GNOME Bugzilla – Bug 686410
Don't enroll the machine in gnome-online-accounts
Last modified: 2012-10-22 03:52:36 UTC
Why are we enrolling the machine in an AD domain in gnome-online-accounts? This doesn't make sense? You would only do this if you are setting up local logins for the accounts, and this is what the user panel does. There is no reason to enroll the machine if you are using kerberos for anything other than login. If you want to use realmd for discovering kerberos realms that's fine. Just make sure to call ofr.Service.Release() from goa-daemon, so that realmd isn't running all the time.
Created attachment 226775 [details] [review]
identity: Don't enroll machine

It's not necessary or desirable to enroll the machine for using domain accounts locally when setting up a kerberos identity.
That's an untested, initial rough patch. I'll file another bug about the use of realmd.
Thought I was supposed to for weird Active-Directory-y-y reasons
Joining a machine to a directory/realm (like AD) is for two reasons:
* You want to use directory authentication to log into the local machine.
* You want to provide services to other directory users from the machine.
Neither of these is true for the use cases of gnome-online-accounts. In addition, we'll probably move to a you-can-only-be-joined-to-one-kerberos-realm-at-a-time model in the future (similar to Windows). So joining machines to domains all over the place isn't good.
Alright, as long as we can still get CIFS tickets etc.
Yup. Here's a test case for that, without enrolling: https://fedoraproject.org/wiki/QA:Testcase_Active_Directory_gvfs I haven't tested the patch. Is this something you want to get into 3.6.x? If so I'll try to get on it.
Nah, I'm going to have the patient open to deal with bug 686382 soon anyway, so I'll try out your patch then.
Looks good. Attachment 226775 [details] pushed as c11a079 - identity: Don't enroll machine