Kerberos authentication in GNOME Online Accounts

I have recently found out that GNOME Online Accounts now supports Kerberos authentication. I assume this might be interesting for many people who use GNOME in a corporate environment, so I decided to say a few words about it here.

The setup is as simple as it can get. You just add a new Kerberos account in GNOME Online Accounts and provide a domain name, your user name and a password. Then you see this:

[Screenshot: goa-kerberos]

Every time you boot your computer now, you will also receive a Kerberos ticket. Awesome!

Unfortunately, the world is not perfect, and neither is GNOME Online Accounts. So there are a few annoying problems:

  1. Your computer has to boot inside the company network. If you connect to the network afterwards, you will not receive the Kerberos ticket.
  2. You can’t use the ON-OFF slider to force a ticket retrieval, because GNOME Online Accounts crashes. So back to kinit in this case.

Let’s hope these problems will be ironed out in GNOME 3.8; currently it’s just a half-baked solution. But it’s definitely better than having nothing at all.


6 thoughts on “Kerberos authentication in GNOME Online Accounts”

  1. Tomas says:

    Unfortunately GNOME is just terrible. I switched to Fedora KDE spin and it is a lot better. I think KDE spin should become default Fedora desktop.

  2. Jeff Bastian says:

    SSSD can automatically get your ticket as soon as the corporate network is reachable, e.g., VPN is connected, and it’s desktop-agnostic.

    1. Can you be a bit more specific? A link to an easy-to-set-up tutorial perhaps?

      Where does SSSD store my Kerberos password (my Kerberos password is different than my local account password)?

      1. Jeff Bastian says:

        You won’t have a local account password anymore when you turn on SSSD.
        Instead SSSD will cache your Kerberos credentials and you’ll login with
        your Kerberos password all the time. SSSD will store your password in
        the kernel keyring so it’s pretty secure and then it will get a TGT from
        the Kerberos server as soon as it’s reachable.

        There’s a chapter in the Fedora docs on setting up SSSD:
        http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Setting_Up_SSSD.html

        Here’s my quick how-to:

        1. Configure SSSD by editing /etc/sssd/sssd.conf.
        In my example below I’m using LDAP + Kerberos.
        The key lines in the config are
        cache_credentials = True
        krb5_store_password_if_offline = True

        The cache_credentials line will keep a local cache of your password
        so you can login when disconnected from the corporate network.
        And krb5_store_password_if_offline will store your password in the
        kernel keyring as mentioned above.

        2. Turn on SSSD in /etc/nsswitch.conf, /etc/pam.d/* and such
        [root@localhost ~]# authconfig --enablesssd --enablesssdauth --updateall

        3. Enable SSSD
        [root@localhost ~]# systemctl enable sssd.service
        [root@localhost ~]# systemctl start sssd.service

        4. Remove your entries from /etc/{passwd,shadow,group,gshadow}

        5. Login! Be sure to do this at least once so the local cache can be
        populated with your Kerberos password.

        Example sssd.conf file
        ~~~~~~~~~~~~~~~~~~~~~~
        [sssd]
        config_file_version = 2
        reconnection_retries = 3
        sbus_timeout = 30
        services = nss, pam
        domains = EXAMPLE

        [nss]
        filter_groups = root
        filter_users = root
        reconnection_retries = 3
        override_homedir = /home/%u

        [pam]
        reconnection_retries = 3

        [domain/default]
        cache_credentials = True

        [domain/EXAMPLE]
        cache_credentials = True
        enumerate = False
        id_provider = ldap
        chpass_provider = krb5
        ldap_uri = ldap://ldap.example.com
        ldap_search_base = dc=example,dc=com
        ldap_user_search_base = ou=users,dc=example,dc=com
        ldap_group_search_base = ou=groups,dc=example,dc=com
        ldap_schema = rfc2307
        ldap_tls_reqcert = never

        auth_provider = krb5
        krb5_server = kerberos.example.com
        krb5_realm = EXAMPLE.COM
        krb5_auth_timeout = 15
        krb5_store_password_if_offline = True
        krb5_ccachedir = /run/user/%U
        krb5_ccname_template = DIR:%d/krb5cc
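A small checker for the two settings the how-to above hinges on, added here as an example; it is not part of the blog post, the comment, or SSSD itself. It parses a constructed sssd.conf (abbreviated from the commenter's example) with Python's configparser and reports, for every domain named in [sssd] domains, whether cache_credentials and krb5_store_password_if_offline are turned on, whether auth_provider is actually krb5 (otherwise the password-caching setting has nothing to act on), and whether ldap_tls_reqcert = never is present, since that value disables verification of the LDAP server's certificate. The file text, the key list and the finding messages are constructed for the example.

```python
"""Sanity-check an sssd.conf for the offline-login settings from the how-to.

Added example, not part of the blog post or of SSSD. It parses a
constructed sssd.conf and reports, per domain listed under [sssd] domains,
whether the settings that make offline login and delayed TGT retrieval
work are on, plus any setting that weakens transport security.
"""
import configparser

# Constructed sample: the commenter's example sssd.conf, abbreviated.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
cache_credentials = True
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = never
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
krb5_store_password_if_offline = True
krb5_ccachedir = /run/user/%U
krb5_ccname_template = DIR:%d/krb5cc
"""

# Keys the how-to calls out, with the value that enables the behaviour.
REQUIRED = {
    "cache_credentials": "true",
    "krb5_store_password_if_offline": "true",
}


def parse_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is off because SSSD templates
    use %u, %U and %d, which configparser would otherwise try to expand."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_domains(text):
    """Return {domain: [findings]} for every domain named in [sssd] domains.
    An empty list means the domain passed every check."""
    cp = parse_sssd_conf(text)
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    report = {}
    for dom in domains:
        section = f"domain/{dom}"
        findings = []
        if not cp.has_section(section):
            findings.append(f"no [{section}] section for domain listed in [sssd]")
            report[dom] = findings
            continue
        for key, wanted in REQUIRED.items():
            actual = cp.get(section, key, fallback="").strip().lower()
            if actual != wanted:
                findings.append(f"{key} should be True (found: {actual or 'unset'})")
        # krb5_store_password_if_offline only matters when auth goes through Kerberos.
        if cp.get(section, "auth_provider", fallback="").strip() != "krb5":
            findings.append("auth_provider is not krb5; stored password cannot be used for later TGT retrieval")
        # Disabling LDAP certificate checks lets any host impersonate the directory server.
        if cp.get(section, "ldap_tls_reqcert", fallback="").strip().lower() == "never":
            findings.append("ldap_tls_reqcert = never disables server certificate verification")
        report[dom] = findings
    return report


if __name__ == "__main__":
    for dom, findings in check_domains(SAMPLE_SSSD_CONF).items():
        print(f"[domain/{dom}]")
        for line in findings or ["ok"]:
            print(f"  - {line}")
```

Run against the sample, the only finding is the ldap_tls_reqcert one; the two caching settings from the how-to are present. Point it at a real /etc/sssd/sssd.conf by reading the file into check_domains instead of the sample string.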
