Fedora in GNOME Online Accounts

Hello, I don't know if this is the right place to ask this question.
Btw, on Fedora 31, in the Online Accounts list there is a "Fedora"
voice alongside "Google", "Nextcloud" and so on. What is its purpose?

Thanks,
A.

Comments

Re: Fedora in GNOME Online Accounts

By Felipe Borges at 09/18/2019 - 05:18

Hi!

On Wed, Sep 18, 2019 at 11:07 AM < ... at gmail dot com> wrote:
The "Fedora" account is just a branded Kerberos account. By adding a
Fedora account in GNOME Online Accounts you would get automatically
signed on whenever you'd need to enter your FAS credentials. This
means while accessing Pagure, participating in discussions in
discussion.fedoraproject.org, and also while using Bodhi, Koji, and
all.

Re: Fedora in GNOME Online Accounts

By Peter Robinson at 09/18/2019 - 12:49

Not everything afaict, pagure uses API keys for example, some Fedora
services are kerberised but it's far from all.

Re: Fedora in GNOME Online Accounts

By Michael Catanzaro at 09/18/2019 - 10:01

On Wed, Sep 18, 2019 at 11:18 am, Felipe Borges < ... at redhat dot com>
wrote:
Sadly, it's broken for me because it still doesn't work in flatpak. :(

I wonder if we can get the right people together to discuss how to make
this work.

Michael

Re: Fedora in GNOME Online Accounts

By Robbie Harwood at 09/18/2019 - 10:43

... at gnome dot org writes:

Can you link the bug you've filed about this?

Thanks,
--Robbie

Re: Fedora in GNOME Online Accounts

By Michael Catanzaro at 09/18/2019 - 11:34

On Wed, Sep 18, 2019 at 10:43 am, Robbie Harwood < ... at redhat dot com>
wrote:
I don't even know where to file a bug. Which component? kerberos?
xdg-desktop-portal?

It seems less like a bug in any Fedora component, rather something
that's never been designed to work. How is kerberos supposed to work
under flatpak without a desktop portal to make it work? I don't know.
It needs people who understand both kerberos and flatpak to think about
it.

Michael

Re: Fedora in GNOME Online Accounts

By Robbie Harwood at 09/18/2019 - 13:33

... at gnome dot org writes:

When filing bugs that you don't know the cause of, it's best to start
with the highest level component that doesn't exhibit the behavior you
want and let the maintainers narrow it down and possibly reassign.

So: probably gnome-online-accounts.

There's basically no chance of it ever working if there's no bug :)

Well, they probably don't exist, so if you don't want to file a bug,
you're out of luck. I (krb5 maintainer) don't "understand" flatpak, at
any rate (beyond knowing that I don't have a use case for it).

Thanks,
--Robbie

Re: Fedora in GNOME Online Accounts

By Debarshi Ray at 09/18/2019 - 14:13

Hey,

Speaking as someone who understands a little bit of all the pieces
involved here, but without claiming to be an expert in anything ...

I would expect Flatpak containers to consume Kerberos in roughly the
same way as Toolbox [1] containers do.

First, the host must be configured to use KCM credential caches
[2]. That's been the case since Fedora 27.

The container should similarly be configured to use KCM. Then you bind
mount the KCM socket into the container, and things (e.g., klist,
kinit, other libkrb5 consumers, etc.) should work.

On Fedora, you can see the path to the socket with:
$ systemctl show --value --property Listen sssd-kcm.socket

There's also libkrb5 API to do the same.

The socket usually lives at /var/run/.heim_org.h5l.kcm-socket

Now, since this is Flatpak, we may eventually want to have a desktop
portal to gate access to the socket instead of giving the application
blanket access. I vaguely recall these old mockups from pre-Flatpak
days, but they very likely need to be revisited:
https://wiki.gnome.org/Design/Whiteboards/EnterpriseLogin

I hope that makes sense.

Cheers,
Rishi

[1] https://github.com/debarshiray/toolbox
[2] https://fedoraproject.org/wiki/Changes/KerberosKCMCache

Re: Fedora in GNOME Online Accounts

By Michael Catanzaro at 09/19/2019 - 10:42

So with help from Rishi, we got it working by:

* Adding a config file [1] into the container.
* Poking a hole in the flatpak sandbox [2], though this is clearly a
nasty hack.

I think this will do for now, though improvements would be good....

[1]
https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389/diffs
[2]
https://gitlab.gnome.org/GNOME/epiphany/commit/bba622a1b92c29cad65af3ca27f4d6be55a925c9
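
Added example, not part of the thread and not code from GNOME, Flatpak or krb5: a small audit helper for the setup discussed above, which reports whether a Flatpak app's metadata grants direct access to the KCM socket (the "hole in the sandbox") and whether a krb5 config selects a KCM cache. It assumes the `[Context]` / `filesystems=` keyfile layout printed by `flatpak info --show-metadata`, the krb5.conf `default_ccache_name` setting, and that `/var/run` is a symlink to `/run`; the app ID and sample metadata are constructed.

```python
import configparser
import posixpath
import re

# Socket path quoted in the thread. Assumption: /var/run is a symlink to /run,
# so both spellings name the same socket.
KCM_SOCKET = "/var/run/.heim_org.h5l.kcm-socket"

# Constructed sample of `flatpak info --show-metadata` output (hypothetical app ID).
SAMPLE_METADATA = """\
[Application]
name=org.example.Browser

[Context]
shared=network;ipc;
filesystems=xdg-download;/run/.heim_org.h5l.kcm-socket;
"""

def _norm(path):
    path = posixpath.normpath(path)
    return path[len("/var"):] if (path + "/").startswith("/var/run/") else path

def kcm_grants(metadata_text, socket=KCM_SOCKET):
    """Return the [Context] filesystems entries that expose the KCM socket."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.read_string(metadata_text)
    raw = cp.get("Context", "filesystems", fallback="")
    target, hits = _norm(socket), []
    for entry in filter(None, (e.strip() for e in raw.split(";"))):
        path = re.sub(r":(ro|rw|create)$", "", entry)
        # Skip negated entries and named locations (home, xdg-*), which this
        # sketch does not interpret; only explicit absolute paths are checked.
        if entry.startswith("!") or not path.startswith("/"):
            continue
        path = _norm(path)
        if target == path or target.startswith(path.rstrip("/") + "/"):
            hits.append(entry)
    return hits

def uses_kcm(krb5_conf_text):
    """True if default_ccache_name is set and every setting selects KCM:."""
    vals = re.findall(r"^\s*default_ccache_name\s*=\s*(\S+)", krb5_conf_text, re.M)
    return bool(vals) and all(v.startswith("KCM:") for v in vals)

if __name__ == "__main__":
    print("entries exposing the KCM socket:", kcm_grants(SAMPLE_METADATA))
```

An app flagged by `kcm_grants` can reach every credential held in the user's KCM cache, which is the blanket access a portal would be meant to gate.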

Re: Fedora in GNOME Online Accounts

By Matthew Miller at 09/19/2019 - 17:07

On Thu, Sep 19, 2019 at 09:42:04AM -0500, Michael Catanzaro wrote:

Nasty hack and all, this is really cool! Thanks everyone for working to make
this happen!

Re: Fedora in GNOME Online Accounts

By Vitaly Zaitsev ... at 09/18/2019 - 07:52

On 9/18/19 11:18 AM, Felipe Borges wrote:
Just out of curiosity, is this done by a patch or with a separate package?

Re: Fedora in GNOME Online Accounts

By Ernestas Kulik at 09/18/2019 - 08:18

On Wed, 2019-09-18 at 13:52 +0200, Sheogorath via devel wrote:

Looks like https://gitlab.gnome.org/GNOME/gnome-online-accounts/merge_requests/27

Re: Fedora in GNOME Online Accounts

By Ismael Olea at 09/18/2019 - 05:41

The "Fedora" account is just a branded Kerberos account. By adding a
Fedora account in GNOME Online Accounts you would get automatically
signed on whenever you'd need to enter your FAS credentials.

Love it.

Re: Fedora in GNOME Online Accounts

By Alessio Ciregia at 09/18/2019 - 05:26

On Wed, 2019-09-18 at 11:18 +0200, Felipe Borges wrote:
:-O
Nice!

Thank you for the answer.

Ciao,
A.