Logging in with Kerberos Network Identity
After configuring the machine to use network identities to log in, instead of local user accounts, the login screen needs to display hints, instructions, or UI elements to show how to log in with a network identity.
The renewal of Kerberos tickets is handled by the user identities work.
Status
- Needs design
- Design in progress
- Needs implementation
- Implementation in progress
- Stable
Objectives
- Make it clear to the user how to log in using a network identity from the login screen.
Use case: Logging in using network identity
- Fry has configured GNOME to allow him to use a corporate network identity to log in.
- After completing setup, he sees instructions or UI elements that allow him to log in using his network identity.
Integration points
- GDM
Design Limitations
- We cannot allow setup of an arbitrary network identity from the GDM login screen. Doing so would allow anybody to walk up to a GNOME machine and log in.
- It is not possible to enumerate all the users of a Kerberos domain/realm in a realistic amount of time. There may be tens of thousands of identities. In some cases it is not possible to enumerate identities at all for a given type of network identity.
Relevant art and experiences
Windows
- Windows makes this fairly straightforward.
- During the wizard for joining the domain, you get to enter the login you'd like to use to log in. They offer to configure that account as a local machine administrator, as well as make the data for the current user available to that account.
- When the user next restarts, that new domain\user is specified by default as the login.
- If the user wishes to specify a domain-based user to log in with, then the user has to type "Domain\User" explicitly. There's an obvious link which pulls up instructions for this.
- Previous versions of Windows used to have a drop-down with the various domains that the user could log into.
OpenSUSE
- Can set up domain accounts during install.
- Get a message "Theme not usable with authentication method 'Winbind/Samba'" when trying to log in using GDM. Tried to log in with "DOMAIN+User", but that didn't work.
- What does work is "DOMAIN\User", which then takes a moment to set up a clickable user in GDM. You can then click that user and type the password to log in.
- The domain is somewhat integrated into the KDM login prompt: it is listed and selectable.
- But it cannot actually be used to log in.
Fedora
- Cannot join a domain or set up domain logins during setup due to missing packages.
- After creating a temporary account, the system can be configured to allow domain logins.
- No apparent support for selecting the domain in the login prompt; use "DOMAIN+User" to log in.
Mageia
- From what I can see there is no GUI support for setting up network logins in Mageia.
Notes
- It's possible that the login screen changes depending on whether network identities are configured or not.
- Need to have offline caching of credentials working by default for logins with network identities. This is vital for later access to the user's data when not connected to the network.
If using a network identity to log in, it's important to be able to catch any problems that would prevent login (such as an incorrect system clock from broken NTP, or DNS/hostname problems) and make sure they never occur.