Enterprise Accounts

Status: Mostly done

Description

GNOME 3.0 introduced a nice control-center panel for managing local user accounts. The user panel currently just shows user accounts found in /etc/passwd (with some additional information stored elsewhere).

It would be good if the panel was aware of centrally managed user accounts that might come from some directory service such as LDAP or AD (Active Directory). One difference in this scenario is that the user accounts will often not be editable at all, and there may be far too many accounts to show them all in the list.

It would also be good if other aspects of user identity, such as Kerberos tickets, were integrated in the control-center, including ticket renewal and domain logon. Some of this functionality is currently provided by the krb5-auth-dialog module.

Although the initial design called for this functionality to be added to the user panel, the current plan is to make secondary Kerberos identities appear in the online-accounts panel. The ticket renewal functionality may be taken over either by a gnome-settings-daemon plugin or by the goa-daemon, which already issues notifications about expired online accounts.

Other modules that show user information, like the gnome-shell user menu, may need small adjustments too.

A wiki page for design work on this has been started: Design/Proposals/UserIdentities

A related goal is to make GNOME machines very easy to enroll in AD domains and allow users to log on to such domains using their AD user id. This will require changes in the login screen (gnome-shell, gdm) and the new gnome-initial-setup tool.

Design input related to AD enrollment is being collected here: StefWalter/Scratch/JoiningDirectory

Owner

Ray Strode

Involved Parties

Stef Walter, Jasper St. Pierre

Affected modules: gdm, gnome-control-center (user panel, online accounts panel), gnome-shell (user menu, login screen), accountsservice, gnome-settings-daemon, gnome-online-accounts, krb5-auth-dialog, seahorse

Current Status

The Kerberos support will add a krb5-libs dependency to gnome-control-center and gnome-settings-daemon, but it will be optional, with a --disable-kerberos configure option. The AD enrollment makes use of a new D-Bus service, called realmd, which is currently under development. This will be an optional runtime dependency.

The following bugs are used for reviewing the code:

  • #681769 (gnome-control-center) Indicate currently-logged-in status as check mark in user list

  • #681866 (gnome-control-center) Slim down password dialog for remote users

  • #681762 (gnome-control-center) Support a locked down mode for the user accounts panel

  • (./) #681767 (gnome-control-center) Rework the user list secondary text

  • (./) #681770 (gnome-control-center) Visibility and sensitivity of user details

  • (./) #681771 (gnome-control-center) Capitalization: 'Account type' -> 'Account Type'

  • (./) #679253 (gnome-online-accounts) Support kerberos identities

  • (./) #681975 (gdm, gnome-shell) Add hint on how to log in with enterprise login

  • (./) #677548 (control-center) Add 'Enterprise Login' via user panel

  • (./) fd50770 (accountsservice) daemon: Add CacheUser() DBus method

  • (./) fd51037 (accountsservice) Flag local users and treat them differently

  • (./) #677860 (jhbuild) Add realmd

Possible enhancements post 3.6 include:

Stef has posted a progress report with lots of screenshots. More recently, he provided detailed testing instructions for AD.

The user panel changes for AD enrollment have been included in gnome-control-center 3.5.4.

The Kerberos ticket support will be included in gnome-online-accounts 3.5.90.

The required accountsservice changes are included in the 0.6.24 release.

The required realmd version is 0.7.

How to Help

Contact Ray or Stef, or add your comments to the design page.

ThreePointFive/Features/UserPanel (last edited 2012-08-22 02:45:59 by MatthiasClasen)