I have recently found out that GNOME Online Accounts now supports Kerberos authentication. I assume this might be interesting for many people who use GNOME in a corporate environment, so I decided to say a few words about it here.
The setup is as simple as it can get. You just add a new Kerberos account in GNOME Online Accounts and provide a domain name, your user name and a password. Then you see this:
Every time you boot your computer now, you will also receive a Kerberos ticket. Awesome!
Unfortunately, the world is not perfect, and neither is GNOME Online Accounts. So there are a few annoying problems:
- Your computer has to boot inside the company network. If you connect to the network afterwards, you will not receive the Kerberos ticket.
- You can’t use the ON-OFF slider to force a ticket retrieval, because GNOME Online Accounts crashes. So back to kinit in this case.
Let’s hope these problems will be ironed out in GNOME 3.8; currently it’s just a half-baked solution. But it’s definitely better than having nothing at all.
Unfortunately GNOME is just terrible. I switched to Fedora KDE spin and it is a lot better. I think KDE spin should become default Fedora desktop.
Super, I hope corporates increase adoption of Linux after this. I am stuck with Windows at my workplace.
SSSD can automatically get your ticket as soon as the corporate network is reachable, e.g., VPN is connected, and it’s desktop-agnostic.
Right, I thought sssd was supposed to do this?
Can you be a bit more specific? A link to an easy-to-set-up tutorial perhaps?
Where does sssd store my Kerberos password (my Kerberos password is different from my local account password)?
You won’t have a local account password anymore when you turn on SSSD. Instead SSSD will cache your Kerberos credentials and you’ll log in with your Kerberos password all the time. SSSD will store your password in the kernel keyring so it’s pretty secure and then it will get a TGT from the Kerberos server as soon as it’s reachable.
There’s a chapter in the Fedora docs on setting up SSSD:
http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Setting_Up_SSSD.html
Here’s my quick how-to:
1. Configure SSSD by editing /etc/sssd/sssd.conf. In my example below I’m using LDAP + Kerberos. The key lines in the config are
cache_credentials = True
krb5_store_password_if_offline = True
The cache_credentials line will keep a local cache of your password so you can log in when disconnected from the corporate network. And krb5_store_password_if_offline will store your password in the kernel keyring as mentioned above.
2. Turn on SSSD in /etc/nsswitch.conf, /etc/pam.d/* and such:
[root@localhost ~]# authconfig --enablesssd --enablesssdauth --updateall
3. Enable SSSD
[root@localhost ~]# systemctl enable sssd.service
[root@localhost ~]# systemctl start sssd.service
4. Remove your entries from /etc/{passwd,shadow,group,gshadow}
5. Log in! Be sure to do this at least once so the local cache can be populated with your Kerberos password.
Example sssd.conf file
~~~~~~~~~~~~~~~~~~~~~~
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = EXAMPLE
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
override_homedir = /home/%u
[pam]
reconnection_retries = 3
[domain/default]
cache_credentials = True
[domain/EXAMPLE]
# keep a local copy of the credentials so login works while offline
cache_credentials = True
enumerate = False
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
ldap_schema = rfc2307
# "never" skips verification of the LDAP server certificate
ldap_tls_reqcert = never
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
krb5_auth_timeout = 15
# keep the password in the kernel keyring so a TGT can be fetched once the KDC is reachable
krb5_store_password_if_offline = True
krb5_ccachedir = /run/user/%U
# DIR-type credential cache under the per-user runtime directory
krb5_ccname_template = DIR:%d/krb5cc
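A small checker for the settings this how-to relies on, added here as an example (it is not the commenter's or SSSD's own code). It parses an sssd.conf, confirms that every domain in the [sssd] domains list has cache_credentials and krb5_store_password_if_offline turned on, and flags an LDAP provider that does not verify the server certificate; SAMPLE_SSSD_CONF is a constructed file modelled on the example above.

```python
import configparser

# Constructed sample modelled on the example sssd.conf in the comment above.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
cache_credentials = True
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = never
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
krb5_store_password_if_offline = True
"""


def check_sssd_conf(text):
    """Return a list of findings for an sssd.conf given as a string.

    Every domain named in [sssd] domains is checked for the two offline-login
    options and, for an LDAP id_provider, for certificate verification.
    An empty list means there is nothing to report."""
    cp = configparser.ConfigParser(interpolation=None)  # %u/%d templates stay literal
    cp.read_string(text)
    findings = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        findings.append("[sssd]: 'domains' is empty, no domain will be served")
    for dom in domains:
        sect = "domain/" + dom
        if not cp.has_section(sect):
            findings.append(f"[{sect}]: section missing")
            continue
        if not cp.getboolean(sect, "cache_credentials", fallback=False):
            findings.append(f"[{sect}]: cache_credentials is not True, no login while offline")
        if cp.get(sect, "auth_provider", fallback="") == "krb5" and \
                not cp.getboolean(sect, "krb5_store_password_if_offline", fallback=False):
            findings.append(f"[{sect}]: krb5_store_password_if_offline is not True, "
                            "no TGT will be fetched once the network comes back")
        if cp.get(sect, "id_provider", fallback="") == "ldap":
            reqcert = cp.get(sect, "ldap_tls_reqcert", fallback="hard").lower()
            if reqcert in ("never", "allow"):
                findings.append(f"[{sect}]: ldap_tls_reqcert = {reqcert} skips server certificate "
                                "verification; use 'demand' with ldap_tls_cacert set")
    return findings


if __name__ == "__main__":
    for line in check_sssd_conf(SAMPLE_SSSD_CONF) or ["no findings"]:
        print(line)
```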