enterprise desktop improving client side in the age of
play

Enterprise desktop: improving client side in the age of Samba AD and - PowerPoint PPT Presentation

Nov 30, 2023 •267 likes •1.33k views

Principal Software Engineer, Red Hat // Samba Team SambaXP16 Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 2

  1. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 16 Practical case: Samba AD domain member Pure winbindd: nss_winbind and pam_winbind for identity and authentication Pure winbindd: Limited authorization capabilities (account lock) Hybrid approach: nss_sss and pam_sss for identity and authentication winbindd is used by Samba, configured to trust SSSD-provided ID range SSSD supports offline logon, logon with smart cards, logon with Kerberos proxy SSSD does authorization using GPO and/or account lock ▶ A pure winbindd-based setup or a hybrid SSSD+winbindd configuration

  2. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 17 Practical case: Samba AD domain member Pure winbindd: Limited authorization capabilities (account lock) Hybrid approach: nss_sss and pam_sss for identity and authentication winbindd is used by Samba, configured to trust SSSD-provided ID range SSSD supports offline logon, logon with smart cards, logon with Kerberos proxy SSSD does authorization using GPO and/or account lock ▶ A pure winbindd-based setup or a hybrid SSSD+winbindd configuration ▶ Pure winbindd: nss_winbind and pam_winbind for identity and authentication

  3. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 18 Practical case: Samba AD domain member Hybrid approach: nss_sss and pam_sss for identity and authentication winbindd is used by Samba, configured to trust SSSD-provided ID range SSSD supports offline logon, logon with smart cards, logon with Kerberos proxy SSSD does authorization using GPO and/or account lock ▶ A pure winbindd-based setup or a hybrid SSSD+winbindd configuration ▶ Pure winbindd: nss_winbind and pam_winbind for identity and authentication ▶ Pure winbindd: Limited authorization capabilities (account lock)

  4. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 19 Practical case: Samba AD domain member nss_sss and pam_sss for identity and authentication winbindd is used by Samba, configured to trust SSSD-provided ID range SSSD supports offline logon, logon with smart cards, logon with Kerberos proxy SSSD does authorization using GPO and/or account lock ▶ A pure winbindd-based setup or a hybrid SSSD+winbindd configuration ▶ Pure winbindd: nss_winbind and pam_winbind for identity and authentication ▶ Pure winbindd: Limited authorization capabilities (account lock) ▶ Hybrid approach:

  5. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 20 Practical case: Samba AD domain member winbindd is used by Samba, configured to trust SSSD-provided ID range SSSD supports offline logon, logon with smart cards, logon with Kerberos proxy SSSD does authorization using GPO and/or account lock ▶ A pure winbindd-based setup or a hybrid SSSD+winbindd configuration ▶ Pure winbindd: nss_winbind and pam_winbind for identity and authentication ▶ Pure winbindd: Limited authorization capabilities (account lock) ▶ Hybrid approach: ▶ nss_sss and pam_sss for identity and authentication

  6. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 21 Practical case: Samba AD domain member SSSD supports offline logon, logon with smart cards, logon with Kerberos proxy SSSD does authorization using GPO and/or account lock ▶ A pure winbindd-based setup or a hybrid SSSD+winbindd configuration ▶ Pure winbindd: nss_winbind and pam_winbind for identity and authentication ▶ Pure winbindd: Limited authorization capabilities (account lock) ▶ Hybrid approach: ▶ nss_sss and pam_sss for identity and authentication ▶ winbindd is used by Samba, configured to trust SSSD-provided ID range

  7. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 22 Practical case: Samba AD domain member SSSD does authorization using GPO and/or account lock ▶ A pure winbindd-based setup or a hybrid SSSD+winbindd configuration ▶ Pure winbindd: nss_winbind and pam_winbind for identity and authentication ▶ Pure winbindd: Limited authorization capabilities (account lock) ▶ Hybrid approach: ▶ nss_sss and pam_sss for identity and authentication ▶ winbindd is used by Samba, configured to trust SSSD-provided ID range ▶ SSSD supports offline logon, logon with smart cards, logon with Kerberos proxy

  8. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 23 Practical case: Samba AD domain member ▶ A pure winbindd-based setup or a hybrid SSSD+winbindd configuration ▶ Pure winbindd: nss_winbind and pam_winbind for identity and authentication ▶ Pure winbindd: Limited authorization capabilities (account lock) ▶ Hybrid approach: ▶ nss_sss and pam_sss for identity and authentication ▶ winbindd is used by Samba, configured to trust SSSD-provided ID range ▶ SSSD supports offline logon, logon with smart cards, logon with Kerberos proxy ▶ SSSD does authorization using GPO and/or account lock

  9. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 24 That’s all behind the scenes, what would user see?

  10. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 25 How enterprisey are we?

  11. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 26 Let’s score by a password

  12. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 27 Let’s score by a password A typical workflow for every laptop reboot 1. Sign into a local system account (enter a password) 2. Jump onto virtual private network (enter a password or more) 3. Obtain initial Kerberos credentials (enter a password) 4. Use corporate applications (enter a password?)

  13. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 28 Let’s score by a password A typical workflow for every laptop reboot 1. Sign into a local system account (enter a password) 2. Jump onto virtual private network (enter a password or more) 3. Obtain initial Kerberos credentials (enter a password) 4. Use corporate applications (enter a password?)

  14. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 29 Let’s score by a password A typical workflow for every laptop reboot 1. Sign into a local system account (enter a password) 2. Jump onto virtual private network (enter a password or more) 3. Obtain initial Kerberos credentials (enter a password) 4. Use corporate applications (enter a password?)

  15. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 30 Let’s score by a password A typical workflow for every laptop reboot 1. Sign into a local system account (enter a password) 2. Jump onto virtual private network (enter a password or more) 3. Obtain initial Kerberos credentials (enter a password) 4. Use corporate applications (enter a password?)

  16. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 31 Can we do better than this? how far are we from ? ▶ Sign into a corporate environment ▶ Use corporate applications

  17. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 32 Let’s try to login! Demo (first 40 seconds): http://talks.vda.li/2016/05/SambaXP/freeipa-logon-1FA-2FA.webm

  18. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 33 What was that? SSSD handles login and Kerberos keys Login to the system is verified over public network using a proxy for Kerberos protocol Established VPN connection based on Kerberos ticket Credentials were entered only once ▶ The system is configured to be a client for FreeIPA

  19. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 34 What was that? Login to the system is verified over public network using a proxy for Kerberos protocol Established VPN connection based on Kerberos ticket Credentials were entered only once ▶ The system is configured to be a client for FreeIPA ▶ SSSD handles login and Kerberos keys

  20. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 35 What was that? Established VPN connection based on Kerberos ticket Credentials were entered only once ▶ The system is configured to be a client for FreeIPA ▶ SSSD handles login and Kerberos keys ▶ Login to the system is verified over public network using a proxy for Kerberos protocol

  21. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 36 What was that? Credentials were entered only once ▶ The system is configured to be a client for FreeIPA ▶ SSSD handles login and Kerberos keys ▶ Login to the system is verified over public network using a proxy for Kerberos protocol ▶ Established VPN connection based on Kerberos ticket

  22. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 37 What was that? ▶ The system is configured to be a client for FreeIPA ▶ SSSD handles login and Kerberos keys ▶ Login to the system is verified over public network using a proxy for Kerberos protocol ▶ Established VPN connection based on Kerberos ticket ▶ Credentials were entered only once

  23. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 38 Kerberos proxy Available on the client side with Microsoft Active Directory and MIT Kerberos 1.13 Kerberos proxy is implemented by FreeIPA 4.2, OpenConnect Server 7.05, and as a standalone server change on the client) GNOME developers ▶ protocol is called MS-KKDCP ▶ transparent for Kerberos library users ▶ Requires HTTPS connection, set up by default in FreeIPA 4.2, very easy to use (one line ▶ Allows to obtain tickets from anywhere ▶ SSSD 1.12+ ▶ Real-life example: GNOME project uses KDC proxy to allow GSSAPI authentication in SSH for

  24. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 39 VPN and Kerberos OpenConnect client supports GSSAPI negotiation OpenVPN does not support GSSAPI negotiation Support for GSSAPI in IPSEC is coming ▶ Fedora 22+ works out of the box ▶ to do since 2005, ignored by upstream

  25. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 40 Two-factor authentication FreeIPA 4.x supports 2FA natively hardware ▶ Yubikey, FreeOTP client for Android and iOS, any HOTP/TOTP compatible software and ▶ Two-factor authentication is enforced on Kerberos level ▶ Performs pre-authentication before issuing a ticket ▶ Authentication Indicators are in Kerberos 1.14 ▶ Pre-authentication modules can say how tickets were issued

  26. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 41 FreeOTP: Android and iOS Figure 1:

  27. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 42 Demo Demo (starting from 40s): http://talks.vda.li/2016/05/SambaXP/freeipa-logon-1FA-2FA.webm

  28. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 43 What was that? 2. SSSD handles login and notices OTP pre-authentication support in Kerberos conversation 3. Login to the system is verified over public network using a proxy for Kerberos protocol 4. Kerberos ticket is obtained, first factor is provided by SSSD to GDM for unlocking GNOME passwords and keys storage (SeaHorse) 5. Credentials were entered only once 1. One time password token was programmed to Yubikey and added for the user in FreeIPA

  29. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 44 What was that? 2. SSSD handles login and notices OTP pre-authentication support in Kerberos conversation 3. Login to the system is verified over public network using a proxy for Kerberos protocol 4. Kerberos ticket is obtained, first factor is provided by SSSD to GDM for unlocking GNOME passwords and keys storage (SeaHorse) 5. Credentials were entered only once 1. One time password token was programmed to Yubikey and added for the user in FreeIPA

  30. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 45 What was that? 2. SSSD handles login and notices OTP pre-authentication support in Kerberos conversation 3. Login to the system is verified over public network using a proxy for Kerberos protocol 4. Kerberos ticket is obtained, first factor is provided by SSSD to GDM for unlocking GNOME passwords and keys storage (SeaHorse) 5. Credentials were entered only once 1. One time password token was programmed to Yubikey and added for the user in FreeIPA

  31. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 46 What was that? 2. SSSD handles login and notices OTP pre-authentication support in Kerberos conversation 3. Login to the system is verified over public network using a proxy for Kerberos protocol 4. Kerberos ticket is obtained, first factor is provided by SSSD to GDM for unlocking GNOME passwords and keys storage (SeaHorse) 5. Credentials were entered only once 1. One time password token was programmed to Yubikey and added for the user in FreeIPA

  32. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 47 What was that? 2. SSSD handles login and notices OTP pre-authentication support in Kerberos conversation 3. Login to the system is verified over public network using a proxy for Kerberos protocol 4. Kerberos ticket is obtained, first factor is provided by SSSD to GDM for unlocking GNOME passwords and keys storage (SeaHorse) 5. Credentials were entered only once 1. One time password token was programmed to Yubikey and added for the user in FreeIPA

  33. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 48 If Kerberos credentials are available, what can we do with them? Obtain SAML assertion for other web services (and more) Use to access networking file systems Display properties of the available tickets Renew the ticket granting ticket (TGT) Choose which Kerberos principal is in use ▶ Authenticate with GSSAPI against almost anything

  34. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 49 If Kerberos credentials are available, what can we do with them? Use to access networking file systems Display properties of the available tickets Renew the ticket granting ticket (TGT) Choose which Kerberos principal is in use ▶ Authenticate with GSSAPI against almost anything ▶ Obtain SAML assertion for other web services (and more)

  35. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 50 If Kerberos credentials are available, what can we do with them? Display properties of the available tickets Renew the ticket granting ticket (TGT) Choose which Kerberos principal is in use ▶ Authenticate with GSSAPI against almost anything ▶ Obtain SAML assertion for other web services (and more) ▶ Use to access networking file systems

  36. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 51 If Kerberos credentials are available, what can we do with them? Renew the ticket granting ticket (TGT) Choose which Kerberos principal is in use ▶ Authenticate with GSSAPI against almost anything ▶ Obtain SAML assertion for other web services (and more) ▶ Use to access networking file systems ▶ Display properties of the available tickets

  37. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 52 If Kerberos credentials are available, what can we do with them? Choose which Kerberos principal is in use ▶ Authenticate with GSSAPI against almost anything ▶ Obtain SAML assertion for other web services (and more) ▶ Use to access networking file systems ▶ Display properties of the available tickets ▶ Renew the ticket granting ticket (TGT)

  38. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 53 If Kerberos credentials are available, what can we do with them? ▶ Authenticate with GSSAPI against almost anything ▶ Obtain SAML assertion for other web services (and more) ▶ Use to access networking file systems ▶ Display properties of the available tickets ▶ Renew the ticket granting ticket (TGT) ▶ Choose which Kerberos principal is in use

  39. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 54 Authenticate with GSSAPI Epiphany, the GNOME Web Browser, in GNOME 3.18: libsoup has been dragging since 2009, bug #587145 WebkitGtk is unusable for SAML/OAuth2 interactions involving Kerberos One cannot use Google apps with GSSAPI in Gnome Online Accounts No single sign-on with GSSAPI from GNOME applications using WebkitGtk to authenticate ▶ GSSAPI support is no more, depends on libsoup support

  40. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 55 Authenticate with GSSAPI Epiphany, the GNOME Web Browser, in GNOME 3.18: WebkitGtk is unusable for SAML/OAuth2 interactions involving Kerberos One cannot use Google apps with GSSAPI in Gnome Online Accounts No single sign-on with GSSAPI from GNOME applications using WebkitGtk to authenticate ▶ GSSAPI support is no more, depends on libsoup support ▶ libsoup has been dragging since 2009, bug #587145

  41. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 56 Authenticate with GSSAPI Epiphany, the GNOME Web Browser, in GNOME 3.18: One cannot use Google apps with GSSAPI in Gnome Online Accounts No single sign-on with GSSAPI from GNOME applications using WebkitGtk to authenticate ▶ GSSAPI support is no more, depends on libsoup support ▶ libsoup has been dragging since 2009, bug #587145 ▶ WebkitGtk is unusable for SAML/OAuth2 interactions involving Kerberos

  42. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 57 Authenticate with GSSAPI Epiphany, the GNOME Web Browser, in GNOME 3.18: No single sign-on with GSSAPI from GNOME applications using WebkitGtk to authenticate ▶ GSSAPI support is no more, depends on libsoup support ▶ libsoup has been dragging since 2009, bug #587145 ▶ WebkitGtk is unusable for SAML/OAuth2 interactions involving Kerberos ▶ One cannot use Google apps with GSSAPI in Gnome Online Accounts

  43. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 58 Authenticate with GSSAPI Epiphany, the GNOME Web Browser, in GNOME 3.18: ▶ GSSAPI support is no more, depends on libsoup support ▶ libsoup has been dragging since 2009, bug #587145 ▶ WebkitGtk is unusable for SAML/OAuth2 interactions involving Kerberos ▶ One cannot use Google apps with GSSAPI in Gnome Online Accounts ▶ No single sign-on with GSSAPI from GNOME applications using WebkitGtk to authenticate

  44. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 59 Can we do better than this?

  45. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 60 Demo of single sign-on in Epiphany Demo (until 1m42s): http: //talks.vda.li/2016/05/SambaXP/freeipa-ipsilon-googleapps-signon.webm

  46. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 61 What was that? Tomáš Popela (Red Hat), David Woodhouse (Intel), and Guido Guenther (Debian) worked to fix libsoup and WebkitGtk We logged into my FreeIPA server’s Web UI The code is in GNOME 3.20 (March 2016) and is in Fedora 24 beta (released on May 10th) By default, all HTTPS sites advertising WWW-Authenticate: Negotiate authentication method will be probed with GSSAPI

  47. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 62 Why all this is important? working, or have multi-factor authentication working (full circle loop now) ▶ Multi-factor authentication moves to Web-based flows (Azure, Windows 10) ▶ Corporate portals are used to authenticate when accessing external resources ▶ Captive portals prevent Internet access before logon ▶ You need to be able to be on VPN before logon to your system or have Kerberos proxy ▶ WebkitGTK+ is embedded in many applications

  48. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 63 Diversion: Running a browser before logon? But network profile (access point) needs to be selected first This means Network Manager has to run before logon This means Network Manager needs to access user-specific data before logon A complete re-arrangement of logon UX Down the rabbit hole… ▶ Yes, effectively, a sandbox with a locked-down web engine

  49. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 64 Diversion: Running a browser before logon? This means Network Manager has to run before logon This means Network Manager needs to access user-specific data before logon A complete re-arrangement of logon UX Down the rabbit hole… ▶ Yes, effectively, a sandbox with a locked-down web engine ▶ But network profile (access point) needs to be selected first

  50. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 65 Diversion: Running a browser before logon? This means Network Manager needs to access user-specific data before logon A complete re-arrangement of logon UX Down the rabbit hole… ▶ Yes, effectively, a sandbox with a locked-down web engine ▶ But network profile (access point) needs to be selected first ▶ This means Network Manager has to run before logon

  51. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 66 Diversion: Running a browser before logon? A complete re-arrangement of logon UX Down the rabbit hole… ▶ Yes, effectively, a sandbox with a locked-down web engine ▶ But network profile (access point) needs to be selected first ▶ This means Network Manager has to run before logon ▶ This means Network Manager needs to access user-specific data before logon

  52. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 67 Diversion: Running a browser before logon? Down the rabbit hole… ▶ Yes, effectively, a sandbox with a locked-down web engine ▶ But network profile (access point) needs to be selected first ▶ This means Network Manager has to run before logon ▶ This means Network Manager needs to access user-specific data before logon ▶ A complete re-arrangement of logon UX

  53. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 68 Ok, anything for users, not admins?

  54. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 69 Single sign-on to Google Apps Demo (starting from 1m42s): http: //talks.vda.li/2016/05/SambaXP/freeipa-ipsilon-googleapps-signon.webm

  55. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 70 What was that? Ipsilon project: http://ipsilon-project.org/ Google Apps as a Service Provider (SP) talking to FreeIPA via Ipsilon’s IdP Users from FreeIPA can logon to Google Apps if admin did pre-create accounts for them At no point Google has access to FreeIPA users’ credentials SSSD is the key component here, the same setup will work for a SSSD enrolled to Samba AD GNOME Online Accounts now configured to access Google Apps’ services Setup recipe: https://ipsilon-project.org/doc/example/google-apps.html ▶ Ipsilon as an Identity Provider (IdP) taking user information from FreeIPA

  56. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 71 What was that? Google Apps as a Service Provider (SP) talking to FreeIPA via Ipsilon’s IdP Users from FreeIPA can logon to Google Apps if admin did pre-create accounts for them At no point Google has access to FreeIPA users’ credentials SSSD is the key component here, the same setup will work for a SSSD enrolled to Samba AD GNOME Online Accounts now configured to access Google Apps’ services Setup recipe: https://ipsilon-project.org/doc/example/google-apps.html ▶ Ipsilon as an Identity Provider (IdP) taking user information from FreeIPA ▶ Ipsilon project: http://ipsilon-project.org/

  57. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 72 What was that? Users from FreeIPA can logon to Google Apps if admin did pre-create accounts for them At no point Google has access to FreeIPA users’ credentials SSSD is the key component here, the same setup will work for a SSSD enrolled to Samba AD GNOME Online Accounts now configured to access Google Apps’ services Setup recipe: https://ipsilon-project.org/doc/example/google-apps.html ▶ Ipsilon as an Identity Provider (IdP) taking user information from FreeIPA ▶ Ipsilon project: http://ipsilon-project.org/ ▶ Google Apps as a Service Provider (SP) talking to FreeIPA via Ipsilon’s IdP

  58. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 73 What was that? At no point Google has access to FreeIPA users’ credentials SSSD is the key component here, the same setup will work for a SSSD enrolled to Samba AD GNOME Online Accounts now configured to access Google Apps’ services Setup recipe: https://ipsilon-project.org/doc/example/google-apps.html ▶ Ipsilon as an Identity Provider (IdP) taking user information from FreeIPA ▶ Ipsilon project: http://ipsilon-project.org/ ▶ Google Apps as a Service Provider (SP) talking to FreeIPA via Ipsilon’s IdP ▶ Users from FreeIPA can logon to Google Apps if admin did pre-create accounts for them

  59. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 74 What was that? SSSD is the key component here, the same setup will work for a SSSD enrolled to Samba AD GNOME Online Accounts now configured to access Google Apps’ services Setup recipe: https://ipsilon-project.org/doc/example/google-apps.html ▶ Ipsilon as an Identity Provider (IdP) taking user information from FreeIPA ▶ Ipsilon project: http://ipsilon-project.org/ ▶ Google Apps as a Service Provider (SP) talking to FreeIPA via Ipsilon’s IdP ▶ Users from FreeIPA can logon to Google Apps if admin did pre-create accounts for them ▶ At no point Google has access to FreeIPA users’ credentials

  60. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 75 What was that? GNOME Online Accounts now configured to access Google Apps’ services Setup recipe: https://ipsilon-project.org/doc/example/google-apps.html ▶ Ipsilon as an Identity Provider (IdP) taking user information from FreeIPA ▶ Ipsilon project: http://ipsilon-project.org/ ▶ Google Apps as a Service Provider (SP) talking to FreeIPA via Ipsilon’s IdP ▶ Users from FreeIPA can logon to Google Apps if admin did pre-create accounts for them ▶ At no point Google has access to FreeIPA users’ credentials ▶ SSSD is the key component here, the same setup will work for a SSSD enrolled to Samba AD

  61. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 76 What was that? Setup recipe: https://ipsilon-project.org/doc/example/google-apps.html ▶ Ipsilon as an Identity Provider (IdP) taking user information from FreeIPA ▶ Ipsilon project: http://ipsilon-project.org/ ▶ Google Apps as a Service Provider (SP) talking to FreeIPA via Ipsilon’s IdP ▶ Users from FreeIPA can logon to Google Apps if admin did pre-create accounts for them ▶ At no point Google has access to FreeIPA users’ credentials ▶ SSSD is the key component here, the same setup will work for a SSSD enrolled to Samba AD ▶ GNOME Online Accounts now configured to access Google Apps’ services

  62. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 77 What was that? https://ipsilon-project.org/doc/example/google-apps.html ▶ Ipsilon as an Identity Provider (IdP) taking user information from FreeIPA ▶ Ipsilon project: http://ipsilon-project.org/ ▶ Google Apps as a Service Provider (SP) talking to FreeIPA via Ipsilon’s IdP ▶ Users from FreeIPA can logon to Google Apps if admin did pre-create accounts for them ▶ At no point Google has access to FreeIPA users’ credentials ▶ SSSD is the key component here, the same setup will work for a SSSD enrolled to Samba AD ▶ GNOME Online Accounts now configured to access Google Apps’ services ▶ Setup recipe:

  63. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 78 What does GSSAPI support open for use in GNOME Online Accounts? Automated credentials renewal Automated token/assertion renewal for SAML/OpenID No need to store passwords locally (secure kiosks?) ▶ Single sign-on is the primary feature

  64. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 79 What does GSSAPI support open for use in GNOME Online Accounts? Automated token/assertion renewal for SAML/OpenID No need to store passwords locally (secure kiosks?) ▶ Single sign-on is the primary feature ▶ Automated credentials renewal

  65. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 80 What does GSSAPI support open for use in GNOME Online Accounts? No need to store passwords locally (secure kiosks?) ▶ Single sign-on is the primary feature ▶ Automated credentials renewal ▶ Automated token/assertion renewal for SAML/OpenID

  66. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 81 What does GSSAPI support open for use in GNOME Online Accounts? ▶ Single sign-on is the primary feature ▶ Automated credentials renewal ▶ Automated token/assertion renewal for SAML/OpenID ▶ No need to store passwords locally (secure kiosks?)

  67. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 82 Visualize GNOME Online Accounts could show Kerberos ticket properties ▶ Ticket time validity, flags (forward, renewal) ▶ Authentication indicators ▶ Existing service tickets in the credentials cache and allow to remove them selectively ▶ Allow automatic ticket renewal if KDC permits it

  68. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 83 Consume Choose between different Kerberos principals of credentials ▶ MIT Kerberos supports kernel keyring (1.12+) and directory-based (1.11+) storage of credentials ▶ Multiple Kerberos principals can be stored and used at the same time ▶ Only a single principal can be defined as “primary” for each Kerberos realm in the collection

  69. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 84 Kerberos ticket renewal factors) as in 2FA case needed information could be provided via SSSD InfoPipe/AuthPipe ▶ SSSD supports automatic Kerberos ticket renewal for single factor cases ▶ Renewing 2FA tickets requires UI interaction triggered by expiry time ▶ Automatic ticket renewal requires permission from KDC, visible as a ticket flag ▶ GNOME Online Accounts could integrate with SSSD in prompting for credentials (multiple

  70. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 85 Better Kerberos in browsers prompted for confirmation once details 43 Red Hat Firefox team together with Firefox upstream ▶ Firefox Kerberos setup isn’t nice ▶ needs about:config manipulation ▶ DNS domains associated with Kerberos realm could be discovered via DNS SRV records, ▶ FreeIPA used to provide an extension to automate Firefox setup ▶ Extension was generated locally for for each FreeIPA deployment to provide configuration ▶ not anymore: Firefox removed ability to provide non-publicly available extensions since version ▶ There are about dozen bugs related to GSSAPI support in Firefox, gradually being fixed by

  71. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 86 Better Kerberos in browsers are not available poor user experience WWW-Authenticate: Negotiate over HTTPS the first logon WWW-Authenticate: Negotiate over HTTPS ▶ Chromium/Chrome ▶ Have bugs for processing of WWW-Authenticate: Negotiate when Kerberos credentials ▶ On Linux only allows to configure Kerberos use through command line or statically system-wide, ▶ A fixed libsoup/WebkitGtk allows to always use GSSAPI if server advertises ▶ no need to configure anything in Epiphany ▶ could be further confined with a user confirmation similar to how passwords are managed at ▶ Konqueror browser in KDE allows to always use GSSAPI if server advertises

  72. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 87 Better Kerberos in browsers https://bugzilla.mozilla.org/show_bug.cgi?id=890908 ▶ GSSAPI flow is synchronous, needs better UI interaction to avoid hogging down other tabs ▶ still major issue for many browsers ▶ Bug #890908 is on the way to be fixed in Firefox ▶ But asynchronous GSSAPI flow would do wonders too!

  73. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 88 Any practical use of it?

  74. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 89 Single sign-on at home Demo : http: //talks.vda.li/2016/05/SambaXP/freeipa-ipsilon-owncloud-signon.webm

  75. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 90 What was that? I set up Owncloud instance and created a simple application to do login via Ipsilon SAML Successfully logged-in users get created in Owncloud if they belong to a certain group in FreeIPA No need to enter password if Kerberos credentials are available Credentials were entered only once ▶ I set up Ipsilon to authenticate against my FreeIPA server

  76. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 91 What was that? Successfully logged-in users get created in Owncloud if they belong to a certain group in FreeIPA No need to enter password if Kerberos credentials are available Credentials were entered only once ▶ I set up Ipsilon to authenticate against my FreeIPA server ▶ I set up Owncloud instance and created a simple application to do login via Ipsilon SAML

  77. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 92 What was that? FreeIPA No need to enter password if Kerberos credentials are available Credentials were entered only once ▶ I set up Ipsilon to authenticate against my FreeIPA server ▶ I set up Owncloud instance and created a simple application to do login via Ipsilon SAML ▶ Successfully logged-in users get created in Owncloud if they belong to a certain group in

  78. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 93 What was that? FreeIPA Credentials were entered only once ▶ I set up Ipsilon to authenticate against my FreeIPA server ▶ I set up Owncloud instance and created a simple application to do login via Ipsilon SAML ▶ Successfully logged-in users get created in Owncloud if they belong to a certain group in ▶ No need to enter password if Kerberos credentials are available

  79. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 94 What was that? FreeIPA ▶ I set up Ipsilon to authenticate against my FreeIPA server ▶ I set up Owncloud instance and created a simple application to do login via Ipsilon SAML ▶ Successfully logged-in users get created in Owncloud if they belong to a certain group in ▶ No need to enter password if Kerberos credentials are available ▶ Credentials were entered only once

  80. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 95 Better support for SAML in GNOME Online Accounts GNOME Online Accounts in GNOME 3.20 supports single sign-on with a catch There is a plan to fix GNOME VFS to support SAML negotiation so that Nautilus would be able to re-negotiate when accessing WebDAV shares ▶ WebDAV protocol doesn’t really work well with mod_auth_mellon as SAML client ▶ Have to use separate Owncloud end-point for non-SAML logon

  81. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 96 How enterprisey our home could become?

  82. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 97 Very very enterprisey Demo : http://talks.vda.li/2016/05/SambaXP/ freeipa-ipsilon-trusted-domain-owncloud-signon.webm

  83. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 98 What is that? Ipsilon is configured to accept all valid users provided by FreeIPA Active Directory users are valid ones, with fully qualified user names to differentiate them from IPA users Active Directory administrator signed into Owncloud as a normal user Credentials were entered only once ▶ FreeIPA has a cross-forest trust to an Active Directory forest

  84. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 99 What is that? Active Directory users are valid ones, with fully qualified user names to differentiate them from IPA users Active Directory administrator signed into Owncloud as a normal user Credentials were entered only once ▶ FreeIPA has a cross-forest trust to an Active Directory forest ▶ Ipsilon is configured to accept all valid users provided by FreeIPA

  85. Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 100 What is that? from IPA users Active Directory administrator signed into Owncloud as a normal user Credentials were entered only once ▶ FreeIPA has a cross-forest trust to an Active Directory forest ▶ Ipsilon is configured to accept all valid users provided by FreeIPA ▶ Active Directory users are valid ones, with fully qualified user names to differentiate them

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Enterprise and Desktop Search Lecture 5: Desktop Search and Personal Information Personal

Enterprise and Desktop Search Lecture 5: Desktop Search and Personal Information Personal

Enterprise and Desktop Search Lecture 5: Desktop Search and Personal Information Personal Information Management Pavel Dmitriev Pavel Serdyukov Sergey Chernov Delft University of L3S Research Center Yahoo! Labs Technology Hannover

1.13k views • 90 slides
Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

January 30th, 2016 FOSDEM16 Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com ) Enterprise desktop at home with FreeIPA and GNOME 2 Enterprise? Enterprise desktop at home with FreeIPA and GNOME 3 *

978 views • 71 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering Web Programming Paradigms So far we have seen server-side programming Next Enrich user experience, interactivity with client- side

759 views • 24 slides
Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

948 views • 59 slides
Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Challenge: Database Access for Client-side Apps Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App Presented by Marek Zawirski App App Inria / UPMC-LIP6, Paris (now at Google, Zrich) Marek

469 views • 13 slides
CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Client-side JavaScript Browser Analysis of JavaScript Plugins eval and code Extensions obfuscation Firefox extension model

812 views • 51 slides
Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why using a database Persistency Concurrency (avoid race conditions) Query Scalability SQL vs NoSQL databases Relational database (SQL

475 views • 10 slides
Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Content Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard Krger, Albrecht Schmidt 3. Server Side Programming Universitt Karlsruhe Fakultt fr Informatik Institut fr Telematik Wintersemester

532 views • 14 slides
Governance, Risk Management and Compliance Lect. Dr. Ana-Maria Ghiran Prof. Dr. Robert Buchmann

Governance, Risk Management and Compliance Lect. Dr. Ana-Maria Ghiran Prof. Dr. Robert Buchmann

24th International Working Conference, REFSQ 2018, Utrecht, The Netherlands, March 19-22, 2018 Security Requirements Elicitation from Engineering Governance, Risk Management and Compliance Lect. Dr. Ana-Maria Ghiran Prof. Dr. Robert Buchmann

305 views • 14 slides
Use of NSF Supercomputers Rob Gardner, University of Chicago OSG Council, Indianapolis, October

Use of NSF Supercomputers Rob Gardner, University of Chicago OSG Council, Indianapolis, October

Use of NSF Supercomputers Rob Gardner, University of Chicago OSG Council, Indianapolis, October 3, 2017 1 Acknoweledgements !! Frank Wuerthwein Edgar Fajardo Mark Neubauer, Dave Lesny & Peter Onyisi Mats Rynge Rob Quick 2 Goal

676 views • 28 slides
Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
Federal Advocacy and Policy Updates: What's New for HCBS and Self-Direction Alison Barkoff Dan

Federal Advocacy and Policy Updates: What's New for HCBS and Self-Direction Alison Barkoff Dan

Federal Advocacy and Policy Updates: What's New for HCBS and Self-Direction Alison Barkoff Dan Berland Director of Advocacy Director of Federal Policy Center for Public Representation NASDDDS abarkoff@cpr-us.org dberland@nasddds.org

817 views • 59 slides
Classification: Public 1 Protect Y Your User Accounts Like Its 2019 Thomas Konrad, SBA

Classification: Public 1 Protect Y Your User Accounts Like Its 2019 Thomas Konrad, SBA

Classification: Public 1 Protect Y Your User Accounts Like Its 2019 Thomas Konrad, SBA Research sec4dev, Feb 27 th , 2019 SBA Research gGmbH, 2019 Classification: Public 2 $ whoami Thomas Konrad $ id uid=123(tom) gid=0(SBA Research)

733 views • 52 slides
Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan

Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan

Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan University, Israel PKC 2013 Yehuda Lindell Techniques for Efficient Secure Computation 28/2/2013 1 / 39 Secure Computation Background A set of

689 views • 39 slides
MariaDB security features and best practices Robert Bindar Software Developer @MariaDB

MariaDB security features and best practices Robert Bindar Software Developer @MariaDB

MariaDB security features and best practices Robert Bindar Software Developer @MariaDB Foundation Percona Live Austin, 28-30 May 2019 Motivation - Users Potential public shaming through data breaches Massive loss of business

606 views • 42 slides
Title Slide Math 696 Class July 19, 2002 Line 1 Line 2 Line 3 Line 4 Line 5 Line 6 Line 7

Title Slide Math 696 Class July 19, 2002 Line 1 Line 2 Line 3 Line 4 Line 5 Line 6 Line 7

Title Slide Math 696 Class July 19, 2002 Line 1 Line 2 Line 3 Line 4 Line 5 Line 6 Line 7 1 0 sin( x ) =?

312 views • 3 slides

More recommend