identities in the list.
Is there any other known logo apart from the one on http://web.mit.edu/kerberos/ ?
No, that seems to be it, with some slight variations: http://web.mit.edu/macdev/kerberos.html
Maybe we're creating false identities for certain services here. Neither Kerberos nor Exchange has a strong visual identity people recognize them by. While the "wired key" metaphor might work for Kerberos*, I'm thinking we might be better off without an icon for it (and possibly dropping Exchange too).

* https://github.com/gnome-design-team/gnome-icons/raw/master/sketch/kerberos.png
(In reply to comment #3)
> While the "wired key" metaphor might work for Kerberos*, I'm thinking we might
> be better off without an icon for it (and possibly dropping Exchange too).

dropping _the icon for_ Exchange, I hope...
> dropping _the icon for_ Exchange, I hope...

Yes.
exchange icon got dropped:

commit 8da4e35f6630546336ee83d6b9d83edb442f1760
Author: Debarshi Ray <debarshir@gnome.org>
Date:   Fri Aug 17 15:05:57 2012 +0200

    icons: Drop the Exchange icon

    See: https://bugzilla.gnome.org/679253#c3
Created attachment 221727 [details] [review]
Allow for transient, "non-permanent" accounts

One prerequisite for adding kerberos support to online accounts is for it to allow accounts to show up that weren't explicitly previously added by the user from control-center. For instance, if a user runs "kinit" they should still be able to see their kerberos tickets in the dialog, and even destroy the credentials and remove the account.

Of course these accounts have a lifetime limited to the current session. We don't want a user to unintentionally trigger permanent behavior by just doing a one off kinit.
Created attachment 221728 [details] [review]
Add new "Ticketing" interface

Kerberos is somewhat different from other providers in that it provides users the ability to gain access to arbitrary resources on the local network, not just a finite set of resources (such as Documents, Mail, Chat, etc). This ability is one of the main reasons Kerberos is used in enterprise deployments (so called Single Sign On).

This commit adds a new Ticketing interface to describe that ability.
Created attachment 221729 [details] [review]
daemon: Add kerberos renewal service

This commit adds an identity service whose purpose is to automatically renew expiring kerberos credentials, and to expose a mechanism over the bus to "kinit".

This service lays the groundwork for integrating a kerberos provider into gnome-online-accounts. A subsequent commit will add the provider itself.
Created attachment 221730 [details] [review]
goabackend: Add a kerberos provider

This commit adds a backend for kerberos. This combined with the previous commit allows users to automatically enroll secondary identities in Kerberos and ActiveDirectory deployments.
If we look here: https://live.gnome.org/Design/SystemSettings/OnlineAccounts it shows kerberos should be under Other (along with other site specific accounts). We don't yet have the other ones mentioned integrated, so for now I'm just putting Kerberos in the list with Google, Facebook, Yahoo, et al.

Right now, we have one slider:

Use for: Network Resources [on ⦀]

In the future we might be able to do something like

Use for: Network Resources |on ⦀|
         Files & Printers  |⦀ off|
         Contacts          |⦀ off|

will need experimentation.
Right now I use GCR for showing the password dialogs. This gives them the "system modal" look I think we probably want for kerberos, but its API doesn't allow for asking plain text questions. I may try tomorrow to drop the gcr and instead add a new shell api (can probably just generalize the polkit one with minor changes).
The realmd interfaces changed, this may need some updates.
Created attachment 221924 [details] [review]
Allow for transient, "non-permanent" accounts

One prerequisite for adding kerberos support to online accounts is for it to allow accounts to show up that weren't explicitly previously added by the user from control-center. For instance, if a user runs "kinit" they should still be able to see their kerberos tickets in the dialog, and even destroy the credentials and remove the account.

Of course these accounts have a lifetime limited to the current session. We don't want a user to unintentionally trigger permanent behavior by just doing a one off kinit.

Loosely based on work by Ray Strode
Created attachment 221925 [details] [review]
Add new "Ticketing" interface

Kerberos is somewhat different from other providers in that it provides users the ability to gain access to arbitrary resources on the local network, not just a finite set of resources (such as Documents, Mail, Chat, etc). This ability is one of the main reasons Kerberos is used in enterprise deployments (so called Single Sign On).

This commit adds a new Ticketing interface to describe that ability.
Created attachment 221926 [details] [review]
daemon: Add kerberos renewal service

This commit adds an identity service whose purpose is to automatically renew expiring kerberos credentials, and to expose a mechanism over the bus to "kinit".

This service lays the groundwork for integrating a kerberos provider into gnome-online-accounts. A subsequent commit will add the provider itself.

Some changes by Debarshi Ray
Created attachment 221927 [details] [review]
goabackend: Add a kerberos provider

This commit adds a backend for kerberos. This combined with the previous commit allows users to automatically enroll secondary identities in Kerberos and ActiveDirectory deployments.

Some changes by Debarshi Ray
I'm adding one change to GDM to make this feature work better.
Created attachment 221928 [details] [review]
worker: set KRB5CCNAME automatically if it's not already

Kerberos has some lame defaults that won't change for at least 6 months. For now, override the defaults. This is necessary for the gnome-online-accounts kerberos provider to work optimally.
Review of attachment 221926 [details] [review]:

woops, some scratch test code snuck into this.
Created attachment 221929 [details] [review]
daemon: Add kerberos renewal service

This commit adds an identity service whose purpose is to automatically renew expiring kerberos credentials, and to expose a mechanism over the bus to "kinit".

This service lays the groundwork for integrating a kerberos provider into gnome-online-accounts. A subsequent commit will add the provider itself.

Some changes by Debarshi Ray
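The renewal service described in the attachments above has to decide, per cached ticket, whether to renew, do nothing, or fall back to a fresh "kinit". The following is an added example of that decision logic, not code from the patches or from gnome-online-accounts: it parses constructed text shaped like MIT Kerberos `klist` output and applies the rule that a TGT can only be renewed while it is still valid and before its renew-until time. The timestamp layout, the cache path, the principal `alice@EXAMPLE.COM` and the 30-minute margin are all assumptions made for the example.

```python
"""Decide whether a cached Kerberos TGT should be renewed or re-obtained.

Added example, not code from the bug's patches or from gnome-online-accounts.
It parses the shape of MIT Kerberos `klist` output; the timestamp layout
(MM/DD/YYYY HH:MM:SS), cache path and principal below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import re

# Constructed sample resembling `klist` output for a renewable TGT.
SAMPLE_KLIST = """\
Ticket cache: FILE:/run/user/1000/krb5cc
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
08/17/2012 15:05:57  08/18/2012 01:05:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/24/2012 15:05:57
"""

# Same ticket, but issued without the RENEWABLE flag (no "renew until" line).
SAMPLE_NOT_RENEWABLE = SAMPLE_KLIST.replace(
    "\trenew until 08/24/2012 15:05:57\n", "")

TS_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
TS_FMT = "%m/%d/%Y %H:%M:%S"  # assumed klist timestamp format


@dataclass
class Tgt:
    cache: str
    principal: str
    starts: datetime
    expires: datetime
    renew_until: Optional[datetime]  # None when the TGT is not renewable


def parse_klist(text: str) -> Tgt:
    """Extract the ticket-granting ticket (krbtgt/...) from klist-style text."""
    cache = principal = ""
    starts = expires = renew_until = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif "krbtgt/" in line:
            stamps = TS_RE.findall(line)
            if len(stamps) != 2:
                raise ValueError("TGT line without start/expiry timestamps")
            starts, expires = (datetime.strptime(s, TS_FMT) for s in stamps)
            # The renewable lifetime, if any, is printed on the following line.
            if i + 1 < len(lines) and lines[i + 1].strip().startswith("renew until"):
                m = TS_RE.search(lines[i + 1])
                if m:
                    renew_until = datetime.strptime(m.group(0), TS_FMT)
    if starts is None or expires is None:
        raise ValueError("no krbtgt entry found in klist output")
    return Tgt(cache, principal, starts, expires, renew_until)


def plan_action(tgt: Tgt, now: datetime,
                margin: timedelta = timedelta(minutes=30)) -> str:
    """Return "ok", "renew" or "reinit" for the given moment.

    A TGT can only be renewed (kinit -R) while it is still valid and before
    its renew-until time, so a renewal daemon must act before expiry; once
    the ticket has expired, only a fresh kinit with the user's password helps.
    """
    if now >= tgt.expires:
        return "reinit"                      # too late to renew
    if tgt.expires - now > margin:
        return "ok"                          # plenty of lifetime left
    if tgt.renew_until is not None and tgt.renew_until > tgt.expires:
        return "renew"                       # renewal buys more lifetime
    return "reinit"                          # not renewable, or window gone


def decide(klist_text: str, now_iso: str) -> str:
    """Convenience wrapper: klist text plus an ISO-8601 timestamp for 'now'."""
    return plan_action(parse_klist(klist_text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    tgt = parse_klist(SAMPLE_KLIST)
    for when in ("2012-08-17T20:00:00", "2012-08-18T00:45:00", "2012-08-18T02:00:00"):
        print(when, tgt.principal, "->", decide(SAMPLE_KLIST, when))
```

The margin is what makes the service useful: checking only at the moment of expiry is too late, because the KDC refuses to renew an expired ticket, and a ticket issued without the renewable flag can never be extended, so the only remaining option there is to prompt the user again.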
I went through the wip/kerberos branch with Ray on IRC and after a few iterations and testing, it now works for me.
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.