Bug 89205

Summary: Don't try to do join without authentication unless explicitly requested
Product: realmd
Component: realmd
Reporter: Stef Walter <stefw>
Assignee: Stef Walter <stefw>
Status: RESOLVED FIXED
QA Contact: yelley
Severity: normal
Priority: medium
CC: stefw
Version: unspecified
Hardware: Other
OS: All
Attachments:
  service: Refactor to support per domain supported cred types
  Disable automatic AD joins by default

Description Stef Walter 2015-02-18 14:36:04 UTC
The realm command and various other realmd clients should not do a join without authentication unless specifically requested.

We should not try to do a join with a preset computer account without authentication (such as an OTP or an admin password). The security of Kerberos relies on the shared secret.

This currently occurs with the 'realm' command when used against AD.

Comment 1 Stef Walter 2015-02-20 21:24:15 UTC
Created attachment 113699
service: Refactor to support per domain supported cred types

This is so specific domains can be configured to support things
like automatic authentication.

Comment 2 Stef Walter 2015-02-20 21:24:18 UTC
Created attachment 113700
Disable automatic AD joins by default

We only offer them as an option to clients if they have been configured
in the realmd.conf file.

This is because automatic AD joins do not have the mutual authentication
we usually expect with Kerberos. The computer account secret is
predictable and not secure enough to be on by default.

Comment 3 Stef Walter 2015-04-11 11:28:43 UTC
Merged.
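
Added example, not part of the original bug report or of realmd's code: a small audit for the setting Comment 2 describes, listing the realm sections of a realmd.conf that opt in to automatic joins. The `automatic-join` key name and the yes/true/1 values are assumptions taken from realmd's configuration documentation (neither appears on this page), and the sample file content is constructed.

```python
import configparser

# Values treated as "enabled". Assumption: realmd accepts yes/true/1,
# case-insensitively, for boolean settings.
TRUTHY = {"yes", "true", "1"}

# Assumption: this is the per-realm key that re-enables automatic joins.
OPTION = "automatic-join"


def realms_with_automatic_join(conf_text):
    """Return the sorted section names in which automatic joins are enabled."""
    parser = configparser.ConfigParser(
        interpolation=None,   # values such as OU paths are literal text
        strict=False,         # tolerate repeated sections in merged configs
        delimiters=("=",),    # key file syntax uses '=' only
    )
    parser.read_string(conf_text)
    flagged = []
    for section in parser.sections():
        value = parser.get(section, OPTION, fallback=None)
        if value is not None and value.strip().lower() in TRUTHY:
            flagged.append(section)
    return sorted(flagged)


# Constructed sample configuration, not taken from any real host.
SAMPLE = """
[users]
default-shell = /bin/bash

[corp.example.com]
automatic-join = yes
computer-ou = OU=Linux,DC=corp,DC=example,DC=com

[lab.example.com]
automatic-join = no

[test.example.com]
computer-ou = OU=Test,DC=test,DC=example,DC=com
"""

if __name__ == "__main__":
    for realm in realms_with_automatic_join(SAMPLE):
        print(f"{realm}: automatic joins enabled; "
              "joins may proceed without an OTP or admin password")
```

Any realm this reports is one where clients are again offered a join with no OTP or admin password, so each entry should correspond to a deliberate decision.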
