<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Generator" content="Microsoft Word 14 (filtered medium)"> <style></style> </head> <body bgcolor="white" lang="EN-US" link="blue" vlink="purple"> <div class="WordSection1"> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’m not, in general, in favor of solutions which promiscuously sling Kerberos passwords around the net. </span><span style="font-size:11.0pt;font-family:Wingdings;color:#1F497D">J</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> pGina + Kerberos authenticating directly off of IPA would be the way to go, I think.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Presumably Dimitri’s statement about the user being “foreign” and having limited access to windows services would apply equally well to a user with a SID from a foreign domain in a large Kerberos federation. This, and the uncertainty concerning what type of directory service the foreign KDC is paired with, is probably responsible for keeping Kerberos-based federations small. <o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That being said, the collaboration use case (not to mention “home networks”) is what makes “foreign” logins interesting. There’s hardly anything in common between two collaboration projects, so it’s hard to define far-reaching policies (i.e., you’re not missing out on much). Most all authorization decisions are delegated out to some project member responsible for the server/asset. Constructing authorization sets having members defined by text based principals makes a certain amount of sense. Hence the LDAP “member” attribute in RFC4519.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">What would really be cool is the “inverse” of gluu or openam. Kerberos preauthentication data which allows the KDC to authenticate off of an OpenID Connect, SAML, or LDAP authentication source, caching the provided password and provisioning a Kerberos principal. Future AS exchanges would start out as “normal” Kerberos. Sort of like migration mode does now. If the KDC could then signal IPA that a new principal was provisioned, IPA could allocate and harmonize an SID and a UID for the principal in the domain. <o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Poof. Console logins for Windows (pGina) and Linux (sssd) using IPA backed by your google account. That just eliminated 98% of the external accounts you would have had to create and manage.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Food for thought.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Bryce<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p> <div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt"> <div> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"> <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> freeipa-users-bounces@redhat.com [mailto:freeipa-users-bounces@redhat.com] <b>On Behalf Of </b>Dmitri Pal<br> <b>Sent:</b> Saturday, March 22, 2014 5:55 PM<br> <b>To:</b> Will Sheldon<br> <b>Cc:</b> freeipa-users@redhat.com<br> <b>Subject:</b> Re: [Freeipa-users] About Windows client<o:p></o:p></span></p> </div> </div> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal">On 03/22/2014 05:47 PM, Will Sheldon wrote: <o:p></o:p></p> <div> <div> <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica","sans-serif""><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica","sans-serif"">I’d be curious to see how well a solution that combines pGina using RADIUS against some middleware like the Gluu server (<a href="http://www.gluu.org">www.gluu.org</a>) backed by IPA would work.<o:p></o:p></span></p> </div> </div> <p class="MsoNormal"><br> This is not an interesting scenario. This would would probably work right now but the machine would still not know who the user is because it will not know user SID so he would be foreign and no Windows policies would apply to him. I suspect such user would have no or very limited read only access to Windows resources because all Windows ACLs are based on knowing the user SIDs and SIDs of the groups the user is a member of.<br> The value of native IdM integration would be to get user SID and SIDs of the groups from IdM and then get the right kerberos ticket(s) for Windows resources using cross realm kerberos trusts and put these tickets into the right place so that windows system can use them automatically when user navigates to the corresponding resource. Something like this.<br> <br> <br> <o:p></o:p></p> <div> <div> <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica","sans-serif""><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica","sans-serif"">It strikes me that getting domain federation between IPA and Gluu would tick a lot of boxes as it seems to offer a host of authentication and accounting interfaces including oAuth, SAML, OpenID and of course RADIUS.<o:p></o:p></span></p> </div> </div> <div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <p class="MsoNormal"><br> Kind regards,<br> <br> Will Sheldon<br> +1.778-689-1244 <o:p></o:p></p> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> </div> <p><span style="color:#A0A0A8">On Saturday, March 22, 2014 at 2:17 PM, Dmitri Pal wrote:<o:p></o:p></span></p> <blockquote style="border:none;border-left:solid windowtext 1.0pt;padding:0in 0in 0in 8.0pt;margin-left:0in;margin-top:5.0pt;margin-bottom:5.0pt"> <div> <div> <div> <p class="MsoNormal">On 03/22/2014 01:18 PM, Arthur wrote:<o:p></o:p></p> </div> <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"> <div> <div> <p class="MsoNormal">Dmitri Pal wrote:<o:p></o:p></p> </div> <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"> <div> <div> <p class="MsoNormal">On 03/20/2014 11:15 PM, Arthur Faizullin wrote:<o:p></o:p></p> </div> <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"> <div> <div> <p class="MsoNormal">HI!<o:p></o:p></p> </div> <div> <p class="MsoNormal">I've got some thoughts on 4-th point: there is a <a href="http://pgina.org"> http://pgina.org</a>/ <o:p></o:p></p> </div> <div> <p class="MsoNormal">pgina<o:p></o:p></p> </div> <div> <p class="MsoNormal">project, may be them are able to do such thing.<o:p></o:p></p> </div> </div> </blockquote> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Yes pgina is one of the options.<o:p></o:p></p> </div> <div> <p class="MsoNormal">Someone would have to take it and integrate with MIT Kerberos for <o:p></o:p></p> </div> <div> <p class="MsoNormal">Windows if it is not already doing so.<o:p></o:p></p> </div> <div> <p class="MsoNormal">But I suspect that it would be more a project in itself that would <o:p></o:p></p> </div> <div> <p class="MsoNormal">leverage code from MIT and may be pgina to integrate different parts.<o:p></o:p></p> </div> <div> <p class="MsoNormal">The biggest part figuring out the domain affiliation. I mean the use <o:p></o:p></p> </div> <div> <p class="MsoNormal">cases like this:<o:p></o:p></p> </div> <div> <p class="MsoNormal">a) The system is domainless but user authentictaes with user name and <o:p></o:p></p> </div> <div> <p class="MsoNormal">password against IPA<o:p></o:p></p> </div> <div> <p class="MsoNormal">b) The system is domainless but user authentictaes with user name and <o:p></o:p></p> </div> <div> <p class="MsoNormal">OTP against IPA<o:p></o:p></p> </div> <div> <p class="MsoNormal">c) The system is in an AD domain trusted by IdM domain but user <o:p></o:p></p> </div> <div> <p class="MsoNormal">authenticates with user name and password against IPA because he is <o:p></o:p></p> </div> <div> <p class="MsoNormal">in IdM domain.<o:p></o:p></p> </div> <div> <p class="MsoNormal">d) The system is in an AD domain trusted by IdM domain but user <o:p></o:p></p> </div> <div> <p class="MsoNormal">authenticates with user name and password against IPA because he is <o:p></o:p></p> </div> <div> <p class="MsoNormal">in IdM domain.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">More to research. We can help with guidance if someone wants to run <o:p></o:p></p> </div> <div> <p class="MsoNormal">with it.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Thanks<o:p></o:p></p> </div> <div> <p class="MsoNormal">Dmitri<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"> <div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">20.02.2014 04:23, Dmitri Pal пишет:<o:p></o:p></p> </div> <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"> <div> <div> <p class="MsoNormal">Hello,<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">I want to summarize our position regarding joining Windows systems<o:p></o:p></p> </div> <div> <p class="MsoNormal">into IPA.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">1) If you already have AD we recommend using this system with AD and<o:p></o:p></p> </div> <div> <p class="MsoNormal">using trusts between AD and IPA.<o:p></o:p></p> </div> <div> <p class="MsoNormal">2) If you do not have AD then use Samba 4 instead of it. It would be<o:p></o:p></p> </div> <div> <p class="MsoNormal">great when Samba 4 grows capability to establish trusts. Right now it<o:p></o:p></p> </div> <div> <p class="MsoNormal">can't but there is an effort going on. If you are interested - please<o:p></o:p></p> </div> <div> <p class="MsoNormal">contribute.<o:p></o:p></p> </div> <div> <p class="MsoNormal">3) If neither of the two options work for you you can configure<o:p></o:p></p> </div> <div> <p class="MsoNormal">Windows system to work directly with IPA as described on the wiki. It<o:p></o:p></p> </div> <div> <p class="MsoNormal">is an option of last resort because IPA does not provide the services<o:p></o:p></p> </div> <div> <p class="MsoNormal">windows client expects. If this is good enough for you, fine by us.<o:p></o:p></p> </div> <div> <p class="MsoNormal">4) Build a native Windows client (cred provider) for IPA using latest<o:p></o:p></p> </div> <div> <p class="MsoNormal">Kerberos. IMO this would be really useful if someone does that because<o:p></o:p></p> </div> <div> <p class="MsoNormal">we will not build this ourselves. With the native OTP support in IPA<o:p></o:p></p> </div> <div> <p class="MsoNormal">it becomes a real business opportunity to provide a native 2FA inside<o:p></o:p></p> </div> <div> <p class="MsoNormal">enterprise across multiple platforms. But please do it open source way<o:p></o:p></p> </div> <div> <p class="MsoNormal">otherwise we would not recommend you ;-)<o:p></o:p></p> </div> </div> </blockquote> <div> <p class="MsoNormal">_______________________________________________<o:p></o:p></p> </div> <div> <p class="MsoNormal">Freeipa-users mailing list<o:p></o:p></p> </div> <div> <p class="MsoNormal"><a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><o:p></o:p></p> </div> <div> <p class="MsoNormal"><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><o:p></o:p></p> </div> </div> </blockquote> </div> </blockquote> <div> <p class="MsoNormal">My friend agreed to try. He is C# programmer. But the problem that has <o:p></o:p></p> </div> <div> <p class="MsoNormal">low knowledge about kerberos, GSSAPI, and I could not told him what is <o:p></o:p></p> </div> <div> <p class="MsoNormal">wrong with current pgina's ldap plugin.<o:p></o:p></p> </div> <div> <p class="MsoNormal">He does not want to subscribe to freeipa mail-lists, so may be I shall <o:p></o:p></p> </div> <div> <p class="MsoNormal">give him your (Dmitri) e-mail?<o:p></o:p></p> </div> <div> <p class="MsoNormal">He speaks russian :)<o:p></o:p></p> </div> </div> </blockquote> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">List is really the way to develop open source software collaboratively. <o:p></o:p></p> </div> <div> <p class="MsoNormal">This is what we are doing here.<o:p></o:p></p> </div> <div> <p class="MsoNormal">We can agree that the communication about the topic will be prefixed in <o:p></o:p></p> </div> <div> <p class="MsoNormal">such a way that he can create a filter so that he would get only mails <o:p></o:p></p> </div> <div> <p class="MsoNormal">that match the filter.<o:p></o:p></p> </div> <div> <p class="MsoNormal">Would that work?<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">I am not sure that I would be able to provide all the support. We are a <o:p></o:p></p> </div> <div> <p class="MsoNormal">community here and we have different roles and angles. Working with just <o:p></o:p></p> </div> <div> <p class="MsoNormal">one person would not fly, sorry.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"> <div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">_______________________________________________<o:p></o:p></p> </div> <div> <p class="MsoNormal">Freeipa-users mailing list<o:p></o:p></p> </div> <div> <p class="MsoNormal"><a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><o:p></o:p></p> </div> <div> <p class="MsoNormal"><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><o:p></o:p></p> </div> </div> </blockquote> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">-- <o:p></o:p></p> </div> <div> <p class="MsoNormal">Thank you,<o:p></o:p></p> </div> <div> <p class="MsoNormal">Dmitri Pal<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Sr. Engineering Manager for IdM portfolio<o:p></o:p></p> </div> <div> <p class="MsoNormal">Red Hat Inc.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">-------------------------------<o:p></o:p></p> </div> <div> <p class="MsoNormal">Looking to carve out IT costs?<o:p></o:p></p> </div> <div> <p class="MsoNormal"><a href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">_______________________________________________<o:p></o:p></p> </div> <div> <p class="MsoNormal">Freeipa-users mailing list<o:p></o:p></p> </div> <div> <p class="MsoNormal"><a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><o:p></o:p></p> </div> <div> <p class="MsoNormal"><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><o:p></o:p></p> </div> </div> </div> </blockquote> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <p class="MsoNormal"><br> <br> <br> <o:p></o:p></p> <pre>-- <o:p></o:p></pre> <pre>Thank you,<o:p></o:p></pre> <pre>Dmitri Pal<o:p></o:p></pre> <pre><o:p> </o:p></pre> <pre>Sr. Engineering Manager for IdM portfolio<o:p></o:p></pre> <pre>Red Hat Inc.<o:p></o:p></pre> <pre><o:p> </o:p></pre> <pre><o:p> </o:p></pre> <pre>-------------------------------<o:p></o:p></pre> <pre>Looking to carve out IT costs?<o:p></o:p></pre> <pre><a href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><o:p></o:p></pre> <pre><o:p> </o:p></pre> <pre><o:p> </o:p></pre> </div> </div> <br> <br> <br> <br> This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. </body> </html>