Alexander Bokovoy

Sr. Principal Software Engineer at Red Hat, working on security and identity management. Actively participates in FreeIPA, SSSD, Samba, and many other free software projects targeting open source enterprise environments.


Matrix ID

@abbra:matrix.org


Sessions

08-08
10:00
55min
Adopting enterprise domain clients to Silverblue: FreeIPA view
Alexander Bokovoy

A typical Active Directory or FreeIPA deployment assumes strong trust between the domain controllers and client systems enrolled into the domain. Kerberos configuration, machine credentials, TLS certificates and their CA chains are unique to each environment, and not all of this information can be made public as part of a generally available image. Additional packages need to be present in the image to make sure enrollment is successful as well. On-demand domain enrollment, adjustment of the configurations to enable use of single sign-on services, and many other features provided by traditional Fedora don't work well with Silverblue images.

This talk is an investigation into what is needed to adjust Samba, FreeIPA, and SSSD clients to work properly with CoreOS/Silverblue-based deployments. It is based on a 1.5-year experiment of running my own automatically rebased Silverblue images for a FreeIPA client in a custom domain environment.

General
Azure (Breakout 3)
08-08
16:30
55min
Progress with passwordless Fedora for enterprise and standalone use
Alexander Bokovoy

When using FreeIPA with Fedora 37 or later, one can log in with the help of external identity providers using the OAuth2 device authorization flow. With Fedora 39, support for passkeys (FIDO2 tokens) was added. Yet, this did not work well for a login to a GNOME session.

This talk is a report on our progress in expanding the use of passwordless methods in Fedora. GNOME login integration is improving and will get better usability for OAuth2 authentication. At the same time, support for a standalone passwordless experience, without using FreeIPA, will soon be possible as well, opening a way to use the same improved security features for default Fedora workstations and servers.

General
Lenovo (Breakout 1)