authpolicy: Make Kerberos user TGT available in Chrome

Issue description
To support SSO e.g. for Arc account provisioning.
Design doc: https://docs.google.com/a/google.com/document/d/12k2cECJc4kp36gYcQEPKRIOBBHE10z6JS91IL6AxiGA/edit?usp=sharing

Jul 24 2017

Jul 31 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/system_api/+/3eac6aef29eb1219c7db9c7c15d42bcdd8f22cee

commit 3eac6aef29eb1219c7db9c7c15d42bcdd8f22cee
Author: Lutz Justen <ljusten@chromium.org>
Date: Mon Jul 31 09:28:58 2017

authpolicy: Add proto for Kerberos files

Adds a protobuf used for getting the user's Kerberos credential cache and configuration file into Chrome. Moreover, adds the new D-Bus call to dbus-constants. See CL:555491 for the corresponding authpolicy change.

BUG=chromium:737960
TEST=Tested with dependent CL.

Change-Id: Id955c0715df40c3e4d05b77657d723520e02e7ce
Reviewed-on: https://chromium-review.googlesource.com/555512
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/3eac6aef29eb1219c7db9c7c15d42bcdd8f22cee/dbus/authpolicy/dbus-constants.h
[modify] https://crrev.com/3eac6aef29eb1219c7db9c7c15d42bcdd8f22cee/dbus/authpolicy/active_directory_info.proto

Aug 1 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/11d4b2dd339c328d62947f47af8f0b1216a874c2

commit 11d4b2dd339c328d62947f47af8f0b1216a874c2
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Tue Aug 01 13:21:43 2017

Roll src/third_party/cros_system_api/ 542963a5c..3eac6aef2 (1 commit)

https://chromium.googlesource.com/chromiumos/platform/system_api.git/+log/542963a5cdc8..3eac6aef29eb

$ git log 542963a5c..3eac6aef2 --date=short --no-merges --format='%ad %ae %s'
2017-06-29 ljusten authpolicy: Add proto for Kerberos files

Created with:
  roll-dep src/third_party/cros_system_api

Bug: 737960
Change-Id: I84ac71002f0427e01e8a4f576dc8536237d1b330
Reviewed-on: https://chromium-review.googlesource.com/594050
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#490965}

[modify] https://crrev.com/11d4b2dd339c328d62947f47af8f0b1216a874c2/DEPS

Aug 1 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/ab9049954fc2cb595c663b675846a40113ec4554

commit ab9049954fc2cb595c663b675846a40113ec4554
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Aug 01 20:01:39 2017

authpolicy: Implement D-Bus methods to sync Kerberos files

Implements a signal to notify Kerberos credential cache and configuration file changes as well as a method to get those files. The credential cache contains the user's Kerberos TGT, which is a short lived password for Active Directory services. The goal is to implement Kerberos SSO in Chrome, where Chrome authenticates the user using the TGT. For this reason, we must get the files into Chrome. Kerberos SSO will be first used to authenticate Active Directory enrolled users against DMServer during ARC account provisioning.

CQ-DEPEND=CL:555512
BUG=chromium:737960
TEST=Tested D-Bus call on device:
  sudo -u chronos dbus-send --system --type=method_call --print-reply --dest=org.chromium.AuthPolicy /org/chromium/AuthPolicy org.chromium.AuthPolicy.GetUserKerberosFiles string:a-63e60df2-cb8f-424a-9d22-7420c3cb207a
Ran unit tests:
  cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I7fc188a6d95709c74eb6d1856fb20fd3e6d21dfc
Reviewed-on: https://chromium-review.googlesource.com/555491
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/authpolicy_metrics.h
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/stub_kinit_main.cc
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/authpolicy.h
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/stub_common.h
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/dbus_bindings/org.chromium.AuthPolicy.xml
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/samba_helper.h
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/tgt_manager.h
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/tgt_manager.cc
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/samba_interface.cc
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/samba_interface.h
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/constants.h
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/authpolicy_metrics.cc
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/stub_common.cc
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/constants.cc
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/samba_helper.cc
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/authpolicy.cc
[modify] https://crrev.com/ab9049954fc2cb595c663b675846a40113ec4554/authpolicy/etc/dbus-1/org.chromium.AuthPolicy.conf

Aug 8 2017

Aug 8 2017
I link my Chrome CL to that bug.

Aug 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb

commit 0a61d9ee2b51d8b2df8023f3493af2dce15af2bb
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Wed Aug 09 08:33:47 2017

Chromad: Get Kerberos files from authpolicyd

The goal is to let Chrome use the user's Kerberos ticket (through GSSAPI) to enable
single sign-on to other services that use Active Directory authentication.

Fetches credential cache file and krb5.conf file for the user.
Puts them on the user partition.
Set environment variables for GSSAPI library.

Bug: 737960
Change-Id: Ie8ea1d0a3d032bf1cc647d579b7c908dd652c787
Reviewed-on: https://chromium-review.googlesource.com/555500
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#492906}

[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc
[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.h
[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager_unittest.cc
[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chrome/browser/chromeos/login/enterprise_enrollment_browsertest.cc
[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chrome/browser/chromeos/login/login_browsertest.cc
[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chrome/browser/chromeos/policy/active_directory_policy_manager_unittest.cc
[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chromeos/dbus/auth_policy_client.cc
[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chromeos/dbus/auth_policy_client.h
[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chromeos/dbus/fake_auth_policy_client.cc
[modify] https://crrev.com/0a61d9ee2b51d8b2df8023f3493af2dce15af2bb/chromeos/dbus/fake_auth_policy_client.h

Aug 9 2017

Aug 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9

commit 4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9
Author: John Mellor <johnme@chromium.org>
Date: Wed Aug 09 12:40:18 2017

Revert "Chromad: Get Kerberos files from authpolicyd"

This reverts commit 0a61d9ee2b51d8b2df8023f3493af2dce15af2bb.

Reason for revert: ActiveDirectoryLoginTest.LoginSuccess is failing on two bots:
https://build.chromium.org/p/chromium.memory/builders/Linux%20Chromium%20OS%20ASan%20LSan%20Tests%20%281%29/builds/22890
and
https://build.chromium.org/p/chromium.memory/builders/Linux%20ChromiumOS%20MSan%20Tests/builds/2225
due to a heap-use-after-free error:
https://luci-logdog.appspot.com/v/?s=chromium%2Fbb%2Fchromium.memory%2FLinux_Chromium_OS_ASan_LSan_Tests__1_%2F22890%2F%2B%2Frecipes%2Fsteps%2Finteractive_ui_tests%2F0%2Flogs%2FActiveDirectoryLoginTest.LoginSuccess%2F0

Original change's description:
> Chromad: Get Kerberos files from authpolicyd
>
> The goal is to let Chrome use the user's Kerberos ticket (through GSSAPI) to enable
> single sign-on to other services that use Active Directory authentication.
>
> Fetches credential cache file and krb5.conf file for the user.
> Puts them on the user partition.
> Set environment variables for GSSAPI library.
>
> Bug: 737960
> Change-Id: Ie8ea1d0a3d032bf1cc647d579b7c908dd652c787
> Reviewed-on: https://chromium-review.googlesource.com/555500
> Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
> Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#492906}

TBR=xiyuan@chromium.org,rsorokin@chromium.org,ljusten@chromium.org

Change-Id: Ib292d584592e0786be920c62d87db9e5fe854fb0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 737960
Reviewed-on: https://chromium-review.googlesource.com/608247
Reviewed-by: John Mellor <johnme@chromium.org>
Commit-Queue: John Mellor <johnme@chromium.org>
Cr-Commit-Position: refs/heads/master@{#492955}

[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc
[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.h
[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager_unittest.cc
[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chrome/browser/chromeos/login/enterprise_enrollment_browsertest.cc
[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chrome/browser/chromeos/login/login_browsertest.cc
[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chrome/browser/chromeos/policy/active_directory_policy_manager_unittest.cc
[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chromeos/dbus/auth_policy_client.cc
[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chromeos/dbus/auth_policy_client.h
[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chromeos/dbus/fake_auth_policy_client.cc
[modify] https://crrev.com/4112536b1cd8f0e01265bbf47cc6a8015b5b3fb9/chromeos/dbus/fake_auth_policy_client.h

Aug 9 2017

Aug 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f34edfdd32fd9660fa358ee546d4010f7ce04aa1

commit f34edfdd32fd9660fa358ee546d4010f7ce04aa1
Author: Gabriel Charette <gab@chromium.org>
Date: Wed Aug 09 13:41:44 2017

Revert "Chromad: Get Kerberos files from authpolicyd"

This reverts commit 0a61d9ee2b51d8b2df8023f3493af2dce15af2bb.

Reason for revert: heap-use-after-free https://crbug.com/753792

Original change's description:
> Chromad: Get Kerberos files from authpolicyd
>
> The goal is to let Chrome use the user's Kerberos ticket (through GSSAPI) to enable
> single sign-on to other services that use Active Directory authentication.
>
> Fetches credential cache file and krb5.conf file for the user.
> Puts them on the user partition.
> Set environment variables for GSSAPI library.
>
> Bug: 737960
> Change-Id: Ie8ea1d0a3d032bf1cc647d579b7c908dd652c787
> Reviewed-on: https://chromium-review.googlesource.com/555500
> Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
> Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#492906}

TBR=xiyuan@chromium.org,rsorokin@chromium.org,ljusten@chromium.org

Change-Id: If02f4da8e49beddb3180a8ef8c87e984c08a10d9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 737960, 753792
Reviewed-on: https://chromium-review.googlesource.com/608387
Reviewed-by: Gabriel Charette <gab@chromium.org>
Commit-Queue: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#492962}

Aug 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7076726c4f9a7cfd4a530e29e1cc6c6242341438

commit 7076726c4f9a7cfd4a530e29e1cc6c6242341438
Author: John Mellor <johnme@chromium.org>
Date: Wed Aug 09 14:06:20 2017

Revert "Chromad: Get Kerberos files from authpolicyd"

This reverts commit 0a61d9ee2b51d8b2df8023f3493af2dce15af2bb.

Reason for revert: either this or 46d2ab06b03d8a32bf0c7e8b1e39856b7263810f caused
https://build.chromium.org/p/chromium.memory/builders/Linux%20ChromiumOS%20MSan%20Tests/builds/2225
to start failing flakily on the following tests:
AuthPolicyCredentialsManagerTest.SaveNames
AuthPolicyCredentialsManagerTest.ShowSameNotificationOnce
AuthPolicyCredentialsManagerTest.ShowDifferentNotifications

Original change's description:
> Chromad: Get Kerberos files from authpolicyd
>
> The goal is to let Chrome use the user's Kerberos ticket (through GSSAPI) to enable
> single sign-on to other services that use Active Directory authentication.
>
> Fetches credential cache file and krb5.conf file for the user.
> Puts them on the user partition.
> Set environment variables for GSSAPI library.
>
> Bug: 737960
> Change-Id: Ie8ea1d0a3d032bf1cc647d579b7c908dd652c787
> Reviewed-on: https://chromium-review.googlesource.com/555500
> Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
> Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#492906}

TBR=xiyuan@chromium.org,rsorokin@chromium.org,ljusten@chromium.org

Change-Id: If7f2a20a76ad725afbf5e8fe930662efeca154ed
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 737960
Reviewed-on: https://chromium-review.googlesource.com/608447
Reviewed-by: John Mellor <johnme@chromium.org>
Commit-Queue: John Mellor <johnme@chromium.org>
Cr-Commit-Position: refs/heads/master@{#492965}

Aug 9 2017
Oops, seemed I reverted this twice for two different failures. Though please fix both failures before relanding :)

Aug 10 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7

commit a6d454cd69f2626d1d26e6ec3f494d7dafde54b7
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Thu Aug 10 09:32:54 2017

Fix MSAN and ASAN bots failing for Chromad: Get Kerberos files from authpolicyd

The goal is to let Chrome use the user's Kerberos ticket (through GSSAPI) to enable
single sign-on to other services that use Active Directory authentication.

Fetches credential cache file and krb5.conf file for the user.
Puts them on the user partition.
Set environment variables for GSSAPI library.

TBR=xiyuan@chromium.org,ljusten@chromium.org

Bug: 737960
Change-Id: I5e2129995a7d50b0411545d730545009b880d147
Reviewed-on: https://chromium-review.googlesource.com/608701
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#493342}

[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc
[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.h
[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager_unittest.cc
[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chrome/browser/chromeos/login/enterprise_enrollment_browsertest.cc
[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chrome/browser/chromeos/login/login_browsertest.cc
[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chrome/browser/chromeos/policy/active_directory_policy_manager_unittest.cc
[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chromeos/dbus/auth_policy_client.cc
[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chromeos/dbus/auth_policy_client.h
[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chromeos/dbus/fake_auth_policy_client.cc
[modify] https://crrev.com/a6d454cd69f2626d1d26e6ec3f494d7dafde54b7/chromeos/dbus/fake_auth_policy_client.h

Aug 10 2017

Feb 22 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a0a63aa020736946588429c56864a3cc9a93701f

commit a0a63aa020736946588429c56864a3cc9a93701f
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Feb 22 15:14:57 2018

Histograms: Sync AuthPolicy metrics

Brings in recent changes to AuthPolicy metrics from Chrome OS code.

BUG=chromium:777979, chromium:737960
TEST=PCQ

Change-Id: I2850c9d5bd7158bd992bc2f36be982ef8c179ad9
Reviewed-on: https://chromium-review.googlesource.com/925501
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Mark Pearson <mpearson@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538437}

[modify] https://crrev.com/a0a63aa020736946588429c56864a3cc9a93701f/tools/metrics/histograms/enums.xml
[modify] https://crrev.com/a0a63aa020736946588429c56864a3cc9a93701f/tools/metrics/histograms/histograms.xml

Apr 30 2018
Verified, authpolicyd fetches credential cache file and krb5.conf file for the user:

2018-04-24T14:02:36.831107-07:00 INFO authpolicyd[7463]: authpolicyd starting
2018-04-24T14:02:36.833738-07:00 INFO authpolicyd[7463]: Read configuration file '/var/lib/authpolicyd/config.dat'
2018-04-24T14:02:36.834151-07:00 INFO authpolicyd[7463]: Running scheduled machine password age check
2018-04-24T14:02:41.581847-07:00 INFO authpolicyd[7463]: No need to change machine password (29 days left)
2018-04-24T14:02:44.569237-07:00 INFO authpolicyd[7463]: #033[41;1;97mReceived 'AuthenticateUser' request#033[0m
2018-04-24T14:02:50.021455-07:00 INFO authpolicyd[7463]: Firing signal UserKerberosFilesChanged
2018-04-24T14:02:54.843107-07:00 INFO authpolicyd[7463]: TGT RENEWAL - Scheduling renewal in 7h 59m 56s (valid for 9h 59m 56s, renewable for 167h 59m 55s)
2018-04-24T14:02:54.843158-07:00 INFO authpolicyd[7463]: AuthenticateUser succeeded
2018-04-24T14:02:54.843686-07:00 INFO authpolicyd[7463]: #033[41;1;97mReceived 'GetUserStatus' request#033[0m
2018-04-24T14:03:03.611845-07:00 INFO authpolicyd[7463]: GetUserStatus succeeded
2018-04-24T14:03:03.612317-07:00 INFO authpolicyd[7463]: #033[41;1;97mReceived 'GetUserKerberosFiles' request#033[0m
2018-04-24T14:03:03.612573-07:00 INFO authpolicyd[7463]: GetUserKerberosFiles succeeded

...and puts them on the user partition:

localhost /var/log # ls -l /home/chronos/user/kerberos/
total 20
-rw-------. 1 chronos chronos 4498 Apr 27 15:29 krb5cc
-rw-------. 1 chronos chronos 401 Apr 27 15:29 krb5.conf
localhost /var/log #

Chrome OS: 10575.17.0
Chrome: 67.0.3396.19
Device: Santa
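
Because the credential cache holds the user's TGT, the listing above is worth checking mechanically: both files should be regular files (not symlinks), mode 600, owned by the expected user. The script below is an added example, not part of this bug thread or of Chromium code; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the Kerberos files directory shown in the listing
# (krb5cc and krb5.conf). Function names are hypothetical; requires GNU stat.

# audit_krb_file PATH UID
# Prints one FINDING line per problem; returns 1 if any problem was found.
audit_krb_file() {
    f_path=$1; f_uid=$2; f_rc=0
    # A symlink could redirect readers or writers to a file elsewhere.
    if [ -L "$f_path" ]; then
        echo "FINDING: $f_path is a symlink"; return 1
    fi
    if [ ! -f "$f_path" ]; then
        echo "FINDING: $f_path missing or not a regular file"; return 1
    fi
    f_mode=$(stat -c '%a' "$f_path")   # octal permission bits
    f_own=$(stat -c '%u' "$f_path")    # numeric owner uid
    if [ "$f_mode" != "600" ]; then
        echo "FINDING: $f_path mode $f_mode, expected 600"; f_rc=1
    fi
    if [ "$f_own" != "$f_uid" ]; then
        echo "FINDING: $f_path owner uid $f_own, expected $f_uid"; f_rc=1
    fi
    return $f_rc
}

# audit_krb_dir DIR UID
# Checks both files from the listing; returns 1 if either one fails.
audit_krb_dir() {
    d_dir=$1; d_uid=$2; d_rc=0
    for d_name in krb5cc krb5.conf; do
        audit_krb_file "$d_dir/$d_name" "$d_uid" || d_rc=1
    done
    return $d_rc
}

# Demo on a constructed directory: krb5.conf is deliberately world-readable.
demo=$(mktemp -d)
: > "$demo/krb5cc";    chmod 600 "$demo/krb5cc"
: > "$demo/krb5.conf"; chmod 644 "$demo/krb5.conf"
audit_krb_dir "$demo" "$(id -u)" || echo "audit reported findings"
rm -rf "$demo"
```

On a device matching the listing, the call would be audit_krb_dir /home/chronos/user/kerberos "$(id -u chronos)".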

Comment 1 by ljusten@chromium.org, Jun 29 2017