[gnome-online-accounts/wip/kerberos: 3/4] daemon: Add kerberos renewal service



commit 897b391518bd1c666edebc00dc07489b4d482af3
Author: Ray Strode <rstrode redhat com>
Date:   Fri Jul 27 16:17:28 2012 -0400

    daemon: Add kerberos renewal service
    
    This commit adds an identity service whose purpose is
    to automatically renew expiring kerberos credentials,
    and to expose a mechanism over the bus to "kinit".
    
    This service lays the groundwork for integrating a
    kerberos provider into gnome-online-accounts.
    
    A subsequent commit will add the provider itself.
    
    Some changes by Debarshi Ray
    
    https://bugzilla.gnome.org/show_bug.cgi?id=679253

 configure.ac                                 |   82 +
 src/Makefile.am                              |    2 +-
 src/daemon/Makefile.am                       |   14 +-
 src/daemon/goadaemon.c                       |   14 +
 src/goaidentity/Makefile.am                  |  135 ++
 src/goaidentity/goaalarm.c                   |  611 ++++++
 src/goaidentity/goaalarm.h                   |   64 +
 src/goaidentity/goaidentity.c                |   83 +
 src/goaidentity/goaidentity.h                |   79 +
 src/goaidentity/goaidentityenumtypes.c.in    |   42 +
 src/goaidentity/goaidentityenumtypes.h.in    |   24 +
 src/goaidentity/goaidentityinquiry.c         |  144 ++
 src/goaidentity/goaidentityinquiry.h         |  110 ++
 src/goaidentity/goaidentityinquiryprivate.h  |   34 +
 src/goaidentity/goaidentitymanager.c         |  314 +++
 src/goaidentity/goaidentitymanager.h         |  179 ++
 src/goaidentity/goaidentitymanagerprivate.h  |   49 +
 src/goaidentity/goaidentityservice.c         | 2656 ++++++++++++++++++++++++++
 src/goaidentity/goaidentityservice.h         |   61 +
 src/goaidentity/goaidentityutils.c           |  218 +++
 src/goaidentity/goaidentityutils.h           |   41 +
 src/goaidentity/goakerberosidentity.c        | 1518 +++++++++++++++
 src/goaidentity/goakerberosidentity.h        |   89 +
 src/goaidentity/goakerberosidentityinquiry.c |  375 ++++
 src/goaidentity/goakerberosidentityinquiry.h |   73 +
 src/goaidentity/goakerberosidentitymanager.c | 1617 ++++++++++++++++
 src/goaidentity/goakerberosidentitymanager.h |   61 +
 src/goaidentity/org.freedesktop.realmd.xml   |  666 +++++++
 src/goaidentity/org.gnome.Identity.xml       |  124 ++
 src/goaidentity/um-realm-manager.c           |  828 ++++++++
 src/goaidentity/um-realm-manager.h           |  106 +
 31 files changed, 10411 insertions(+), 2 deletions(-)
---
diff --git a/configure.ac b/configure.ac
index adea2b8..9cc8b00 100644
--- a/configure.ac
+++ b/configure.ac
@@ -204,6 +204,87 @@ if test "$enable_windows_live" != "no"; then
   AC_DEFINE(GOA_WINDOWS_LIVE_ENABLED, 1, [Enable Windows Live data provider])
 fi
 
+# Kerberos
+AC_ARG_ENABLE([kerberos],
+              [AS_HELP_STRING([--enable-kerberos],
+              [Enable kerberos support])],
+              [with_kerberos=$enableval],
+              [enable_kerberos=no])
+AC_PATH_PROG([KRB5_CONFIG], krb5-config, none, $PATH:/usr/kerberos/bin)
+
+if test "x$KRB5_CONFIG" != "xnone"; then
+    KRB5_LIBS="`${KRB5_CONFIG} --libs krb5`"
+    KRB5_CFLAGS="`${KRB5_CONFIG} --cflags krb5`"
+    have_kerberos=yes
+else
+    KRB5_LIBS=""
+    KRB5_CFLAGS=""
+    have_kerberos=no
+fi
+AC_SUBST(KRB5_CFLAGS)
+AC_SUBST(KRB5_LIBS)
+
+if test "$enable_kerberos" != "no"; then
+  if test "$have_kerberos" = "no" ; then
+      AC_MSG_ERROR([kerberos support requested, but not available])
+  fi
+
+  PKG_CHECK_MODULES(GCR, gcr-3)
+  AC_DEFINE(GCR_API_SUBJECT_TO_CHANGE, 1, [Define to use the GCR API])
+fi
+AM_CONDITIONAL(BUILD_KERBEROS, [test x$enable_kerberos != xno])
+
+# Optional timerfd support
+AC_MSG_CHECKING([for timerfd support])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+#include <sys/timerfd.h>
+#include <unistd.h>
+],[
+int
+main (void)
+{
+  struct itimerspec timer_spec = { 0 };
+  timerfd_settime (timerfd_create (CLOCK_MONOTONIC, TFD_CLOEXEC),
+                   TFD_TIMER_ABSTIME,
+                   &timer_spec,
+                   NULL);
+
+  return 0;
+}
+])],
+[have_timerfd=yes],
+[have_timerfd=no])
+AC_MSG_RESULT($have_timerfd)
+if test x"$have_timerfd" = x"yes"; then
+    AC_DEFINE(HAVE_TIMERFD, 1, [have timerfd support])
+
+    dnl libc headers tend to trail kernel support
+    dnl so compensate if necessary
+    AC_MSG_CHECKING([for timerfd cancel-on-set support])
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+    #include <sys/timerfd.h>
+    #include <unistd.h>
+    ],[
+    int
+    main (void)
+    {
+      struct itimerspec timer_spec = { 0 };
+      timerfd_settime (timerfd_create (CLOCK_MONOTONIC, TFD_CLOEXEC),
+                       TFD_TIMER_ABSTIME | TFD_TIMER_CANCEL_ON_SET,
+                       &timer_spec,
+                       NULL);
+
+      return 0;
+    }
+    ])],
+    [have_tfd_timer_cancel_on_set=yes],
+    [have_tfd_timer_cancel_on_set=no])
+    AC_MSG_RESULT($have_tfd_timer_cancel_on_set)
+    if test x"$have_tfd_timer_cancel_on_set" = x"no"; then
+       AC_DEFINE(TFD_TIMER_CANCEL_ON_SET, [(1 << 1)], [have timerfd support])
+    fi
+fi
+
 # Internationalization
 #
 
@@ -231,6 +312,7 @@ src/goa/Makefile
 src/goa/goa-1.0.pc
 src/goabackend/Makefile
 src/goabackend/goa-backend-1.0.pc
+src/goaidentity/Makefile
 src/daemon/Makefile
 src/examples/Makefile
 po/Makefile.in
diff --git a/src/Makefile.am b/src/Makefile.am
index bda8d46..63a20e5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,6 +1,6 @@
 
 NULL =
 
-SUBDIRS = goa goabackend daemon examples
+SUBDIRS = goa goaidentity goabackend daemon examples
 
 -include $(top_srcdir)/git.mk
diff --git a/src/daemon/Makefile.am b/src/daemon/Makefile.am
index 236502b..fb62f71 100644
--- a/src/daemon/Makefile.am
+++ b/src/daemon/Makefile.am
@@ -1,8 +1,9 @@
-
 NULL =
 
 INCLUDES = 							\
 	-I$(top_builddir)/src -I$(top_srcdir)/src		\
+	-I$(top_builddir)/goaidentity				\
+	-I$(top_srcdir)/goaidentity				\
 	-DPACKAGE_LIBEXEC_DIR=\""$(libexecdir)"\" 		\
 	-DPACKAGE_SYSCONF_DIR=\""$(sysconfdir)"\" 		\
 	-DPACKAGE_DATA_DIR=\""$(datadir)"\" 			\
@@ -16,6 +17,9 @@ INCLUDES = 							\
 	$(WARN_CFLAGS)						\
 	$(NULL)
 
+BUILT_SOURCES = $(NULL)
+EXTRA_DIST = $(NULL)
+
 libexec_PROGRAMS = goa-daemon
 
 goa_daemon_SOURCES = 						\
@@ -46,6 +50,14 @@ goa_daemon_LDADD = 						\
 	$(REST_LIBS)						\
 	$(NULL)
 
+if BUILD_KERBEROS
+goa_daemon_LDADD += 						\
+	$(top_builddir)/src/goaidentity/libgoaidentity.la	\
+	$(KRB5_LIBS)						\
+	$(GCR_LIBS)						\
+	$(NULL)
+endif
+
 clean-local :
 	rm -f *~
 
diff --git a/src/daemon/goadaemon.c b/src/daemon/goadaemon.c
index 2debae3..b4ca4bc 100644
--- a/src/daemon/goadaemon.c
+++ b/src/daemon/goadaemon.c
@@ -30,6 +30,7 @@
 #include "goadaemon.h"
 #include "goabackend/goabackend.h"
 #include "goabackend/goautils.h"
+#include "goaidentity/goaidentityservice.h"
 
 struct _GoaDaemon
 {
@@ -45,6 +46,7 @@ struct _GoaDaemon
 
   GoaManager *manager;
 
+  GoaIdentityService *identity_service;
   NotifyNotification *notification;
 
   guint config_timeout_id;
@@ -126,6 +128,8 @@ goa_daemon_finalize (GObject *object)
   g_object_unref (daemon->object_manager);
   g_object_unref (daemon->connection);
 
+  g_clear_object (&daemon->identity_service);
+
   G_OBJECT_CLASS (goa_daemon_parent_class)->finalize (object);
 }
 
@@ -189,6 +193,7 @@ goa_daemon_init (GoaDaemon *daemon)
   static volatile GQuark goa_error_domain = 0;
   GoaObjectSkeleton *object;
   gchar *path;
+  GError *error = NULL;
 
   /* this will force associating errors in the GOA_ERROR error domain
    * with org.freedesktop.Goa.Error.* errors via g_dbus_error_register_error_domain().
@@ -235,6 +240,15 @@ goa_daemon_init (GoaDaemon *daemon)
 
   /* Export objects */
   g_dbus_object_manager_server_set_connection (daemon->object_manager, daemon->connection);
+
+  daemon->identity_service = goa_identity_service_new ();
+  if (!goa_identity_service_activate (daemon->identity_service,
+                                      &error))
+    {
+      goa_warning ("Error activating identity service: %s", error->message);
+      g_error_free (error);
+      g_clear_object (&daemon->identity_service);
+    }
 }
 
 static void
diff --git a/src/goaidentity/Makefile.am b/src/goaidentity/Makefile.am
new file mode 100644
index 0000000..9e74b26
--- /dev/null
+++ b/src/goaidentity/Makefile.am
@@ -0,0 +1,135 @@
+NULL =
+BUILT_SOURCES = $(NULL)
+EXTRA_DIST = $(NULL)
+CLEANFILES= $(NULL)
+
+INCLUDES = 							\
+	-I$(top_builddir)/src -I$(top_srcdir)/src		\
+	-I$(top_srcdir)/src/goabackend				\
+	-DPACKAGE_LIBEXEC_DIR=\""$(libexecdir)"\" 		\
+	-DPACKAGE_SYSCONF_DIR=\""$(sysconfdir)"\" 		\
+	-DPACKAGE_DATA_DIR=\""$(datadir)"\" 			\
+	-DPACKAGE_BIN_DIR=\""$(bindir)"\" 			\
+	-DPACKAGE_LOCALSTATE_DIR=\""$(localstatedir)"\" 	\
+	-DPACKAGE_LOCALE_DIR=\""$(localedir)"\" 		\
+	-DPACKAGE_LIB_DIR=\""$(libdir)"\" 			\
+	-D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT			\
+	-DGOA_API_IS_SUBJECT_TO_CHANGE				\
+	-DGOA_BACKEND_API_IS_SUBJECT_TO_CHANGE			\
+	$(WARN_CFLAGS)						\
+	$(NULL)
+
+identity_headers =						\
+	goaalarm.h						\
+	goaidentity.h						\
+	goaidentityinquiry.h					\
+	goaidentityservice.h					\
+	goaidentitymanagerprivate.h				\
+	goaidentitymanager.h					\
+	goaidentityutils.h					\
+	goakerberosidentity.h					\
+	goakerberosidentityinquiry.h				\
+	goakerberosidentitymanager.h				\
+	um-realm-manager.h					\
+	$(NULL)
+
+identity_sources =						\
+	$(identity_headers)					\
+				goaalarm.c			\
+				goaidentity.c			\
+				goaidentityinquiry.c		\
+				goaidentityservice.c		\
+				goaidentitymanager.c		\
+				goaidentityutils.c		\
+				goakerberosidentity.c		\
+				goakerberosidentityinquiry.c	\
+				goakerberosidentitymanager.c	\
+				um-realm-manager.c		\
+	$(NULL)
+
+identity_dbus_built_sources =					\
+	org.gnome.Identity.c		org.gnome.Identity.h	\
+	$(NULL)
+
+$(identity_dbus_built_sources) : Makefile.am org.gnome.Identity.xml
+	gdbus-codegen						\
+		--interface-prefix org.gnome.Identity.		\
+		--c-namespace GoaIdentityService		\
+		--c-generate-object-manager			\
+		--generate-c-code org.gnome.Identity		\
+		org.gnome.Identity.xml				\
+		--annotate "org.gnome.Identity"			\
+		           "org.gtk.GDBus.C.Name" Identity	\
+		$(NULL)
+BUILT_SOURCES += $(identity_dbus_built_sources)
+EXTRA_DIST += org.gnome.Identity.xml
+
+goaidentityenumtypes.h: goaidentityenumtypes.h.in $(identity_headers)
+	$(AM_V_GEN) glib-mkenums --template $^ > $@
+EXTRA_DIST += goaidentityenumtypes.h.in
+BUILT_SOURCES += goaidentityenumtypes.h
+
+goaidentityenumtypes.c: goaidentityenumtypes.c.in $(identity_headers)
+	$(AM_V_GEN) glib-mkenums --template $^ > $@
+EXTRA_DIST += goaidentityenumtypes.c.in
+BUILT_SOURCES += goaidentityenumtypes.c
+
+realmd_dbus_built_sources =					\
+	um-realm-generated.h					\
+	um-realm-generated.c					\
+	$(NULL)
+
+$(realmd_dbus_built_sources) : Makefile.am org.freedesktop.realmd.xml
+	gdbus-codegen						\
+		--interface-prefix org.freedesktop.realmd.	\
+		--generate-c-code um-realm-generated		\
+		--c-generate-object-manager			\
+		--c-namespace UmRealm				\
+		--annotate "org.freedesktop.realmd.Realm"	\
+		            org.gtk.GDBus.C.Name Common		\
+		org.freedesktop.realmd.xml			\
+		$(NULL)
+BUILT_SOURCES += $(realmd_dbus_built_sources)
+EXTRA_DIST += org.freedesktop.realmd.xml
+
+if BUILD_KERBEROS
+noinst_LTLIBRARIES = libgoaidentity.la
+
+libgoaidentity_la_SOURCES = 					\
+	goaidentityenumtypes.h		goaidentityenumtypes.c	\
+	$(identity_dbus_built_sources)				\
+	$(realmd_dbus_built_sources)				\
+	$(identity_sources)					\
+	$(NULL)
+
+libgoaidentity_la_CPPFLAGS =					\
+	-DG_LOG_DOMAIN=\"libgoaidentity\"			\
+	-DGOA_BACKEND_COMPILATION				\
+	$(NULL)
+
+libgoaidentity_la_CFLAGS =					\
+	$(GLIB_CFLAGS) 						\
+	$(GTK_CFLAGS)						\
+	$(LIBNOTIFY_CFLAGS)					\
+	$(KRB5_CFLAGS)						\
+	$(GCR_CFLAGS)						\
+	$(NULL)
+
+libgoaidentity_la_LIBADD = 					\
+	$(GLIB_LIBS) 						\
+	$(GTK_LIBS)						\
+	$(LIBNOTIFY_LIBS)					\
+	$(KRB5_LIBS)						\
+	$(GCR_LIBS)						\
+	$(NULL)
+
+else
+EXTRA_DIST += $(identity_sources)
+endif
+
+CLEANFILES += $(BUILT_SOURCES)
+
+clean-local :
+	rm -f *~
+
+-include $(top_srcdir)/git.mk
diff --git a/src/goaidentity/goaalarm.c b/src/goaidentity/goaalarm.c
new file mode 100644
index 0000000..e28dd86
--- /dev/null
+++ b/src/goaidentity/goaalarm.c
@@ -0,0 +1,611 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Author: Ray Strode
+ * Based on work by Colin Walters
+ */
+
+#include "config.h"
+
+#include "goaalarm.h"
+
+#ifdef HAVE_TIMERFD
+#include <sys/timerfd.h>
+#endif
+
+#include <unistd.h>
+#include <string.h>
+
+#include <glib.h>
+#include <glib/gi18n.h>
+#include <gio/gio.h>
+#include <gio/gunixinputstream.h>
+
+#include "goalogging.h"
+
+typedef struct
+{
+  GSource *source;
+  GInputStream *stream;
+} Timer;
+
+typedef struct
+{
+  GSource *source;
+} Timeout;
+
+#define MAX_TIMEOUT_INTERVAL (10 *1000)
+
+typedef enum
+{
+  GOA_ALARM_TYPE_UNSCHEDULED,
+  GOA_ALARM_TYPE_TIMER,
+  GOA_ALARM_TYPE_TIMEOUT,
+} GoaAlarmType;
+
+struct _GoaAlarmPrivate
+{
+  GCancellable *cancellable;
+  gulong cancelled_id;
+  GDateTime *time;
+  GDateTime *previous_wakeup_time;
+  GMainContext *context;
+  GSource *immediate_wakeup_source;
+  GRecMutex lock;
+
+  GoaAlarmType type;
+  union
+  {
+    Timer timer;
+    Timeout timeout;
+  };
+};
+
+enum
+{
+  FIRED,
+  REARMED,
+  NUMBER_OF_SIGNALS,
+};
+
+enum
+{
+  PROP_0,
+  PROP_TIME
+};
+
+static void schedule_wakeups (GoaAlarm *self);
+static void schedule_wakeups_with_timeout_source (GoaAlarm *self);
+static guint signals[NUMBER_OF_SIGNALS] = { 0 };
+
+G_DEFINE_TYPE (GoaAlarm, goa_alarm, G_TYPE_OBJECT);
+
+static void
+clear_scheduled_immediate_wakeup (GoaAlarm *self)
+{
+  g_clear_pointer (&self->priv->immediate_wakeup_source,
+                   (GDestroyNotify) g_source_destroy);
+}
+
+static void
+clear_scheduled_timer_wakeups (GoaAlarm *self)
+{
+#ifdef HAVE_TIMERFD
+  GError *error;
+  gboolean is_closed;
+
+  g_clear_pointer (&self->priv->timer.source, (GDestroyNotify) g_source_destroy);
+
+  error = NULL;
+  is_closed = g_input_stream_close (self->priv->timer.stream, NULL, &error);
+
+  if (!is_closed)
+    {
+      goa_warning ("GoaAlarm: could not close timer stream: %s", error->message);
+      g_error_free (error);
+    }
+
+  g_clear_object (&self->priv->timer.stream);
+#endif
+}
+
+static void
+clear_scheduled_timeout_wakeups (GoaAlarm *self)
+{
+  g_clear_pointer (&self->priv->timeout.source, (GDestroyNotify) g_source_destroy);
+}
+
+static void
+clear_scheduled_wakeups (GoaAlarm *self)
+{
+  g_rec_mutex_lock (&self->priv->lock);
+  clear_scheduled_immediate_wakeup (self);
+
+  switch (self->priv->type)
+    {
+    case GOA_ALARM_TYPE_TIMER:
+      clear_scheduled_timer_wakeups (self);
+      break;
+
+    case GOA_ALARM_TYPE_TIMEOUT:
+      clear_scheduled_timeout_wakeups (self);
+      break;
+
+    default:
+      break;
+    }
+
+  g_clear_object (&self->priv->cancellable);
+
+  g_clear_pointer (&self->priv->context, (GDestroyNotify) g_main_context_unref);
+
+  g_clear_pointer (&self->priv->previous_wakeup_time,
+                   (GDestroyNotify) g_date_time_unref);
+
+  g_clear_pointer (&self->priv->time, (GDestroyNotify) g_date_time_unref);
+
+  g_assert (self->priv->timeout.source == NULL);
+
+  self->priv->type = GOA_ALARM_TYPE_UNSCHEDULED;
+  g_rec_mutex_unlock (&self->priv->lock);
+}
+
+static void
+goa_alarm_finalize (GObject *object)
+{
+  GoaAlarm *self = GOA_ALARM (object);
+
+  clear_scheduled_wakeups (self);
+
+  G_OBJECT_CLASS (goa_alarm_parent_class)->finalize (object);
+}
+
+static void
+goa_alarm_set_property (GObject      *object,
+                        guint         property_id,
+                        const GValue *value,
+                        GParamSpec   *param_spec)
+{
+  GoaAlarm *self = GOA_ALARM (object);
+  GDateTime *time;
+
+  switch (property_id)
+    {
+    case PROP_TIME:
+      time = (GDateTime *) g_value_get_boxed (value);
+      goa_alarm_set_time (self, time, self->priv->cancellable);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, param_spec);
+      break;
+    }
+}
+
+static void
+goa_alarm_get_property (GObject    *object,
+                        guint       property_id,
+                        GValue     *value,
+                        GParamSpec *param_spec)
+{
+  GoaAlarm *self = GOA_ALARM (object);
+
+  switch (property_id)
+    {
+    case PROP_TIME:
+      g_value_set_boxed (value, self->priv->time);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, param_spec);
+      break;
+    }
+}
+
+static void
+goa_alarm_class_init (GoaAlarmClass *klass)
+{
+  GObjectClass *object_class;
+
+  object_class = G_OBJECT_CLASS (klass);
+
+  object_class->finalize = goa_alarm_finalize;
+  object_class->get_property = goa_alarm_get_property;
+  object_class->set_property = goa_alarm_set_property;
+
+  g_type_class_add_private (klass, sizeof (GoaAlarmPrivate));
+
+  signals[FIRED] = g_signal_new ("fired",
+                                 G_TYPE_FROM_CLASS (klass),
+                                 G_SIGNAL_RUN_LAST,
+                                 0, NULL, NULL, NULL, G_TYPE_NONE, 0);
+
+  signals[REARMED] = g_signal_new ("rearmed",
+                                   G_TYPE_FROM_CLASS (klass),
+                                   G_SIGNAL_RUN_LAST,
+                                   0, NULL, NULL, NULL, G_TYPE_NONE, 0);
+
+  g_object_class_install_property (object_class,
+                                   PROP_TIME,
+                                   g_param_spec_boxed ("time",
+                                                       _("Time"),
+                                                       _("Time to fire"),
+                                                       G_TYPE_DATE_TIME,
+                                                       G_PARAM_READWRITE));
+}
+
+static void
+goa_alarm_init (GoaAlarm *self)
+{
+  self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, GOA_TYPE_ALARM, GoaAlarmPrivate);
+  self->priv->type = GOA_ALARM_TYPE_UNSCHEDULED;
+  g_rec_mutex_init (&self->priv->lock);
+}
+
+static void
+on_cancelled (GCancellable *cancellable, gpointer user_data)
+{
+  GoaAlarm *self = GOA_ALARM (user_data);
+
+  clear_scheduled_wakeups (self);
+}
+
+static void
+fire_alarm (GoaAlarm *self)
+{
+  g_signal_emit (G_OBJECT (self), signals[FIRED], 0);
+}
+
+static void
+rearm_alarm (GoaAlarm *self)
+{
+  g_signal_emit (G_OBJECT (self), signals[REARMED], 0);
+}
+
+static void
+fire_or_rearm_alarm (GoaAlarm *self)
+{
+  GTimeSpan time_until_fire;
+  GTimeSpan previous_time_until_fire;
+  GDateTime *now;
+
+  now = g_date_time_new_now_local ();
+  time_until_fire = g_date_time_difference (self->priv->time, now);
+
+  if (self->priv->previous_wakeup_time == NULL)
+    {
+      self->priv->previous_wakeup_time = now;
+
+      /* If, according to the time, we're past when we should have fired,
+       * then fire the alarm.
+       */
+      if (time_until_fire <= 0)
+        fire_alarm (self);
+    }
+  else
+    {
+      previous_time_until_fire =
+          g_date_time_difference (self->priv->time,
+                                  self->priv->previous_wakeup_time);
+
+      g_date_time_unref (self->priv->previous_wakeup_time);
+      self->priv->previous_wakeup_time = now;
+
+      /* If, according to the time, we're past when we should have fired,
+       * and this is the first wakeup where that's been true then fire
+       * the alarm. The first check makes sure we don't fire prematurely,
+       * and the second check makes sure we don't fire more than once
+       */
+      if (time_until_fire <= 0 && previous_time_until_fire > 0)
+        {
+          fire_alarm (self);
+
+          /* If, according to the time, we're before when we should fire,
+           * and we previously fired the alarm, then we've jumped back in
+           * time and need to rearm the alarm.
+           */
+        }
+      else if (time_until_fire > 0 && previous_time_until_fire <= 0)
+        {
+          rearm_alarm (self);
+        }
+    }
+}
+
+static gboolean
+on_immediate_wakeup_source_ready (GoaAlarm *self)
+{
+  g_return_val_if_fail (self->priv->type != GOA_ALARM_TYPE_UNSCHEDULED, FALSE);
+
+  g_rec_mutex_lock (&self->priv->lock);
+  if (g_cancellable_is_cancelled (self->priv->cancellable))
+    goto out;
+
+  fire_or_rearm_alarm (self);
+
+out:
+  g_rec_mutex_unlock (&self->priv->lock);
+  return FALSE;
+}
+
+#ifdef HAVE_TIMERFD
+static gboolean
+on_timer_source_ready (GObject *stream, GoaAlarm *self)
+{
+  gint64 number_of_fires;
+  gssize bytes_read;
+  gboolean run_again = FALSE;
+
+  g_return_val_if_fail (GOA_IS_ALARM (self), FALSE);
+  g_return_val_if_fail (self->priv->type == GOA_ALARM_TYPE_TIMER, FALSE);
+
+  g_rec_mutex_lock (&self->priv->lock);
+  if (g_cancellable_is_cancelled (self->priv->cancellable))
+    goto out;
+
+  bytes_read =
+    g_pollable_input_stream_read_nonblocking (G_POLLABLE_INPUT_STREAM (stream),
+                                              &number_of_fires, sizeof (gint64),
+                                              NULL, NULL);
+
+  if (bytes_read == sizeof (gint64))
+    {
+      if (number_of_fires < 0 || number_of_fires > 1)
+        {
+          goa_warning ("GoaAlarm: expected timerfd to report firing once,"
+                       "but it reported firing %ld times\n", (long) number_of_fires);
+        }
+    }
+
+  fire_or_rearm_alarm (self);
+  run_again = TRUE;
+out:
+  g_rec_mutex_unlock (&self->priv->lock);
+  return run_again;
+}
+
+static void
+clear_timer_source_pointer (GoaAlarm *self)
+{
+  self->priv->timer.source = NULL;
+}
+#endif
+
+static gboolean
+schedule_wakeups_with_timerfd (GoaAlarm *self)
+{
+#ifdef HAVE_TIMERFD
+  struct itimerspec timer_spec;
+  int fd;
+  int result;
+  GSource *source;
+  static gboolean seen_before = FALSE;
+
+  if (!seen_before)
+    {
+      goa_debug ("GoaAlarm: trying to use kernel timer");
+      seen_before = TRUE;
+    }
+
+  fd = timerfd_create (CLOCK_REALTIME, TFD_CLOEXEC | TFD_NONBLOCK);
+
+  if (fd < 0)
+    {
+      goa_debug ("GoaAlarm: could not create timer fd: %m");
+      return FALSE;
+    }
+
+  memset (&timer_spec, 0, sizeof (timer_spec));
+  timer_spec.it_value.tv_sec = g_date_time_to_unix (self->priv->time) + 1;
+
+  result = timerfd_settime (fd,
+                            TFD_TIMER_ABSTIME | TFD_TIMER_CANCEL_ON_SET,
+                            &timer_spec, NULL);
+
+  if (result < 0)
+    {
+      goa_debug ("GoaAlarm: could not set timer: %m");
+      return FALSE;
+    }
+
+  self->priv->type = GOA_ALARM_TYPE_TIMER;
+  self->priv->timer.stream = g_unix_input_stream_new (fd, TRUE);
+
+  source =
+    g_pollable_input_stream_create_source (G_POLLABLE_INPUT_STREAM
+                                           (self->priv->timer.stream),
+                                           self->priv->cancellable);
+  self->priv->timer.source = source;
+  g_source_set_callback (self->priv->timer.source,
+                         (GSourceFunc) on_timer_source_ready, self,
+                         (GDestroyNotify) clear_timer_source_pointer);
+  g_source_attach (self->priv->timer.source, self->priv->context);
+  g_source_unref (source);
+
+  return TRUE;
+
+#endif /*HAVE_TIMERFD */
+
+  return FALSE;
+}
+
+static gboolean
+on_timeout_source_ready (GoaAlarm *self)
+{
+  g_return_val_if_fail (GOA_IS_ALARM (self), FALSE);
+
+  g_rec_mutex_lock (&self->priv->lock);
+
+  if (g_cancellable_is_cancelled (self->priv->cancellable) ||
+      self->priv->type == GOA_ALARM_TYPE_UNSCHEDULED)
+    goto out;
+
+  fire_or_rearm_alarm (self);
+
+  if (g_cancellable_is_cancelled (self->priv->cancellable))
+    goto out;
+
+  schedule_wakeups_with_timeout_source (self);
+
+out:
+  g_rec_mutex_unlock (&self->priv->lock);
+  return FALSE;
+}
+
+static void
+clear_timeout_source_pointer (GoaAlarm *self)
+{
+  self->priv->timeout.source = NULL;
+}
+
+static void
+schedule_wakeups_with_timeout_source (GoaAlarm *self)
+{
+  GDateTime *now;
+  GSource   *source;
+  GTimeSpan  time_span;
+  guint      interval;
+
+  self->priv->type = GOA_ALARM_TYPE_TIMEOUT;
+
+  now = g_date_time_new_now_local ();
+  time_span = g_date_time_difference (self->priv->time, now);
+  g_date_time_unref (now);
+
+  time_span =
+    CLAMP (time_span, 1000 *G_TIME_SPAN_MILLISECOND,
+           G_MAXUINT *G_TIME_SPAN_MILLISECOND);
+  interval = (guint) time_span / G_TIME_SPAN_MILLISECOND;
+
+  /* We poll every 10 seconds or so because we want to catch time skew
+   */
+  interval = MIN (interval, MAX_TIMEOUT_INTERVAL);
+
+  source = g_timeout_source_new (interval);
+
+  self->priv->timeout.source = source;
+  g_source_set_callback (self->priv->timeout.source,
+                         (GSourceFunc)
+                         on_timeout_source_ready,
+                         self, (GDestroyNotify) clear_timeout_source_pointer);
+
+  g_source_attach (self->priv->timeout.source, self->priv->context);
+  g_source_unref (source);
+}
+
+static void
+schedule_wakeups (GoaAlarm *self)
+{
+  gboolean wakeup_scheduled;
+
+  wakeup_scheduled = schedule_wakeups_with_timerfd (self);
+
+  if (!wakeup_scheduled)
+    {
+      static gboolean seen_before = FALSE;
+
+      if (!seen_before)
+        {
+          goa_debug ("GoaAlarm: falling back to polling timeout");
+          seen_before = TRUE;
+        }
+      schedule_wakeups_with_timeout_source (self);
+    }
+}
+
+static void
+clear_immediate_wakeup_source_pointer (GoaAlarm *self)
+{
+  self->priv->immediate_wakeup_source = NULL;
+}
+
+static void
+schedule_immediate_wakeup (GoaAlarm *self)
+{
+  GSource *source;
+
+  source = g_idle_source_new ();
+
+  self->priv->immediate_wakeup_source = source;
+  g_source_set_callback (self->priv->immediate_wakeup_source,
+                         (GSourceFunc)
+                         on_immediate_wakeup_source_ready,
+                         self,
+                         (GDestroyNotify) clear_immediate_wakeup_source_pointer);
+
+  g_source_attach (self->priv->immediate_wakeup_source, self->priv->context);
+  g_source_unref (source);
+}
+
+void
+goa_alarm_set_time (GoaAlarm *self, GDateTime *time, GCancellable *cancellable)
+{
+  if (g_cancellable_is_cancelled (cancellable))
+    return;
+
+  if (self->priv->cancellable != NULL && self->priv->cancellable != cancellable)
+    g_cancellable_cancel (self->priv->cancellable);
+
+  if (cancellable != NULL)
+    g_object_ref (cancellable);
+
+  if (self->priv->cancelled_id != 0)
+    g_cancellable_disconnect (self->priv->cancellable, self->priv->cancelled_id);
+
+  g_clear_object (&self->priv->cancellable);
+
+  if (cancellable != NULL)
+    self->priv->cancellable = cancellable;
+  else
+    self->priv->cancellable = g_cancellable_new ();
+
+  self->priv->cancelled_id = g_cancellable_connect (self->priv->cancellable,
+                                                    G_CALLBACK (on_cancelled),
+                                                    self, NULL);
+
+  g_date_time_ref (time);
+
+  if (self->priv->time != NULL)
+    g_date_time_unref (self->priv->time);
+
+  self->priv->time = time;
+
+  self->priv->context = g_main_context_ref (g_main_context_default ());
+
+  g_object_notify (G_OBJECT (self), "time");
+
+  schedule_wakeups (self);
+
+  /* Wake up right away, in case it's already expired leaving the gate */
+  schedule_immediate_wakeup (self);
+}
+
+GDateTime *
+goa_alarm_get_time (GoaAlarm *self)
+{
+  return self->priv->time;
+}
+
+GoaAlarm *
+goa_alarm_new (void)
+{
+  GoaAlarm *self;
+
+  self = GOA_ALARM (g_object_new (GOA_TYPE_ALARM, NULL));
+
+  return GOA_ALARM (self);
+}
diff --git a/src/goaidentity/goaalarm.h b/src/goaidentity/goaalarm.h
new file mode 100644
index 0000000..a93991d
--- /dev/null
+++ b/src/goaidentity/goaalarm.h
@@ -0,0 +1,64 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_ALARM_H__
+#define __GOA_ALARM_H__
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+G_BEGIN_DECLS
+#define GOA_TYPE_ALARM             (goa_alarm_get_type ())
+#define GOA_ALARM(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GOA_TYPE_ALARM, GoaAlarm))
+#define GOA_ALARM_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GOA_TYPE_ALARM, GoaAlarmClass))
+#define GOA_IS_ALARM(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GOA_TYPE_ALARM))
+#define GOA_IS_ALARM_CLASS(klass)  (G_TYPE_CHECK_CLASS_TYPE ((klass), GOA_TYPE_ALARM))
+#define GOA_ALARM_GET_CLASS(obj)   (G_TYPE_INSTANCE_GET_CLASS((obj), GOA_TYPE_ALARM, GoaAlarmClass))
+typedef struct _GoaAlarm GoaAlarm;
+typedef struct _GoaAlarmClass GoaAlarmClass;
+typedef struct _GoaAlarmPrivate GoaAlarmPrivate;
+
+struct _GoaAlarm
+{
+  GObject parent;
+
+  GoaAlarmPrivate *priv;
+};
+
+struct _GoaAlarmClass
+{
+  GObjectClass parent_class;
+
+  void (* fired)   (GoaAlarm *alarm);
+  void (* rearmed) (GoaAlarm *alarm);
+};
+
+GType goa_alarm_get_type (void);
+
+GoaAlarm *goa_alarm_new (void);
+void goa_alarm_set_time (GoaAlarm     *alarm,
+                         GDateTime    *time,
+                         GCancellable *cancellable);
+GDateTime *goa_alarm_get_time (GoaAlarm *alarm);
+G_END_DECLS
+#endif /* __GOA_ALARM_H__ */
diff --git a/src/goaidentity/goaidentity.c b/src/goaidentity/goaidentity.c
new file mode 100644
index 0000000..07575c2
--- /dev/null
+++ b/src/goaidentity/goaidentity.c
@@ -0,0 +1,83 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include <glib-object.h>
+#include <glib/gi18n.h>
+
+#include "goaidentity.h"
+#include "goalogging.h"
+
+G_DEFINE_INTERFACE (GoaIdentity, goa_identity, G_TYPE_OBJECT);
+
+static void
+goa_identity_default_init (GoaIdentityInterface *interface)
+{
+  g_object_interface_install_property (interface,
+                                       g_param_spec_string ("identifier",
+                                                            "identifier",
+                                                            "identifier",
+                                                            NULL, G_PARAM_READABLE));
+  g_object_interface_install_property (interface,
+                                       g_param_spec_boolean ("is-signed-in",
+                                                             "Is signed in",
+                                                             "Whether or not identity is currently signed in",
+                                                             FALSE,
+                                                             G_PARAM_READABLE));
+  g_object_interface_install_property (interface,
+                                       g_param_spec_int64 ("expiration-timestamp",
+                                                           "Expiration Timestamp",
+                                                           "A timestamp of when the identities credentials expire",
+                                                           -1,
+                                                           G_MAXINT64,
+                                                           -1, G_PARAM_READABLE));
+}
+
+GQuark
+goa_identity_error_quark (void)
+{
+  static GQuark error_quark = 0;
+
+  if (error_quark == 0)
+    {
+      error_quark = g_quark_from_static_string ("goa-identity-error");
+    }
+
+  return error_quark;
+}
+
+const char *
+goa_identity_get_identifier (GoaIdentity *self)
+{
+  return GOA_IDENTITY_GET_IFACE (self)->get_identifier (self);
+}
+
+gboolean
+goa_identity_is_signed_in (GoaIdentity *self)
+{
+  return GOA_IDENTITY_GET_IFACE (self)->is_signed_in (self);
+}
+
+GBytes *
+goa_identity_get_credentials (GoaIdentity *self)
+{
+  return GOA_IDENTITY_GET_IFACE (self)->get_credentials (self);
+}
diff --git a/src/goaidentity/goaidentity.h b/src/goaidentity/goaidentity.h
new file mode 100644
index 0000000..24f9647
--- /dev/null
+++ b/src/goaidentity/goaidentity.h
@@ -0,0 +1,79 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode <rstrode redhat com>
+ */
+
+#ifndef __GOA_IDENTITY_H__
+#define __GOA_IDENTITY_H__
+
+#include <glib.h>
+#include <glib-object.h>
+
+G_BEGIN_DECLS
+#define GOA_TYPE_IDENTITY             (goa_identity_get_type ())
+#define GOA_IDENTITY(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GOA_TYPE_IDENTITY, GoaIdentity))
+#define GOA_IDENTITY_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GOA_TYPE_IDENTITY, GoaIdentityInterface))
+#define GOA_IS_IDENTITY(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GOA_TYPE_IDENTITY))
+#define GOA_IDENTITY_GET_IFACE(obj)   (G_TYPE_INSTANCE_GET_INTERFACE((obj), GOA_TYPE_IDENTITY, GoaIdentityInterface))
+#define GOA_IDENTITY_ERROR            (goa_identity_error_quark ())
+typedef struct _GoaIdentity GoaIdentity;
+typedef struct _GoaIdentityInterface GoaIdentityInterface;
+
+struct _GoaIdentityInterface
+{
+  GTypeInterface base_interface;
+
+  const char * (* get_identifier)            (GoaIdentity *identity);
+  GBytes     * (* get_credentials)           (GoaIdentity *identity);
+  gboolean     (* is_signed_in)              (GoaIdentity *identity);
+};
+
+typedef enum
+{
+  GOA_IDENTITY_ERROR_NOT_FOUND,
+  GOA_IDENTITY_ERROR_VERIFYING,
+  GOA_IDENTITY_ERROR_RENEWING,
+  GOA_IDENTITY_ERROR_CREDENTIALS_UNAVAILABLE,
+  GOA_IDENTITY_ERROR_ENUMERATING_CREDENTIALS,
+  GOA_IDENTITY_ERROR_ALLOCATING_CREDENTIALS,
+  GOA_IDENTITY_ERROR_AUTHENTICATION_FAILED,
+  GOA_IDENTITY_ERROR_SAVING_CREDENTIALS,
+  GOA_IDENTITY_ERROR_REMOVING_CREDENTIALS,
+  GOA_IDENTITY_ERROR_PARSING_IDENTIFIER,
+} GoaIdentityError;
+
+typedef enum
+{
+  GOA_IDENTITY_SIGN_IN_FLAGS_NONE                        = 0,
+  GOA_IDENTITY_SIGN_IN_FLAGS_DISALLOW_RENEWAL            = 1,
+  GOA_IDENTITY_SIGN_IN_FLAGS_DISALLOW_FORWARDING         = 1 << 1,
+  GOA_IDENTITY_SIGN_IN_FLAGS_DISALLOW_PROXYING           = 1 << 2
+} GoaIdentitySignInFlags;
+
+GType  goa_identity_get_type    (void);
+GQuark goa_identity_error_quark (void);
+
+const char  *goa_identity_get_identifier            (GoaIdentity *identity);
+GBytes      *goa_identity_get_credentials           (GoaIdentity *identity);
+gboolean     goa_identity_is_signed_in              (GoaIdentity *identity);
+
+
+G_END_DECLS
+#endif /* __GOA_IDENTITY_H__ */
diff --git a/src/goaidentity/goaidentityenumtypes.c.in b/src/goaidentity/goaidentityenumtypes.c.in
new file mode 100644
index 0000000..c028690
--- /dev/null
+++ b/src/goaidentity/goaidentityenumtypes.c.in
@@ -0,0 +1,42 @@
+/*** BEGIN file-header ***/
+
+#include <glib-object.h>
+
+/*** END file-header ***/
+
+/*** BEGIN file-production ***/
+#include "@filename@"
+/* enumerations from "@filename@" */
+/*** END file-production ***/
+
+/*** BEGIN value-header ***/
+GType @enum_name _get_type (void) G_GNUC_CONST;
+
+GType
+ enum_name@_get_type (void)
+{
+        static GType etype = 0;
+
+        if (G_UNLIKELY(etype == 0)) {
+                static const G Type@Value values[] = {
+/*** END value-header ***/
+
+/*** BEGIN value-production ***/
+                { @VALUENAME@, "@VALUENAME@", "@valuenick@" },
+/*** END value-production ***/
+
+/*** BEGIN value-tail ***/
+                { 0, NULL, NULL }
+        };
+
+        etype = g_ type@_register_static (g_intern_static_string ("@EnumName@"), values);
+    }
+
+    return etype;
+}
+
+/*** END value-tail ***/
+
+/*** BEGIN file-tail ***/
+ /**/
+/*** END file-tail ***/
diff --git a/src/goaidentity/goaidentityenumtypes.h.in b/src/goaidentity/goaidentityenumtypes.h.in
new file mode 100644
index 0000000..35d4d5c
--- /dev/null
+++ b/src/goaidentity/goaidentityenumtypes.h.in
@@ -0,0 +1,24 @@
+/*** BEGIN file-header ***/
+#ifndef GOA_IDENTITY_ENUM_TYPES_H
+#define GOA_IDENTITY_ENUM_TYPES_H
+
+#include <glib-object.h>
+
+G_BEGIN_DECLS
+/*** END file-header ***/
+
+/*** BEGIN file-production ***/
+
+/* enumerations from "@filename@" */
+/*** END file-production ***/
+
+/*** BEGIN value-header ***/
+GType @enum_name _get_type (void) G_GNUC_CONST;
+#define @ENUMPREFIX _TYPE_@ENUMSHORT@ (@enum_name _get_type ())
+/*** END value-header ***/
+
+/*** BEGIN file-tail ***/
+G_END_DECLS
+
+#endif /* GOA_IDENTITY_ENUM_TYPES_H */
+/*** END file-tail ***/
diff --git a/src/goaidentity/goaidentityinquiry.c b/src/goaidentity/goaidentityinquiry.c
new file mode 100644
index 0000000..db68541
--- /dev/null
+++ b/src/goaidentity/goaidentityinquiry.c
@@ -0,0 +1,144 @@
+/* -*- Mode: C; tab-width: 8; ident-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Author: Ray Strode
+ */
+
+#include "config.h"
+
+#include "goaidentityinquiry.h"
+#include "goaidentityinquiryprivate.h"
+#include "goalogging.h"
+
+#include <string.h>
+#include <glib/gi18n.h>
+#include <gio/gio.h>
+
+enum
+{
+  COMPLETE,
+  NUMBER_OF_SIGNALS,
+};
+
+static guint signals[NUMBER_OF_SIGNALS] = { 0 };
+
+G_DEFINE_INTERFACE (GoaIdentityInquiry, goa_identity_inquiry, G_TYPE_OBJECT);
+
+static void
+goa_identity_inquiry_default_init (GoaIdentityInquiryInterface *interface)
+{
+  signals[COMPLETE] = g_signal_new ("complete",
+                                    G_TYPE_FROM_INTERFACE (interface),
+                                    G_SIGNAL_RUN_LAST,
+                                    0, NULL, NULL, NULL, G_TYPE_NONE, 0);
+}
+
+void
+_goa_identity_inquiry_emit_complete (GoaIdentityInquiry *self)
+{
+  g_signal_emit (G_OBJECT (self), signals[COMPLETE], 0);
+}
+
+char *
+goa_identity_inquiry_get_name (GoaIdentityInquiry *self)
+{
+  g_return_val_if_fail (GOA_IS_IDENTITY_INQUIRY (self), NULL);
+
+  return GOA_IDENTITY_INQUIRY_GET_IFACE (self)->get_name (self);
+}
+
+char *
+goa_identity_inquiry_get_banner (GoaIdentityInquiry *self)
+{
+  g_return_val_if_fail (GOA_IS_IDENTITY_INQUIRY (self), NULL);
+
+  return GOA_IDENTITY_INQUIRY_GET_IFACE (self)->get_banner (self);
+}
+
+gboolean
+goa_identity_inquiry_is_complete (GoaIdentityInquiry *self)
+{
+  g_return_val_if_fail (GOA_IS_IDENTITY_INQUIRY (self), TRUE);
+
+  return GOA_IDENTITY_INQUIRY_GET_IFACE (self)->is_complete (self);
+}
+
+void
+goa_identity_inquiry_iter_init (GoaIdentityInquiryIter *iter,
+                                GoaIdentityInquiry     *inquiry)
+{
+  g_return_if_fail (GOA_IS_IDENTITY_INQUIRY (inquiry));
+
+  GOA_IDENTITY_INQUIRY_GET_IFACE (inquiry)->iter_init (iter, inquiry);
+}
+
+GoaIdentityQuery *
+goa_identity_inquiry_iter_next (GoaIdentityInquiryIter *iter,
+                                GoaIdentityInquiry     *inquiry)
+{
+  g_return_val_if_fail (GOA_IS_IDENTITY_INQUIRY (inquiry), NULL);
+
+  return GOA_IDENTITY_INQUIRY_GET_IFACE (inquiry)->iter_next (iter, inquiry);
+}
+
+GoaIdentity *
+goa_identity_inquiry_get_identity (GoaIdentityInquiry *self)
+{
+  g_return_val_if_fail (GOA_IS_IDENTITY_INQUIRY (self), NULL);
+
+  return GOA_IDENTITY_INQUIRY_GET_IFACE (self)->get_identity (self);
+}
+
+GoaIdentityQueryMode
+goa_identity_query_get_mode (GoaIdentityInquiry *self,
+                             GoaIdentityQuery   *query)
+{
+  g_return_val_if_fail (GOA_IS_IDENTITY_INQUIRY (self),
+                        GOA_IDENTITY_QUERY_MODE_INVISIBLE);
+
+  return GOA_IDENTITY_INQUIRY_GET_IFACE (self)->get_mode (self, query);
+}
+
+char *
+goa_identity_query_get_prompt (GoaIdentityInquiry *self,
+                               GoaIdentityQuery   *query)
+{
+  g_return_val_if_fail (GOA_IS_IDENTITY_INQUIRY (self), NULL);
+
+  return GOA_IDENTITY_INQUIRY_GET_IFACE (self)->get_prompt (self, query);
+}
+
+void
+goa_identity_inquiry_answer_query (GoaIdentityInquiry *self,
+                                   GoaIdentityQuery   *query,
+                                   const char         *answer)
+{
+  g_return_if_fail (GOA_IS_IDENTITY_INQUIRY (self));
+
+  GOA_IDENTITY_INQUIRY_GET_IFACE (self)->answer_query (self, query, answer);
+}
+
+gboolean
+goa_identity_query_is_answered (GoaIdentityInquiry *self,
+                                GoaIdentityQuery   *query)
+{
+  g_return_val_if_fail (GOA_IS_IDENTITY_INQUIRY (self), FALSE);
+
+  return GOA_IDENTITY_INQUIRY_GET_IFACE (self)->is_answered (self, query);
+}
diff --git a/src/goaidentity/goaidentityinquiry.h b/src/goaidentity/goaidentityinquiry.h
new file mode 100644
index 0000000..a62d1f9
--- /dev/null
+++ b/src/goaidentity/goaidentityinquiry.h
@@ -0,0 +1,110 @@
+/* -*- Mode: C; tab-width: 8; ident-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_IDENTITY_INQUIRY_H__
+#define __GOA_IDENTITY_INQUIRY_H__
+
+#include <stdint.h>
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include "goaidentity.h"
+
+G_BEGIN_DECLS
+#define GOA_TYPE_IDENTITY_INQUIRY             (goa_identity_inquiry_get_type ())
+#define GOA_IDENTITY_INQUIRY(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GOA_TYPE_IDENTITY_INQUIRY, GoaIdentityInquiry))
+#define GOA_IDENTITY_INQUIRY_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GOA_TYPE_IDENTITY_INQUIRY, GoaIdentityInquiryClass))
+#define GOA_IS_IDENTITY_INQUIRY(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GOA_TYPE_IDENTITY_INQUIRY))
+#define GOA_IDENTITY_INQUIRY_GET_IFACE(obj)   (G_TYPE_INSTANCE_GET_INTERFACE((obj), GOA_TYPE_IDENTITY_INQUIRY, GoaIdentityInquiryInterface))
+typedef struct _GoaIdentityInquiry GoaIdentityInquiry;
+typedef struct _GoaIdentityInquiryInterface GoaIdentityInquiryInterface;
+typedef struct _GoaIdentityInquiryIter GoaIdentityInquiryIter;
+
+typedef struct _GoaIdentityQuery GoaIdentityQuery;
+
+typedef void (* GoaIdentityInquiryFunc) (GoaIdentityInquiry *inquiry,
+                                         GCancellable       *cancellable,
+                                         gpointer            user_data);
+
+typedef enum
+{
+  GOA_IDENTITY_QUERY_MODE_INVISIBLE,
+  GOA_IDENTITY_QUERY_MODE_VISIBLE
+} GoaIdentityQueryMode;
+
+struct _GoaIdentityInquiryIter
+{
+  gpointer data;
+};
+
+struct _GoaIdentityInquiryInterface
+{
+  GTypeInterface base_interface;
+
+  GoaIdentity * (* get_identity) (GoaIdentityInquiry *inquiry);
+  char *        (* get_name)     (GoaIdentityInquiry *inquiry);
+  char *        (* get_banner)   (GoaIdentityInquiry *inquiry);
+
+  gboolean      (* is_complete)  (GoaIdentityInquiry *inquiry);
+  void          (* answer_query) (GoaIdentityInquiry *inquiry,
+                                  GoaIdentityQuery   *query,
+                                  const char         *answer);
+
+  void          (* iter_init)    (GoaIdentityInquiryIter *iter,
+                                  GoaIdentityInquiry     *inquiry);
+
+  GoaIdentityQuery *   (* iter_next) (GoaIdentityInquiryIter *iter,
+                                      GoaIdentityInquiry     *inquiry);
+
+  GoaIdentityQueryMode (* get_mode) (GoaIdentityInquiry *inquiry,
+                                     GoaIdentityQuery   *query);
+  char *               (* get_prompt) (GoaIdentityInquiry *inquiry,
+                                       GoaIdentityQuery   *query);
+  gboolean             (* is_answered) (GoaIdentityInquiry *inquiry,
+                                        GoaIdentityQuery   *query);
+};
+
+GType goa_identity_inquiry_get_type (void);
+
+GoaIdentity *goa_identity_inquiry_get_identity (GoaIdentityInquiry *inquiry);
+char        *goa_identity_inquiry_get_name     (GoaIdentityInquiry *inquiry);
+char        *goa_identity_inquiry_get_banner   (GoaIdentityInquiry *inquiry);
+gboolean     goa_identity_inquiry_is_complete  (GoaIdentityInquiry *inquiry);
+void         goa_identity_inquiry_answer_query (GoaIdentityInquiry *inquiry,
+                                                GoaIdentityQuery   *query,
+                                                const char         *answer);
+
+void              goa_identity_inquiry_iter_init (GoaIdentityInquiryIter *iter,
+                                                  GoaIdentityInquiry     *inquiry);
+GoaIdentityQuery *goa_identity_inquiry_iter_next (GoaIdentityInquiryIter *iter,
+                                                  GoaIdentityInquiry     *inquiry);
+
+GoaIdentityQueryMode goa_identity_query_get_mode   (GoaIdentityInquiry *inquiry,
+                                                    GoaIdentityQuery   *query);
+char *               goa_identity_query_get_prompt (GoaIdentityInquiry *inquiry,
+                                                    GoaIdentityQuery   *query);
+gboolean             goa_identity_query_is_answered (GoaIdentityInquiry *inquiry,
+                                                     GoaIdentityQuery *query);
+
+#endif /* __GOA_IDENTITY_INQUIRY_H__ */
diff --git a/src/goaidentity/goaidentityinquiryprivate.h b/src/goaidentity/goaidentityinquiryprivate.h
new file mode 100644
index 0000000..12c628e
--- /dev/null
+++ b/src/goaidentity/goaidentityinquiryprivate.h
@@ -0,0 +1,34 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_IDENTITY_INQUIRY_PRIVATE_H__
+#define __GOA_IDENTITY_INQUIRY_PRIVATE_H__
+
+#include <glib.h>
+#include <glib-object.h>
+
+#include "goaidentityinquiry.h"
+
+G_BEGIN_DECLS
+void _goa_identity_inquiry_emit_complete (GoaIdentityInquiry *inquiry);
+G_END_DECLS
+#endif /* __GOA_IDENTITY_INQUIRY_PRIVATE_H__ */
diff --git a/src/goaidentity/goaidentitymanager.c b/src/goaidentity/goaidentitymanager.c
new file mode 100644
index 0000000..79335c5
--- /dev/null
+++ b/src/goaidentity/goaidentitymanager.c
@@ -0,0 +1,314 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include <glib-object.h>
+#include <glib/gi18n.h>
+#include <gio/gio.h>
+
+#include "goaidentitymanager.h"
+#include "goaidentitymanagerprivate.h"
+#include "goalogging.h"
+
+enum
+{
+  IDENTITY_ADDED,
+  IDENTITY_REMOVED,
+  IDENTITY_RENAMED,
+  IDENTITY_REFRESHED,
+  IDENTITY_NEEDS_RENEWAL,
+  IDENTITY_EXPIRING,
+  IDENTITY_EXPIRED,
+  NUMBER_OF_SIGNALS,
+};
+
+static guint signals[NUMBER_OF_SIGNALS] = { 0 };
+
+G_DEFINE_INTERFACE (GoaIdentityManager, goa_identity_manager, G_TYPE_OBJECT);
+
+static void
+goa_identity_manager_default_init (GoaIdentityManagerInterface *interface)
+{
+  signals[IDENTITY_ADDED] = g_signal_new ("identity-added",
+                                          G_TYPE_FROM_INTERFACE (interface),
+                                          G_SIGNAL_RUN_LAST,
+                                          G_STRUCT_OFFSET
+                                          (GoaIdentityManagerInterface,
+                                           identity_added), NULL, NULL, NULL,
+                                          G_TYPE_NONE, 1, GOA_TYPE_IDENTITY);
+  signals[IDENTITY_REMOVED] = g_signal_new ("identity-removed",
+                                            G_TYPE_FROM_INTERFACE (interface),
+                                            G_SIGNAL_RUN_LAST,
+                                            G_STRUCT_OFFSET (GoaIdentityManagerInterface,
+                                                             identity_removed),
+                                            NULL,
+                                            NULL,
+                                            NULL,
+                                            G_TYPE_NONE,
+                                            1,
+                                            GOA_TYPE_IDENTITY);
+  signals[IDENTITY_REFRESHED] = g_signal_new ("identity-refreshed",
+                                              G_TYPE_FROM_INTERFACE (interface),
+                                              G_SIGNAL_RUN_LAST,
+                                              G_STRUCT_OFFSET (GoaIdentityManagerInterface,
+                                                               identity_refreshed),
+                                              NULL,
+                                              NULL,
+                                              NULL,
+                                              G_TYPE_NONE,
+                                              1,
+                                              GOA_TYPE_IDENTITY);
+  signals[IDENTITY_RENAMED] = g_signal_new ("identity-renamed",
+                                            G_TYPE_FROM_INTERFACE (interface),
+                                            G_SIGNAL_RUN_LAST,
+                                            G_STRUCT_OFFSET (GoaIdentityManagerInterface,
+                                                             identity_renamed),
+                                            NULL,
+                                            NULL,
+                                            NULL,
+                                            G_TYPE_NONE,
+                                            1,
+                                            GOA_TYPE_IDENTITY);
+  signals[IDENTITY_NEEDS_RENEWAL] = g_signal_new ("identity-needs-renewal",
+                                                  G_TYPE_FROM_INTERFACE (interface),
+                                                  G_SIGNAL_RUN_LAST,
+                                                  G_STRUCT_OFFSET (GoaIdentityManagerInterface,
+                                                                   identity_needs_renewal),
+                                                  NULL,
+                                                  NULL,
+                                                  NULL,
+                                                  G_TYPE_NONE,
+                                                  1,
+                                                  GOA_TYPE_IDENTITY);
+  signals[IDENTITY_EXPIRING] = g_signal_new ("identity-expiring",
+                                             G_TYPE_FROM_INTERFACE (interface),
+                                             G_SIGNAL_RUN_LAST,
+                                             G_STRUCT_OFFSET (GoaIdentityManagerInterface,
+                                                              identity_expiring),
+                                             NULL,
+                                             NULL,
+                                             NULL,
+                                             G_TYPE_NONE,
+                                             1,
+                                             GOA_TYPE_IDENTITY);
+  signals[IDENTITY_EXPIRED] = g_signal_new ("identity-expired",
+                                            G_TYPE_FROM_INTERFACE (interface),
+                                            G_SIGNAL_RUN_LAST,
+                                            G_STRUCT_OFFSET (GoaIdentityManagerInterface,
+                                                             identity_expired),
+                                            NULL,
+                                            NULL,
+                                            NULL,
+                                            G_TYPE_NONE,
+                                            1,
+                                            GOA_TYPE_IDENTITY);
+}
+
+GQuark
+goa_identity_manager_error_quark (void)
+{
+  static GQuark error_quark = 0;
+
+  if (error_quark == 0)
+    error_quark = g_quark_from_static_string ("goa-identity-manager-error");
+
+  return error_quark;
+}
+
+void
+goa_identity_manager_get_identity (GoaIdentityManager  *self,
+                                   const char          *identifier,
+                                   GCancellable        *cancellable,
+                                   GAsyncReadyCallback  callback,
+                                   gpointer             user_data)
+{
+  GOA_IDENTITY_MANAGER_GET_IFACE (self)->get_identity (self,
+                                                       identifier,
+                                                       cancellable,
+                                                       callback,
+                                                       user_data);
+}
+
+GoaIdentity *
+goa_identity_manager_get_identity_finish (GoaIdentityManager  *self,
+                                          GAsyncResult        *result,
+                                          GError             **error)
+{
+  return GOA_IDENTITY_MANAGER_GET_IFACE (self)->get_identity_finish (self,
+                                                                     result,
+                                                                     error);
+}
+
+void
+goa_identity_manager_list_identities (GoaIdentityManager  *self,
+                                      GCancellable        *cancellable,
+                                      GAsyncReadyCallback  callback,
+                                      gpointer             user_data)
+{
+  GOA_IDENTITY_MANAGER_GET_IFACE (self)->list_identities (self,
+                                                          cancellable,
+                                                          callback,
+                                                          user_data);
+}
+
+GList *
+goa_identity_manager_list_identities_finish (GoaIdentityManager  *self,
+                                             GAsyncResult        *result,
+                                             GError             **error)
+{
+  return GOA_IDENTITY_MANAGER_GET_IFACE (self)->list_identities_finish (self,
+                                                                        result,
+                                                                        error);
+}
+
+void
+goa_identity_manager_renew_identity (GoaIdentityManager  *self,
+                                     GoaIdentity         *identity,
+                                     GCancellable        *cancellable,
+                                     GAsyncReadyCallback  callback,
+                                     gpointer             user_data)
+{
+  GOA_IDENTITY_MANAGER_GET_IFACE (self)->renew_identity (self,
+                                                         identity,
+                                                         cancellable,
+                                                         callback,
+                                                         user_data);
+}
+
+void
+goa_identity_manager_renew_identity_finish (GoaIdentityManager  *self,
+                                            GAsyncResult        *result,
+                                            GError             **error)
+{
+  GOA_IDENTITY_MANAGER_GET_IFACE (self)->renew_identity_finish (self, result, error);
+}
+
+void
+goa_identity_manager_sign_identity_in (GoaIdentityManager     *self,
+                                       const char             *identifier,
+                                       gconstpointer           initial_password,
+                                       GoaIdentitySignInFlags  flags,
+                                       GoaIdentityInquiryFunc  inquiry_func,
+                                       gpointer                inquiry_data,
+                                       GCancellable           *cancellable,
+                                       GAsyncReadyCallback     callback,
+                                       gpointer                user_data)
+{
+  GOA_IDENTITY_MANAGER_GET_IFACE (self)->sign_identity_in (self,
+                                                           identifier,
+                                                           initial_password,
+                                                           flags,
+                                                           inquiry_func,
+                                                           inquiry_data,
+                                                           cancellable,
+                                                           callback,
+                                                           user_data);
+}
+
+GoaIdentity *
+goa_identity_manager_sign_identity_in_finish (GoaIdentityManager  *self,
+                                              GAsyncResult        *result,
+                                              GError             **error)
+{
+  return GOA_IDENTITY_MANAGER_GET_IFACE (self)->sign_identity_in_finish (self,
+                                                                         result,
+                                                                         error);
+}
+
+void
+goa_identity_manager_sign_identity_out (GoaIdentityManager  *self,
+                                        GoaIdentity         *identity,
+                                        GCancellable        *cancellable,
+                                        GAsyncReadyCallback  callback,
+                                        gpointer             user_data)
+{
+  GOA_IDENTITY_MANAGER_GET_IFACE (self)->sign_identity_out (self,
+                                                            identity,
+                                                            cancellable,
+                                                            callback,
+                                                            user_data);
+}
+
+void
+goa_identity_manager_sign_identity_out_finish (GoaIdentityManager  *self,
+                                               GAsyncResult        *result,
+                                               GError             **error)
+{
+  GOA_IDENTITY_MANAGER_GET_IFACE (self)->sign_identity_out_finish (self,
+                                                                   result,
+                                                                   error);
+}
+
+char *
+goa_identity_manager_name_identity (GoaIdentityManager *self,
+                                    GoaIdentity *identity)
+{
+  return GOA_IDENTITY_MANAGER_GET_IFACE (self)->name_identity (self, identity);
+}
+
+void
+_goa_identity_manager_emit_identity_added (GoaIdentityManager *self,
+                                           GoaIdentity        *identity)
+{
+  g_signal_emit (G_OBJECT (self), signals[IDENTITY_ADDED], 0, identity);
+}
+
+void
+_goa_identity_manager_emit_identity_removed (GoaIdentityManager *self,
+                                             GoaIdentity        *identity)
+{
+  g_signal_emit (G_OBJECT (self), signals[IDENTITY_REMOVED], 0, identity);
+}
+
+void
+_goa_identity_manager_emit_identity_renamed (GoaIdentityManager *self,
+                                             GoaIdentity        *identity)
+{
+  g_signal_emit (G_OBJECT (self), signals[IDENTITY_RENAMED], 0, identity);
+}
+
+void
+_goa_identity_manager_emit_identity_refreshed (GoaIdentityManager *self,
+                                               GoaIdentity        *identity)
+{
+  g_signal_emit (G_OBJECT (self), signals[IDENTITY_REFRESHED], 0, identity);
+}
+
+void
+_goa_identity_manager_emit_identity_needs_renewal (GoaIdentityManager *self,
+                                                   GoaIdentity        *identity)
+{
+  g_signal_emit (G_OBJECT (self), signals[IDENTITY_NEEDS_RENEWAL], 0, identity);
+}
+
+void
+_goa_identity_manager_emit_identity_expiring (GoaIdentityManager *self,
+                                              GoaIdentity        *identity)
+{
+  g_signal_emit (G_OBJECT (self), signals[IDENTITY_EXPIRING], 0, identity);
+}
+
+void
+_goa_identity_manager_emit_identity_expired (GoaIdentityManager *self,
+                                             GoaIdentity        *identity)
+{
+  g_signal_emit (G_OBJECT (self), signals[IDENTITY_EXPIRED], 0, identity);
+}
diff --git a/src/goaidentity/goaidentitymanager.h b/src/goaidentity/goaidentitymanager.h
new file mode 100644
index 0000000..5b60c24
--- /dev/null
+++ b/src/goaidentity/goaidentitymanager.h
@@ -0,0 +1,179 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_IDENTITY_MANAGER_H__
+#define __GOA_IDENTITY_MANAGER_H__
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include "goaidentity.h"
+#include "goaidentityinquiry.h"
+
+G_BEGIN_DECLS
+#define GOA_TYPE_IDENTITY_MANAGER             (goa_identity_manager_get_type ())
+#define GOA_IDENTITY_MANAGER(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GOA_TYPE_IDENTITY_MANAGER, GoaIdentityManager))
+#define GOA_IDENTITY_MANAGER_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GOA_TYPE_IDENTITY_MANAGER, GoaIdentityManagerInterface))
+#define GOA_IS_IDENTITY_MANAGER(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GOA_TYPE_IDENTITY_MANAGER))
+#define GOA_IDENTITY_MANAGER_GET_IFACE(obj)   (G_TYPE_INSTANCE_GET_INTERFACE((obj), GOA_TYPE_IDENTITY_MANAGER, GoaIdentityManagerInterface))
+#define GOA_IDENTITY_MANAGER_ERROR            (goa_identity_manager_error_quark ())
+typedef struct _GoaIdentityManager GoaIdentityManager;
+typedef struct _GoaIdentityManagerInterface GoaIdentityManagerInterface;
+
+struct _GoaIdentityManagerInterface
+{
+  GTypeInterface base_interface;
+
+  /* Signals */
+  void (* identity_added) (GoaIdentityManager *identity_manager,
+                           GoaIdentity        *identity);
+
+  void (* identity_removed) (GoaIdentityManager *identity_manager,
+                             GoaIdentity        *identity);
+  void (* identity_renamed) (GoaIdentityManager *identity_manager,
+                             GoaIdentity        *identity);
+  void (* identity_refreshed) (GoaIdentityManager *identity_manager,
+                               GoaIdentity        *identity);
+  void (* identity_needs_renewal) (GoaIdentityManager *identity_manager,
+                                   GoaIdentity        *identity);
+  void (* identity_expiring) (GoaIdentityManager *identity_manager,
+                              GoaIdentity        *identity);
+  void (* identity_expired) (GoaIdentityManager *identity_manager,
+                             GoaIdentity        *identity);
+
+  /* Virtual Functions */
+  void (* get_identity) (GoaIdentityManager *identity_manager,
+                         const char         *identifier,
+                         GCancellable       *cancellable,
+                         GAsyncReadyCallback callback,
+                         gpointer            user_data);
+  GoaIdentity * (* get_identity_finish) (GoaIdentityManager  *identity_manager,
+                                         GAsyncResult        *result,
+                                         GError             **error);
+  void (* list_identities) (GoaIdentityManager  *identity_manager,
+                            GCancellable        *cancellable,
+                            GAsyncReadyCallback  callback,
+                            gpointer             user_data);
+  GList * (* list_identities_finish) (GoaIdentityManager  *identity_manager,
+                                      GAsyncResult        *result,
+                                      GError             **error);
+
+  void (* sign_identity_in) (GoaIdentityManager     *identity_manager,
+                             const char             *identifier,
+                             gconstpointer           initial_password,
+                             GoaIdentitySignInFlags  flags,
+                             GoaIdentityInquiryFunc  inquiry_func,
+                             gpointer                inquiry_data,
+                             GCancellable           *cancellable,
+                             GAsyncReadyCallback     callback,
+                             gpointer                user_data);
+  GoaIdentity * (* sign_identity_in_finish) (GoaIdentityManager  *identity_manager,
+                                             GAsyncResult        *result,
+                                             GError             **error);
+
+  void (* sign_identity_out) (GoaIdentityManager  *identity_manager,
+                              GoaIdentity         *identity,
+                              GCancellable        *cancellable,
+                              GAsyncReadyCallback  callback,
+                              gpointer             user_data);
+  void (* sign_identity_out_finish) (GoaIdentityManager  *identity_manager,
+                                     GAsyncResult        *result,
+                                     GError             **error);
+
+  void (* renew_identity) (GoaIdentityManager *identity_manager,
+                           GoaIdentity        *identity,
+                           GCancellable       *cancellable,
+                           GAsyncReadyCallback callback,
+                           gpointer            user_data);
+  void (* renew_identity_finish) (GoaIdentityManager  *identity_manager,
+                                  GAsyncResult        *result,
+                                  GError             **error);
+
+  char * (* name_identity) (GoaIdentityManager *identity_manager,
+                            GoaIdentity        *identity);
+};
+
+typedef enum
+{
+  GOA_IDENTITY_MANAGER_ERROR_INITIALIZING,
+  GOA_IDENTITY_MANAGER_ERROR_IDENTITY_NOT_FOUND,
+  GOA_IDENTITY_MANAGER_ERROR_CREATING_IDENTITY,
+  GOA_IDENTITY_MANAGER_ERROR_ACCESSING_CREDENTIALS,
+  GOA_IDENTITY_MANAGER_ERROR_UNSUPPORTED_CREDENTIALS
+} GoaIdentityManagerError;
+
+GType  goa_identity_manager_get_type    (void);
+GQuark goa_identity_manager_error_quark (void);
+
+void goa_identity_manager_get_identity (GoaIdentityManager  *identity_manager,
+                                        const char          *identifier,
+                                        GCancellable        *cancellable,
+                                        GAsyncReadyCallback  callback,
+                                        gpointer             user_data);
+GoaIdentity *goa_identity_manager_get_identity_finish (GoaIdentityManager  *identity_manager,
+                                                       GAsyncResult        *result,
+                                                       GError             **error);
+void goa_identity_manager_list_identities (GoaIdentityManager *identity_manager,
+                                           GCancellable       *cancellable,
+                                           GAsyncReadyCallback callback,
+                                           gpointer            user_data);
+GList *goa_identity_manager_list_identities_finish (GoaIdentityManager  *identity_manager,
+                                                    GAsyncResult        *result,
+                                                    GError             **error);
+
+void goa_identity_manager_sign_identity_in (GoaIdentityManager     *identity_manager,
+                                            const char             *identifier,
+                                            gconstpointer           initial_password,
+                                            GoaIdentitySignInFlags  flags,
+                                            GoaIdentityInquiryFunc  inquiry_func,
+                                            gpointer                inquiry_data,
+                                            GCancellable           *cancellable,
+                                            GAsyncReadyCallback     callback,
+                                            gpointer                user_data);
+GoaIdentity *goa_identity_manager_sign_identity_in_finish (GoaIdentityManager  *identity_manager,
+                                                           GAsyncResult        *result,
+                                                           GError             **error);
+
+void goa_identity_manager_sign_identity_out (GoaIdentityManager *identity_manager,
+                                             GoaIdentity        *identity,
+                                             GCancellable       *cancellable,
+                                             GAsyncReadyCallback callback,
+                                             gpointer            user_data);
+void goa_identity_manager_sign_identity_out_finish (GoaIdentityManager  *identity_manager,
+                                                    GAsyncResult        *result,
+                                                    GError             **error);
+
+void goa_identity_manager_renew_identity (GoaIdentityManager  *identity_manager,
+                                          GoaIdentity         *identity,
+                                          GCancellable        *cancellable,
+                                          GAsyncReadyCallback  callback,
+                                          gpointer             user_data);
+void goa_identity_manager_renew_identity_finish (GoaIdentityManager  *identity_manager,
+                                                 GAsyncResult        *result,
+                                                 GError             **error);
+
+char *goa_identity_manager_name_identity (GoaIdentityManager *identity_manager,
+                                          GoaIdentity        *identity);
+
+G_END_DECLS
+#endif /* __GOA_IDENTITY_MANAGER_H__ */
diff --git a/src/goaidentity/goaidentitymanagerprivate.h b/src/goaidentity/goaidentitymanagerprivate.h
new file mode 100644
index 0000000..1f613b6
--- /dev/null
+++ b/src/goaidentity/goaidentitymanagerprivate.h
@@ -0,0 +1,49 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_IDENTITY_MANAGER_PRIVATE_H__
+#define __GOA_IDENTITY_MANAGER_PRIVATE_H__
+
+#include <glib.h>
+#include <glib-object.h>
+
+#include "goaidentitymanager.h"
+
+G_BEGIN_DECLS
+void _goa_identity_manager_emit_identity_added (GoaIdentityManager *identity_manager,
+                                                GoaIdentity        *identity);
+void _goa_identity_manager_emit_identity_removed (GoaIdentityManager *identity_manager,
+                                                  GoaIdentity        *identity);
+void _goa_identity_manager_emit_identity_refreshed (GoaIdentityManager *identity_manager,
+                                                    GoaIdentity        *identity);
+void _goa_identity_manager_emit_identity_renamed (GoaIdentityManager *identity_manager,
+                                                  GoaIdentity        *identity);
+
+void _goa_identity_manager_emit_identity_expiring (GoaIdentityManager *identity_manager,
+                                                   GoaIdentity        *identity);
+
+void _goa_identity_manager_emit_identity_needs_renewal (GoaIdentityManager *identity_manager,
+                                                        GoaIdentity        *identity);
+void _goa_identity_manager_emit_identity_expired (GoaIdentityManager *identity_manager,
+                                                  GoaIdentity        *identity);
+G_END_DECLS
+#endif /* __GOA_IDENTITY_MANAGER_PRIVATE_H__ */
diff --git a/src/goaidentity/goaidentityservice.c b/src/goaidentity/goaidentityservice.c
new file mode 100644
index 0000000..7e0bd49
--- /dev/null
+++ b/src/goaidentity/goaidentityservice.c
@@ -0,0 +1,2656 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Written by: Ray Strode
+ *             Stef Walter
+ */
+
+#include "config.h"
+#include "goaidentityservice.h"
+
+#include <glib/gi18n-lib.h>
+#include <gmodule.h>
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include <gcr/gcr.h>
+
+#include "goaidentityenumtypes.h"
+#include "goaidentityutils.h"
+
+#include "goakerberosidentitymanager.h"
+#include "goalogging.h"
+
+#include "um-realm-manager.h"
+
+struct _GoaIdentityServicePrivate
+{
+  GDBusConnection          *connection;
+  GDBusObjectManagerServer *object_manager_server;
+  guint                     bus_id;
+
+  GoaIdentityManager       *identity_manager;
+
+  UmRealmManager           *realm_manager;
+  guint                     realmd_watch;
+  GCancellable             *cancellable;
+
+  GHashTable               *watched_client_connections;
+  GHashTable               *key_holders;
+
+  /* FIXME: This is a little ucky, since the goa service
+   * is in process, we should able to use direct calls.
+   */
+  GoaClient                *client;
+  GoaManager               *accounts_manager;
+};
+
+static void identity_service_manager_interface_init (GoaIdentityServiceManagerIface *interface);
+
+static void on_realm_joined (UmRealmObject      *realm,
+                             GAsyncResult       *result,
+                             GSimpleAsyncResult *operation_result);
+
+static void on_realm_looked_up_for_sign_in (GoaIdentityService *self,
+                                            GAsyncResult       *result,
+                                            GSimpleAsyncResult *operation_result);
+
+static void
+look_up_realm (GoaIdentityService  *self,
+               const char          *identifier,
+               const char          *domain,
+               GCancellable        *cancellable,
+               GAsyncReadyCallback  callback,
+               gpointer             user_data);
+static void
+sign_in (GoaIdentityService     *self,
+         const char             *identifier,
+         UmRealmObject          *realm,
+         gconstpointer           initial_password,
+         GoaIdentitySignInFlags  flags,
+         GCancellable           *cancellable,
+         GAsyncReadyCallback     callback,
+         gpointer                user_data);
+
+G_DEFINE_TYPE_WITH_CODE (GoaIdentityService,
+                         goa_identity_service,
+                         GOA_IDENTITY_SERVICE_TYPE_MANAGER_SKELETON,
+                         G_IMPLEMENT_INTERFACE (GOA_IDENTITY_SERVICE_TYPE_MANAGER,
+                                                identity_service_manager_interface_init));
+
+static char *
+get_object_path_for_identity (GoaIdentityService *self,
+                              GoaIdentity        *identity)
+{
+  const char *identifier;
+  char       *escaped_identifier;
+  char       *object_path;
+
+  identifier = goa_identity_get_identifier (identity);
+  escaped_identifier = goa_identity_utils_escape_object_path (identifier,
+                                                              strlen (identifier));
+  object_path = g_strdup_printf ("/org/gnome/Identity/Identities/%s", escaped_identifier);
+
+  g_free (escaped_identifier);
+  return object_path;
+}
+
+static char *
+export_identity (GoaIdentityService *self,
+                 GoaIdentity        *identity)
+{
+  char *object_path;
+  GDBusObjectSkeleton *object;
+  GDBusInterfaceSkeleton *interface;
+
+  object_path = get_object_path_for_identity (self, identity);
+
+  object = G_DBUS_OBJECT_SKELETON (goa_identity_service_object_skeleton_new (object_path));
+  interface = G_DBUS_INTERFACE_SKELETON (goa_identity_service_identity_skeleton_new ());
+
+  g_object_bind_property (G_OBJECT (identity),
+                          "identifier",
+                          G_OBJECT (interface),
+                          "identifier",
+                          G_BINDING_SYNC_CREATE);
+
+  g_object_bind_property (G_OBJECT (identity),
+                          "expiration-timestamp",
+                          G_OBJECT (interface),
+                          "expiration-timestamp",
+                          G_BINDING_SYNC_CREATE);
+
+  g_object_bind_property (G_OBJECT (identity),
+                          "is-signed-in",
+                          G_OBJECT (interface),
+                          "is-signed-in",
+                          G_BINDING_SYNC_CREATE);
+
+  g_dbus_object_skeleton_add_interface (object, interface);
+  g_object_unref (interface);
+
+  g_dbus_object_manager_server_export (self->priv->object_manager_server, object);
+  g_object_unref (object);
+
+  return object_path;
+}
+
+static void
+unexport_identity (GoaIdentityService *self,
+                   GoaIdentity        *identity)
+{
+  char *object_path;
+
+  object_path = get_object_path_for_identity (self, identity);
+
+  g_dbus_object_manager_server_unexport (self->priv->object_manager_server,
+                                         object_path);
+  g_free (object_path);
+}
+
+static char *
+get_object_path_for_realm (GoaIdentityService *self,
+                           UmRealmObject      *realm)
+{
+  const char *domain;
+  char       *escaped_domain;
+  char       *object_path;
+
+  domain = um_realm_kerberos_get_domain_name (um_realm_object_peek_kerberos (realm));
+  escaped_domain = goa_identity_utils_escape_object_path (domain,
+                                                          strlen (domain));
+  object_path = g_strdup_printf ("/org/gnome/Identity/Realms/%s", escaped_domain);
+
+  g_free (escaped_domain);
+  return object_path;
+}
+
+static void
+on_realm_gone (GoaIdentityService *self,
+               GAsyncResult       *result,
+               char               *object_path)
+{
+  g_dbus_object_manager_server_unexport (self->priv->object_manager_server,
+                                         object_path);
+  g_free (object_path);
+  g_object_unref (result);
+}
+
+static char *
+export_realm (GoaIdentityService *self,
+              UmRealmObject      *realm)
+{
+  char *object_path;
+  GDBusObjectSkeleton *object;
+  GDBusInterfaceSkeleton *interface;
+  UmRealmKerberos    *kerberos;
+  GSimpleAsyncResult *operation_result;
+
+  kerberos = um_realm_object_peek_kerberos (realm);
+
+  goa_debug ("GoaIdentityService: exporting realm %s",
+             um_realm_kerberos_get_domain_name (kerberos));
+
+  object_path = get_object_path_for_realm (self, realm);
+
+  object = G_DBUS_OBJECT_SKELETON (goa_identity_service_object_skeleton_new (object_path));
+  interface = G_DBUS_INTERFACE_SKELETON (goa_identity_service_realm_skeleton_new ());
+
+  g_object_bind_property (G_OBJECT (realm),
+                          "configured",
+                          G_OBJECT (interface),
+                          "is-enrolled",
+                          G_BINDING_SYNC_CREATE);
+
+  g_object_bind_property (G_OBJECT (kerberos),
+                          "realm-name",
+                          G_OBJECT (interface),
+                          "realm-name",
+                          G_BINDING_SYNC_CREATE);
+
+  g_object_bind_property (G_OBJECT (kerberos),
+                          "domain-name",
+                          G_OBJECT (interface),
+                          "domain-name",
+                          G_BINDING_SYNC_CREATE);
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                (GAsyncReadyCallback)
+                                                on_realm_gone,
+                                                g_strdup (object_path),
+                                                export_realm);
+
+  g_object_weak_ref (G_OBJECT (self->priv->realm_manager),
+                     (GWeakNotify)
+                     g_simple_async_result_complete_in_idle,
+                     operation_result);
+
+  g_dbus_object_skeleton_add_interface (object, interface);
+  g_object_unref (interface);
+
+  g_dbus_object_manager_server_export (self->priv->object_manager_server, object);
+  g_object_unref (object);
+
+  return object_path;
+}
+
+static void
+on_system_enrollment_prompt_answered (GcrPrompt           *prompt,
+                                      GAsyncResult        *result,
+                                      GSimpleAsyncResult  *operation_result)
+{
+  GCancellable       *cancellable;
+  const char         *answer;
+  GError             *error;
+
+  error = NULL;
+  cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+
+  answer = gcr_prompt_password_finish (prompt, result, &error);
+
+  if (answer == NULL)
+    {
+      if (error != NULL)
+        g_simple_async_result_take_error (operation_result, error);
+      else
+        g_cancellable_cancel (cancellable);
+
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  g_simple_async_result_set_op_res_gpointer (operation_result,
+                                             (gpointer)
+                                             answer,
+                                             NULL);
+  g_simple_async_result_complete_in_idle (operation_result);
+  g_object_unref (operation_result);
+}
+
+static void
+on_system_enrollment_prompt_open (GcrSystemPrompt    *system_prompt,
+                                  GAsyncResult       *result,
+                                  GSimpleAsyncResult *operation_result)
+{
+  GCancellable       *cancellable;
+  GcrPrompt          *prompt;
+  GError             *error;
+  const char         *message;
+
+  cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+  message = g_simple_async_result_get_source_tag (operation_result);
+
+  error = NULL;
+  prompt = gcr_system_prompt_open_finish (result, &error);
+
+  if (prompt == NULL)
+    {
+      if (error != NULL)
+        g_simple_async_result_complete_in_idle (operation_result);
+      else
+        g_cancellable_cancel (cancellable);
+
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  g_object_set_data (G_OBJECT (operation_result), "prompt", prompt);
+
+  gcr_prompt_set_title (prompt, _("Domain Administrator Login"));
+
+  message = g_object_get_data (G_OBJECT (operation_result), "message");
+  gcr_prompt_set_message (prompt, message);
+
+  /* FIXME: When asking for a username, we show password bullets.
+   */
+  gcr_prompt_password_async (prompt,
+                             cancellable,
+                             (GAsyncReadyCallback)
+                             on_system_enrollment_prompt_answered,
+                             operation_result);
+}
+
+static void
+open_system_enrollment_prompt (GoaIdentityService  *self,
+                               const char          *message,
+                               GCancellable        *cancellable,
+                               GAsyncReadyCallback  callback,
+                               gpointer             user_data)
+{
+  GSimpleAsyncResult *operation_result;
+
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                callback,
+                                                user_data,
+                                                (gpointer)
+                                                message);
+  g_simple_async_result_set_check_cancellable (operation_result, cancellable);
+
+  g_object_set_data (G_OBJECT (operation_result),
+                     "cancellable",
+                     cancellable);
+
+  gcr_system_prompt_open_async (-1,
+                                cancellable,
+                                (GAsyncReadyCallback)
+                                on_system_enrollment_prompt_open,
+                                operation_result);
+}
+
+static void
+on_system_enrollment_password_answered (GoaIdentityService  *self,
+                                        GAsyncResult        *result,
+                                        GSimpleAsyncResult  *operation_result)
+{
+  GCancellable       *cancellable;
+  GcrPrompt          *prompt;
+  UmRealmObject      *realm;
+  GBytes             *credentials;
+  const char         *username;
+  const char         *password;
+  GError             *error;
+
+  prompt = g_object_get_data (G_OBJECT (result), "prompt");
+
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    {
+      g_simple_async_result_take_error (operation_result, error);
+
+      gcr_system_prompt_close (GCR_SYSTEM_PROMPT (prompt), NULL, &error);
+
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+
+  password = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+
+  realm = g_simple_async_result_get_source_tag (operation_result);
+  username = g_object_get_data (G_OBJECT (operation_result), "username");
+  credentials = g_object_get_data (G_OBJECT (operation_result), "credentials");
+
+  if (!um_realm_join_as_admin (realm,
+                               username,
+                               password,
+                               credentials,
+                               cancellable,
+                               (GAsyncReadyCallback)
+                               on_realm_joined,
+                               operation_result))
+    {
+       g_simple_async_result_set_error (operation_result,
+                                        UM_REALM_ERROR,
+                                        UM_REALM_ERROR_GENERIC,
+                                        _("Could not find supported credentials"));
+       g_simple_async_result_complete_in_idle (operation_result);
+       g_object_unref (operation_result);
+       return;
+    }
+  gcr_system_prompt_close (GCR_SYSTEM_PROMPT (prompt), NULL, &error);
+}
+
+static void
+on_system_enrollment_username_answered (GoaIdentityService  *self,
+                                        GAsyncResult        *result,
+                                        GSimpleAsyncResult  *operation_result)
+{
+  GCancellable       *cancellable;
+  GcrPrompt          *prompt;
+  const char         *username;
+  GError             *error;
+
+  prompt = g_object_get_data (G_OBJECT (result), "prompt");
+
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    {
+      g_simple_async_result_take_error (operation_result, error);
+
+      gcr_system_prompt_close (GCR_SYSTEM_PROMPT (prompt), NULL, &error);
+
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+
+  username = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "username",
+                          g_strdup (username),
+                          (GDestroyNotify)
+                          g_free);
+  gcr_system_prompt_close (GCR_SYSTEM_PROMPT (prompt), NULL, &error);
+
+  open_system_enrollment_prompt (self,
+                                 _("In order to use this enterprise identity, the computer needs to be "
+                                   "enrolled in the domain. Please have your network administrator "
+                                   "type their domain password here."),
+                                 cancellable,
+                                 (GAsyncReadyCallback)
+                                 on_system_enrollment_password_answered,
+                                 operation_result);
+}
+
+static void
+enroll_machine_as_administrator (GoaIdentityService  *self,
+                                 GoaIdentity         *identity,
+                                 UmRealmObject       *realm,
+                                 GBytes              *credentials,
+                                 GCancellable        *cancellable,
+                                 GAsyncReadyCallback  callback,
+                                 gpointer             user_data)
+{
+  GSimpleAsyncResult *operation_result;
+
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                callback,
+                                                user_data,
+                                                realm);
+  g_simple_async_result_set_check_cancellable (operation_result, cancellable);
+
+  g_object_set_data (G_OBJECT (operation_result),
+                     "cancellable",
+                     cancellable);
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "identity",
+                          g_object_ref (identity),
+                          (GDestroyNotify)
+                          g_object_unref);
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "credentials",
+                          g_bytes_ref (credentials),
+                          (GDestroyNotify)
+                          g_bytes_unref);
+  open_system_enrollment_prompt (self,
+                                 _("In order to use this enterprise identity, the computer needs to be "
+                                   "enrolled in the domain. Please have your network administrator "
+                                   "type their domain username here."),
+                                 cancellable,
+                                 (GAsyncReadyCallback)
+                                 on_system_enrollment_username_answered,
+                                 operation_result);
+
+}
+
+static void
+on_machine_enrolled (GoaIdentityService *self,
+                     GAsyncResult       *result,
+                     GSimpleAsyncResult *operation_result)
+{
+  g_object_unref (operation_result);
+}
+
+static void
+on_realm_joined (UmRealmObject      *realm,
+                 GAsyncResult       *result,
+                 GSimpleAsyncResult *operation_result)
+{
+  GoaIdentityService  *self;
+  GoaIdentity         *identity;
+  GError              *error;
+
+  self = GOA_IDENTITY_SERVICE (g_async_result_get_source_object (G_ASYNC_RESULT (operation_result)));
+
+  error = NULL;
+  if (!um_realm_join_finish (realm, result, &error))
+    {
+      GCancellable *cancellable;
+      GBytes       *credentials;
+
+      if (!g_error_matches (error, UM_REALM_ERROR, UM_REALM_ERROR_BAD_LOGIN) &&
+          !g_error_matches (error, UM_REALM_ERROR, UM_REALM_ERROR_BAD_PASSWORD))
+        {
+          g_simple_async_result_take_error (operation_result, error);
+          g_simple_async_result_complete_in_idle (operation_result);
+          g_object_unref (operation_result);
+          return;
+        }
+
+      cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+      identity = g_object_get_data (G_OBJECT (operation_result), "identify");
+      credentials = g_object_get_data (G_OBJECT (operation_result), "credentials");
+
+      /* Try again, as an administrator */
+      enroll_machine_as_administrator (self,
+                                       identity,
+                                       realm,
+                                       credentials,
+                                       cancellable,
+                                       (GAsyncReadyCallback)
+                                       on_machine_enrolled,
+                                       operation_result);
+
+      return;
+    }
+
+  g_simple_async_result_complete_in_idle (operation_result);
+  g_object_unref (operation_result);
+}
+
+static void
+enroll_machine_as_user (GoaIdentityService  *self,
+                        GoaIdentity         *identity,
+                        UmRealmObject       *realm,
+                        const char          *password,
+                        GBytes              *credentials,
+                        GCancellable        *cancellable,
+                        GAsyncReadyCallback  callback,
+                        gpointer             user_data)
+{
+  GSimpleAsyncResult *operation_result;
+
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                callback,
+                                                user_data,
+                                                realm);
+  g_simple_async_result_set_check_cancellable (operation_result, cancellable);
+
+  g_object_set_data (G_OBJECT (operation_result),
+                     "cancellable",
+                     cancellable);
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "identity",
+                          g_object_ref (identity),
+                          (GDestroyNotify)
+                          g_object_unref);
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "credentials",
+                          g_bytes_ref (credentials),
+                          (GDestroyNotify)
+                          g_bytes_unref);
+
+  if (!um_realm_join_as_user (realm,
+                              goa_identity_get_identifier (identity),
+                              password,
+                              credentials,
+                              cancellable,
+                              (GAsyncReadyCallback)
+                              on_realm_joined,
+                              operation_result))
+    {
+       g_simple_async_result_set_error (operation_result,
+                                        UM_REALM_ERROR,
+                                        UM_REALM_ERROR_GENERIC,
+                                        _("Could not find supported credentials"));
+       g_simple_async_result_complete_in_idle (operation_result);
+       g_object_unref (operation_result);
+       return;
+    }
+}
+
+static void
+on_realm_looked_up_for_enrollment (GoaIdentityService *self,
+                                   GAsyncResult       *result,
+                                   GSimpleAsyncResult *operation_result)
+{
+  UmRealmObject *realm;
+  GoaIdentity   *identity;
+  GError        *error;
+  GCancellable  *cancellable;
+  GBytes        *credentials;
+  gconstpointer  initial_password;
+
+  realm = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+                                             &error))
+    {
+      goa_debug ("GoaIdentityService: Could not discover realm: %s",
+                 error->message);
+      g_error_free (error);
+
+      g_object_unref (operation_result);
+      return;
+    }
+
+  cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+  initial_password = g_object_get_data (G_OBJECT (operation_result),
+                                        "initial-password");
+  identity = g_object_get_data (G_OBJECT (operation_result), "identity");
+  credentials = goa_identity_get_credentials (identity);
+
+  /* Otherwise, try to enroll the machine with the domain controller
+   */
+  enroll_machine_as_user (self,
+                          identity,
+                          realm,
+                          initial_password,
+                          credentials,
+                          cancellable,
+                          (GAsyncReadyCallback)
+                          on_machine_enrolled,
+                          operation_result);
+  g_bytes_unref (credentials);
+}
+
+static void
+on_sign_in_done (GoaIdentityService *self,
+                 GAsyncResult       *result,
+                 GSimpleAsyncResult *operation_result)
+{
+  GoaIdentity      *identity;
+  char             *object_path;
+  char             *domain;
+  GCancellable     *cancellable;
+  UmRealmObject    *realm;
+  GError           *error;
+
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    {
+      g_simple_async_result_take_error (operation_result, error);
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  identity = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+  object_path = export_identity (self, identity);
+  realm = g_simple_async_result_get_source_tag (G_SIMPLE_ASYNC_RESULT (result));
+
+  g_simple_async_result_set_op_res_gpointer (operation_result,
+                                             object_path,
+                                             (GDestroyNotify)
+                                             g_free);
+
+  /* User is signed in, so we're mostly done
+   */
+  g_simple_async_result_complete_in_idle (operation_result);
+
+  if (realm != NULL && um_realm_is_configured (realm))
+    {
+      g_object_unref (operation_result);
+      return;
+    }
+
+  /* Try to enroll the machine at the point, too, if necessary.
+   */
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "identity",
+                          g_object_ref (identity),
+                          (GDestroyNotify)
+                          g_object_unref);
+
+  domain = g_object_get_data (G_OBJECT (operation_result),
+                                        "domain");
+  cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+
+  look_up_realm (self,
+                 goa_identity_get_identifier (identity),
+                 domain,
+                 cancellable,
+                 (GAsyncReadyCallback)
+                 on_realm_looked_up_for_enrollment,
+                 operation_result);
+}
+
+static GoaObject *
+find_object_with_principal (GoaIdentityService *self,
+                            const char         *principal,
+                            gboolean            must_be_enabled)
+{
+  GList      *objects;
+  GList      *node;
+  GoaObject  *found_object;
+
+  objects = goa_client_get_accounts (self->priv->client);
+
+  found_object = NULL;
+  for (node = objects; node != NULL; node = node->next)
+    {
+      GoaObject *object = GOA_OBJECT (node->data);
+      GoaAccount *account;
+      const char *provider_type;
+      const char *account_identity;
+
+      account = goa_object_peek_account (object);
+
+      if (account == NULL)
+        continue;
+
+      provider_type = goa_account_get_provider_type (account);
+
+      if (g_strcmp0 (provider_type, "kerberos") != 0)
+        continue;
+
+      if (must_be_enabled)
+        {
+          GoaTicketing *ticketing;
+
+          ticketing = goa_object_peek_ticketing (object);
+
+          if (ticketing == NULL)
+              continue;
+        }
+
+      account_identity = goa_account_get_identity (account);
+
+      if (g_strcmp0 (account_identity, principal) == 0)
+        {
+          found_object = g_object_ref (object);
+          break;
+        }
+    }
+  g_list_free_full (objects, (GDestroyNotify) g_object_unref);
+
+  return found_object;
+}
+
+static void
+on_credentials_ensured (GoaAccount         *account,
+                        GAsyncResult       *result,
+                        GoaIdentityService *self)
+{
+  GError     *error;
+  const char *account_identity;
+  int         expires_in;
+
+  account_identity = goa_account_get_identity (account);
+
+  error = NULL;
+  if (!goa_account_call_ensure_credentials_finish (account,
+                                                   &expires_in,
+                                                   result,
+                                                   &error))
+    {
+      goa_debug ("GoaIdentityService: could not ensure credentials for account %s: %s",
+                 account_identity,
+                 error->message);
+      g_error_free (error);
+      return;
+    }
+
+  goa_debug ("GoaIdentityService: credentials for account %s ensured for %d seconds",
+             account_identity,
+             expires_in);
+}
+
+static gboolean
+should_ignore_object (GoaIdentityService *self,
+                      GoaObject          *object)
+{
+  GoaAccount *account;
+
+  account = goa_object_peek_account (object);
+
+  if (goa_account_get_ticketing_disabled (account))
+    return TRUE;
+
+  return FALSE;
+}
+
+static void
+ensure_account_credentials (GoaIdentityService *self,
+                            GoaObject          *object)
+{
+
+  GoaAccount *account;
+
+  if (should_ignore_object (self, object))
+    return;
+
+  account = goa_object_peek_account (object);
+  goa_account_call_ensure_credentials (account,
+                                       NULL,
+                                       (GAsyncReadyCallback)
+                                       on_credentials_ensured,
+                                       self);
+}
+
+static void
+on_sign_in_handled (GoaIdentityService    *self,
+                    GAsyncResult          *result,
+                    GDBusMethodInvocation *invocation)
+{
+  GError *error = NULL;
+
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    {
+      g_dbus_method_invocation_take_error (invocation, error);
+    }
+  else
+    {
+      const char *object_path;
+
+      object_path = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+      goa_identity_service_manager_complete_sign_in (GOA_IDENTITY_SERVICE_MANAGER (self),
+                                                     invocation,
+                                                     object_path);
+    }
+}
+
+static void
+read_sign_in_details (GoaIdentityServiceManager  *manager,
+                      GVariant                   *details,
+                      GoaIdentitySignInFlags     *flags,
+                      char                      **domain,
+                      char                      **secret_key)
+{
+  GVariantIter  iter;
+  char          *key;
+  char          *value;
+
+  *flags = GOA_IDENTITY_SIGN_IN_FLAGS_NONE;
+  g_variant_iter_init (&iter, details);
+  while (g_variant_iter_loop (&iter, "{ss}", &key, &value))
+    {
+      if (g_strcmp0 (key, "domain") == 0)
+        *domain = g_strdup (value);
+      else if (g_strcmp0 (key, "initial-password") == 0)
+        *secret_key = g_strdup (value);
+      else if (g_strcmp0 (key, "disallow-renewal") == 0
+               && g_strcmp0 (value, "true") == 0)
+        *flags |= GOA_IDENTITY_SIGN_IN_FLAGS_DISALLOW_RENEWAL;
+      else if (g_strcmp0 (key, "disallow-forwarding") == 0
+               && g_strcmp0 (value, "true") == 0)
+        *flags |= GOA_IDENTITY_SIGN_IN_FLAGS_DISALLOW_FORWARDING;
+      else if (g_strcmp0 (key, "disallow-proxying") == 0
+               && g_strcmp0 (value, "true") == 0)
+        *flags |= GOA_IDENTITY_SIGN_IN_FLAGS_DISALLOW_PROXYING;
+    }
+}
+
+static void
+on_realm_looked_up_for_sign_in (GoaIdentityService *self,
+                                GAsyncResult       *result,
+                                GSimpleAsyncResult *operation_result)
+{
+  UmRealmObject          *realm;
+  GoaIdentitySignInFlags  flags;
+  GError                 *error;
+  GCancellable           *cancellable;
+  const char             *identifier;
+  gconstpointer           initial_password;
+  char                   *new_identifier;
+
+  identifier = g_simple_async_result_get_source_tag (operation_result);
+  new_identifier = NULL;
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+                                             &error))
+    {
+      goa_debug ("GoaIdentityService: Could not discover realm: %s",
+                 error->message);
+      g_error_free (error);
+
+      /* let it slide, we might not need realmd for this deployment
+       */
+      realm = NULL;
+    }
+  else
+    {
+      char *user;
+      UmRealmKerberos *kerberos;
+
+      /* Rebuild the identifier using the updated realm
+       */
+
+      realm = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+
+      goa_identity_utils_split_identifier (identifier,
+                                           &user,
+                                           NULL);
+
+      kerberos = um_realm_object_peek_kerberos (realm);
+
+      if (user != NULL)
+        new_identifier = g_strdup_printf ("%s %s",
+                                          user,
+                                          um_realm_kerberos_get_realm_name (kerberos));
+
+      identifier = new_identifier;
+
+      g_free (user);
+    }
+
+  cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+  initial_password = g_object_get_data (G_OBJECT (operation_result),
+                                        "initial-password");
+  flags = (GoaIdentitySignInFlags) g_object_get_data (G_OBJECT (operation_result),
+                                                      "flags");
+
+  sign_in (self,
+           identifier,
+           realm,
+           initial_password,
+           flags,
+           cancellable,
+           (GAsyncReadyCallback)
+           on_sign_in_done,
+           operation_result);
+
+  g_free (new_identifier);
+}
+
+static void
+on_realm_looked_up (UmRealmManager     *manager,
+                    GAsyncResult       *result,
+                    GSimpleAsyncResult *operation_result)
+{
+  GError *error;
+  GList *realms;
+
+  error = NULL;
+  realms = um_realm_manager_discover_finish (manager, result, &error);
+  if (error != NULL)
+    {
+      g_simple_async_result_take_error (operation_result, error);
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  if (realms->data == NULL)
+    g_simple_async_result_set_op_res_gpointer (operation_result, NULL, NULL);
+  else
+    g_simple_async_result_set_op_res_gpointer (operation_result,
+                                               g_object_ref (realms->data),
+                                               (GDestroyNotify)
+                                               g_free);
+  g_list_free_full (realms,
+                    (GDestroyNotify)
+                    g_object_unref);
+}
+
+static void
+on_manager_realm_added (UmRealmManager     *manager,
+                        UmRealmObject      *realm,
+                        GoaIdentityService *self)
+{
+  export_realm (self, realm);
+}
+
+static void
+on_realm_manager_ensured (GObject            *source,
+                          GAsyncResult       *result,
+                          GSimpleAsyncResult *operation_result)
+{
+  GoaIdentityService *self;
+  GError             *error;
+  GList              *realms, *node;
+
+  self = GOA_IDENTITY_SERVICE (g_async_result_get_source_object (G_ASYNC_RESULT (operation_result)));
+
+  g_clear_object (&self->priv->realm_manager);
+
+  error = NULL;
+  self->priv->realm_manager = um_realm_manager_new_finish (result, &error);
+  if (error != NULL)
+    {
+      g_simple_async_result_take_error (operation_result, error);
+    }
+  else
+    {
+      realms = um_realm_manager_get_realms (self->priv->realm_manager);
+
+      for (node = realms; node != NULL; node = node->next)
+        export_realm (self, node->data);
+
+      g_list_free (realms);
+
+      g_signal_connect (self->priv->realm_manager,
+                        "realm-added",
+                        G_CALLBACK (on_manager_realm_added),
+                        self);
+
+    }
+
+  g_simple_async_result_complete_in_idle (operation_result);
+  g_object_unref (operation_result);
+}
+
+static void
+ensure_realm_manager (GoaIdentityService  *self,
+                      GCancellable        *cancellable,
+                      GAsyncReadyCallback  callback,
+                      gpointer             user_data)
+{
+  GSimpleAsyncResult *operation_result;
+
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                callback,
+                                                user_data,
+                                                ensure_realm_manager);
+
+  g_simple_async_result_set_check_cancellable (operation_result, cancellable);
+  um_realm_manager_new (self->priv->cancellable,
+                        (GAsyncReadyCallback)
+                        on_realm_manager_ensured,
+                        operation_result);
+}
+
+static void
+on_realm_manager_ensured_for_look_up (GoaIdentityService *self,
+                                      GAsyncResult       *result,
+                                      GSimpleAsyncResult *operation_result)
+{
+  GError       *error;
+  GCancellable *cancellable;
+  const char   *domain;
+
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    {
+      g_simple_async_result_take_error (operation_result, error);
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  domain = g_object_get_data (G_OBJECT (operation_result), "domain");
+  cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+  um_realm_manager_discover (self->priv->realm_manager,
+                             domain,
+                             cancellable,
+                             (GAsyncReadyCallback)
+                             on_realm_looked_up,
+                             operation_result);
+}
+
+static void
+look_up_realm (GoaIdentityService  *self,
+               const char          *identifier,
+               const char          *domain,
+               GCancellable        *cancellable,
+               GAsyncReadyCallback  callback,
+               gpointer             user_data)
+{
+  GSimpleAsyncResult *operation_result;
+  char *domain_to_look_up;
+
+  goa_debug ("GoaIdentityService: looking up realm");
+
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                callback,
+                                                user_data,
+                                                look_up_realm);
+
+  g_simple_async_result_set_check_cancellable (operation_result, cancellable);
+
+  if (domain != NULL)
+    {
+      domain_to_look_up = g_strdup (domain);
+    }
+  else
+    {
+      goa_identity_utils_split_identifier (identifier,
+                                           NULL,
+                                           &domain_to_look_up);
+    }
+
+  if (domain_to_look_up == NULL)
+    domain_to_look_up = g_strdup ("");
+
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "domain",
+                          domain_to_look_up,
+                          (GDestroyNotify)
+                          g_free);
+
+  ensure_realm_manager (self,
+                        cancellable,
+                        (GAsyncReadyCallback)
+                        on_realm_manager_ensured_for_look_up,
+                        operation_result);
+
+}
+
+static gboolean
+goa_identity_service_handle_sign_in (GoaIdentityServiceManager *manager,
+                                     GDBusMethodInvocation     *invocation,
+                                     const char                *identifier,
+                                     GVariant                  *details)
+{
+  GoaIdentityService     *self = GOA_IDENTITY_SERVICE (manager);
+  GSimpleAsyncResult     *operation_result;
+  GoaIdentitySignInFlags  flags;
+  char                   *domain;
+  char                   *secret_key;
+  gconstpointer           initial_password;
+  GCancellable           *cancellable;
+
+  domain = NULL;
+  secret_key = NULL;
+  initial_password = NULL;
+
+  read_sign_in_details (manager, details, &flags, &domain, &secret_key);
+
+  if (secret_key != NULL)
+    {
+      GcrSecretExchange *secret_exchange;
+
+      secret_exchange = g_hash_table_lookup (self->priv->key_holders,
+                                             g_dbus_method_invocation_get_sender (invocation));
+
+      if (secret_exchange == NULL)
+        {
+          g_free (secret_key);
+          g_dbus_method_invocation_return_error (invocation,
+                                                 GOA_IDENTITY_MANAGER_ERROR,
+                                                 GOA_IDENTITY_MANAGER_ERROR_ACCESSING_CREDENTIALS,
+                                                 _("initial secret passed before secret key exchange"));
+          return TRUE;
+        }
+
+      gcr_secret_exchange_receive (secret_exchange, secret_key);
+      g_free (secret_key);
+
+      initial_password = gcr_secret_exchange_get_secret (secret_exchange, NULL);
+    }
+
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                (GAsyncReadyCallback)
+                                                on_sign_in_handled,
+                                                g_object_ref (invocation),
+                                                g_strdup (identifier));
+  cancellable = g_cancellable_new ();
+  g_object_set_data (G_OBJECT (operation_result),
+                     "cancellable",
+                     cancellable);
+  g_object_set_data (G_OBJECT (operation_result),
+                     "initial-password",
+                     (gpointer)
+                     initial_password);
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "domain",
+                          domain,
+                          (GDestroyNotify)
+                          g_free);
+  g_object_set_data (G_OBJECT (operation_result),
+                     "flags",
+                     GINT_TO_POINTER ((int) flags));
+  if (domain == NULL)
+    sign_in (self,
+             identifier,
+             NULL,
+             initial_password,
+             flags,
+             cancellable,
+             (GAsyncReadyCallback)
+             on_sign_in_done,
+             operation_result);
+  else
+    look_up_realm (self,
+                   identifier,
+                   domain,
+                   cancellable,
+                   (GAsyncReadyCallback)
+                   on_realm_looked_up_for_sign_in,
+                   operation_result);
+
+  g_object_unref (cancellable);
+
+  return TRUE;
+}
+
+static void
+on_sign_out_handled (GoaIdentityService    *self,
+                     GAsyncResult          *result,
+                     GDBusMethodInvocation *invocation)
+{
+  GError *error;
+
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    g_dbus_method_invocation_take_error (invocation, error);
+  else
+    goa_identity_service_manager_complete_sign_out (GOA_IDENTITY_SERVICE_MANAGER (self),
+                                                    invocation);
+}
+
+static void
+on_identity_signed_out (GoaIdentityManager *manager,
+                        GAsyncResult       *result,
+                        GSimpleAsyncResult *operation_result)
+{
+  GoaIdentityService *self;
+  GError             *error;
+  GoaIdentity        *identity;
+  const char         *identifier;
+  GoaObject          *object;
+
+  error = NULL;
+  goa_identity_manager_sign_identity_out_finish (manager, result, &error);
+
+  if (error != NULL)
+    {
+      goa_debug ("GoaIdentityService: Identity could not be signed out: %s",
+                 error->message);
+      g_simple_async_result_take_error (operation_result, error);
+    }
+
+  self = GOA_IDENTITY_SERVICE (g_async_result_get_source_object (G_ASYNC_RESULT (operation_result)));
+  identity = g_object_get_data (G_OBJECT (operation_result), "identity");
+
+  identifier = goa_identity_get_identifier (identity);
+  object = find_object_with_principal (self, identifier, FALSE);
+
+  if (object != NULL)
+    ensure_account_credentials (self, object);
+
+  g_simple_async_result_complete_in_idle (operation_result);
+  g_object_unref (operation_result);
+}
+
+static void
+on_got_identity_for_sign_out (GoaIdentityManager *manager,
+                              GAsyncResult       *result,
+                              GSimpleAsyncResult *operation_result)
+{
+  GError *error;
+  GoaIdentity *identity;
+
+  error = NULL;
+  identity = goa_identity_manager_get_identity_finish (manager, result, &error);
+
+  if (error != NULL)
+    {
+      goa_debug ("GoaIdentityService: Identity could not be signed out: %s",
+                 error->message);
+      return;
+    }
+
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "identity",
+                          g_object_ref (identity),
+                          (GDestroyNotify)
+                          g_object_unref);
+
+  goa_identity_manager_sign_identity_out (manager,
+                                          identity,
+                                          NULL,
+                                          (GAsyncReadyCallback)
+                                          on_identity_signed_out,
+                                          operation_result);
+}
+
+static gboolean
+goa_identity_service_handle_sign_out (GoaIdentityServiceManager *manager,
+                                      GDBusMethodInvocation     *invocation,
+                                      const char                *identifier)
+{
+  GoaIdentityService *self = GOA_IDENTITY_SERVICE (manager);
+  GSimpleAsyncResult *result;
+
+  result = g_simple_async_result_new (G_OBJECT (self),
+                                      (GAsyncReadyCallback)
+                                      on_sign_out_handled,
+                                      g_object_ref (invocation),
+                                      goa_identity_service_handle_sign_out);
+
+  goa_identity_manager_get_identity (self->priv->identity_manager,
+                                     identifier,
+                                     NULL,
+                                     (GAsyncReadyCallback)
+                                     on_got_identity_for_sign_out,
+                                     result);
+  return TRUE;
+}
+
+static void
+on_secret_keys_exchanged (GoaIdentityService *self,
+                          GAsyncResult       *result)
+{
+  GDBusMethodInvocation *invocation;
+  GError                *error;
+
+  invocation = g_simple_async_result_get_source_tag (G_SIMPLE_ASYNC_RESULT (result));
+
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    {
+      g_dbus_method_invocation_take_error (invocation, error);
+    }
+  else
+    {
+      const char *output_key;
+
+      output_key = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+      goa_identity_service_manager_complete_exchange_secret_keys (GOA_IDENTITY_SERVICE_MANAGER (self),
+                                                                  invocation,
+                                                                  output_key);
+    }
+}
+
+static void
+on_caller_watched (GDBusConnection    *connection,
+                   const char         *name,
+                   const char         *name_owner,
+                   GSimpleAsyncResult *operation_result)
+{
+  GoaIdentityService    *self;
+  GcrSecretExchange     *secret_exchange;
+  const char            *input_key;
+  char                  *output_key;
+
+  self = GOA_IDENTITY_SERVICE (g_async_result_get_source_object (G_ASYNC_RESULT (operation_result)));
+  input_key = g_object_get_data (G_OBJECT (operation_result), "input-key");
+
+  secret_exchange = gcr_secret_exchange_new (NULL);
+
+  if (!gcr_secret_exchange_receive (secret_exchange,
+                                    input_key))
+    {
+      g_simple_async_result_set_error (operation_result,
+                                       GCR_ERROR,
+                                       GCR_ERROR_UNRECOGNIZED,
+                                       _("Initial secret key is invalid"));
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  g_hash_table_insert (self->priv->key_holders,
+                       g_strdup (name_owner),
+                       secret_exchange);
+
+  output_key = gcr_secret_exchange_send (secret_exchange, NULL, 0);
+
+  g_simple_async_result_set_op_res_gpointer (operation_result,
+                                             output_key,
+                                             (GDestroyNotify)
+                                             g_free);
+  g_simple_async_result_complete_in_idle (operation_result);
+}
+
+static void
+on_caller_vanished (GDBusConnection    *connection,
+                    const char         *name,
+                    GSimpleAsyncResult *operation_result)
+{
+  GoaIdentityService *self;
+  GCancellable       *cancellable;
+
+  self = GOA_IDENTITY_SERVICE (g_async_result_get_source_object (G_ASYNC_RESULT (operation_result)));
+
+  cancellable = g_object_get_data (G_OBJECT (operation_result), "cancellable");
+  g_cancellable_cancel (cancellable);
+
+  g_hash_table_remove (self->priv->watched_client_connections, name);
+  g_hash_table_remove (self->priv->key_holders, name);
+
+}
+
+static gboolean
+goa_identity_service_handle_exchange_secret_keys (GoaIdentityServiceManager *manager,
+                                                  GDBusMethodInvocation     *invocation,
+                                                  const char                *input_key)
+{
+  GoaIdentityService     *self = GOA_IDENTITY_SERVICE (manager);
+  GSimpleAsyncResult     *operation_result;
+  GCancellable           *cancellable;
+  guint                   watch_id;
+  const char             *sender;
+
+  cancellable = g_cancellable_new ();
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                (GAsyncReadyCallback)
+                                                on_secret_keys_exchanged,
+                                                NULL,
+                                                g_object_ref (invocation));
+  g_simple_async_result_set_check_cancellable (operation_result, cancellable);
+  g_object_set_data (G_OBJECT (operation_result), "cancellable", cancellable);
+
+  g_object_set_data_full (G_OBJECT (operation_result),
+                          "input-key",
+                          g_strdup (input_key),
+                          (GDestroyNotify)
+                          g_free);
+  sender = g_dbus_method_invocation_get_sender (invocation);
+  watch_id = g_bus_watch_name (G_BUS_TYPE_SESSION,
+                               sender,
+                               G_BUS_NAME_WATCHER_FLAGS_NONE,
+                               (GBusNameAppearedCallback)
+                               on_caller_watched,
+                               (GBusNameVanishedCallback)
+                               on_caller_vanished,
+                               g_object_ref (operation_result),
+                               (GDestroyNotify)
+                               g_object_unref);
+  g_hash_table_insert (self->priv->watched_client_connections,
+                       g_strdup (sender),
+                       GUINT_TO_POINTER (watch_id));
+
+  return TRUE;
+}
+
+static void
+identity_service_manager_interface_init (GoaIdentityServiceManagerIface *interface)
+{
+  interface->handle_sign_in = goa_identity_service_handle_sign_in;
+  interface->handle_sign_out = goa_identity_service_handle_sign_out;
+  interface->handle_exchange_secret_keys = goa_identity_service_handle_exchange_secret_keys;
+}
+
+static void
+goa_identity_service_init (GoaIdentityService *self)
+{
+  self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+                                            GOA_TYPE_IDENTITY_SERVICE,
+                                            GoaIdentityServicePrivate);
+
+  goa_debug ("GoaIdentityService: initializing");
+  self->priv->watched_client_connections = g_hash_table_new_full (g_str_hash,
+                                                                  g_str_equal,
+                                                                  (GDestroyNotify)
+                                                                  g_free,
+                                                                  (GDestroyNotify)
+                                                                  g_bus_unwatch_name);
+
+  self->priv->key_holders = g_hash_table_new_full (g_str_hash,
+                                                   g_str_equal,
+                                                   (GDestroyNotify)
+                                                   g_free,
+                                                   (GDestroyNotify)
+                                                   g_object_unref);
+}
+
+static void
+goa_identity_service_finalize (GObject *object)
+{
+  GoaIdentityService *self;
+
+  g_return_if_fail (object != NULL);
+  g_return_if_fail (GOA_IS_IDENTITY_SERVICE (object));
+
+  goa_debug ("GoaIdentityService: finalizing");
+
+  self = GOA_IDENTITY_SERVICE (object);
+
+  goa_identity_service_deactivate (self);
+
+  g_clear_object (&self->priv->identity_manager);
+  g_clear_object (&self->priv->object_manager_server);
+  g_clear_object (&self->priv->realm_manager);
+  g_clear_object (&self->priv->watched_client_connections);
+  g_clear_object (&self->priv->key_holders);
+
+  G_OBJECT_CLASS (goa_identity_service_parent_class)->finalize (object);
+}
+
+static void
+on_identity_renewed (GoaIdentityManager *manager,
+                     GAsyncResult       *result,
+                     GoaIdentityService *self)
+{
+  GError *error;
+
+  error = NULL;
+  goa_identity_manager_renew_identity_finish (manager, result, &error);
+
+  if (error != NULL)
+    {
+      goa_debug ("GoaIdentityService: could not renew identity: %s",
+               error->message);
+      g_error_free (error);
+      return;
+    }
+
+  goa_debug ("GoaIdentityService: identity renewed");
+}
+
+static void
+on_identity_needs_renewal (GoaIdentityManager *identity_manager,
+                           GoaIdentity        *identity,
+                           GoaIdentityService *self)
+{
+  const char *principal;
+  GoaObject  *object;
+
+  principal = goa_identity_get_identifier (identity);
+
+  goa_debug ("GoaIdentityService: identity %s needs renewal", principal);
+
+  object = find_object_with_principal (self, principal, TRUE);
+
+  if (object != NULL)
+    {
+      should_ignore_object (self, object);
+      return;
+    }
+
+  goa_identity_manager_renew_identity (GOA_IDENTITY_MANAGER
+                                       (self->priv->identity_manager),
+                                       identity,
+                                       NULL,
+                                       (GAsyncReadyCallback)
+                                       on_identity_renewed,
+                                       self);
+}
+
+static void
+on_identity_signed_in (GoaIdentityManager *manager,
+                       GAsyncResult       *result,
+                       GSimpleAsyncResult *operation_result)
+{
+  GError *error;
+  GoaIdentity *identity;
+
+  error = NULL;
+  identity = goa_identity_manager_sign_identity_in_finish (manager, result, &error);
+
+  if (error != NULL)
+    {
+      goa_debug ("GoaIdentityService: could not sign in identity: %s",
+                 error->message);
+      g_simple_async_result_take_error (operation_result, error);
+    }
+  else
+    {
+      g_simple_async_result_set_op_res_gpointer (operation_result,
+                                                 g_object_ref (identity),
+                                                 (GDestroyNotify)
+                                                 g_object_unref);
+    }
+  g_simple_async_result_complete_in_idle (operation_result);
+  g_object_unref (operation_result);
+
+  goa_debug ("GoaIdentityService: identity signed in");
+}
+
+static void
+on_temporary_account_created_for_identity (GoaIdentityService *self,
+                                           GAsyncResult       *result,
+                                           GoaIdentity        *identity)
+{
+  GoaObject   *object;
+  GError      *error;
+
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    {
+      const char *identifier;
+
+      identifier = goa_identity_get_identifier (identity);
+      goa_debug ("Could not add temporary account for identity %s: %s",
+                 identifier,
+                 error->message);
+      g_error_free (error);
+      return;
+    }
+
+  object = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+
+  if (object != NULL)
+    ensure_account_credentials (self, object);
+}
+
+static void
+on_account_added (GoaManager         *manager,
+                  GAsyncResult       *result,
+                  GSimpleAsyncResult *operation_result)
+{
+  GoaIdentityService *self;
+  GDBusObjectManager *object_manager;
+  char *object_path;
+  GoaObject *object;
+  GError *error;
+
+  self = GOA_IDENTITY_SERVICE (g_async_result_get_source_object (G_ASYNC_RESULT (operation_result)));
+  object_path = NULL;
+  object = NULL;
+  error = NULL;
+
+  if (!goa_manager_call_add_account_finish (manager,
+                                            &object_path,
+                                            result,
+                                            &error))
+    {
+      g_simple_async_result_take_error (operation_result, error);
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  if (object_path != NULL && object_path[0] != '\0')
+    {
+      goa_debug ("Created account for identity with object path %s", object_path);
+
+      object_manager = goa_client_get_object_manager (self->priv->client);
+      object = GOA_OBJECT (g_dbus_object_manager_get_object (object_manager,
+                                                             object_path));
+      g_free (object_path);
+    }
+
+  if (object == NULL)
+    g_simple_async_result_set_op_res_gpointer (operation_result, NULL, NULL);
+  else
+    g_simple_async_result_set_op_res_gpointer (operation_result,
+                                               object,
+                                               (GDestroyNotify)
+                                               g_object_unref);
+
+  g_simple_async_result_complete_in_idle (operation_result);
+  g_object_unref (operation_result);
+}
+
+static void
+add_temporary_account (GoaIdentityService *self,
+                       GoaIdentity        *identity)
+{
+  char               *realm;
+  const char         *principal;
+  const char         *principal_for_display;
+  GSimpleAsyncResult *operation_result;
+  GVariantBuilder     credentials;
+  GVariantBuilder     details;
+
+  principal = goa_identity_get_identifier (identity);
+
+  goa_debug ("GoaIdentityService: adding temporary identity %s", principal);
+
+  /* If there's no account for this identity then create a temporary one.
+   */
+  principal_for_display = goa_identity_manager_name_identity (self->priv->identity_manager,
+                                                              identity);
+
+  realm = goa_kerberos_identity_get_realm_name (GOA_KERBEROS_IDENTITY (identity));
+
+  g_variant_builder_init (&credentials, G_VARIANT_TYPE_VARDICT);
+
+  g_variant_builder_init (&details, G_VARIANT_TYPE ("a{ss}"));
+  g_variant_builder_add (&details, "{ss}", "Realm", realm);
+  g_variant_builder_add (&details, "{ss}", "IsTemporary", "true");
+  g_variant_builder_add (&details, "{ss}", "TicketingEnabled", "true");
+
+
+  goa_debug ("GoaIdentityService: asking to sign back in");
+
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                (GAsyncReadyCallback)
+                                                on_temporary_account_created_for_identity,
+                                                identity,
+                                                add_temporary_account);
+
+  goa_manager_call_add_account (self->priv->accounts_manager,
+                                "kerberos",
+                                principal,
+                                principal_for_display,
+                                g_variant_builder_end (&credentials),
+                                g_variant_builder_end (&details),
+                                NULL,
+                                (GAsyncReadyCallback)
+                                on_account_added,
+                                operation_result);
+  g_free (realm);
+}
+
+static void
+on_identity_added (GoaIdentityManager *identity_manager,
+                   GoaIdentity        *identity,
+                   GoaIdentityService *self)
+{
+  GoaObject *object;
+  const char *identifier;
+
+  export_identity (self, identity);
+
+  identifier = goa_identity_get_identifier (identity);
+
+  look_up_realm (self, identifier, NULL, NULL, NULL, NULL);
+
+  object = find_object_with_principal (self, identifier, FALSE);
+
+  if (object == NULL)
+    add_temporary_account (self, identity);
+}
+
+static void
+on_identity_removed (GoaIdentityManager *identity_manager,
+                     GoaIdentity        *identity,
+                     GoaIdentityService *self)
+{
+  GoaObject *object;
+  const char *identifier;
+
+  identifier = goa_identity_get_identifier (identity);
+  object = find_object_with_principal (self, identifier, FALSE);
+
+  if (object != NULL)
+    ensure_account_credentials (self, object);
+
+  unexport_identity (self, identity);
+}
+
+static void
+on_identity_refreshed (GoaIdentityManager *identity_manager,
+                       GoaIdentity        *identity,
+                       GoaIdentityService *self)
+{
+  GoaObject *object;
+  const char *identifier;
+
+  identifier = goa_identity_get_identifier (identity);
+  object = find_object_with_principal (self, identifier, FALSE);
+
+  if (object == NULL)
+    add_temporary_account (self, identity);
+  else
+    ensure_account_credentials (self, object);
+}
+
+typedef struct
+{
+  GoaIdentityService *service;
+  GoaIdentity        *identity;
+  GoaIdentityInquiry *inquiry;
+  GoaIdentityQuery   *query;
+  GcrSystemPrompt    *prompt;
+  GCancellable       *cancellable;
+} SystemPromptRequest;
+
+static SystemPromptRequest *
+system_prompt_request_new (GoaIdentityService *service,
+                           GcrSystemPrompt    *prompt,
+                           GoaIdentity        *identity,
+                           GoaIdentityInquiry *inquiry,
+                           GoaIdentityQuery   *query,
+                           GCancellable       *cancellable)
+{
+  SystemPromptRequest *data;
+
+  data = g_slice_new0 (SystemPromptRequest);
+
+  data->service = service;
+  data->prompt = prompt;
+  data->identity = g_object_ref (identity);
+  data->inquiry = g_object_ref (inquiry);
+  data->query = query;
+  data->cancellable = g_object_ref (cancellable);
+
+  return data;
+}
+
+static void
+system_prompt_request_free (SystemPromptRequest *data)
+{
+  g_clear_object (&data->identity);
+  g_clear_object (&data->inquiry);
+  g_clear_object (&data->cancellable);
+  g_slice_free (SystemPromptRequest, data);
+}
+
+static void
+close_system_prompt (GoaIdentityManager  *manager,
+                     GoaIdentity         *identity,
+                     SystemPromptRequest *data)
+{
+  GError *error;
+
+  /* Only close the prompt if the identity we're
+   * waiting on got refreshed
+   */
+  if (data->identity != identity)
+    return;
+
+  g_signal_handlers_disconnect_by_func (G_OBJECT (manager),
+                                        G_CALLBACK (close_system_prompt),
+                                        data);
+  error = NULL;
+  if (!gcr_system_prompt_close (data->prompt, NULL, &error))
+    {
+      if (error != NULL)
+        {
+          goa_debug ("GoaIdentityService: could not close system prompt: %s",
+                   error->message);
+          g_error_free (error);
+        }
+    }
+}
+
+static void
+on_password_system_prompt_answered (GcrPrompt           *prompt,
+                                    GAsyncResult        *result,
+                                    SystemPromptRequest *request)
+{
+  GoaIdentityService *self = request->service;
+  GoaIdentityInquiry *inquiry = request->inquiry;
+  GoaIdentity *identity = request->identity;
+  GoaIdentityQuery *query = request->query;
+  GCancellable *cancellable = request->cancellable;
+  GError *error;
+  const char *password;
+
+  error = NULL;
+  password = gcr_prompt_password_finish (prompt, result, &error);
+
+  if (password == NULL)
+    {
+      if (error != NULL)
+        {
+          goa_debug ("GoaIdentityService: could not get password from user: %s",
+                   error->message);
+          g_error_free (error);
+        }
+      else
+        {
+          g_cancellable_cancel (cancellable);
+        }
+    }
+  else if (!g_cancellable_is_cancelled (cancellable))
+    {
+      goa_identity_inquiry_answer_query (inquiry, query, password);
+    }
+
+  close_system_prompt (self->priv->identity_manager, identity, request);
+  system_prompt_request_free (request);
+}
+
+static void
+query_user (GoaIdentityService *self,
+            GoaIdentity        *identity,
+            GoaIdentityInquiry *inquiry,
+            GoaIdentityQuery   *query,
+            GcrPrompt          *prompt,
+            GCancellable       *cancellable)
+{
+  SystemPromptRequest *request;
+  char *prompt_text;
+  GoaIdentityQueryMode query_mode;
+  char *description;
+  char *name;
+
+  g_assert (GOA_IS_KERBEROS_IDENTITY (identity));
+
+  gcr_prompt_set_title (prompt, _("Log In to Realm"));
+
+  name = goa_identity_manager_name_identity (self->priv->identity_manager, identity);
+
+  description =
+    g_strdup_printf (_("The network realm %s needs some information to sign you in."),
+                     name);
+  g_free (name);
+
+  gcr_prompt_set_description (prompt, description);
+  g_free (description);
+
+  prompt_text = goa_identity_query_get_prompt (inquiry, query);
+  gcr_prompt_set_message (prompt, prompt_text);
+  g_free (prompt_text);
+
+  request = system_prompt_request_new (self,
+                                       GCR_SYSTEM_PROMPT (prompt),
+                                       identity,
+                                       inquiry,
+                                       query,
+                                       cancellable);
+
+  g_signal_connect (G_OBJECT (self->priv->identity_manager),
+                    "identity-refreshed",
+                    G_CALLBACK (close_system_prompt),
+                    request);
+
+  query_mode = goa_identity_query_get_mode (inquiry, query);
+
+  switch (query_mode)
+    {
+    case GOA_IDENTITY_QUERY_MODE_INVISIBLE:
+      gcr_prompt_password_async (prompt,
+                                 cancellable,
+                                 (GAsyncReadyCallback)
+                                 on_password_system_prompt_answered,
+                                 request);
+      break;
+    case GOA_IDENTITY_QUERY_MODE_VISIBLE:
+      /* FIXME: we need to either
+       * 1) add new GCR api to allow for asking questions with visible answers
+       * or
+       * 2) add a new shell D-Bus api and drop GCR
+       */
+      gcr_prompt_password_async (prompt,
+                                 cancellable,
+                                 (GAsyncReadyCallback)
+                                 on_password_system_prompt_answered,
+                                 request);
+      break;
+    }
+}
+
+typedef struct
+{
+  GoaIdentityService *service;
+  GoaIdentityInquiry *inquiry;
+  GCancellable *cancellable;
+} SystemPromptOpenRequest;
+
+static SystemPromptOpenRequest *
+system_prompt_open_request_new (GoaIdentityService *service,
+                                GoaIdentityInquiry *inquiry,
+                                GCancellable       *cancellable)
+{
+  SystemPromptOpenRequest *data;
+
+  data = g_slice_new0 (SystemPromptOpenRequest);
+
+  data->service = service;
+  data->inquiry = g_object_ref (inquiry);
+  data->cancellable = g_object_ref (cancellable);
+
+  return data;
+}
+
+static void
+system_prompt_open_request_free (SystemPromptOpenRequest *data)
+{
+  g_clear_object (&data->inquiry);
+  g_clear_object (&data->cancellable);
+  g_slice_free (SystemPromptOpenRequest, data);
+}
+
+static void
+on_system_prompt_open (GcrSystemPrompt         *system_prompt,
+                       GAsyncResult            *result,
+                       SystemPromptOpenRequest *request)
+{
+  GoaIdentityService *self = request->service;
+  GoaIdentityInquiry *inquiry = request->inquiry;
+  GCancellable *cancellable = request->cancellable;
+  GoaIdentity *identity;
+  GoaIdentityQuery *query;
+  GcrPrompt *prompt;
+  GError *error;
+  GoaIdentityInquiryIter iter;
+
+  error = NULL;
+  prompt = gcr_system_prompt_open_finish (result, &error);
+
+  if (prompt == NULL)
+    {
+      if (error != NULL)
+        {
+          goa_debug ("GoaIdentityService: could not open system prompt: %s",
+                   error->message);
+          g_error_free (error);
+        }
+      return;
+    }
+
+  identity = goa_identity_inquiry_get_identity (inquiry);
+  goa_identity_inquiry_iter_init (&iter, inquiry);
+  while ((query = goa_identity_inquiry_iter_next (&iter, inquiry)) != NULL)
+    query_user (self, identity, inquiry, query, prompt, cancellable);
+
+  system_prompt_open_request_free (request);
+}
+
+static void
+on_identity_inquiry (GoaIdentityInquiry *inquiry,
+                     GCancellable       *cancellable,
+                     GoaIdentityService *self)
+{
+  SystemPromptOpenRequest *request;
+
+  request = system_prompt_open_request_new (self, inquiry, cancellable);
+  gcr_system_prompt_open_async (-1,
+                                cancellable,
+                                (GAsyncReadyCallback)
+                                on_system_prompt_open,
+                                request);
+}
+
+static void
+cancel_sign_in (GoaIdentityManager *identity_manager,
+                GoaIdentity        *identity,
+                GSimpleAsyncResult *operation_result)
+{
+  GoaIdentity *operation_identity;
+
+  operation_identity = g_simple_async_result_get_source_tag (operation_result);
+  if (operation_identity == identity)
+    {
+      GCancellable *cancellable;
+
+      cancellable = g_object_get_data (G_OBJECT (operation_result),
+                                       "cancellable");
+      g_cancellable_cancel (cancellable);
+    }
+}
+
+static void
+sign_in (GoaIdentityService     *self,
+         const char             *identifier,
+         UmRealmObject          *realm,
+         gconstpointer           initial_password,
+         GoaIdentitySignInFlags  flags,
+         GCancellable           *cancellable,
+         GAsyncReadyCallback     callback,
+         gpointer                user_data)
+{
+  GSimpleAsyncResult *operation_result;
+
+  goa_debug ("GoaIdentityService: asking to sign in");
+
+  operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                callback,
+                                                user_data,
+                                                realm);
+  g_simple_async_result_set_check_cancellable (operation_result, cancellable);
+
+  g_object_set_data (G_OBJECT (operation_result),
+                     "cancellable",
+                     cancellable);
+  g_signal_connect_object (G_OBJECT (self->priv->identity_manager),
+                           "identity-refreshed",
+                           G_CALLBACK (cancel_sign_in),
+                           operation_result,
+                           0);
+
+  goa_identity_manager_sign_identity_in (self->priv->identity_manager,
+                                         identifier,
+                                         initial_password,
+                                         flags,
+                                         (GoaIdentityInquiryFunc)
+                                         on_identity_inquiry,
+                                         self,
+                                         cancellable,
+                                         (GAsyncReadyCallback)
+                                         on_identity_signed_in,
+                                         operation_result);
+}
+
+static void
+on_identity_expiring (GoaIdentityManager *identity_manager,
+                      GoaIdentity        *identity,
+                      GoaIdentityService *self)
+{
+  const char *principal;
+  GoaObject  *object;
+
+  principal = goa_identity_get_identifier (identity);
+
+  goa_debug ("GoaIdentityService: identity %s expiring", principal);
+
+  object = find_object_with_principal (self, principal, TRUE);
+
+  if (object == NULL)
+    return;
+
+  ensure_account_credentials (self, object);
+}
+
+static void
+on_identity_expired (GoaIdentityManager *identity_manager,
+                     GoaIdentity        *identity,
+                     GoaIdentityService *self)
+{
+  const char *principal;
+  GoaObject  *object;
+
+  principal = goa_identity_get_identifier (identity);
+
+  goa_debug ("GoaIdentityService: identity %s expired", principal);
+
+  object = find_object_with_principal (self, principal, TRUE);
+
+  if (object == NULL)
+    return;
+
+  ensure_account_credentials (self, object);
+}
+
+static void
+on_sign_out_for_account_change_done (GoaIdentityService *self,
+                                     GAsyncResult       *result)
+{
+  GError *error = NULL;
+
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    {
+      goa_debug ("Log out failed: %s", error->message);
+      g_error_free (error);
+    }
+  else
+    {
+      goa_debug ("Log out complete");
+    }
+}
+
+static void
+on_ticketing_done (GoaIdentityService *self,
+                   GAsyncResult       *result)
+{
+  GoaObject *object;
+
+  object = g_simple_async_result_get_source_tag (G_SIMPLE_ASYNC_RESULT (result));
+
+  ensure_account_credentials (self, object);
+}
+
+static void
+on_got_ticket (GoaTicketing       *ticketing,
+               GAsyncResult       *result,
+               GSimpleAsyncResult *operation_result)
+{
+  GoaObject          *object;
+  GoaAccount         *account;
+  GError             *error;
+  const char         *account_identity;
+
+  object = g_simple_async_result_get_source_tag (operation_result);
+  account = goa_object_peek_account (object);
+  account_identity = goa_account_get_identity (account);
+
+  error = NULL;
+  if (!goa_ticketing_call_get_ticket_finish (ticketing,
+                                             result,
+                                             &error))
+    {
+      goa_debug ("GoaIdentityService: could not get ticket for account %s: %s",
+                 account_identity,
+                 error->message);
+      g_error_free (error);
+
+      g_simple_async_result_complete_in_idle (operation_result);
+      g_object_unref (operation_result);
+      return;
+    }
+
+  goa_debug ("GoaIdentityService: got ticket for account %s",
+             account_identity);
+  g_simple_async_result_complete_in_idle (operation_result);
+  g_object_unref (operation_result);
+}
+
+static void
+on_account_interface_added (GDBusObjectManager *manager,
+                            GoaObject          *object,
+                            GDBusInterface     *interface,
+                            GoaIdentityService *self)
+{
+  GoaAccount         *account;
+  GoaTicketing       *ticketing;
+  GDBusInterfaceInfo *info;
+  const char         *provider_type;
+
+  account = goa_object_peek_account (object);
+
+  if (account == NULL)
+    return;
+
+  provider_type = goa_account_get_provider_type (account);
+
+  if (g_strcmp0 (provider_type, "kerberos") != 0)
+    return;
+
+  info = g_dbus_interface_get_info (interface);
+
+  if (g_strcmp0 (info->name, "org.gnome.OnlineAccounts.Ticketing") != 0)
+    return;
+
+  ticketing = goa_object_peek_ticketing (object);
+
+  if (ticketing != NULL)
+    {
+
+      GSimpleAsyncResult *operation_result;
+
+      operation_result = g_simple_async_result_new (G_OBJECT (self),
+                                                    (GAsyncReadyCallback)
+                                                    on_ticketing_done,
+                                                    NULL,
+                                                    object);
+      /* Ticketing interface is present, sign in if not already
+       * signed in.
+       */
+      goa_ticketing_call_get_ticket (ticketing,
+                                     NULL,
+                                     (GAsyncReadyCallback)
+                                     on_got_ticket,
+                                     operation_result);
+      return;
+    }
+}
+
+static void
+on_account_interface_removed (GDBusObjectManager *manager,
+                              GoaObject          *object,
+                              GDBusInterface     *interface,
+                              GoaIdentityService *self)
+{
+  GoaAccount         *account;
+  GoaTicketing       *ticketing;
+  GDBusInterfaceInfo *info;
+  const char         *provider_type;
+  const char         *account_identity;
+  GSimpleAsyncResult *result;
+
+  account = goa_object_peek_account (object);
+
+  if (account == NULL)
+    return;
+
+  provider_type = goa_account_get_provider_type (account);
+
+  if (g_strcmp0 (provider_type, "kerberos") != 0)
+    return;
+
+  info = g_dbus_interface_get_info (interface);
+
+  if (g_strcmp0 (info->name, "org.gnome.OnlineAccounts.Ticketing") != 0)
+    return;
+
+  ticketing = goa_object_peek_ticketing (object);
+
+  if (ticketing != NULL)
+    return;
+
+  /* Ticketing interface is gone, sign out if not already
+   * signed out. Also, since the user is playing around
+   * with the account make it permanent.
+   */
+  goa_account_set_is_temporary (account, FALSE);
+
+  account_identity = goa_account_get_identity (account);
+
+  goa_debug ("Kerberos account %s was disabled and should now be signed out", account_identity);
+
+  result = g_simple_async_result_new (G_OBJECT (self),
+                                      (GAsyncReadyCallback)
+                                      on_sign_out_for_account_change_done,
+                                      NULL,
+                                      on_account_interface_removed);
+
+  goa_identity_manager_get_identity (self->priv->identity_manager,
+                                     account_identity,
+                                     NULL,
+                                     (GAsyncReadyCallback)
+                                     on_got_identity_for_sign_out,
+                                     result);
+}
+
+static void
+on_account_removed (GoaClient          *client,
+                    GoaObject          *object,
+                    GoaIdentityService *self)
+{
+  GSimpleAsyncResult *result;
+  GoaAccount         *account;
+  const char         *provider_type;
+  const char         *account_identity;
+
+  account = goa_object_peek_account (object);
+
+  if (account == NULL)
+    return;
+
+  provider_type = goa_account_get_provider_type (account);
+
+  if (g_strcmp0 (provider_type, "kerberos") != 0)
+    return;
+
+  account_identity = goa_account_get_identity (account);
+
+  goa_debug ("Kerberos account %s removed and should now be signed out", account_identity);
+
+  result = g_simple_async_result_new (G_OBJECT (self),
+                                      (GAsyncReadyCallback)
+                                      on_sign_out_for_account_change_done,
+                                      NULL,
+                                      on_account_removed);
+
+  goa_identity_manager_get_identity (self->priv->identity_manager,
+                                     account_identity,
+                                     NULL,
+                                     (GAsyncReadyCallback)
+                                     on_got_identity_for_sign_out,
+                                     result);
+}
+
+static void
+on_identities_listed (GoaIdentityManager *manager,
+                      GAsyncResult       *result,
+                      GoaIdentityService *self)
+{
+  GError *error = NULL;
+  GList *identities, *node;
+
+  g_signal_connect (G_OBJECT (self->priv->identity_manager),
+                    "identity-added",
+                    G_CALLBACK (on_identity_added),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->identity_manager),
+                    "identity-removed",
+                    G_CALLBACK (on_identity_removed),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->identity_manager),
+                    "identity-refreshed",
+                    G_CALLBACK (on_identity_refreshed),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->identity_manager),
+                    "identity-needs-renewal",
+                    G_CALLBACK (on_identity_needs_renewal),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->identity_manager),
+                    "identity-expiring",
+                    G_CALLBACK (on_identity_expiring),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->identity_manager),
+                    "identity-expired",
+                    G_CALLBACK (on_identity_expired),
+                    self);
+
+  g_signal_connect (G_OBJECT (self->priv->client),
+                    "account-removed",
+                    G_CALLBACK (on_account_removed),
+                    self);
+
+  identities = goa_identity_manager_list_identities_finish (manager, result, &error);
+
+  if (identities == NULL)
+    {
+      if (error != NULL)
+        {
+          goa_warning ("Could not list identities: %s", error->message);
+          g_error_free (error);
+        }
+      return;
+    }
+
+  for (node = identities; node != NULL; node = node->next)
+    {
+      GoaIdentity *identity = node->data;
+      const char  *principal;
+      GoaObject   *object;
+
+      export_identity (self, identity);
+
+      principal = goa_identity_get_identifier (identity);
+
+      look_up_realm (self, principal, NULL, NULL, NULL, NULL);
+
+      object = find_object_with_principal (self, principal, TRUE);
+
+      if (object == NULL)
+        add_temporary_account (self, identity);
+      else
+        g_object_unref (object);
+    }
+}
+
+static void
+ensure_credentials_for_accounts (GoaIdentityService *self)
+{
+  GDBusObjectManager *object_manager;
+  GList      *accounts;
+  GList      *node;
+
+  object_manager = goa_client_get_object_manager (self->priv->client);
+
+  g_signal_connect (G_OBJECT (object_manager),
+                    "interface-added",
+                    G_CALLBACK (on_account_interface_added),
+                    self);
+  g_signal_connect (G_OBJECT (object_manager),
+                    "interface-removed",
+                    G_CALLBACK (on_account_interface_removed),
+                    self);
+
+  accounts = goa_client_get_accounts (self->priv->client);
+
+  for (node = accounts; node != NULL; node = node->next)
+    {
+      GoaObject *object = GOA_OBJECT (node->data);
+      GoaAccount *account;
+      GoaTicketing *ticketing;
+      const char *provider_type;
+
+      account = goa_object_peek_account (object);
+
+      if (account == NULL)
+        continue;
+
+      provider_type = goa_account_get_provider_type (account);
+
+      if (g_strcmp0 (provider_type, "kerberos") != 0)
+        continue;
+
+      ticketing = goa_object_peek_ticketing (object);
+
+      if (ticketing == NULL)
+        continue;
+
+      ensure_account_credentials (self, object);
+    }
+}
+
+static void
+on_got_client (GoaClient          *client,
+               GAsyncResult       *result,
+               GoaIdentityService *self)
+{
+  GError *error;
+
+  error = NULL;
+
+  self->priv->client = goa_client_new_finish (result, &error);
+
+  if (self->priv->client == NULL)
+    {
+      goa_warning ("Could not create client: %s", error->message);
+      return;
+    }
+
+  self->priv->accounts_manager = goa_client_get_manager (client);
+
+  self->priv->identity_manager = goa_kerberos_identity_manager_new (NULL, &error);
+
+  if (self->priv->identity_manager == NULL)
+    {
+      goa_warning ("Could not create identity manager: %s", error->message);
+      return;
+    }
+
+  goa_identity_manager_list_identities (self->priv->identity_manager,
+                                        NULL,
+                                        (GAsyncReadyCallback)
+                                        on_identities_listed,
+                                        self);
+
+  ensure_credentials_for_accounts (self);
+}
+
+static void
+on_session_bus_acquired (GDBusConnection    *connection,
+                         const char         *unique_name,
+                         GoaIdentityService *self)
+{
+  goa_debug ("GoaIdentityService: Connected to session bus");
+
+  if (self->priv->connection == NULL)
+  {
+    self->priv->connection = g_object_ref (connection);
+
+    g_dbus_object_manager_server_set_connection (self->priv->object_manager_server,
+                                                 self->priv->connection);
+
+    goa_client_new (NULL,
+                    (GAsyncReadyCallback)
+                    on_got_client,
+                    self);
+  }
+}
+
+static void
+on_name_acquired (GDBusConnection    *connection,
+                  const char         *name,
+                  GoaIdentityService *self)
+{
+  if (g_strcmp0 (name, "org.gnome.Identity") == 0)
+    goa_debug ("GoaIdentityService: Acquired name org.gnome.Identity");
+}
+
+static void
+on_name_lost (GDBusConnection    *connection,
+              const char         *name,
+              GoaIdentityService *self)
+{
+  if (g_strcmp0 (name, "org.gnome.Identity") == 0)
+    goa_debug ("GoaIdentityService: Lost name org.gnome.Identity");
+}
+
+static void
+on_realm_manager_ensured_for_auto_discovery (GoaIdentityService *self,
+                                             GAsyncResult       *result)
+{
+  GError *error;
+
+  error = NULL;
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), &error))
+    {
+      goa_debug ("GoaIdentityService: could not auto-discover available realms: %s",
+                 error->message);
+      return;
+    }
+
+  goa_debug ("GoaIdentityService: auto-discovering available realms");
+
+  /* Trigger realm-added signal for all discovered realms */
+  um_realm_manager_discover (self->priv->realm_manager,
+                             "",
+                             self->priv->cancellable,
+                             NULL,
+                             NULL);
+}
+
+static void
+on_realmd_appeared (GDBusConnection    *connection,
+                    const gchar        *name,
+                    const gchar        *name_owner,
+                    GoaIdentityService *self)
+{
+  ensure_realm_manager (self,
+                        NULL,
+                        (GAsyncReadyCallback)
+                        on_realm_manager_ensured_for_auto_discovery,
+                        NULL);
+}
+
+static void
+on_realmd_disappeared (GDBusConnection    *connection,
+                       const gchar        *name,
+                       GoaIdentityService *self)
+{
+  if (self->priv->realm_manager)
+    {
+      g_signal_handlers_disconnect_by_func (self->priv->realm_manager,
+                                            on_manager_realm_added,
+                                            self);
+      g_clear_object (&self->priv->realm_manager);
+    }
+}
+
+gboolean
+goa_identity_service_activate (GoaIdentityService   *self,
+                               GError              **error)
+{
+  GoaIdentityServiceObjectSkeleton *object;
+
+  g_return_val_if_fail (GOA_IS_IDENTITY_SERVICE (self), FALSE);
+
+  goa_debug ("GoaIdentityService: Activating identity service");
+
+  self->priv->cancellable = g_cancellable_new ();
+
+  self->priv->object_manager_server =
+    g_dbus_object_manager_server_new ("/org/gnome/Identity");
+
+  object = goa_identity_service_object_skeleton_new ("/org/gnome/Identity/Manager");
+  goa_identity_service_object_skeleton_set_manager (object,
+                                                    GOA_IDENTITY_SERVICE_MANAGER (self));
+
+  g_dbus_object_manager_server_export (self->priv->object_manager_server,
+                                       G_DBUS_OBJECT_SKELETON (object));
+  g_object_unref (object);
+
+  self->priv->bus_id = g_bus_own_name (G_BUS_TYPE_SESSION,
+                                       "org.gnome.Identity",
+                                       G_BUS_NAME_OWNER_FLAGS_ALLOW_REPLACEMENT |
+                                       G_BUS_NAME_OWNER_FLAGS_REPLACE,
+                                       (GBusAcquiredCallback) on_session_bus_acquired,
+                                       (GBusNameAcquiredCallback) on_name_acquired,
+                                       (GBusNameVanishedCallback) on_name_lost,
+                                       self,
+                                       NULL);
+
+  self->priv->realmd_watch = g_bus_watch_name (G_BUS_TYPE_SYSTEM,
+                                               "org.freedesktop.realmd",
+                                               G_BUS_NAME_WATCHER_FLAGS_AUTO_START,
+                                               (GBusNameAppearedCallback)
+                                               on_realmd_appeared,
+                                               (GBusNameVanishedCallback)
+                                               on_realmd_disappeared,
+                                               self,
+                                               NULL);
+
+  return TRUE;
+}
+
+void
+goa_identity_service_deactivate (GoaIdentityService *self)
+{
+  goa_debug ("GoaIdentityService: Deactivating identity service");
+
+  if (self->priv->realmd_watch == 0)
+    g_bus_unwatch_name (self->priv->realmd_watch);
+
+  if (self->priv->identity_manager != NULL)
+    {
+      g_signal_handlers_disconnect_by_func (self, on_identity_needs_renewal, self);
+      g_signal_handlers_disconnect_by_func (self, on_identity_expiring, self);
+      g_signal_handlers_disconnect_by_func (self, on_identity_expired, self);
+      g_clear_object (&self->priv->identity_manager);
+    }
+
+  g_clear_object (&self->priv->object_manager_server);
+  g_clear_object (&self->priv->connection);
+  g_clear_object (&self->priv->client);
+  g_clear_object (&self->priv->cancellable);
+}
+
+static void
+goa_identity_service_class_init (GoaIdentityServiceClass *service_class)
+{
+  GObjectClass *object_class = G_OBJECT_CLASS (service_class);
+
+  object_class->finalize = goa_identity_service_finalize;
+
+  goa_identity_utils_register_error_domain (GOA_IDENTITY_ERROR, GOA_TYPE_IDENTITY_ERROR);
+  goa_identity_utils_register_error_domain (GOA_IDENTITY_MANAGER_ERROR, GOA_TYPE_IDENTITY_MANAGER_ERROR);
+
+  g_type_class_add_private (service_class, sizeof (GoaIdentityServicePrivate));
+}
+
+GoaIdentityService *
+goa_identity_service_new (void)
+{
+  GObject *object;
+
+  object = g_object_new (GOA_TYPE_IDENTITY_SERVICE,
+                         NULL);
+
+  return GOA_IDENTITY_SERVICE (object);
+}
diff --git a/src/goaidentity/goaidentityservice.h b/src/goaidentity/goaidentityservice.h
new file mode 100644
index 0000000..5bbe5f5
--- /dev/null
+++ b/src/goaidentity/goaidentityservice.h
@@ -0,0 +1,61 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_IDENTITY_SERVICE_H__
+#define __GOA_IDENTITY_SERVICE_H__
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include "org.gnome.Identity.h"
+
+G_BEGIN_DECLS
+#define GOA_TYPE_IDENTITY_SERVICE           (goa_identity_service_get_type ())
+#define GOA_IDENTITY_SERVICE(obj)           (G_TYPE_CHECK_INSTANCE_CAST (obj, GOA_TYPE_IDENTITY_SERVICE, GoaIdentityService))
+#define GOA_IDENTITY_SERVICE_CLASS(cls)     (G_TYPE_CHECK_CLASS_CAST (cls, GOA_TYPE_IDENTITY_SERVICE, GoaIdentityServiceClass))
+#define GOA_IS_IDENTITY_SERVICE(obj)        (G_TYPE_CHECK_INSTANCE_TYPE (obj, GOA_TYPE_IDENTITY_SERVICE))
+#define GOA_IS_IDENTITY_SERVICE_CLASS(obj)  (G_TYPE_CHECK_CLASS_TYPE (obj, GOA_TYPE_IDENTITY_SERVICE))
+#define GOA_IDENTITY_SERVICE_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), GOA_TYPE_IDENTITY_SERVICE, GoaIdentityServiceClass))
+typedef struct _GoaIdentityService GoaIdentityService;
+typedef struct _GoaIdentityServiceClass GoaIdentityServiceClass;
+typedef struct _GoaIdentityServicePrivate GoaIdentityServicePrivate;
+
+struct _GoaIdentityService
+{
+  GoaIdentityServiceManagerSkeleton  parent_instance;
+  GoaIdentityServicePrivate         *priv;
+};
+
+struct _GoaIdentityServiceClass
+{
+  GoaIdentityServiceManagerSkeletonClass  parent_class;
+};
+
+GType goa_identity_service_get_type (void);
+GoaIdentityService *goa_identity_service_new (void);
+gboolean goa_identity_service_activate   (GoaIdentityService  *service,
+                                          GError             **error);
+void     goa_identity_service_deactivate (GoaIdentityService  *service);
+
+G_END_DECLS
+#endif /* __GOA_IDENTITY_SERVICE_H__ */
diff --git a/src/goaidentity/goaidentityutils.c b/src/goaidentity/goaidentityutils.c
new file mode 100644
index 0000000..0536f80
--- /dev/null
+++ b/src/goaidentity/goaidentityutils.c
@@ -0,0 +1,218 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#include "config.h"
+
+#include "goaidentityutils.h"
+#include "goalogging.h"
+
+#include <string.h>
+
+#include <glib/gi18n.h>
+#include <glib/gstdio.h>
+#include <gio/gio.h>
+
+void
+goa_identity_utils_split_identifier (const char  *identifier,
+                                     char       **user,
+                                     char       **domain)
+{
+  char **components;
+
+  if (user != NULL)
+    *user = NULL;
+
+  if (domain != NULL)
+    *domain = NULL;
+
+  components = g_strsplit (identifier, "@", -1);
+
+  if (components[0] != NULL)
+    {
+      if (user != NULL)
+        *user = g_strdup (components[0]);
+
+      if (components[1] != NULL && domain != NULL)
+        *domain = g_strdup (components[1]);
+    }
+
+  g_strfreev (components);
+}
+
+char *
+goa_identity_utils_escape_object_path (const char *data,
+                                       gsize       length)
+{
+  const char *p;
+  char *object_path;
+  GString *string;
+
+  g_return_val_if_fail (data != NULL, NULL);
+
+  string = g_string_sized_new ((length + 1) * 6);
+
+  for (p = data; *p != '\0'; p++)
+    {
+      guchar character;
+
+      character = (guchar) * p;
+
+      if (((character >= ((guchar) 'a')) &&
+           (character <= ((guchar) 'z'))) ||
+          ((character >= ((guchar) 'A')) &&
+           (character <= ((guchar) 'Z'))) ||
+          ((character >= ((guchar) '0')) && (character <= ((guchar) '9'))))
+        {
+          g_string_append_c (string, (char) character);
+          continue;
+        }
+
+      g_string_append_printf (string, "_%x_", character);
+    }
+
+  object_path = string->str;
+
+  g_string_free (string, FALSE);
+
+  return object_path;
+}
+
+static char *
+dashed_string_to_studly_caps (const char *dashed_string)
+{
+  char *studly_string;;
+  size_t studly_string_length;
+  size_t i;
+
+  i = 0;
+
+  studly_string = g_strdup (dashed_string);
+  studly_string_length = strlen (studly_string);
+
+  studly_string[i] = g_ascii_toupper (studly_string[i]);
+  i++;
+
+  while (i < studly_string_length)
+    {
+      if (studly_string[i] == '-' || studly_string[i] == '_')
+        {
+          g_memmove (studly_string + i,
+                     studly_string + i + 1,
+                     studly_string_length - i - 1);
+          studly_string_length--;
+          if (g_ascii_isalpha (studly_string[i]))
+            studly_string[i] = g_ascii_toupper (studly_string[i]);
+        }
+      i++;
+    }
+  studly_string[studly_string_length] = '\0';
+
+  return studly_string;
+}
+
+static char *
+dashed_string_to_dbus_error_string (const char *dashed_string,
+                                    const char *old_prefix,
+                                    const char *new_prefix,
+                                    const char *suffix)
+{
+  char *studly_suffix;
+  char *dbus_error_string;
+  size_t dbus_error_string_length;
+  size_t i;
+
+  i = 0;
+
+  if (g_str_has_prefix (dashed_string, old_prefix) &&
+      (dashed_string[strlen (old_prefix)] == '-' ||
+       dashed_string[strlen (old_prefix)] == '_'))
+    dashed_string += strlen (old_prefix) + 1;
+
+  studly_suffix = dashed_string_to_studly_caps (suffix);
+  dbus_error_string =
+    g_strdup_printf ("%s.%s.%s", new_prefix, dashed_string, studly_suffix);
+  g_free (studly_suffix);
+  i += strlen (new_prefix) + 1;
+
+  dbus_error_string_length = strlen (dbus_error_string);
+
+  dbus_error_string[i] = g_ascii_toupper (dbus_error_string[i]);
+  i++;
+
+  while (i < dbus_error_string_length)
+    {
+      if (dbus_error_string[i] == '_' || dbus_error_string[i] == '-')
+        {
+          dbus_error_string[i] = '.';
+
+          if (g_ascii_isalpha (dbus_error_string[i + 1]))
+            dbus_error_string[i + 1] = g_ascii_toupper (dbus_error_string[i + 1]);
+        }
+
+      i++;
+    }
+
+  return dbus_error_string;
+}
+
+void
+goa_identity_utils_register_error_domain (GQuark error_domain,
+                                          GType  error_enum)
+{
+  const char *error_domain_string;
+  char *type_name;
+  GType type;
+  GTypeClass *type_class;
+  GEnumClass *enum_class;
+  guint i;
+
+  error_domain_string = g_quark_to_string (error_domain);
+  type_name = dashed_string_to_studly_caps (error_domain_string);
+  type = g_type_from_name (type_name);
+  type_class = g_type_class_ref (type);
+
+  if (type_class == NULL)
+    {
+      goa_warning ("GoaIdentityUtils: Could not identity type %s", type_name);
+      return;
+    }
+
+  enum_class = G_ENUM_CLASS (type_class);
+
+  for (i = 0; i < enum_class->n_values; i++)
+    {
+      char *dbus_error_string;
+
+      dbus_error_string = dashed_string_to_dbus_error_string (error_domain_string,
+                                                              "goa",
+                                                              "org.gnome",
+                                                              enum_class->values[i].
+                                                              value_nick);
+
+      goa_debug ("GoaIdentityUtils: Registering dbus error %s", dbus_error_string);
+      g_dbus_error_register_error (error_domain,
+                                   enum_class->values[i].value, dbus_error_string);
+      g_free (dbus_error_string);
+    }
+
+  g_type_class_unref (type_class);
+}
diff --git a/src/goaidentity/goaidentityutils.h b/src/goaidentity/goaidentityutils.h
new file mode 100644
index 0000000..49b037d
--- /dev/null
+++ b/src/goaidentity/goaidentityutils.h
@@ -0,0 +1,41 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_IDENTITY_UTILS_H__
+#define __GOA_IDENTITY_UTILS_H__
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+G_BEGIN_DECLS
+
+void goa_identity_utils_split_identifier (const char  *identifier,
+                                          char       **user,
+                                          char       **domain);
+char *goa_identity_utils_escape_object_path (const char *data,
+                                             gsize       length);
+void goa_identity_utils_register_error_domain (GQuark error_domain,
+                                               GType  error_enum);
+
+G_END_DECLS
+#endif /* __GOA_IDENTITY_UTILS_H__ */
diff --git a/src/goaidentity/goakerberosidentity.c b/src/goaidentity/goakerberosidentity.c
new file mode 100644
index 0000000..bcb7c0b
--- /dev/null
+++ b/src/goaidentity/goakerberosidentity.c
@@ -0,0 +1,1518 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Author: Ray Strode
+ */
+
+#include "config.h"
+
+#include "goaidentity.h"
+#include "goakerberosidentity.h"
+#include "goaalarm.h"
+#include "goalogging.h"
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <string.h>
+#include <glib/gi18n.h>
+#include <gio/gio.h>
+
+typedef enum
+{
+  VERIFICATION_LEVEL_UNVERIFIED,
+  VERIFICATION_LEVEL_ERROR,
+  VERIFICATION_LEVEL_EXISTS,
+  VERIFICATION_LEVEL_SIGNED_IN
+} VerificationLevel;
+
+struct _GoaKerberosIdentityPrivate
+{
+  krb5_context kerberos_context;
+  krb5_ccache  credentials_cache;
+
+  GBytes *raw_credentials;
+
+  char *identifier;
+  guint identifier_idle_id;
+
+  krb5_timestamp expiration_time;
+  guint          expiration_time_idle_id;
+
+  GoaAlarm     *expiration_alarm;
+  GCancellable *expiration_alarm_cancellable;
+
+  GoaAlarm     *expiring_alarm;
+  GCancellable *expiring_alarm_cancellable;
+
+  GoaAlarm     *renewal_alarm;
+  GCancellable *renewal_alarm_cancellable;
+
+  VerificationLevel cached_verification_level;
+  guint             is_signed_in_idle_id;
+};
+
+enum
+{
+  EXPIRING,
+  EXPIRED,
+  UNEXPIRED,
+  NEEDS_RENEWAL,
+  NEEDS_REFRESH,
+  NUMBER_OF_SIGNALS,
+};
+
+enum
+{
+  PROP_0,
+  PROP_IDENTIFIER,
+  PROP_IS_SIGNED_IN,
+  PROP_EXPIRATION_TIMESTAMP
+};
+
+static guint signals[NUMBER_OF_SIGNALS] = { 0 };
+
+static void identity_interface_init (GoaIdentityInterface *interface);
+static void initable_interface_init (GInitableIface *interface);
+static void reset_alarms (GoaKerberosIdentity *self);
+static void clear_alarms (GoaKerberosIdentity *self);
+static gboolean goa_kerberos_identity_is_signed_in (GoaIdentity *identity);
+static GBytes *goa_kerberos_identity_get_credentials (GoaIdentity *identity);
+static void set_error_from_krb5_error_code (GoaKerberosIdentity  *self,
+                                            GError              **error,
+                                            gint                  code,
+                                            krb5_error_code       error_code,
+                                            const char           *format,
+                                            ...);
+
+G_LOCK_DEFINE_STATIC (identity_lock);
+
+G_DEFINE_TYPE_WITH_CODE (GoaKerberosIdentity,
+                         goa_kerberos_identity,
+                         G_TYPE_OBJECT,
+                         G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
+                                                initable_interface_init)
+                         G_IMPLEMENT_INTERFACE (GOA_TYPE_IDENTITY,
+                                                identity_interface_init));
+static void
+goa_kerberos_identity_dispose (GObject *object)
+{
+  GoaKerberosIdentity *self = GOA_KERBEROS_IDENTITY (object);
+
+  G_LOCK (identity_lock);
+  clear_alarms (self);
+
+  g_clear_object (&self->priv->renewal_alarm);
+  g_clear_object (&self->priv->expiring_alarm);
+  g_clear_object (&self->priv->expiration_alarm);
+  G_UNLOCK (identity_lock);
+
+  if (self->priv->expiration_time_idle_id != 0)
+    g_source_remove (self->priv->expiration_time_idle_id);
+
+  G_OBJECT_CLASS (goa_kerberos_identity_parent_class)->dispose (object);
+
+}
+
+static void
+goa_kerberos_identity_finalize (GObject *object)
+{
+  GoaKerberosIdentity *self = GOA_KERBEROS_IDENTITY (object);
+
+  g_free (self->priv->identifier);
+
+  if (self->priv->credentials_cache != NULL)
+    krb5_cc_close (self->priv->kerberos_context, self->priv->credentials_cache);
+
+  g_clear_pointer (&self->priv->raw_credentials, (GDestroyNotify) g_bytes_unref);
+
+  G_OBJECT_CLASS (goa_kerberos_identity_parent_class)->finalize (object);
+}
+
+static void
+goa_kerberos_identity_get_property (GObject    *object,
+                                    guint       property_id,
+                                    GValue     *value,
+                                    GParamSpec *param_spec)
+{
+  GoaKerberosIdentity *self = GOA_KERBEROS_IDENTITY (object);
+
+  switch (property_id)
+    {
+    case PROP_IDENTIFIER:
+      G_LOCK (identity_lock);
+      g_value_set_string (value, self->priv->identifier);
+      G_UNLOCK (identity_lock);
+      break;
+    case PROP_IS_SIGNED_IN:
+      g_value_set_boolean (value,
+                           goa_kerberos_identity_is_signed_in (GOA_IDENTITY (self)));
+      break;
+    case PROP_EXPIRATION_TIMESTAMP:
+      G_LOCK (identity_lock);
+      g_value_set_int64 (value, (gint64) self->priv->expiration_time);
+      G_UNLOCK (identity_lock);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, param_spec);
+      break;
+    }
+}
+
+static void
+goa_kerberos_identity_class_init (GoaKerberosIdentityClass *klass)
+{
+  GObjectClass *object_class;
+
+  object_class = G_OBJECT_CLASS (klass);
+
+  object_class->dispose = goa_kerberos_identity_dispose;
+  object_class->finalize = goa_kerberos_identity_finalize;
+  object_class->get_property = goa_kerberos_identity_get_property;
+
+  g_type_class_add_private (klass, sizeof (GoaKerberosIdentityPrivate));
+
+  signals[EXPIRING] = g_signal_new ("expiring",
+                                    G_TYPE_FROM_CLASS (klass),
+                                    G_SIGNAL_RUN_LAST,
+                                    0,
+                                    NULL,
+                                    NULL,
+                                    NULL,
+                                    G_TYPE_NONE,
+                                    0);
+  signals[EXPIRED] = g_signal_new ("expired",
+                                   G_TYPE_FROM_CLASS (klass),
+                                   G_SIGNAL_RUN_LAST,
+                                   0,
+                                   NULL,
+                                   NULL,
+                                   NULL,
+                                   G_TYPE_NONE,
+                                   0);
+  signals[UNEXPIRED] = g_signal_new ("unexpired",
+                                     G_TYPE_FROM_CLASS (klass),
+                                     G_SIGNAL_RUN_LAST,
+                                     0,
+                                     NULL,
+                                     NULL,
+                                     NULL,
+                                     G_TYPE_NONE,
+                                     0);
+  signals[NEEDS_RENEWAL] = g_signal_new ("needs-renewal",
+                                         G_TYPE_FROM_CLASS (klass),
+                                         G_SIGNAL_RUN_LAST,
+                                         0,
+                                         NULL,
+                                         NULL,
+                                         NULL,
+                                         G_TYPE_NONE,
+                                         0);
+  signals[NEEDS_REFRESH] = g_signal_new ("needs-refresh",
+                                         G_TYPE_FROM_CLASS (klass),
+                                         G_SIGNAL_RUN_LAST,
+                                         0,
+                                         NULL,
+                                         NULL,
+                                         NULL,
+                                         G_TYPE_NONE,
+                                         0);
+
+  g_object_class_override_property (object_class, PROP_IDENTIFIER, "identifier");
+  g_object_class_override_property (object_class, PROP_IS_SIGNED_IN, "is-signed-in");
+  g_object_class_override_property (object_class,
+                                    PROP_EXPIRATION_TIMESTAMP,
+                                    "expiration-timestamp");
+
+}
+
+static char *
+get_identifier (GoaKerberosIdentity  *self,
+                GError              **error)
+{
+  krb5_principal principal;
+  krb5_error_code error_code;
+  char *unparsed_name;
+  char *identifier;
+
+  if (self->priv->credentials_cache == NULL)
+    return NULL;
+
+  error_code = krb5_cc_get_principal (self->priv->kerberos_context,
+                                      self->priv->credentials_cache,
+                                      &principal);
+
+  if (error_code != 0)
+    {
+      if (error_code == KRB5_CC_END)
+        {
+          set_error_from_krb5_error_code (self,
+                                          error,
+                                          GOA_IDENTITY_ERROR_CREDENTIALS_UNAVAILABLE,
+                                          error_code,
+                                          _
+                                          ("Could not find identity in credential cache: %k"));
+        }
+      else
+        {
+          set_error_from_krb5_error_code (self,
+                                          error,
+                                          GOA_IDENTITY_ERROR_ENUMERATING_CREDENTIALS,
+                                          error_code,
+                                          _
+                                          ("Could not find identity in credential cache: %k"));
+        }
+      return NULL;
+    }
+
+  error_code = krb5_unparse_name_flags (self->priv->kerberos_context,
+                                        principal,
+                                        0,
+                                        &unparsed_name);
+
+  if (error_code != 0)
+    {
+      const char *error_message;
+
+      error_message =
+        krb5_get_error_message (self->priv->kerberos_context, error_code);
+      goa_debug ("GoaKerberosIdentity: Error parsing principal identity name: %s",
+               error_message);
+      krb5_free_error_message (self->priv->kerberos_context, error_message);
+      return NULL;
+    }
+
+  identifier = g_strdup (unparsed_name);
+  krb5_free_unparsed_name (self->priv->kerberos_context, unparsed_name);
+
+  return identifier;
+}
+
+static void
+goa_kerberos_identity_init (GoaKerberosIdentity *self)
+{
+  self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+                                            GOA_TYPE_KERBEROS_IDENTITY,
+                                            GoaKerberosIdentityPrivate);
+  self->priv->expiration_alarm = goa_alarm_new ();
+  self->priv->expiring_alarm = goa_alarm_new ();
+  self->priv->renewal_alarm = goa_alarm_new ();
+}
+
+static void
+set_error_from_krb5_error_code (GoaKerberosIdentity  *self,
+                                GError              **error,
+                                gint                  code,
+                                krb5_error_code       error_code,
+                                const char           *format,
+                                ...)
+{
+  const char *error_message;
+  char *literal_message;
+  char *expanded_format;
+  va_list args;
+  char **chunks;
+
+  error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+  chunks = g_strsplit (format, "%k", -1);
+  expanded_format = g_strjoinv (error_message, chunks);
+  g_strfreev (chunks);
+  krb5_free_error_message (self->priv->kerberos_context, error_message);
+
+  va_start (args, format);
+  literal_message = g_strdup_vprintf (expanded_format, args);
+  va_end (args);
+
+  g_set_error_literal (error, GOA_IDENTITY_ERROR, code, literal_message);
+  g_free (literal_message);
+}
+
+char *
+goa_kerberos_identity_get_principal_name (GoaKerberosIdentity *self)
+{
+  krb5_principal principal;
+  krb5_error_code error_code;
+  char *unparsed_name;
+  char *principal_name;
+  int flags;
+
+  if (self->priv->identifier == NULL)
+    return NULL;
+
+  error_code = krb5_parse_name (self->priv->kerberos_context,
+                                self->priv->identifier,
+                                &principal);
+
+  if (error_code != 0)
+    {
+      const char *error_message;
+      error_message =
+        krb5_get_error_message (self->priv->kerberos_context, error_code);
+      goa_debug
+        ("GoaKerberosIdentity: Error parsing identity %s into kerberos principal: %s",
+         self->priv->identifier, error_message);
+      krb5_free_error_message (self->priv->kerberos_context, error_message);
+      return NULL;
+    }
+
+  flags = KRB5_PRINCIPAL_UNPARSE_DISPLAY;
+  error_code = krb5_unparse_name_flags (self->priv->kerberos_context,
+                                        principal, flags, &unparsed_name);
+
+  if (error_code != 0)
+    {
+      const char *error_message;
+
+      error_message =
+        krb5_get_error_message (self->priv->kerberos_context, error_code);
+      goa_debug ("GoaKerberosIdentity: Error parsing principal identity name: %s",
+               error_message);
+      krb5_free_error_message (self->priv->kerberos_context, error_message);
+      return NULL;
+    }
+
+  principal_name = g_strdup (unparsed_name);
+  krb5_free_unparsed_name (self->priv->kerberos_context, unparsed_name);
+
+  return principal_name;
+}
+
+char *
+goa_kerberos_identity_get_realm_name (GoaKerberosIdentity *self)
+{
+  krb5_principal principal;
+  krb5_error_code error_code;
+  krb5_data *realm;
+  char *realm_name;
+
+  if (self->priv->identifier == NULL)
+    return NULL;
+
+  error_code = krb5_parse_name (self->priv->kerberos_context,
+                                self->priv->identifier, &principal);
+
+  if (error_code != 0)
+    {
+      const char *error_message;
+      error_message =
+        krb5_get_error_message (self->priv->kerberos_context, error_code);
+      goa_debug
+        ("GoaKerberosIdentity: Error parsing identity %s into kerberos principal: %s",
+         self->priv->identifier, error_message);
+      krb5_free_error_message (self->priv->kerberos_context, error_message);
+      return NULL;
+    }
+
+  realm = krb5_princ_realm (self->priv->kerberos_context, principal);
+  realm_name = g_strndup (realm->data, realm->length);
+  krb5_free_principal (self->priv->kerberos_context, principal);
+
+  return realm_name;
+}
+
+static const char *
+goa_kerberos_identity_get_identifier (GoaIdentity *identity)
+{
+  GoaKerberosIdentity *self = GOA_KERBEROS_IDENTITY (identity);
+
+  return self->priv->identifier;
+}
+
+static gboolean
+credentials_validate_existence (GoaKerberosIdentity *self,
+                                krb5_principal principal, krb5_creds * credentials)
+{
+  /* Checks if default principal associated with the cache has a valid
+   * ticket granting ticket in the passed in credentials
+   */
+
+  if (krb5_is_config_principal (self->priv->kerberos_context, credentials->server))
+    return FALSE;
+
+  /* looking for the krbtgt / REALM pair, so it should be exactly 2 items */
+  if (krb5_princ_size (self->priv->kerberos_context, credentials->server) != 2)
+    return FALSE;
+
+  if (!krb5_realm_compare (self->priv->kerberos_context,
+                           credentials->server, principal))
+    {
+      /* credentials are from some other realm */
+      return FALSE;
+    }
+
+  if (strncmp (credentials->server->data[0].data,
+               KRB5_TGS_NAME, credentials->server->data[0].length) != 0)
+    {
+      /* credentials aren't for ticket granting */
+      return FALSE;
+    }
+
+  if (credentials->server->data[1].length != principal->realm.length ||
+      memcmp (credentials->server->data[1].data,
+              principal->realm.data, principal->realm.length) != 0)
+    {
+      /* credentials are for some other realm */
+      return FALSE;
+    }
+
+  return TRUE;
+}
+
+static krb5_timestamp
+get_current_time (GoaKerberosIdentity *self)
+{
+  krb5_timestamp current_time;
+  krb5_error_code error_code;
+
+  error_code = krb5_timeofday (self->priv->kerberos_context, &current_time);
+
+  if (error_code != 0)
+    {
+      const char *error_message;
+
+      error_message =
+        krb5_get_error_message (self->priv->kerberos_context, error_code);
+      goa_debug ("GoaKerberosIdentity: Error getting current time: %s", error_message);
+      krb5_free_error_message (self->priv->kerberos_context, error_message);
+      return 0;
+    }
+
+  return current_time;
+}
+
+typedef struct
+{
+  GoaKerberosIdentity *self;
+  guint *idle_id;
+  const char *property_name;
+} NotifyRequest;
+
+static void
+clear_idle_id (NotifyRequest *request)
+{
+  *request->idle_id = 0;
+  g_slice_free (NotifyRequest, request);
+}
+
+static gboolean
+on_notify_queued (NotifyRequest *request)
+{
+  g_object_notify (G_OBJECT (request->self), request->property_name);
+
+  return FALSE;
+}
+
+static void
+queue_notify (GoaKerberosIdentity *self,
+              guint               *idle_id,
+              const char          *property_name)
+{
+  NotifyRequest *request;
+
+  if (*idle_id != 0)
+    {
+      return;
+    }
+
+  request = g_slice_new0 (NotifyRequest);
+  request->self = self;
+  request->idle_id = idle_id;
+  request->property_name = property_name;
+
+  *idle_id = g_idle_add_full (G_PRIORITY_DEFAULT_IDLE,
+                              (GSourceFunc)
+                              on_notify_queued,
+                              request,
+                              (GDestroyNotify)
+                              clear_idle_id);
+}
+
+static void
+set_expiration_time (GoaKerberosIdentity *self,
+                     krb5_timestamp       expiration_time)
+{
+  if (self->priv->expiration_time != expiration_time)
+    {
+      self->priv->expiration_time = expiration_time;
+      queue_notify (self,
+                    &self->priv->expiration_time_idle_id,
+                    "expiration-timestamp");
+    }
+}
+
+static gboolean
+credentials_are_expired (GoaKerberosIdentity *self,
+                         krb5_creds          *credentials)
+{
+  krb5_timestamp current_time;
+
+  current_time = get_current_time (self);
+
+  set_expiration_time (self, MAX (credentials->times.endtime,
+                                  self->priv->expiration_time));
+
+  if (credentials->times.endtime <= current_time)
+    {
+      return TRUE;
+    }
+
+  return FALSE;
+}
+
+static VerificationLevel
+verify_identity (GoaKerberosIdentity  *self,
+                 GError              **error)
+{
+  krb5_principal principal;
+  krb5_cc_cursor cursor;
+  krb5_creds credentials;
+  krb5_error_code error_code;
+  VerificationLevel verification_level;
+
+  set_expiration_time (self, 0);
+
+  if (self->priv->credentials_cache == NULL)
+    return VERIFICATION_LEVEL_UNVERIFIED;
+
+  error_code = krb5_cc_get_principal (self->priv->kerberos_context,
+                                      self->priv->credentials_cache,
+                                      &principal);
+
+  if (error_code != 0)
+    {
+      if (error_code == KRB5_CC_END || error_code == KRB5_FCC_NOFILE)
+        return VERIFICATION_LEVEL_UNVERIFIED;
+
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_NOT_FOUND,
+                                      error_code,
+                                      _("Could not find identity in "
+                                        "credential cache: %k"));
+      return VERIFICATION_LEVEL_ERROR;
+    }
+
+  error_code = krb5_cc_start_seq_get (self->priv->kerberos_context,
+                                      self->priv->credentials_cache, &cursor);
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_CREDENTIALS_UNAVAILABLE,
+                                      error_code,
+                                      _("Could not find identity "
+                                        "credentials in cache: %k"));
+
+      verification_level = VERIFICATION_LEVEL_ERROR;
+      goto out;
+    }
+
+  verification_level = VERIFICATION_LEVEL_UNVERIFIED;
+
+  error_code = krb5_cc_next_cred (self->priv->kerberos_context,
+                                  self->priv->credentials_cache,
+                                  &cursor,
+                                  &credentials);
+
+  while (error_code == 0)
+    {
+      if (credentials_validate_existence (self, principal, &credentials))
+        {
+          if (!credentials_are_expired (self, &credentials))
+            verification_level = VERIFICATION_LEVEL_SIGNED_IN;
+          else
+            verification_level = VERIFICATION_LEVEL_EXISTS;
+        }
+
+      error_code = krb5_cc_next_cred (self->priv->kerberos_context,
+                                      self->priv->credentials_cache,
+                                      &cursor,
+                                      &credentials);
+    }
+
+  if (error_code != KRB5_CC_END)
+    {
+      verification_level = VERIFICATION_LEVEL_ERROR;
+
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_ENUMERATING_CREDENTIALS,
+                                      error_code,
+                                      _("Could not sift through identity "
+                                        "credentials in cache: %k"));
+      goto out;
+    }
+
+  error_code = krb5_cc_end_seq_get (self->priv->kerberos_context,
+                                    self->priv->credentials_cache,
+                                    &cursor);
+
+  if (error_code != 0)
+    {
+      verification_level = VERIFICATION_LEVEL_ERROR;
+
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_ENUMERATING_CREDENTIALS,
+                                      error_code,
+                                      _("Could not finish up sifting through "
+                                        "identity credentials in cache: %k"));
+      goto out;
+    }
+out:
+  krb5_free_principal (self->priv->kerberos_context, principal);
+  return verification_level;
+}
+
+static gboolean
+goa_kerberos_identity_is_signed_in (GoaIdentity *identity)
+{
+  GoaKerberosIdentity *self = GOA_KERBEROS_IDENTITY (identity);
+  gboolean is_signed_in = FALSE;
+
+  G_LOCK (identity_lock);
+  if (self->priv->cached_verification_level == VERIFICATION_LEVEL_SIGNED_IN)
+    is_signed_in = TRUE;
+  G_UNLOCK (identity_lock);
+
+  return is_signed_in;
+}
+
+static GBytes *
+goa_kerberos_identity_get_credentials (GoaIdentity *identity)
+{
+  GoaKerberosIdentity *self = GOA_KERBEROS_IDENTITY (identity);
+  GBytes *credentials;
+
+  credentials = NULL;
+
+  G_LOCK (identity_lock);
+  if (self->priv->raw_credentials != NULL)
+    credentials = g_bytes_new (g_bytes_get_data (self->priv->raw_credentials,
+                                                 NULL),
+                               g_bytes_get_size (self->priv->raw_credentials));
+  G_UNLOCK (identity_lock);
+
+  return credentials;
+}
+
+static void
+identity_interface_init (GoaIdentityInterface *interface)
+{
+  interface->get_identifier = goa_kerberos_identity_get_identifier;
+  interface->is_signed_in = goa_kerberos_identity_is_signed_in;
+  interface->get_credentials = goa_kerberos_identity_get_credentials;
+}
+
+static void
+on_expiration_alarm_fired (GoaAlarm            *alarm,
+                           GoaKerberosIdentity *self)
+{
+  g_return_if_fail (GOA_IS_ALARM (alarm));
+  g_return_if_fail (GOA_IS_KERBEROS_IDENTITY (self));
+
+  goa_debug ("GoaKerberosIdentity: expiration alarm fired for identity %s",
+             goa_identity_get_identifier (GOA_IDENTITY (self)));
+  g_signal_emit (G_OBJECT (self), signals[NEEDS_REFRESH], 0);
+}
+
+static void
+on_expiration_alarm_rearmed (GoaAlarm            *alarm,
+                             GoaKerberosIdentity *self)
+{
+  g_return_if_fail (GOA_IS_ALARM (alarm));
+  g_return_if_fail (GOA_IS_KERBEROS_IDENTITY (self));
+
+  goa_debug ("GoaKerberosIdentity: expiration alarm rearmed");
+  g_signal_emit (G_OBJECT (self), signals[NEEDS_REFRESH], 0);
+}
+
+static void
+on_renewal_alarm_rearmed (GoaAlarm            *alarm,
+                          GoaKerberosIdentity *self)
+{
+  g_return_if_fail (GOA_IS_ALARM (alarm));
+  g_return_if_fail (GOA_IS_KERBEROS_IDENTITY (self));
+
+  goa_debug ("GoaKerberosIdentity: renewal alarm rearmed");
+}
+
+static void
+on_renewal_alarm_fired (GoaAlarm            *alarm,
+                        GoaKerberosIdentity *self)
+{
+  g_return_if_fail (GOA_IS_ALARM (alarm));
+  g_return_if_fail (GOA_IS_KERBEROS_IDENTITY (self));
+
+  g_clear_object (&self->priv->renewal_alarm_cancellable);
+
+  if (self->priv->cached_verification_level == VERIFICATION_LEVEL_SIGNED_IN)
+    {
+      goa_debug ("GoaKerberosIdentity: renewal alarm fired for signed-in identity");
+      g_signal_emit (G_OBJECT (self), signals[NEEDS_RENEWAL], 0);
+    }
+}
+
+static void
+on_expiring_alarm_rearmed (GoaAlarm            *alarm,
+                           GoaKerberosIdentity *self)
+{
+  g_return_if_fail (GOA_IS_ALARM (alarm));
+  g_return_if_fail (GOA_IS_KERBEROS_IDENTITY (self));
+
+  goa_debug ("GoaKerberosIdentity: expiring alarm rearmed");
+}
+
+static void
+on_expiring_alarm_fired (GoaAlarm            *alarm,
+                         GoaKerberosIdentity *self)
+{
+  g_return_if_fail (GOA_IS_ALARM (alarm));
+  g_return_if_fail (GOA_IS_KERBEROS_IDENTITY (self));
+
+  g_clear_object (&self->priv->expiring_alarm_cancellable);
+
+  if (self->priv->cached_verification_level == VERIFICATION_LEVEL_SIGNED_IN)
+    {
+      goa_debug ("GoaKerberosIdentity: expiring alarm fired for signed-in identity");
+      g_signal_emit (G_OBJECT (self), signals[EXPIRING], 0);
+    }
+}
+
+static void
+set_alarm (GoaKerberosIdentity  *self,
+           GoaAlarm             *alarm,
+           GDateTime            *alarm_time,
+           GCancellable        **cancellable)
+{
+  GDateTime *old_alarm_time;
+
+  G_LOCK (identity_lock);
+  old_alarm_time = goa_alarm_get_time (alarm);
+  if (old_alarm_time == NULL || !g_date_time_equal (alarm_time, old_alarm_time))
+    {
+      GCancellable *new_cancellable;
+
+      new_cancellable = g_cancellable_new ();
+      goa_alarm_set_time (alarm, alarm_time, new_cancellable);
+      g_date_time_unref (alarm_time);
+
+      g_clear_object (cancellable);
+      *cancellable = new_cancellable;
+    }
+  G_UNLOCK (identity_lock);
+
+}
+
+static void
+disconnect_alarm_signals (GoaKerberosIdentity *self)
+{
+  g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->renewal_alarm),
+                                        G_CALLBACK (on_renewal_alarm_fired),
+                                        self);
+  g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->renewal_alarm),
+                                        G_CALLBACK (on_renewal_alarm_rearmed),
+                                        self);
+  g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->expiring_alarm),
+                                        G_CALLBACK (on_expiring_alarm_fired),
+                                        self);
+  g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->expiration_alarm),
+                                        G_CALLBACK (on_expiration_alarm_rearmed),
+                                        self);
+  g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->expiration_alarm),
+                                        G_CALLBACK (on_expiration_alarm_fired),
+                                        self);
+  g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->expiring_alarm),
+                                        G_CALLBACK (on_expiring_alarm_rearmed),
+                                        self);
+}
+
+static void
+connect_alarm_signals (GoaKerberosIdentity *self)
+{
+  g_signal_connect (G_OBJECT (self->priv->renewal_alarm),
+                    "fired",
+                    G_CALLBACK (on_renewal_alarm_fired),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->renewal_alarm),
+                    "rearmed",
+                    G_CALLBACK (on_renewal_alarm_rearmed),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->expiring_alarm),
+                    "fired",
+                    G_CALLBACK (on_expiring_alarm_fired),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->expiring_alarm),
+                    "rearmed",
+                    G_CALLBACK (on_expiring_alarm_rearmed),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->expiration_alarm),
+                    "fired",
+                    G_CALLBACK (on_expiration_alarm_fired),
+                    self);
+  g_signal_connect (G_OBJECT (self->priv->expiration_alarm),
+                    "rearmed",
+                    G_CALLBACK (on_expiration_alarm_rearmed),
+                    self);
+}
+
+static void
+reset_alarms (GoaKerberosIdentity *self)
+{
+  GDateTime *now;
+  GDateTime *expiration_time;
+  GDateTime *expiring_time;
+  GDateTime *renewal_time;
+  GTimeSpan time_span_until_expiration;
+
+  now = g_date_time_new_now_local ();
+  expiration_time = g_date_time_new_from_unix_local (self->priv->expiration_time);
+  time_span_until_expiration = g_date_time_difference (expiration_time, now);
+
+  /* Let the user reauthenticate 10 min before expiration */
+  expiring_time = g_date_time_add_minutes (expiration_time, -10);
+
+  /* Try to quietly auto-renew halfway through so in ideal configurations
+   * the ticket is never more than halfway to expired
+   */
+  renewal_time = g_date_time_add (expiration_time,
+                                  -(time_span_until_expiration / 2));
+
+  disconnect_alarm_signals (self);
+
+  set_alarm (self,
+             self->priv->renewal_alarm,
+             renewal_time, &self->priv->renewal_alarm_cancellable);
+  set_alarm (self,
+             self->priv->expiring_alarm,
+             expiring_time, &self->priv->expiring_alarm_cancellable);
+  set_alarm (self,
+             self->priv->expiration_alarm,
+             expiration_time, &self->priv->expiration_alarm_cancellable);
+
+  connect_alarm_signals (self);
+}
+
+static void
+cancel_and_clear_cancellable (GCancellable **cancellable)
+{
+  if (cancellable == NULL)
+    return;
+
+  if (!g_cancellable_is_cancelled (*cancellable))
+    g_cancellable_cancel (*cancellable);
+
+  g_clear_object (cancellable);
+}
+
+static void
+clear_alarms (GoaKerberosIdentity *self)
+{
+  cancel_and_clear_cancellable (&self->priv->renewal_alarm_cancellable);
+  cancel_and_clear_cancellable (&self->priv->expiring_alarm_cancellable);
+  cancel_and_clear_cancellable (&self->priv->expiration_alarm_cancellable);
+}
+
+static void
+fetch_raw_credentials (GoaKerberosIdentity *self)
+{
+  const char *cache_path;
+  char       *contents;
+  gsize       length;
+  GError     *error;
+
+  cache_path = krb5_cc_get_name (self->priv->kerberos_context,
+                                 self->priv->credentials_cache);
+
+  if (cache_path == NULL)
+    return;
+
+  /* see goakerberosidentitymanager.c (monitor_credentials_cache)
+   * for why we do this
+   */
+  if (cache_path[0] == ':')
+    cache_path++;
+
+  error = NULL;
+  if (!g_file_get_contents (cache_path, &contents, &length, &error))
+    {
+      goa_debug ("GoaKerberosIdentity: could not read credentials file: %s",
+                 error->message);
+      g_error_free (error);
+      return;
+    }
+
+  g_clear_pointer (&self->priv->raw_credentials, (GDestroyNotify) g_bytes_unref);
+  self->priv->raw_credentials = g_bytes_new_take (contents, length);
+}
+
+static gboolean
+goa_kerberos_identity_initable_init (GInitable     *initable,
+                                     GCancellable  *cancellable,
+                                     GError       **error)
+{
+  GoaKerberosIdentity *self = GOA_KERBEROS_IDENTITY (initable);
+  GError *verification_error;
+
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    return FALSE;
+
+  if (self->priv->identifier == NULL)
+    {
+      self->priv->identifier = get_identifier (self, error);
+
+      if (self->priv->identifier != NULL)
+        queue_notify (self, &self->priv->identifier_idle_id, "identifier");
+    }
+
+  verification_error = NULL;
+  self->priv->cached_verification_level =
+    verify_identity (self, &verification_error);
+
+  switch (self->priv->cached_verification_level)
+    {
+    case VERIFICATION_LEVEL_EXISTS:
+    case VERIFICATION_LEVEL_SIGNED_IN:
+      reset_alarms (self);
+
+      fetch_raw_credentials (self);
+
+      queue_notify (self, &self->priv->is_signed_in_idle_id, "is-signed-in");
+      return TRUE;
+
+    case VERIFICATION_LEVEL_UNVERIFIED:
+      return TRUE;
+
+    case VERIFICATION_LEVEL_ERROR:
+      if (verification_error != NULL)
+        {
+          g_propagate_error (error, verification_error);
+          return FALSE;
+        }
+    default:
+      g_set_error (error,
+                   GOA_IDENTITY_ERROR,
+                   GOA_IDENTITY_ERROR_VERIFYING,
+                   _("No associated identification found"));
+      return FALSE;
+
+    }
+}
+
+static void
+initable_interface_init (GInitableIface *interface)
+{
+  interface->init = goa_kerberos_identity_initable_init;
+}
+
+typedef struct
+{
+  GoaKerberosIdentity    *identity;
+  GoaIdentityInquiryFunc  inquiry_func;
+  gpointer                inquiry_data;
+  GDestroyNotify          destroy_notify;
+  GCancellable           *cancellable;
+} SignInOperation;
+
+static krb5_error_code
+on_kerberos_inquiry (krb5_context      kerberos_context,
+                     SignInOperation  *operation,
+                     const char       *name,
+                     const char       *banner,
+                     int               number_of_prompts,
+                     krb5_prompt       prompts[])
+{
+  GoaIdentityInquiry *inquiry;
+  krb5_error_code error_code;
+
+  inquiry = goa_kerberos_identity_inquiry_new (operation->identity,
+                                               name,
+                                               banner,
+                                               prompts,
+                                               number_of_prompts);
+
+  operation->inquiry_func (inquiry,
+                           operation->cancellable,
+                           operation->inquiry_data);
+
+  if (!goa_identity_inquiry_is_complete (inquiry))
+    g_cancellable_cancel (operation->cancellable);
+
+  if (g_cancellable_is_cancelled (operation->cancellable))
+    error_code = KRB5_LIBOS_PWDINTR;
+  else
+    error_code = 0;
+
+  g_object_unref (inquiry);
+
+  return error_code;
+}
+
+static gboolean
+create_credential_cache (GoaKerberosIdentity  *self,
+                         GError              **error)
+{
+  krb5_ccache      default_cache;
+  const char      *cache_type;
+  krb5_error_code  error_code;
+
+  error_code = krb5_cc_default (self->priv->kerberos_context, &default_cache);
+
+  if (error_code == 0)
+    {
+      cache_type = krb5_cc_get_type (self->priv->kerberos_context, default_cache);
+
+      error_code = krb5_cc_new_unique (self->priv->kerberos_context,
+                                       cache_type,
+                                       NULL,
+                                       &self->priv->credentials_cache);
+    }
+
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_ALLOCATING_CREDENTIALS,
+                                      error_code,
+                                      _("Could not create credential cache: %k"));
+
+      return FALSE;
+    }
+
+  return TRUE;
+}
+
+static gboolean
+goa_kerberos_identity_update_credentials (GoaKerberosIdentity  *self,
+                                          krb5_principal        principal,
+                                          krb5_creds           *new_credentials,
+                                          GError              **error)
+{
+  krb5_error_code   error_code;
+
+  if (self->priv->credentials_cache == NULL)
+    {
+      if (!create_credential_cache (self, error))
+        {
+          krb5_free_cred_contents (self->priv->kerberos_context, new_credentials);
+          goto out;
+        }
+    }
+
+  error_code = krb5_cc_initialize (self->priv->kerberos_context,
+                                   self->priv->credentials_cache,
+                                   principal);
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_ALLOCATING_CREDENTIALS,
+                                      error_code,
+                                      _("Could not initialize credentials "
+                                        "cache: %k"));
+
+      krb5_free_cred_contents (self->priv->kerberos_context, new_credentials);
+      goto out;
+    }
+
+  g_clear_pointer (&self->priv->raw_credentials, (GDestroyNotify) g_bytes_unref);
+
+  error_code = krb5_cc_store_cred (self->priv->kerberos_context,
+                                   self->priv->credentials_cache,
+                                   new_credentials);
+
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_SAVING_CREDENTIALS,
+                                      error_code,
+                                      _("Could not store new credentials in "
+                                        "credentials cache: %k"));
+
+      krb5_free_cred_contents (self->priv->kerberos_context, new_credentials);
+      goto out;
+    }
+  krb5_free_cred_contents (self->priv->kerberos_context, new_credentials);
+
+  fetch_raw_credentials (self);
+
+  return TRUE;
+out:
+  return FALSE;
+}
+
+static SignInOperation *
+sign_in_operation_new (GoaKerberosIdentity    *identity,
+                       GoaIdentityInquiryFunc  inquiry_func,
+                       gpointer                inquiry_data,
+                       GDestroyNotify          destroy_notify,
+                       GCancellable           *cancellable)
+{
+  SignInOperation *operation;
+
+  operation = g_slice_new0 (SignInOperation);
+  operation->identity = g_object_ref (identity);
+  operation->inquiry_func = inquiry_func;
+  operation->inquiry_data = inquiry_data;
+  operation->destroy_notify = destroy_notify;
+
+  if (cancellable == NULL)
+    operation->cancellable = g_cancellable_new ();
+  else
+    operation->cancellable = g_object_ref (cancellable);
+
+  return operation;
+}
+
+static void
+sign_in_operation_free (SignInOperation *operation)
+{
+  g_object_unref (operation->identity);
+  g_object_unref (operation->cancellable);
+
+  g_slice_free (SignInOperation, operation);
+}
+
+gboolean
+goa_kerberos_identity_sign_in (GoaKerberosIdentity     *self,
+                               const char              *principal_name,
+                               gconstpointer            initial_password,
+                               GoaIdentitySignInFlags   flags,
+                               GoaIdentityInquiryFunc   inquiry_func,
+                               gpointer                 inquiry_data,
+                               GDestroyNotify           destroy_notify,
+                               GCancellable            *cancellable,
+                               GError                 **error)
+{
+  SignInOperation *operation;
+  krb5_principal principal;
+  krb5_error_code error_code;
+  krb5_creds new_credentials;
+  krb5_get_init_creds_opt *options;
+  krb5_deltat start_time;
+  char *service_name;
+  gboolean signed_in;
+
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    return FALSE;
+
+  error_code = krb5_get_init_creds_opt_alloc (self->priv->kerberos_context,
+                                              &options);
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_ALLOCATING_CREDENTIALS,
+                                      error_code, "%k");
+      if (destroy_notify)
+        destroy_notify (inquiry_data);
+      return FALSE;
+    }
+
+  signed_in = FALSE;
+
+  operation = sign_in_operation_new (self,
+                                     inquiry_func,
+                                     inquiry_data,
+                                     destroy_notify,
+                                     cancellable);
+
+  if (g_strcmp0 (self->priv->identifier, principal_name) != 0)
+    {
+      g_free (self->priv->identifier);
+      self->priv->identifier = g_strdup (principal_name);
+    }
+
+  error_code = krb5_parse_name (self->priv->kerberos_context,
+                                principal_name,
+                                &principal);
+
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_PARSING_IDENTIFIER,
+                                      error_code,
+                                      "%k");
+      if (destroy_notify)
+        destroy_notify (inquiry_data);
+      return FALSE;
+    }
+
+  if ((flags & GOA_IDENTITY_SIGN_IN_FLAGS_DISALLOW_FORWARDING) == 0)
+    krb5_get_init_creds_opt_set_forwardable (options, TRUE);
+
+  if ((flags & GOA_IDENTITY_SIGN_IN_FLAGS_DISALLOW_PROXYING) == 0)
+    krb5_get_init_creds_opt_set_proxiable (options, TRUE);
+
+  if ((flags & GOA_IDENTITY_SIGN_IN_FLAGS_DISALLOW_RENEWAL) == 0)
+    krb5_get_init_creds_opt_set_renew_life (options, G_MAXINT);
+
+  /* Poke glibc in case the network changed
+   */
+  res_init ();
+
+  start_time = 0;
+  service_name = NULL;
+  error_code = krb5_get_init_creds_password (self->priv->kerberos_context,
+                                             &new_credentials,
+                                             principal,
+                                             (char *)
+                                             initial_password,
+                                             (krb5_prompter_fct)
+                                             on_kerberos_inquiry,
+                                             operation,
+                                             start_time,
+                                             service_name,
+                                             options);
+
+  if (error_code == KRB5_LIBOS_PWDINTR)
+    g_cancellable_cancel (operation->cancellable);
+
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    {
+      if (destroy_notify)
+        destroy_notify (inquiry_data);
+      sign_in_operation_free (operation);
+
+      krb5_free_principal (self->priv->kerberos_context, principal);
+      goto done;
+    }
+
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_AUTHENTICATION_FAILED,
+                                      error_code,
+                                      "%k");
+      if (destroy_notify)
+        destroy_notify (inquiry_data);
+      sign_in_operation_free (operation);
+
+      krb5_free_principal (self->priv->kerberos_context, principal);
+      goto done;
+    }
+
+  if (destroy_notify)
+    destroy_notify (inquiry_data);
+  sign_in_operation_free (operation);
+
+  if (!goa_kerberos_identity_update_credentials (self,
+                                                 principal,
+                                                 &new_credentials,
+                                                 error))
+    {
+      krb5_free_principal (self->priv->kerberos_context, principal);
+      goto done;
+    }
+  krb5_free_principal (self->priv->kerberos_context, principal);
+
+  goa_debug ("GoaKerberosIdentity: identity signed in");
+  signed_in = TRUE;
+done:
+
+  return signed_in;
+}
+
+static void
+update_identifier (GoaKerberosIdentity *self, GoaKerberosIdentity *new_identity)
+{
+  char *new_identifier;
+
+  new_identifier = get_identifier (self, NULL);
+  if (g_strcmp0 (self->priv->identifier, new_identifier) != 0)
+    {
+      g_free (self->priv->identifier);
+      self->priv->identifier = new_identifier;
+      queue_notify (self, &self->priv->identifier_idle_id, "identifier");
+    }
+  else
+    {
+      g_free (new_identifier);
+    }
+}
+
+void
+goa_kerberos_identity_update (GoaKerberosIdentity *self,
+                              GoaKerberosIdentity *new_identity)
+{
+  VerificationLevel verification_level;
+
+  if (self->priv->credentials_cache != NULL)
+    krb5_cc_close (self->priv->kerberos_context, self->priv->credentials_cache);
+
+  krb5_cc_dup (new_identity->priv->kerberos_context,
+               new_identity->priv->credentials_cache,
+               &self->priv->credentials_cache);
+
+  G_LOCK (identity_lock);
+  update_identifier (self, new_identity);
+  G_UNLOCK (identity_lock);
+
+  verification_level = verify_identity (self, NULL);
+
+  if (verification_level == VERIFICATION_LEVEL_SIGNED_IN)
+    reset_alarms (self);
+  else
+    clear_alarms (self);
+
+  if (verification_level != self->priv->cached_verification_level)
+    {
+      if (self->priv->cached_verification_level == VERIFICATION_LEVEL_SIGNED_IN &&
+          verification_level == VERIFICATION_LEVEL_EXISTS)
+        {
+
+          G_LOCK (identity_lock);
+          self->priv->cached_verification_level = verification_level;
+          G_UNLOCK (identity_lock);
+
+          g_signal_emit (G_OBJECT (self), signals[EXPIRED], 0);
+        }
+      else if (self->priv->cached_verification_level == VERIFICATION_LEVEL_EXISTS &&
+               verification_level == VERIFICATION_LEVEL_SIGNED_IN)
+        {
+
+          G_LOCK (identity_lock);
+          self->priv->cached_verification_level = verification_level;
+          G_UNLOCK (identity_lock);
+
+          g_signal_emit (G_OBJECT (self), signals[UNEXPIRED], 0);
+        }
+      else
+        {
+          G_LOCK (identity_lock);
+          self->priv->cached_verification_level = verification_level;
+          G_UNLOCK (identity_lock);
+        }
+      queue_notify (self, &self->priv->is_signed_in_idle_id, "is-signed-in");
+    }
+}
+
+gboolean
+goa_kerberos_identity_renew (GoaKerberosIdentity *self, GError **error)
+{
+  krb5_error_code error_code = 0;
+  krb5_principal principal;
+  krb5_creds new_credentials;
+  gboolean renewed = FALSE;
+  char *name = NULL;
+
+  if (self->priv->credentials_cache == NULL)
+    {
+      g_set_error (error,
+                   GOA_IDENTITY_ERROR,
+                   GOA_IDENTITY_ERROR_CREDENTIALS_UNAVAILABLE,
+                   _("Could not renew identitys: Not signed in"));
+      goto out;
+    }
+
+  error_code = krb5_cc_get_principal (self->priv->kerberos_context,
+                                      self->priv->credentials_cache, &principal);
+
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_CREDENTIALS_UNAVAILABLE,
+                                      error_code, _("Could not renew identity: %k"));
+      goto out;
+    }
+
+  name = goa_kerberos_identity_get_principal_name (self);
+
+  error_code = krb5_get_renewed_creds (self->priv->kerberos_context,
+                                       &new_credentials,
+                                       principal,
+                                       self->priv->credentials_cache, NULL);
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_RENEWING,
+                                      error_code,
+                                      _
+                                      ("Could not get new credentials to renew identity %s: %k"),
+                                      name);
+      krb5_free_principal (self->priv->kerberos_context, principal);
+      goto out;
+    }
+
+  if (!goa_kerberos_identity_update_credentials (self,
+                                                 principal,
+                                                 &new_credentials,
+                                                 error))
+    {
+      krb5_free_principal (self->priv->kerberos_context, principal);
+      goto out;
+    }
+
+  goa_debug ("GoaKerberosIdentity: identity %s renewed", name);
+  renewed = TRUE;
+out:
+  g_free (name);
+
+  return renewed;
+}
+
+gboolean
+goa_kerberos_identity_erase (GoaKerberosIdentity *self, GError **error)
+{
+  krb5_error_code error_code = 0;
+
+  if (self->priv->credentials_cache != NULL)
+    {
+      error_code = krb5_cc_destroy (self->priv->kerberos_context,
+                                    self->priv->credentials_cache);
+      self->priv->credentials_cache = NULL;
+    }
+
+  if (error_code != 0)
+    {
+      set_error_from_krb5_error_code (self,
+                                      error,
+                                      GOA_IDENTITY_ERROR_REMOVING_CREDENTIALS,
+                                      error_code, _("Could not erase identity: %k"));
+      return FALSE;
+    }
+
+  return TRUE;
+}
+
+GoaIdentity *
+goa_kerberos_identity_new (krb5_context context, krb5_ccache cache, GError **error)
+{
+  GoaKerberosIdentity *self;
+
+  self = GOA_KERBEROS_IDENTITY (g_object_new (GOA_TYPE_KERBEROS_IDENTITY, NULL));
+
+  krb5_cc_dup (context, cache, &self->priv->credentials_cache);
+  self->priv->kerberos_context = context;
+
+  error = NULL;
+  if (!g_initable_init (G_INITABLE (self), NULL, error))
+    {
+      g_object_unref (self);
+      return NULL;
+    }
+
+  return GOA_IDENTITY (self);
+}
diff --git a/src/goaidentity/goakerberosidentity.h b/src/goaidentity/goakerberosidentity.h
new file mode 100644
index 0000000..73681b0
--- /dev/null
+++ b/src/goaidentity/goakerberosidentity.h
@@ -0,0 +1,89 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_KERBEROS_IDENTITY_H__
+#define __GOA_KERBEROS_IDENTITY_H__
+
+#include <glib.h>
+#include <glib-object.h>
+
+#include <krb5.h>
+#include "goakerberosidentityinquiry.h"
+
+G_BEGIN_DECLS
+#define GOA_TYPE_KERBEROS_IDENTITY             (goa_kerberos_identity_get_type ())
+#define GOA_KERBEROS_IDENTITY(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GOA_TYPE_KERBEROS_IDENTITY, GoaKerberosIdentity))
+#define GOA_KERBEROS_IDENTITY_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GOA_TYPE_KERBEROS_IDENTITY, GoaKerberosIdentityClass))
+#define GOA_IS_KERBEROS_IDENTITY(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GOA_TYPE_KERBEROS_IDENTITY))
+#define GOA_IS_KERBEROS_IDENTITY_CLASS(klass)  (G_TYPE_CHECK_CLASS_TYPE ((klass), GOA_TYPE_KERBEROS_IDENTITY))
+#define GOA_KERBEROS_IDENTITY_GET_CLASS(obj)   (G_TYPE_INSTANCE_GET_CLASS((obj), GOA_TYPE_KERBEROS_IDENTITY, GoaKerberosIdentityClass))
+typedef struct _GoaKerberosIdentity GoaKerberosIdentity;
+typedef struct _GoaKerberosIdentityClass GoaKerberosIdentityClass;
+typedef struct _GoaKerberosIdentityPrivate GoaKerberosIdentityPrivate;
+typedef enum _GoaKerberosIdentityDescriptionLevel
+  GoaKerberosIdentityDescriptionLevel;
+
+enum _GoaKerberosIdentityDescriptionLevel
+{
+  GOA_KERBEROS_IDENTITY_DESCRIPTION_REALM,
+  GOA_KERBEROS_IDENTITY_DESCRIPTION_USERNAME_AND_REALM,
+  GOA_KERBEROS_IDENTITY_DESCRIPTION_USERNAME_ROLE_AND_REALM
+};
+
+struct _GoaKerberosIdentity
+{
+  GObject parent;
+
+  GoaKerberosIdentityPrivate *priv;
+};
+
+struct _GoaKerberosIdentityClass
+{
+  GObjectClass parent_class;
+};
+
+GType goa_kerberos_identity_get_type (void);
+
+GoaIdentity *goa_kerberos_identity_new (krb5_context   kerberos_context,
+                                        krb5_ccache    cache,
+                                        GError       **error);
+
+gboolean goa_kerberos_identity_sign_in (GoaKerberosIdentity     *self,
+                                        const char              *principal_name,
+                                        gconstpointer            initial_password,
+                                        GoaIdentitySignInFlags   flags,
+                                        GoaIdentityInquiryFunc   inquiry_func,
+                                        gpointer                 inquiry_data,
+                                        GDestroyNotify           destroy_notify,
+                                        GCancellable            *cancellable,
+                                        GError                 **error);
+void goa_kerberos_identity_update (GoaKerberosIdentity *identity,
+                                   GoaKerberosIdentity *new_identity);
+gboolean goa_kerberos_identity_renew (GoaKerberosIdentity  *self,
+                                      GError              **error);
+gboolean goa_kerberos_identity_erase (GoaKerberosIdentity *self,
+                                      GError              **error);
+
+char *goa_kerberos_identity_get_principal_name (GoaKerberosIdentity *self);
+char *goa_kerberos_identity_get_realm_name     (GoaKerberosIdentity *self);
+G_END_DECLS
+#endif /* __GOA_KERBEROS_IDENTITY_H__ */
diff --git a/src/goaidentity/goakerberosidentityinquiry.c b/src/goaidentity/goakerberosidentityinquiry.c
new file mode 100644
index 0000000..323a0c3
--- /dev/null
+++ b/src/goaidentity/goakerberosidentityinquiry.c
@@ -0,0 +1,375 @@
+/* -*- Mode: C; tab-width: 8; ident-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Author: Ray Strode
+ */
+
+#include "config.h"
+
+#include "goakerberosidentityinquiry.h"
+#include "goaidentityinquiryprivate.h"
+#include "goalogging.h"
+
+#include <string.h>
+#include <glib/gi18n.h>
+#include <gio/gio.h>
+
+struct _GoaKerberosIdentityInquiryPrivate
+{
+  GoaIdentity *identity;
+  char *name;
+  char *banner;
+  GList *queries;
+  int number_of_queries;
+  int number_of_unanswered_queries;
+};
+
+typedef struct
+{
+  GoaIdentityInquiry *inquiry;
+  krb5_prompt *kerberos_prompt;
+  gboolean is_answered;
+} GoaKerberosIdentityQuery;
+
+static void identity_inquiry_interface_init (GoaIdentityInquiryInterface *
+                                             interface);
+static void initable_interface_init (GInitableIface *interface);
+
+G_DEFINE_TYPE_WITH_CODE (GoaKerberosIdentityInquiry,
+                         goa_kerberos_identity_inquiry,
+                         G_TYPE_OBJECT,
+                         G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
+                                                initable_interface_init)
+                         G_IMPLEMENT_INTERFACE (GOA_TYPE_IDENTITY_INQUIRY,
+                                                identity_inquiry_interface_init));
+
+static gboolean
+goa_kerberos_identity_inquiry_initable_init (GInitable * initable,
+                                             GCancellable *cancellable,
+                                             GError ** error)
+{
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    {
+      return FALSE;
+    }
+
+  return TRUE;
+}
+
+static void
+initable_interface_init (GInitableIface *interface)
+{
+  interface->init = goa_kerberos_identity_inquiry_initable_init;
+}
+
+static GoaKerberosIdentityQuery *
+goa_kerberos_identity_query_new (GoaIdentityInquiry * inquiry,
+                                 krb5_prompt * kerberos_prompt)
+{
+  GoaKerberosIdentityQuery *query;
+
+  query = g_slice_new (GoaKerberosIdentityQuery);
+  query->inquiry = inquiry;
+  query->kerberos_prompt = kerberos_prompt;
+  query->is_answered = FALSE;
+
+  return query;
+}
+
+static void
+goa_kerberos_identity_query_free (GoaKerberosIdentityQuery *query)
+{
+  g_slice_free (GoaKerberosIdentityQuery, query);
+}
+
+static void
+goa_kerberos_identity_inquiry_dispose (GObject *object)
+{
+  GoaKerberosIdentityInquiry *self = GOA_KERBEROS_IDENTITY_INQUIRY (object);
+
+  g_clear_object (&self->priv->identity);
+  g_clear_pointer (&self->priv->name, (GDestroyNotify) g_free);
+  g_clear_pointer (&self->priv->banner, (GDestroyNotify) g_free);
+
+  g_list_foreach (self->priv->queries,
+                  (GFunc) goa_kerberos_identity_query_free, NULL);
+  g_clear_pointer (&self->priv->queries, (GDestroyNotify) g_list_free);
+}
+
+static void
+goa_kerberos_identity_inquiry_finalize (GObject *object)
+{
+  G_OBJECT_CLASS (goa_kerberos_identity_inquiry_parent_class)->finalize (object);
+}
+
+static void
+goa_kerberos_identity_inquiry_class_init (GoaKerberosIdentityInquiryClass *klass)
+{
+  GObjectClass *object_class;
+
+  object_class = G_OBJECT_CLASS (klass);
+
+  object_class->dispose = goa_kerberos_identity_inquiry_dispose;
+  object_class->finalize = goa_kerberos_identity_inquiry_finalize;
+
+  g_type_class_add_private (klass, sizeof (GoaKerberosIdentityInquiryPrivate));
+}
+
+static void
+goa_kerberos_identity_inquiry_init (GoaKerberosIdentityInquiry *self)
+{
+  self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+                                            GOA_TYPE_KERBEROS_IDENTITY_INQUIRY,
+                                            GoaKerberosIdentityInquiryPrivate);
+}
+
+GoaIdentityInquiry *
+goa_kerberos_identity_inquiry_new (GoaKerberosIdentity * identity,
+                                   const char *name,
+                                   const char *banner,
+                                   krb5_prompt prompts[], int number_of_prompts)
+{
+  GObject *object;
+  GoaIdentityInquiry *inquiry;
+  GoaKerberosIdentityInquiry *self;
+  GError *error;
+  int i;
+
+  g_return_val_if_fail (GOA_IS_KERBEROS_IDENTITY (identity), NULL);
+  g_return_val_if_fail (number_of_prompts > 0, NULL);
+
+  object = g_object_new (GOA_TYPE_KERBEROS_IDENTITY_INQUIRY, NULL);
+
+  inquiry = GOA_IDENTITY_INQUIRY (object);
+  self = GOA_KERBEROS_IDENTITY_INQUIRY (object);
+
+  /* FIXME: make these construct properties */
+  self->priv->identity = g_object_ref (identity);
+  self->priv->name = g_strdup (name);
+  self->priv->banner = g_strdup (banner);
+
+  self->priv->number_of_queries = 0;
+  for (i = 0; i < number_of_prompts; i++)
+    {
+      GoaKerberosIdentityQuery *query;
+
+      query = goa_kerberos_identity_query_new (inquiry, &prompts[i]);
+
+      self->priv->queries = g_list_prepend (self->priv->queries, query);
+      self->priv->number_of_queries++;
+    }
+  self->priv->queries = g_list_reverse (self->priv->queries);
+
+  self->priv->number_of_unanswered_queries = self->priv->number_of_queries;
+
+  error = NULL;
+  if (!g_initable_init (G_INITABLE (self), NULL, &error))
+    {
+      goa_debug ("%s", error->message);
+      g_error_free (error);
+      g_object_unref (self);
+      return NULL;
+    }
+
+  return inquiry;
+}
+
+static GoaIdentity *
+goa_kerberos_identity_inquiry_get_identity (GoaIdentityInquiry *inquiry)
+{
+  GoaKerberosIdentityInquiry *self;
+
+  g_return_val_if_fail (GOA_IS_KERBEROS_IDENTITY_INQUIRY (inquiry), NULL);
+
+  self = GOA_KERBEROS_IDENTITY_INQUIRY (inquiry);
+
+  return self->priv->identity;
+}
+
+static char *
+goa_kerberos_identity_inquiry_get_name (GoaIdentityInquiry *inquiry)
+{
+  GoaKerberosIdentityInquiry *self;
+
+  g_return_val_if_fail (GOA_IS_KERBEROS_IDENTITY_INQUIRY (inquiry), NULL);
+
+  self = GOA_KERBEROS_IDENTITY_INQUIRY (inquiry);
+
+  return g_strdup (self->priv->name);
+}
+
+static char *
+goa_kerberos_identity_inquiry_get_banner (GoaIdentityInquiry *inquiry)
+{
+  GoaKerberosIdentityInquiry *self;
+
+  g_return_val_if_fail (GOA_IS_KERBEROS_IDENTITY_INQUIRY (inquiry), NULL);
+
+  self = GOA_KERBEROS_IDENTITY_INQUIRY (inquiry);
+
+  return g_strdup (self->priv->banner);
+}
+
+static gboolean
+goa_kerberos_identity_inquiry_is_complete (GoaIdentityInquiry *inquiry)
+{
+  GoaKerberosIdentityInquiry *self;
+
+  g_return_val_if_fail (GOA_IS_KERBEROS_IDENTITY_INQUIRY (inquiry), FALSE);
+
+  self = GOA_KERBEROS_IDENTITY_INQUIRY (inquiry);
+
+  return self->priv->number_of_unanswered_queries == 0;
+}
+
+static void
+goa_kerberos_identity_inquiry_mark_query_answered (GoaKerberosIdentityInquiry * self,
+                                                   GoaKerberosIdentityQuery * query)
+{
+  if (query->is_answered)
+    {
+      return;
+    }
+
+  query->is_answered = TRUE;
+  self->priv->number_of_unanswered_queries--;
+
+  if (self->priv->number_of_unanswered_queries == 0)
+    {
+      _goa_identity_inquiry_emit_complete (GOA_IDENTITY_INQUIRY (self));
+    }
+}
+
+static void
+goa_kerberos_identity_inquiry_answer_query (GoaIdentityInquiry * inquiry,
+                                            GoaIdentityQuery *query,
+                                            const char *answer)
+{
+  GoaKerberosIdentityInquiry *self;
+  GoaKerberosIdentityQuery *kerberos_query = (GoaKerberosIdentityQuery *) query;
+
+  g_return_if_fail (GOA_IS_KERBEROS_IDENTITY_INQUIRY (inquiry));
+  g_return_if_fail (inquiry == kerberos_query->inquiry);
+  g_return_if_fail (!goa_kerberos_identity_inquiry_is_complete (inquiry));
+
+  self = GOA_KERBEROS_IDENTITY_INQUIRY (inquiry);
+
+  inquiry = kerberos_query->inquiry;
+
+  strncpy (kerberos_query->kerberos_prompt->reply->data,
+           answer, kerberos_query->kerberos_prompt->reply->length);
+  kerberos_query->kerberos_prompt->reply->length =
+    (unsigned int) strlen (kerberos_query->kerberos_prompt->reply->data);
+
+  goa_kerberos_identity_inquiry_mark_query_answered (self, kerberos_query);
+}
+
+static void
+goa_kerberos_identity_inquiry_iter_init (GoaIdentityInquiryIter * iter,
+                                         GoaIdentityInquiry * inquiry)
+{
+  GoaKerberosIdentityInquiry *self = GOA_KERBEROS_IDENTITY_INQUIRY (inquiry);
+
+  iter->data = self->priv->queries;
+}
+
+static GoaIdentityQuery *
+goa_kerberos_identity_inquiry_iter_next (GoaIdentityInquiryIter * iter,
+                                         GoaIdentityInquiry * inquiry)
+{
+  GoaIdentityQuery *query;
+  GList *node;
+
+  node = iter->data;
+
+  if (node == NULL)
+    {
+      return NULL;
+    }
+
+  query = (GoaIdentityQuery *) node->data;
+
+  node = node->next;
+
+  iter->data = node;
+
+  return query;
+}
+
+static GoaIdentityQueryMode
+goa_kerberos_identity_query_get_mode (GoaIdentityInquiry * inquiry,
+                                      GoaIdentityQuery * query)
+{
+  GoaKerberosIdentityQuery *kerberos_query = (GoaKerberosIdentityQuery *) query;
+
+  g_return_val_if_fail (GOA_IS_KERBEROS_IDENTITY_INQUIRY (inquiry),
+                        GOA_KERBEROS_IDENTITY_QUERY_MODE_INVISIBLE);
+  g_return_val_if_fail (inquiry == kerberos_query->inquiry,
+                        GOA_KERBEROS_IDENTITY_QUERY_MODE_INVISIBLE);
+
+  if (kerberos_query->kerberos_prompt->hidden)
+    {
+      return GOA_KERBEROS_IDENTITY_QUERY_MODE_INVISIBLE;
+    }
+  else
+    {
+      return GOA_KERBEROS_IDENTITY_QUERY_MODE_VISIBLE;
+    }
+}
+
+static char *
+goa_kerberos_identity_query_get_prompt (GoaIdentityInquiry * inquiry,
+                                        GoaIdentityQuery * query)
+{
+  GoaKerberosIdentityQuery *kerberos_query = (GoaKerberosIdentityQuery *) query;
+
+  g_return_val_if_fail (GOA_IS_KERBEROS_IDENTITY_INQUIRY (inquiry),
+                        GOA_KERBEROS_IDENTITY_QUERY_MODE_INVISIBLE);
+  g_return_val_if_fail (inquiry == kerberos_query->inquiry, NULL);
+
+  return g_strdup (kerberos_query->kerberos_prompt->prompt);
+}
+
+static gboolean
+goa_kerberos_identity_query_is_answered (GoaIdentityInquiry * inquiry,
+                                         GoaIdentityQuery * query)
+{
+  GoaKerberosIdentityQuery *kerberos_query = (GoaKerberosIdentityQuery *) query;
+
+  g_return_val_if_fail (GOA_IS_KERBEROS_IDENTITY_INQUIRY (inquiry),
+                        GOA_KERBEROS_IDENTITY_QUERY_MODE_INVISIBLE);
+  g_return_val_if_fail (inquiry == kerberos_query->inquiry, FALSE);
+
+  return kerberos_query->is_answered;
+}
+
+static void
+identity_inquiry_interface_init (GoaIdentityInquiryInterface *interface)
+{
+  interface->get_identity = goa_kerberos_identity_inquiry_get_identity;
+  interface->get_name = goa_kerberos_identity_inquiry_get_name;
+  interface->get_banner = goa_kerberos_identity_inquiry_get_banner;
+  interface->is_complete = goa_kerberos_identity_inquiry_is_complete;
+  interface->answer_query = goa_kerberos_identity_inquiry_answer_query;
+  interface->iter_init = goa_kerberos_identity_inquiry_iter_init;
+  interface->iter_next = goa_kerberos_identity_inquiry_iter_next;
+  interface->get_mode = goa_kerberos_identity_query_get_mode;
+  interface->get_prompt = goa_kerberos_identity_query_get_prompt;
+  interface->is_answered = goa_kerberos_identity_query_is_answered;
+}
diff --git a/src/goaidentity/goakerberosidentityinquiry.h b/src/goaidentity/goakerberosidentityinquiry.h
new file mode 100644
index 0000000..d6c7d7c
--- /dev/null
+++ b/src/goaidentity/goakerberosidentityinquiry.h
@@ -0,0 +1,73 @@
+/* -*- Mode: C; tab-width: 8; ident-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_KERBEROS_IDENTITY_INQUIRY_H__
+#define __GOA_KERBEROS_IDENTITY_INQUIRY_H__
+
+#include <stdint.h>
+
+#include <glib.h>
+#include <glib-object.h>
+
+#include "goaidentityinquiry.h"
+#include "goakerberosidentity.h"
+
+G_BEGIN_DECLS
+#define GOA_TYPE_KERBEROS_IDENTITY_INQUIRY             (goa_kerberos_identity_inquiry_get_type ())
+#define GOA_KERBEROS_IDENTITY_INQUIRY(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GOA_TYPE_KERBEROS_IDENTITY_INQUIRY, GoaKerberosIdentityInquiry))
+#define GOA_KERBEROS_IDENTITY_INQUIRY_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GOA_TYPE_KERBEROS_IDENTITY_INQUIRY, GoaKerberosIdentityInquiryClass))
+#define GOA_IS_KERBEROS_IDENTITY_INQUIRY(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GOA_TYPE_KERBEROS_IDENTITY_INQUIRY))
+#define GOA_IS_KERBEROS_IDENTITY_INQUIRY_CLASS(klass)  (G_TYPE_CHECK_CLASS_TYPE ((klass), GOA_TYPE_KERBEROS_IDENTITY_INQUIRY))
+#define GOA_KERBEROS_IDENTITY_INQUIRY_GET_CLASS(obj)   (G_TYPE_INSTANCE_GET_CLASS((obj), GOA_TYPE_KERBEROS_IDENTITY_INQUIRY, GoaKerberosIdentityInquiryClass))
+typedef struct _GoaKerberosIdentity GoaKerberosIdentity;
+typedef struct _GoaKerberosIdentityInquiry GoaKerberosIdentityInquiry;
+typedef struct _GoaKerberosIdentityInquiryClass GoaKerberosIdentityInquiryClass;
+typedef struct _GoaKerberosIdentityInquiryPrivate GoaKerberosIdentityInquiryPrivate;
+typedef struct _GoaKerberosIdentityInquiryIter GoaKerberosIdentityInquiryIter;
+
+typedef enum
+{
+  GOA_KERBEROS_IDENTITY_QUERY_MODE_INVISIBLE,
+  GOA_KERBEROS_IDENTITY_QUERY_MODE_VISIBLE
+} GoaKerberosIdentityQueryMode;
+
+struct _GoaKerberosIdentityInquiry
+{
+  GObject parent;
+
+  GoaKerberosIdentityInquiryPrivate *priv;
+};
+
+struct _GoaKerberosIdentityInquiryClass
+{
+  GObjectClass parent_class;
+};
+
+GType goa_kerberos_identity_inquiry_get_type (void);
+
+GoaIdentityInquiry *goa_kerberos_identity_inquiry_new (GoaKerberosIdentity *identity,
+                                                       const char          *name,
+                                                       const char          *banner,
+                                                       krb5_prompt          prompts[],
+                                                       int                  number_of_prompts);
+
+#endif /* __GOA_KERBEROS_IDENTITY_INQUIRY_H__ */
diff --git a/src/goaidentity/goakerberosidentitymanager.c b/src/goaidentity/goakerberosidentitymanager.c
new file mode 100644
index 0000000..80a8e8a
--- /dev/null
+++ b/src/goaidentity/goakerberosidentitymanager.c
@@ -0,0 +1,1617 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#include "config.h"
+
+#include "goakerberosidentitymanager.h"
+#include "goaidentitymanager.h"
+#include "goaidentitymanagerprivate.h"
+#include "goakerberosidentity.h"
+#include "goalogging.h"
+
+#include <fcntl.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <glib/gi18n.h>
+#include <glib/gstdio.h>
+#include <gio/gio.h>
+
+#include <krb5.h>
+
+struct _GoaKerberosIdentityManagerPrivate
+{
+  GHashTable *identities;
+  GHashTable *expired_identities;
+  GHashTable *identities_by_realm;
+  GAsyncQueue *pending_operations;
+  GCancellable *scheduler_cancellable;
+
+  krb5_context kerberos_context;
+  GFileMonitor *credentials_cache_monitor;
+  gulong credentials_cache_changed_signal_id;
+  char *credentials_cache_type;
+
+  GMutex scheduler_job_lock;
+  GCond scheduler_job_unblocked;
+  gboolean is_blocking_scheduler_job;
+
+  volatile int pending_refresh_count;
+};
+
+typedef enum
+{
+  OPERATION_TYPE_REFRESH,
+  OPERATION_TYPE_GET_IDENTITY,
+  OPERATION_TYPE_LIST,
+  OPERATION_TYPE_RENEW,
+  OPERATION_TYPE_SIGN_IN,
+  OPERATION_TYPE_SIGN_OUT,
+  OPERATION_TYPE_STOP_JOB
+} OperationType;
+
+typedef struct
+{
+  GCancellable *cancellable;
+  GoaKerberosIdentityManager *manager;
+  OperationType type;
+  GSimpleAsyncResult *result;
+  GIOSchedulerJob *job;
+  union
+  {
+    GoaIdentity *identity;
+    struct
+    {
+      const char *identifier;
+      gconstpointer initial_password;
+      GoaIdentitySignInFlags sign_in_flags;
+      GoaIdentityInquiry *inquiry;
+      GoaIdentityInquiryFunc inquiry_func;
+      gpointer inquiry_data;
+      GMutex inquiry_lock;
+      GCond inquiry_finished_condition;
+      volatile gboolean is_inquiring;
+    };
+  };
+} Operation;
+
+typedef struct
+{
+  GoaKerberosIdentityManager *manager;
+  GoaIdentity *identity;
+} IdentitySignalWork;
+
+static GoaIdentityManager *goa_kerberos_identity_manager_singleton;
+
+static void identity_manager_interface_init (GoaIdentityManagerInterface *
+                                             interface);
+static void initable_interface_init (GInitableIface *interface);
+
+static void on_identity_expired (GoaIdentity                *identity,
+                                 GoaKerberosIdentityManager *self);
+
+G_DEFINE_TYPE_WITH_CODE (GoaKerberosIdentityManager,
+                         goa_kerberos_identity_manager,
+                         G_TYPE_OBJECT,
+                         G_IMPLEMENT_INTERFACE (GOA_TYPE_IDENTITY_MANAGER,
+                                                identity_manager_interface_init)
+                         G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
+                                                initable_interface_init));
+
+static Operation *
+operation_new (GoaKerberosIdentityManager *self,
+               GCancellable               *cancellable,
+               OperationType               type,
+               GSimpleAsyncResult         *result)
+{
+  Operation *operation;
+
+  operation = g_slice_new (Operation);
+
+  operation->manager = self;
+  operation->type = type;
+
+  if (cancellable == NULL)
+    cancellable = g_cancellable_new ();
+  else
+    g_object_ref (cancellable);
+  operation->cancellable = cancellable;
+
+  if (result != NULL)
+    g_object_ref (result);
+  operation->result = result;
+
+  operation->identity = NULL;
+
+  return operation;
+}
+
+static void
+operation_free (Operation *operation)
+{
+  g_clear_object (&operation->cancellable);
+
+  if (operation->type != OPERATION_TYPE_SIGN_IN &&
+      operation->type != OPERATION_TYPE_GET_IDENTITY)
+    g_clear_object (&operation->identity);
+  else
+    g_clear_pointer (&operation->identifier, g_free);
+
+  g_clear_object (&operation->result);
+
+  g_slice_free (Operation, operation);
+}
+
+static void
+schedule_refresh (GoaKerberosIdentityManager *self)
+{
+  Operation *operation;
+
+  g_atomic_int_inc (&self->priv->pending_refresh_count);
+
+  operation = operation_new (self, NULL, OPERATION_TYPE_REFRESH, NULL);
+  g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static IdentitySignalWork *
+identity_signal_work_new (GoaKerberosIdentityManager *self,
+                          GoaIdentity                *identity)
+{
+  IdentitySignalWork *work;
+
+  work = g_slice_new (IdentitySignalWork);
+  work->manager = self;
+  work->identity = g_object_ref (identity);
+
+  return work;
+}
+
+static void
+identity_signal_work_free (IdentitySignalWork *work)
+{
+  g_object_unref (work->identity);
+  g_slice_free (IdentitySignalWork, work);
+}
+
+static void
+on_identity_expired (GoaIdentity                *identity,
+                     GoaKerberosIdentityManager *self)
+{
+  _goa_identity_manager_emit_identity_expired (GOA_IDENTITY_MANAGER (self),
+                                               identity);
+}
+
+static void
+on_identity_unexpired (GoaIdentity                *identity,
+                       GoaKerberosIdentityManager *self)
+{
+  goa_debug ("GoaKerberosIdentityManager: identity unexpired");
+  /* If an identity is now unexpired, that means some sort of weird
+   * clock skew happened and we should just do a full refresh, since it's
+   * probably affected more than one identity
+   */
+  schedule_refresh (self);
+}
+
+static void
+on_identity_expiring (GoaIdentity                *identity,
+                      GoaKerberosIdentityManager *self)
+{
+  goa_debug ("GoaKerberosIdentityManager: identity about to expire");
+  _goa_identity_manager_emit_identity_expiring (GOA_IDENTITY_MANAGER (self),
+                                                identity);
+}
+
+static void
+on_identity_needs_renewal (GoaIdentity                *identity,
+                           GoaKerberosIdentityManager *self)
+{
+  goa_debug ("GoaKerberosIdentityManager: identity needs renewal");
+  _goa_identity_manager_emit_identity_needs_renewal (GOA_IDENTITY_MANAGER (self),
+                                                     identity);
+}
+
+static void
+on_identity_needs_refresh (GoaIdentity                *identity,
+                           GoaKerberosIdentityManager *self)
+{
+  goa_debug ("GoaKerberosIdentityManager: needs refresh");
+  schedule_refresh (self);
+}
+
+static void
+watch_for_identity_expiration (GoaKerberosIdentityManager *self,
+                               GoaIdentity                *identity)
+{
+  g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                        G_CALLBACK (on_identity_expired),
+                                        self);
+  g_signal_connect (G_OBJECT (identity),
+                    "expired",
+                    G_CALLBACK (on_identity_expired),
+                    self);
+
+  g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                        G_CALLBACK (on_identity_unexpired),
+                                        self);
+  g_signal_connect (G_OBJECT (identity),
+                    "unexpired",
+                    G_CALLBACK (on_identity_unexpired),
+                    self);
+
+  g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                        G_CALLBACK (on_identity_expiring),
+                                        self);
+  g_signal_connect (G_OBJECT (identity),
+                    "expiring",
+                    G_CALLBACK (on_identity_expiring),
+                    self);
+
+  g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                        G_CALLBACK (on_identity_needs_renewal),
+                                        self);
+  g_signal_connect (G_OBJECT (identity),
+                    "needs-renewal",
+                    G_CALLBACK (on_identity_needs_renewal),
+                    self);
+
+  g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                        G_CALLBACK (on_identity_needs_refresh),
+                                        self);
+  g_signal_connect (G_OBJECT (identity),
+                    "needs-refresh",
+                    G_CALLBACK (on_identity_needs_refresh),
+                    self);
+}
+
+static void
+do_identity_signal_added_work (IdentitySignalWork *work)
+{
+  GoaKerberosIdentityManager *self = work->manager;
+  GoaIdentity *identity = work->identity;
+
+  watch_for_identity_expiration (self, identity);
+  _goa_identity_manager_emit_identity_added (GOA_IDENTITY_MANAGER (self), identity);
+}
+
+static void
+do_identity_signal_removed_work (IdentitySignalWork *work)
+{
+  GoaKerberosIdentityManager *self = work->manager;
+  GoaIdentity *identity = work->identity;
+
+  _goa_identity_manager_emit_identity_removed (GOA_IDENTITY_MANAGER (self),
+                                               identity);
+}
+
+static void
+do_identity_signal_renamed_work (IdentitySignalWork *work)
+{
+  GoaKerberosIdentityManager *self = work->manager;
+  GoaIdentity *identity = work->identity;
+
+  _goa_identity_manager_emit_identity_renamed (GOA_IDENTITY_MANAGER (self),
+                                               identity);
+}
+
+static void
+do_identity_signal_refreshed_work (IdentitySignalWork *work)
+{
+  GoaKerberosIdentityManager *self = work->manager;
+  GoaIdentity *identity = work->identity;
+
+  watch_for_identity_expiration (self, identity);
+  _goa_identity_manager_emit_identity_refreshed (GOA_IDENTITY_MANAGER (self),
+                                                 identity);
+}
+
+static void
+remove_identity (GoaKerberosIdentityManager *self,
+                 Operation                  *operation,
+                 GoaIdentity                *identity)
+{
+
+  IdentitySignalWork *work;
+  const char *identifier;
+  char *name;
+  GList *other_identities = NULL;
+
+  identifier = goa_identity_get_identifier (identity);
+  name = goa_kerberos_identity_get_realm_name (GOA_KERBEROS_IDENTITY (identity));
+
+  if (name != NULL)
+    {
+      other_identities = g_hash_table_lookup (self->priv->identities_by_realm, name);
+      g_hash_table_remove (self->priv->identities_by_realm, name);
+
+      other_identities = g_list_remove (other_identities, identity);
+    }
+
+
+  if (other_identities != NULL)
+    {
+      g_hash_table_replace (self->priv->identities_by_realm,
+                            g_strdup (name), other_identities);
+    }
+  g_free (name);
+
+  work = identity_signal_work_new (self, identity);
+  g_hash_table_remove (self->priv->expired_identities, identifier);
+  g_hash_table_remove (self->priv->identities, identifier);
+
+  g_io_scheduler_job_send_to_mainloop (operation->job,
+                                       (GSourceFunc)
+                                       do_identity_signal_removed_work,
+                                       work,
+                                       (GDestroyNotify) identity_signal_work_free);
+  /* If there's only one identity for this realm now, then we can
+   * rename that identity to just the realm name
+   */
+  if (other_identities != NULL && other_identities->next == NULL)
+    {
+      GoaIdentity *other_identity = other_identities->data;
+
+      work = identity_signal_work_new (self, other_identity);
+
+      g_io_scheduler_job_send_to_mainloop (operation->job,
+                                           (GSourceFunc)
+                                           do_identity_signal_renamed_work,
+                                           work,
+                                           (GDestroyNotify)
+                                           identity_signal_work_free);
+    }
+}
+
+static void
+drop_stale_identities (GoaKerberosIdentityManager *self,
+                       Operation                  *operation,
+                       GHashTable                 *known_identities)
+{
+  GList *stale_identity_ids;
+  GList *node;
+
+  stale_identity_ids = g_hash_table_get_keys (self->priv->identities);
+
+  node = stale_identity_ids;
+  while (node != NULL)
+    {
+      GoaIdentity *identity;
+      const char *identifier = node->data;
+
+      identity = g_hash_table_lookup (known_identities, identifier);
+      if (identity == NULL)
+        {
+          identity = g_hash_table_lookup (self->priv->identities, identifier);
+
+          if (identity != NULL)
+            {
+              remove_identity (self, operation, identity);
+            }
+        }
+      node = node->next;
+    }
+  g_list_free (stale_identity_ids);
+}
+
+static void
+update_identity (GoaKerberosIdentityManager *self,
+                 Operation                  *operation,
+                 GoaIdentity                *identity,
+                 GoaIdentity                *new_identity)
+{
+
+  goa_kerberos_identity_update (GOA_KERBEROS_IDENTITY (identity),
+                                GOA_KERBEROS_IDENTITY (new_identity));
+
+  if (goa_identity_is_signed_in (identity))
+    {
+      IdentitySignalWork *work;
+
+      /* if it's not expired, send out a refresh signal */
+      goa_debug ("GoaKerberosIdentityManager: identity '%s' refreshed",
+               goa_identity_get_identifier (identity));
+
+      work = identity_signal_work_new (self, identity);
+      g_io_scheduler_job_send_to_mainloop (operation->job,
+                                           (GSourceFunc)
+                                           do_identity_signal_refreshed_work,
+                                           work,
+                                           (GDestroyNotify)
+                                           identity_signal_work_free);
+    }
+}
+
+static void
+add_identity (GoaKerberosIdentityManager *self,
+              Operation                  *operation,
+              GoaIdentity                *identity,
+              const char                 *identifier)
+{
+  IdentitySignalWork *work;
+
+  g_hash_table_replace (self->priv->identities,
+                        g_strdup (identifier), g_object_ref (identity));
+
+  if (!goa_identity_is_signed_in (identity))
+    {
+      g_hash_table_replace (self->priv->expired_identities,
+                            g_strdup (identifier), identity);
+    }
+
+  work = identity_signal_work_new (self, identity);
+  g_io_scheduler_job_send_to_mainloop (operation->job,
+                                       (GSourceFunc)
+                                       do_identity_signal_added_work,
+                                       work,
+                                       (GDestroyNotify) identity_signal_work_free);
+}
+
+static void
+refresh_identity (GoaKerberosIdentityManager *self,
+                  Operation                  *operation,
+                  GHashTable                 *refreshed_identities,
+                  GoaIdentity                *identity)
+{
+  const char *identifier;
+  GoaIdentity *old_identity;
+
+  identifier = goa_identity_get_identifier (identity);
+
+  if (identifier == NULL)
+    {
+      return;
+    }
+  old_identity = g_hash_table_lookup (self->priv->identities, identifier);
+
+  if (old_identity != NULL)
+    {
+      goa_debug ("GoaKerberosIdentityManager: refreshing identity '%s'", identifier);
+      update_identity (self, operation, old_identity, identity);
+
+      /* Reuse the old identity, so any object data set up on it doesn't
+       * disappear spurriously
+       */
+      identifier = goa_identity_get_identifier (old_identity);
+      identity = old_identity;
+    }
+  else
+    {
+      goa_debug ("GoaKerberosIdentityManager: adding new identity '%s'", identifier);
+      add_identity (self, operation, identity, identifier);
+    }
+
+  /* Track refreshed identities so we can emit removals when we're done fully
+   * enumerating the collection of credential caches
+   */
+  g_hash_table_replace (refreshed_identities,
+                        g_strdup (identifier),
+                        g_object_ref (identity));
+}
+
+static gboolean
+refresh_identities (GoaKerberosIdentityManager *self,
+                    Operation                  *operation)
+{
+  krb5_error_code error_code;
+  krb5_ccache cache;
+  krb5_cccol_cursor cursor;
+  const char *error_message;
+  GHashTable *refreshed_identities;
+
+  /* If we have more refreshes queued up, don't bother doing this one
+   */
+  if (!g_atomic_int_dec_and_test (&self->priv->pending_refresh_count))
+    {
+      return FALSE;
+    }
+
+  goa_debug ("GoaKerberosIdentityManager: Refreshing identities");
+  refreshed_identities = g_hash_table_new_full (g_str_hash,
+                                                g_str_equal,
+                                                (GDestroyNotify)
+                                                g_free,
+                                                (GDestroyNotify) g_object_unref);
+  error_code = krb5_cccol_cursor_new (self->priv->kerberos_context, &cursor);
+
+  if (error_code != 0)
+    {
+      error_message =
+        krb5_get_error_message (self->priv->kerberos_context, error_code);
+      goa_debug ("GoaKerberosIdentityManager:         Error looking up available credential caches: %s",
+                 error_message);
+      krb5_free_error_message (self->priv->kerberos_context, error_message);
+      goto done;
+    }
+
+  error_code = krb5_cccol_cursor_next (self->priv->kerberos_context, cursor, &cache);
+
+  while (error_code == 0 && cache != NULL)
+    {
+      GoaIdentity *identity;
+
+      identity = goa_kerberos_identity_new (self->priv->kerberos_context,
+                                            cache, NULL);
+
+      if (identity != NULL)
+        {
+          refresh_identity (self, operation, refreshed_identities, identity);
+        }
+
+      krb5_cc_close (self->priv->kerberos_context, cache);
+      error_code = krb5_cccol_cursor_next (self->priv->kerberos_context,
+                                           cursor, &cache);
+    }
+
+  if (error_code != 0)
+    {
+      error_message =
+        krb5_get_error_message (self->priv->kerberos_context, error_code);
+      goa_debug ("GoaKerberosIdentityManager:         Error iterating over available credential caches: %s",
+                 error_message);
+      krb5_free_error_message (self->priv->kerberos_context, error_message);
+    }
+
+  krb5_cccol_cursor_free (self->priv->kerberos_context, &cursor);
+done:
+  drop_stale_identities (self, operation, refreshed_identities);
+  g_hash_table_unref (refreshed_identities);
+
+  return TRUE;
+}
+
+static int
+identity_sort_func (GoaIdentity *a,
+                    GoaIdentity *b)
+{
+  return g_strcmp0 (goa_identity_get_identifier (a),
+                    goa_identity_get_identifier (b));
+}
+
+static void
+free_identity_list (GList *list)
+{
+  g_list_foreach (list, (GFunc) g_object_unref, NULL);
+  g_list_free (list);
+}
+
+static void
+list_identities (GoaKerberosIdentityManager *self,
+                 Operation                  *operation)
+{
+  GList *identities;
+
+  goa_debug ("GoaKerberosIdentityManager: Listing identities");
+  identities = g_hash_table_get_values (self->priv->identities);
+
+  identities = g_list_sort (identities, (GCompareFunc) identity_sort_func);
+
+  g_list_foreach (identities, (GFunc) g_object_ref, NULL);
+  g_simple_async_result_set_op_res_gpointer (operation->result,
+                                             identities,
+                                             (GDestroyNotify) free_identity_list);
+}
+
+static void
+renew_identity (GoaKerberosIdentityManager *self,
+                Operation                  *operation)
+{
+  GError *error;
+  gboolean was_renewed;
+  char *identity_name;
+
+  identity_name =
+    goa_kerberos_identity_get_principal_name (GOA_KERBEROS_IDENTITY
+                                              (operation->identity));
+  goa_debug ("GoaKerberosIdentityManager: renewing identity %s", identity_name);
+  g_free (identity_name);
+
+  error = NULL;
+  was_renewed =
+    goa_kerberos_identity_renew (GOA_KERBEROS_IDENTITY (operation->identity),
+                                 &error);
+
+  if (!was_renewed)
+    {
+      goa_debug ("GoaKerberosIdentityManager: could not renew identity: %s",
+               error->message);
+
+      g_simple_async_result_set_from_error (operation->result, error);
+    }
+
+  g_simple_async_result_set_op_res_gboolean (operation->result, was_renewed);
+}
+
+static void
+do_identity_inquiry (Operation *operation)
+{
+  if (operation->inquiry_func == NULL)
+    {
+      return;
+    }
+
+  operation->inquiry_func (operation->inquiry,
+                           operation->cancellable,
+                           operation->inquiry_data);
+}
+
+static void
+stop_waiting_on_inquiry (Operation *operation)
+{
+  g_mutex_lock (&operation->inquiry_lock);
+  if (operation->is_inquiring)
+    {
+      operation->is_inquiring = FALSE;
+      g_cond_signal (&operation->inquiry_finished_condition);
+    }
+  g_mutex_unlock (&operation->inquiry_lock);
+}
+
+static void
+on_kerberos_identity_inquiry_complete (GoaIdentityInquiry *inquiry,
+                                       Operation          *operation)
+{
+  stop_waiting_on_inquiry (operation);
+}
+
+static void
+start_inquiry (Operation          *operation,
+               GoaIdentityInquiry *inquiry)
+{
+  operation->is_inquiring = TRUE;
+
+  g_signal_connect (G_OBJECT (inquiry),
+                    "complete",
+                    G_CALLBACK (on_kerberos_identity_inquiry_complete),
+                    operation);
+
+  operation->inquiry = inquiry;
+  g_io_scheduler_job_send_to_mainloop (operation->job,
+                                       (GSourceFunc)
+                                       do_identity_inquiry,
+                                       operation, (GDestroyNotify) NULL);
+}
+
+static void
+wait_for_inquiry_to_complete (Operation                  *operation,
+                              GoaKerberosIdentityInquiry *inquiry)
+{
+  g_mutex_lock (&operation->inquiry_lock);
+  while (operation->is_inquiring)
+    g_cond_wait (&operation->inquiry_finished_condition,
+                 &operation->inquiry_lock);
+  g_mutex_unlock (&operation->inquiry_lock);
+}
+
+static void
+on_sign_in_operation_cancelled (GCancellable *cancellable,
+                                Operation    *operation)
+{
+  stop_waiting_on_inquiry (operation);
+}
+
+static void
+on_kerberos_identity_inquiry (GoaKerberosIdentityInquiry *inquiry,
+                              GCancellable               *cancellable,
+                              Operation                  *operation)
+{
+  gulong handler_id;
+
+  start_inquiry (operation, GOA_IDENTITY_INQUIRY (inquiry));
+
+  handler_id = g_cancellable_connect (cancellable,
+                                      G_CALLBACK (on_sign_in_operation_cancelled),
+                                      operation, NULL);
+
+  if ((operation->cancellable == NULL) ||
+      !g_cancellable_is_cancelled (operation->cancellable))
+    wait_for_inquiry_to_complete (operation, inquiry);
+
+  g_cancellable_disconnect (cancellable, handler_id);
+}
+
+static void
+get_identity (GoaKerberosIdentityManager *self,
+              Operation                  *operation)
+{
+  GoaIdentity *identity;
+
+  goa_debug ("GoaKerberosIdentityManager: get identity %s", operation->identifier);
+  identity = g_hash_table_lookup (self->priv->identities, operation->identifier);
+
+  if (identity == NULL)
+    {
+      g_simple_async_result_set_error (operation->result,
+                                       GOA_IDENTITY_MANAGER_ERROR,
+                                       GOA_IDENTITY_MANAGER_ERROR_IDENTITY_NOT_FOUND,
+                                       _("Could not find identity"));
+      g_simple_async_result_set_op_res_gpointer (operation->result, NULL, NULL);
+
+      return;
+    }
+
+  g_simple_async_result_set_op_res_gpointer (operation->result,
+                                             g_object_ref (identity),
+                                             (GDestroyNotify) g_object_unref);
+}
+
+static void
+sign_in_identity (GoaKerberosIdentityManager *self,
+                  Operation                  *operation)
+{
+  GoaIdentity *identity;
+  GError *error;
+  krb5_error_code error_code;
+
+  goa_debug ("GoaKerberosIdentityManager: signing in identity %s",
+             operation->identifier);
+  error = NULL;
+  identity = g_hash_table_lookup (self->priv->identities, operation->identifier);
+  if (identity == NULL)
+    {
+      krb5_ccache credentials_cache;
+
+      if (g_strcmp0 (self->priv->credentials_cache_type, "FILE") == 0)
+        {
+          krb5_ccache default_cache;
+
+          error_code = krb5_cc_default (self->priv->kerberos_context, &default_cache);
+
+          if (error_code == 0)
+            krb5_cc_dup (self->priv->kerberos_context, default_cache, &credentials_cache);
+        }
+      else
+        {
+          error_code = krb5_cc_new_unique (self->priv->kerberos_context,
+                                           self->priv->credentials_cache_type,
+                                           NULL,
+                                           &credentials_cache);
+        }
+
+      if (error_code != 0)
+        {
+          const char *error_message;
+
+          error_message =
+            krb5_get_error_message (self->priv->kerberos_context, error_code);
+          goa_debug ("GoaKerberosIdentityManager:         Error creating new cache for identity credentials: %s",
+                     error_message);
+          krb5_free_error_message (self->priv->kerberos_context, error_message);
+
+          g_simple_async_result_set_error (operation->result,
+                                           GOA_IDENTITY_MANAGER_ERROR,
+                                           GOA_IDENTITY_MANAGER_ERROR_CREATING_IDENTITY,
+                                           _("Could not create credential cache for identity"));
+          g_simple_async_result_set_op_res_gpointer (operation->result, NULL, NULL);
+
+        }
+      else
+        {
+          identity = goa_kerberos_identity_new (self->priv->kerberos_context,
+                                                credentials_cache,
+                                                &error);
+          if (identity == NULL)
+            {
+              krb5_cc_close (self->priv->kerberos_context, credentials_cache);
+              g_simple_async_result_take_error (operation->result, error);
+              g_simple_async_result_set_op_res_gpointer (operation->result,
+                                                         NULL,
+                                                         NULL);
+              return;
+            }
+        }
+    }
+
+  g_hash_table_replace (self->priv->identities,
+                        g_strdup (operation->identifier),
+                        g_object_ref (identity));
+
+  if (!goa_kerberos_identity_sign_in (GOA_KERBEROS_IDENTITY (identity),
+                                      operation->identifier,
+                                      operation->initial_password,
+                                      operation->sign_in_flags,
+                                      (GoaIdentityInquiryFunc)
+                                      on_kerberos_identity_inquiry,
+                                      operation,
+                                      NULL,
+                                      operation->cancellable,
+                                      &error))
+    {
+      g_simple_async_result_set_from_error (operation->result, error);
+      g_simple_async_result_set_op_res_gpointer (operation->result,
+                                                 NULL,
+                                                 NULL);
+
+    }
+  else
+    {
+      g_simple_async_result_set_op_res_gpointer (operation->result,
+                                                 g_object_ref (identity),
+                                                 (GDestroyNotify)
+                                                 g_object_unref);
+    }
+}
+
+static void
+sign_out_identity (GoaKerberosIdentityManager *self,
+                   Operation                  *operation)
+{
+  GError *error;
+  gboolean was_signed_out;
+  char *identity_name;
+
+  identity_name =
+    goa_kerberos_identity_get_principal_name (GOA_KERBEROS_IDENTITY
+                                              (operation->identity));
+  goa_debug ("GoaKerberosIdentityManager: signing out identity %s", identity_name);
+  g_free (identity_name);
+
+  error = NULL;
+  was_signed_out =
+    goa_kerberos_identity_erase (GOA_KERBEROS_IDENTITY (operation->identity),
+                                 &error);
+
+  if (!was_signed_out)
+    {
+      goa_debug ("GoaKerberosIdentityManager: could not sign out identity: %s",
+               error->message);
+      g_error_free (error);
+    }
+}
+
+static void
+block_scheduler_job (GoaKerberosIdentityManager *self)
+{
+  g_mutex_lock (&self->priv->scheduler_job_lock);
+  while (self->priv->is_blocking_scheduler_job)
+    g_cond_wait (&self->priv->scheduler_job_unblocked,
+                 &self->priv->scheduler_job_lock);
+  self->priv->is_blocking_scheduler_job = TRUE;
+  g_mutex_unlock (&self->priv->scheduler_job_lock);
+}
+
+static void
+stop_blocking_scheduler_job (GoaKerberosIdentityManager *self)
+{
+  g_mutex_lock (&self->priv->scheduler_job_lock);
+  self->priv->is_blocking_scheduler_job = FALSE;
+  g_cond_signal (&self->priv->scheduler_job_unblocked);
+  g_mutex_unlock (&self->priv->scheduler_job_lock);
+}
+
+static void
+wait_for_scheduler_job_to_become_unblocked (GoaKerberosIdentityManager *self)
+{
+  g_mutex_lock (&self->priv->scheduler_job_lock);
+  while (self->priv->is_blocking_scheduler_job)
+    g_cond_wait (&self->priv->scheduler_job_unblocked,
+                 &self->priv->scheduler_job_lock);
+  g_mutex_unlock (&self->priv->scheduler_job_lock);
+}
+
+static void
+on_job_cancelled (GCancellable               *cancellable,
+                  GoaKerberosIdentityManager *self)
+{
+  Operation *operation;
+  operation = operation_new (self, cancellable, OPERATION_TYPE_STOP_JOB, NULL);
+  g_async_queue_push (self->priv->pending_operations, operation);
+
+  stop_blocking_scheduler_job (self);
+}
+
+static gboolean
+on_job_scheduled (GIOSchedulerJob            *job,
+                  GCancellable               *cancellable,
+                  GoaKerberosIdentityManager *self)
+{
+  GAsyncQueue *pending_operations;
+
+  g_assert (cancellable != NULL);
+
+  g_cancellable_connect (cancellable, G_CALLBACK (on_job_cancelled), self, NULL);
+
+  /* Take ownership of queue, since we may out live the identity manager */
+  pending_operations = g_async_queue_ref (self->priv->pending_operations);
+  while (!g_cancellable_is_cancelled (cancellable))
+    {
+      Operation *operation;
+      gboolean processed_operation;
+      GError *error = NULL;
+
+      operation = g_async_queue_pop (pending_operations);
+
+      if (operation->result != NULL &&
+          g_cancellable_set_error_if_cancelled (operation->cancellable,
+                                                &error))
+        {
+          g_simple_async_result_take_error (operation->result, error);
+          g_simple_async_result_complete_in_idle (operation->result);
+          g_object_unref (operation->result);
+          operation->result = NULL;
+          continue;
+        }
+
+      operation->job = job;
+
+      switch (operation->type)
+        {
+        case OPERATION_TYPE_STOP_JOB:
+          /* do nothing, loop will exit next iteration since cancellable
+           * is cancelled
+           */
+          g_assert (g_cancellable_is_cancelled (cancellable));
+          operation_free (operation);
+          continue;
+        case OPERATION_TYPE_REFRESH:
+          processed_operation = refresh_identities (operation->manager, operation);
+          break;
+        case OPERATION_TYPE_GET_IDENTITY:
+          get_identity (operation->manager, operation);
+          processed_operation = TRUE;
+          break;
+        case OPERATION_TYPE_LIST:
+          list_identities (operation->manager, operation);
+          processed_operation = TRUE;
+
+          /* We want to block refreshes (and their associated "added"
+           * and "removed" signals) until the caller has had
+           * a chance to look at the batch of
+           * results we already processed
+           */
+          g_assert (operation->result != NULL);
+
+          goa_debug
+            ("GoaKerberosIdentityManager:         Blocking until identities list processed");
+          block_scheduler_job (self);
+          g_object_weak_ref (G_OBJECT (operation->result),
+                             (GWeakNotify) stop_blocking_scheduler_job, self);
+          goa_debug ("GoaKerberosIdentityManager:         Continuing");
+          break;
+        case OPERATION_TYPE_SIGN_IN:
+          sign_in_identity (operation->manager, operation);
+          processed_operation = TRUE;
+          break;
+        case OPERATION_TYPE_SIGN_OUT:
+          sign_out_identity (operation->manager, operation);
+          processed_operation = TRUE;
+          break;
+        case OPERATION_TYPE_RENEW:
+          renew_identity (operation->manager, operation);
+          processed_operation = TRUE;
+          break;
+        }
+
+      operation->job = NULL;
+
+      if (operation->result != NULL)
+        {
+          g_simple_async_result_complete_in_idle (operation->result);
+          g_object_unref (operation->result);
+          operation->result = NULL;
+        }
+      operation_free (operation);
+
+      wait_for_scheduler_job_to_become_unblocked (self);
+
+      /* Don't bother saying "Waiting for next operation" if this operation
+       * was a no-op, since the debug spew probably already says the message
+       */
+      if (processed_operation)
+        goa_debug ("GoaKerberosIdentityManager: Waiting for next operation");
+    }
+
+  g_async_queue_unref (pending_operations);
+
+  return FALSE;
+}
+
+static void
+goa_kerberos_identity_manager_get_identity (GoaIdentityManager   *manager,
+                                            const char           *identifier,
+                                            GCancellable         *cancellable,
+                                            GAsyncReadyCallback   callback,
+                                            gpointer              user_data)
+{
+  GoaKerberosIdentityManager *self = GOA_KERBEROS_IDENTITY_MANAGER (manager);
+  GSimpleAsyncResult *result;
+  Operation *operation;
+
+  result = g_simple_async_result_new (G_OBJECT (self),
+                                      callback,
+                                      user_data,
+                                      goa_kerberos_identity_manager_get_identity);
+  operation = operation_new (self, cancellable, OPERATION_TYPE_GET_IDENTITY, result);
+  g_object_unref (result);
+
+  operation->identifier = g_strdup (identifier);
+
+  g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static GoaIdentity *
+goa_kerberos_identity_manager_get_identity_finish (GoaIdentityManager  *self,
+                                                   GAsyncResult        *result,
+                                                   GError             **error)
+{
+  GoaIdentity *identity;
+
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+                                             error))
+    return NULL;
+
+  identity =
+    g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+
+  return identity;
+}
+
+static void
+goa_kerberos_identity_manager_list_identities (GoaIdentityManager  *manager,
+                                               GCancellable        *cancellable,
+                                               GAsyncReadyCallback  callback,
+                                               gpointer             user_data)
+{
+  GoaKerberosIdentityManager *self = GOA_KERBEROS_IDENTITY_MANAGER (manager);
+  GSimpleAsyncResult         *result;
+  Operation                  *operation;
+
+  result = g_simple_async_result_new (G_OBJECT (self),
+                                      callback,
+                                      user_data,
+                                      goa_kerberos_identity_manager_list_identities);
+
+  operation = operation_new (self, cancellable, OPERATION_TYPE_LIST, result);
+  g_object_unref (result);
+
+  g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static GList *
+goa_kerberos_identity_manager_list_identities_finish (GoaIdentityManager  *manager,
+                                                      GAsyncResult        *result,
+                                                      GError             **error)
+{
+  GList *identities;
+
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+                                             error))
+    return NULL;
+
+  identities =
+    g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+
+  return identities;
+
+}
+
+static void
+goa_kerberos_identity_manager_renew_identity (GoaIdentityManager  *manager,
+                                              GoaIdentity         *identity,
+                                              GCancellable        *cancellable,
+                                              GAsyncReadyCallback  callback,
+                                              gpointer             user_data)
+{
+  GoaKerberosIdentityManager *self = GOA_KERBEROS_IDENTITY_MANAGER (manager);
+  GSimpleAsyncResult *result;
+  Operation *operation;
+
+  result = g_simple_async_result_new (G_OBJECT (self),
+                                      callback,
+                                      user_data,
+                                      goa_kerberos_identity_manager_renew_identity);
+  operation = operation_new (self, cancellable, OPERATION_TYPE_RENEW, result);
+  g_object_unref (result);
+
+  operation->identity = g_object_ref (identity);
+
+  g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static void
+goa_kerberos_identity_manager_renew_identity_finish (GoaIdentityManager  *self,
+                                                     GAsyncResult        *result,
+                                                     GError             **error)
+{
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+                                             error))
+    return;
+}
+
+static void
+goa_kerberos_identity_manager_sign_identity_in (GoaIdentityManager     *manager,
+                                                const char             *identifier,
+                                                gconstpointer           initial_password,
+                                                GoaIdentitySignInFlags  flags,
+                                                GoaIdentityInquiryFunc  inquiry_func,
+                                                gpointer                inquiry_data,
+                                                GCancellable           *cancellable,
+                                                GAsyncReadyCallback     callback,
+                                                gpointer                user_data)
+{
+  GoaKerberosIdentityManager *self = GOA_KERBEROS_IDENTITY_MANAGER (manager);
+  GSimpleAsyncResult *result;
+  Operation *operation;
+
+  result = g_simple_async_result_new (G_OBJECT (self),
+                                      callback,
+                                      user_data,
+                                      goa_kerberos_identity_manager_sign_identity_in);
+  operation = operation_new (self, cancellable, OPERATION_TYPE_SIGN_IN, result);
+  g_object_unref (result);
+
+  operation->identifier = g_strdup (identifier);
+  /* Not duped. Caller is responsible for ensuring it stays alive
+   * for duration of operation
+   */
+  operation->initial_password = initial_password;
+  operation->sign_in_flags = flags;
+  operation->inquiry_func = inquiry_func;
+  operation->inquiry_data = inquiry_data;
+  g_mutex_init (&operation->inquiry_lock);
+  g_cond_init (&operation->inquiry_finished_condition);
+  operation->is_inquiring = FALSE;
+
+  g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static GoaIdentity *
+goa_kerberos_identity_manager_sign_identity_in_finish (GoaIdentityManager  *self,
+                                                       GAsyncResult        *result,
+                                                       GError             **error)
+{
+  GoaIdentity *identity;
+
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), error))
+    return NULL;
+
+  identity =
+    g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+
+  return identity;
+}
+
+static void
+goa_kerberos_identity_manager_sign_identity_out (GoaIdentityManager  *manager,
+                                                 GoaIdentity         *identity,
+                                                 GCancellable        *cancellable,
+                                                 GAsyncReadyCallback  callback,
+                                                 gpointer             user_data)
+{
+  GoaKerberosIdentityManager *self = GOA_KERBEROS_IDENTITY_MANAGER (manager);
+  GSimpleAsyncResult *result;
+  Operation *operation;
+
+  result = g_simple_async_result_new (G_OBJECT (self),
+                                      callback,
+                                      user_data,
+                                      goa_kerberos_identity_manager_sign_identity_out);
+  operation = operation_new (self, cancellable, OPERATION_TYPE_SIGN_OUT, result);
+  g_object_unref (result);
+
+  operation->identity = g_object_ref (identity);
+
+  g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static void
+goa_kerberos_identity_manager_sign_identity_out_finish (GoaIdentityManager  *self,
+                                                        GAsyncResult        *result,
+                                                        GError             **error)
+{
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), error))
+    return;
+
+  return;
+}
+
+static char *
+goa_kerberos_identity_manager_name_identity (GoaIdentityManager *manager,
+                                             GoaIdentity        *identity)
+{
+  GoaKerberosIdentityManager *self = GOA_KERBEROS_IDENTITY_MANAGER (manager);
+  char *name;
+  GList *other_identities;
+  gboolean other_identity_needs_rename;
+
+  name = goa_kerberos_identity_get_realm_name (GOA_KERBEROS_IDENTITY (identity));
+
+  if (name == NULL)
+    return NULL;
+
+  other_identities = g_hash_table_lookup (self->priv->identities_by_realm, name);
+
+  /* If there was already exactly one identity for this realm before,
+   * then it was going by just the realm name, so we need to rename it
+   * to use the full principle name
+   */
+  if (other_identities != NULL &&
+      other_identities->next == NULL && other_identities->data != identity)
+    other_identity_needs_rename = TRUE;
+
+  other_identities = g_list_remove (other_identities, identity);
+  other_identities = g_list_prepend (other_identities, identity);
+
+  g_hash_table_replace (self->priv->identities_by_realm,
+                        g_strdup (name),
+                        other_identities);
+
+  if (other_identities->next != NULL)
+    {
+      g_free (name);
+      name = goa_kerberos_identity_get_principal_name (GOA_KERBEROS_IDENTITY (identity));
+
+      if (other_identity_needs_rename)
+        {
+          GoaIdentity *other_identity = other_identities->next->data;
+
+          _goa_identity_manager_emit_identity_renamed (GOA_IDENTITY_MANAGER (self),
+                                                       other_identity);
+        }
+    }
+
+  return name;
+}
+
+static void
+identity_manager_interface_init (GoaIdentityManagerInterface *interface)
+{
+  interface->get_identity = goa_kerberos_identity_manager_get_identity;
+  interface->get_identity_finish = goa_kerberos_identity_manager_get_identity_finish;
+  interface->list_identities = goa_kerberos_identity_manager_list_identities;
+  interface->list_identities_finish = goa_kerberos_identity_manager_list_identities_finish;
+  interface->sign_identity_in = goa_kerberos_identity_manager_sign_identity_in;
+  interface->sign_identity_in_finish = goa_kerberos_identity_manager_sign_identity_in_finish;
+  interface->sign_identity_out = goa_kerberos_identity_manager_sign_identity_out;
+  interface->sign_identity_out_finish = goa_kerberos_identity_manager_sign_identity_out_finish;
+  interface->renew_identity = goa_kerberos_identity_manager_renew_identity;
+  interface->renew_identity_finish = goa_kerberos_identity_manager_renew_identity_finish;
+  interface->name_identity = goa_kerberos_identity_manager_name_identity;
+}
+
+static void
+on_credentials_cache_changed (GFileMonitor               *monitor,
+                              GFile                      *file,
+                              GFile                      *other_file,
+                              GFileMonitorEvent          *event_type,
+                              GoaKerberosIdentityManager *self)
+{
+  schedule_refresh (self);
+}
+
+static gboolean
+monitor_credentials_cache (GoaKerberosIdentityManager  *self,
+                           GError                     **error)
+{
+  krb5_ccache default_cache;
+  const char *cache_type;
+  const char *cache_path;
+  GFile *file;
+  GFileMonitor *monitor;
+  krb5_error_code error_code;
+  GError *monitoring_error;
+
+  error_code = krb5_cc_default (self->priv->kerberos_context, &default_cache);
+
+  if (error_code != 0)
+    {
+      const char *error_message;
+      error_message =
+        krb5_get_error_message (self->priv->kerberos_context, error_code);
+
+      g_set_error_literal (error,
+                           GOA_IDENTITY_MANAGER_ERROR,
+                           GOA_IDENTITY_MANAGER_ERROR_ACCESSING_CREDENTIALS,
+                           error_message);
+      krb5_free_error_message (self->priv->kerberos_context, error_message);
+
+      return FALSE;
+    }
+
+  cache_type = krb5_cc_get_type (self->priv->kerberos_context, default_cache);
+  g_assert (cache_type != NULL);
+
+  if (strcmp (cache_type, "FILE") != 0 && strcmp (cache_type, "DIR") != 0)
+    {
+      g_set_error (error,
+                   GOA_IDENTITY_MANAGER_ERROR,
+                   GOA_IDENTITY_MANAGER_ERROR_UNSUPPORTED_CREDENTIALS,
+                   "Only 'FILE' and 'DIR' credential cache types are really supported, not '%s'",
+                   cache_type);
+      return FALSE;
+    }
+
+  g_free (self->priv->credentials_cache_type);
+  self->priv->credentials_cache_type = g_strdup (cache_type);
+
+  /* If we're using a FILE type credential cache, then the
+   * default cache file is the only cache we care about,
+   * and its path is what we want to monitor.
+   *
+   * If we're using a DIR type credential cache, then the default
+   * cache file is one of many possible cache files, all in the
+   * same directory.  We want to monitor that directory.
+   */
+  cache_path = krb5_cc_get_name (self->priv->kerberos_context, default_cache);
+
+  /* The cache name might have a : in front of it.
+   * See goakerberosidentity.c (fetch_raw_credentials) for similar code
+   * FIXME: figure out if that behavior is by design, or some
+   * odd bug.
+   */
+  if (cache_path[0] == ':')
+    cache_path++;
+
+  file = g_file_new_for_path (cache_path);
+
+  monitoring_error = NULL;
+  if (strcmp (cache_type, "FILE") == 0)
+    {
+      monitor = g_file_monitor_file (file,
+                                     G_FILE_MONITOR_NONE,
+                                     NULL,
+                                     &monitoring_error);
+    }
+  else if (strcmp (cache_type, "DIR") == 0)
+    {
+      GFile *directory;
+
+      directory = g_file_get_parent (file);
+      monitor = g_file_monitor_directory (directory,
+                                          G_FILE_MONITOR_NONE,
+                                          NULL,
+                                          &monitoring_error);
+      g_object_unref (directory);
+
+    }
+  else
+    {
+      g_assert_not_reached ();
+    }
+  g_object_unref (file);
+
+  if (monitor == NULL)
+    {
+      g_propagate_error (error, monitoring_error);
+      return FALSE;
+    }
+
+  self->priv->credentials_cache_changed_signal_id =
+    g_signal_connect (G_OBJECT (monitor), "changed",
+                      G_CALLBACK (on_credentials_cache_changed), self);
+  self->priv->credentials_cache_monitor = monitor;
+
+  return TRUE;
+}
+
+static void
+stop_watching_credentials_cache (GoaKerberosIdentityManager *self)
+{
+  if (!g_file_monitor_is_cancelled (self->priv->credentials_cache_monitor))
+    g_file_monitor_cancel (self->priv->credentials_cache_monitor);
+
+  g_object_unref (self->priv->credentials_cache_monitor);
+  self->priv->credentials_cache_monitor = NULL;
+}
+
+static gboolean
+goa_kerberos_identity_manager_initable_init (GInitable     *initable,
+                                             GCancellable  *cancellable,
+                                             GError       **error)
+{
+  GoaKerberosIdentityManager *self = GOA_KERBEROS_IDENTITY_MANAGER (initable);
+  krb5_error_code error_code;
+  GError *monitoring_error;
+
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    return FALSE;
+
+  error_code = krb5_init_context (&self->priv->kerberos_context);
+
+  if (error_code != 0)
+    {
+      const char *error_message;
+      error_message =
+        krb5_get_error_message (self->priv->kerberos_context, error_code);
+
+      g_set_error_literal (error,
+                           GOA_IDENTITY_MANAGER_ERROR,
+                           GOA_IDENTITY_MANAGER_ERROR_INITIALIZING, error_message);
+      krb5_free_error_message (self->priv->kerberos_context, error_message);
+
+      return FALSE;
+    }
+
+  monitoring_error = NULL;
+  if (!monitor_credentials_cache (self, &monitoring_error))
+    {
+      goa_warning ("GoaKerberosIdentityManager: Could not monitor credentials: %s",
+                   monitoring_error->message);
+      g_error_free (monitoring_error);
+    }
+
+  schedule_refresh (self);
+
+  return TRUE;
+}
+
+static void
+initable_interface_init (GInitableIface *interface)
+{
+  interface->init = goa_kerberos_identity_manager_initable_init;
+}
+
+static void
+goa_kerberos_identity_manager_init (GoaKerberosIdentityManager *self)
+{
+  self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+                                            GOA_TYPE_KERBEROS_IDENTITY_MANAGER,
+                                            GoaKerberosIdentityManagerPrivate);
+  self->priv->identities = g_hash_table_new_full (g_str_hash,
+                                                  g_str_equal,
+                                                  (GDestroyNotify)
+                                                  g_free,
+                                                  (GDestroyNotify) g_object_unref);
+  self->priv->expired_identities = g_hash_table_new_full (g_str_hash,
+                                                          g_str_equal,
+                                                          (GDestroyNotify)
+                                                          g_free, NULL);
+
+  self->priv->identities_by_realm = g_hash_table_new_full (g_str_hash,
+                                                           g_str_equal,
+                                                           (GDestroyNotify)
+                                                           g_free, NULL);
+  self->priv->pending_operations = g_async_queue_new ();
+
+  g_mutex_init (&self->priv->scheduler_job_lock);
+  g_cond_init (&self->priv->scheduler_job_unblocked);
+
+  self->priv->scheduler_cancellable = g_cancellable_new ();
+  g_io_scheduler_push_job ((GIOSchedulerJobFunc)
+                           on_job_scheduled,
+                           self,
+                           NULL,
+                           G_PRIORITY_DEFAULT,
+                           self->priv->scheduler_cancellable);
+
+}
+
+static void
+cancel_pending_operations (GoaKerberosIdentityManager *self)
+{
+  Operation *operation;
+
+  operation = g_async_queue_try_pop (self->priv->pending_operations);
+  while (operation != NULL)
+    {
+      g_cancellable_cancel (operation->cancellable);
+      operation_free (operation);
+      operation = g_async_queue_try_pop (self->priv->pending_operations);
+    }
+}
+
+static void
+goa_kerberos_identity_manager_dispose (GObject *object)
+{
+  GoaKerberosIdentityManager *self = GOA_KERBEROS_IDENTITY_MANAGER (object);
+
+  if (self->priv->identities_by_realm != NULL)
+    {
+      g_hash_table_unref (self->priv->identities_by_realm);
+      self->priv->identities_by_realm = NULL;
+    }
+
+  if (self->priv->expired_identities != NULL)
+    {
+      g_hash_table_unref (self->priv->expired_identities);
+      self->priv->expired_identities = NULL;
+    }
+
+  if (self->priv->identities != NULL)
+    {
+      g_hash_table_unref (self->priv->identities);
+      self->priv->identities = NULL;
+    }
+
+  if (self->priv->credentials_cache_monitor != NULL)
+    stop_watching_credentials_cache (self);
+
+  if (self->priv->pending_operations != NULL)
+    cancel_pending_operations (self);
+
+  if (self->priv->scheduler_cancellable != NULL)
+    {
+      if (!g_cancellable_is_cancelled (self->priv->scheduler_cancellable))
+        {
+          g_cancellable_cancel (self->priv->scheduler_cancellable);
+        }
+
+      g_clear_object (&self->priv->scheduler_cancellable);
+    }
+
+  /* Note, other thread may still be holding a local reference to queue
+   * while it shuts down from cancelled scheduler_cancellable above
+   */
+  if (self->priv->pending_operations != NULL)
+    {
+      g_async_queue_unref (self->priv->pending_operations);
+      self->priv->pending_operations = NULL;
+    }
+
+  G_OBJECT_CLASS (goa_kerberos_identity_manager_parent_class)->dispose (object);
+}
+
+static void
+goa_kerberos_identity_manager_finalize (GObject *object)
+{
+  GoaKerberosIdentityManager *self = GOA_KERBEROS_IDENTITY_MANAGER (object);
+
+  g_free (self->priv->credentials_cache_type);
+
+  g_cond_clear (&self->priv->scheduler_job_unblocked);
+  krb5_free_context (self->priv->kerberos_context);
+
+  G_OBJECT_CLASS (goa_kerberos_identity_manager_parent_class)->finalize (object);
+}
+
+static void
+goa_kerberos_identity_manager_class_init (GoaKerberosIdentityManagerClass *klass)
+{
+  GObjectClass *object_class = G_OBJECT_CLASS (klass);
+
+  object_class->dispose = goa_kerberos_identity_manager_dispose;
+  object_class->finalize = goa_kerberos_identity_manager_finalize;
+
+  g_type_class_add_private (klass, sizeof (GoaKerberosIdentityManagerPrivate));
+}
+
+GoaIdentityManager *
+goa_kerberos_identity_manager_new (GCancellable * cancellable, GError ** error)
+{
+  if (goa_kerberos_identity_manager_singleton == NULL)
+    {
+      GObject *object;
+
+      object = g_object_new (GOA_TYPE_KERBEROS_IDENTITY_MANAGER, NULL);
+
+      goa_kerberos_identity_manager_singleton = GOA_IDENTITY_MANAGER (object);
+      g_object_add_weak_pointer (object,
+                                 (gpointer *) &
+                                 goa_kerberos_identity_manager_singleton);
+
+      error = NULL;
+      if (!g_initable_init (G_INITABLE (object), cancellable, error))
+        {
+          g_object_unref (object);
+          return NULL;
+        }
+
+    }
+  else
+    {
+      if (g_cancellable_set_error_if_cancelled (cancellable, error))
+        return NULL;
+      g_object_ref (goa_kerberos_identity_manager_singleton);
+    }
+
+  return goa_kerberos_identity_manager_singleton;
+}
diff --git a/src/goaidentity/goakerberosidentitymanager.h b/src/goaidentity/goakerberosidentitymanager.h
new file mode 100644
index 0000000..c087667
--- /dev/null
+++ b/src/goaidentity/goakerberosidentitymanager.h
@@ -0,0 +1,61 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GOA_KERBEROS_IDENTITY_MANAGER_H__
+#define __GOA_KERBEROS_IDENTITY_MANAGER_H__
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include "goaidentitymanager.h"
+#include "goakerberosidentity.h"
+
+G_BEGIN_DECLS
+#define GOA_TYPE_KERBEROS_IDENTITY_MANAGER           (goa_kerberos_identity_manager_get_type ())
+#define GOA_KERBEROS_IDENTITY_MANAGER(obj)           (G_TYPE_CHECK_INSTANCE_CAST (obj, GOA_TYPE_KERBEROS_IDENTITY_MANAGER, GoaKerberosIdentityManager))
+#define GOA_KERBEROS_IDENTITY_MANAGER_CLASS(cls)     (G_TYPE_CHECK_CLASS_CAST (cls, GOA_TYPE_KERBEROS_IDENTITY_MANAGER, GoaKerberosIdentityManagerClass))
+#define GOA_IS_KERBEROS_IDENTITY_MANAGER(obj)        (G_TYPE_CHECK_INSTANCE_TYPE (obj, GOA_TYPE_KERBEROS_IDENTITY_MANAGER))
+#define GOA_IS_KERBEROS_IDENTITY_MANAGER_CLASS(obj)  (G_TYPE_CHECK_CLASS_TYPE (obj, GOA_TYPE_KERBEROS_IDENTITY_MANAGER))
+#define GOA_KERBEROS_IDENTITY_MANAGER_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), GOA_TYPE_KERBEROS_IDENTITY_MANAGER, GoaKerberosIdentityManagerClass))
+typedef struct _GoaKerberosIdentityManager GoaKerberosIdentityManager;
+typedef struct _GoaKerberosIdentityManagerClass GoaKerberosIdentityManagerClass;
+typedef struct _GoaKerberosIdentityManagerPrivate GoaKerberosIdentityManagerPrivate;
+struct _GoaKerberosIdentityManager
+{
+  GObject parent_instance;
+  GoaKerberosIdentityManagerPrivate *priv;
+};
+
+struct _GoaKerberosIdentityManagerClass
+{
+  GObjectClass parent_class;
+};
+
+GType goa_kerberos_identity_manager_get_type (void);
+GoaIdentityManager *goa_kerberos_identity_manager_new (GCancellable  *cancellable,
+                                                       GError       **error);
+
+void goa_kerberos_identity_manager_start_test (GoaKerberosIdentityManager  *manager,
+                                               GError                     **error);
+G_END_DECLS
+#endif /* __GOA_KERBEROS_IDENTITY_MANAGER_H__ */
diff --git a/src/goaidentity/org.freedesktop.realmd.xml b/src/goaidentity/org.freedesktop.realmd.xml
new file mode 100644
index 0000000..557de5c
--- /dev/null
+++ b/src/goaidentity/org.freedesktop.realmd.xml
@@ -0,0 +1,666 @@
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd";>
+<node name="/">
+
+	<!--
+	  org.freedesktop.realmd.Provider:
+	  @short_description: a realm provider
+
+	  Various realm providers represent different software implementations
+	  that provide access to realms or domains.
+
+	  This interface is implemented by individual providers, but is
+	  aggregated globally at the system bus name
+	  <literal>org.freedesktop.realmd</literal>
+	  with the object path <literal>/org/freedesktop/realmd</literal>
+	-->
+	<interface name="org.freedesktop.realmd.Provider">
+
+		<!--
+		  Name: the name of the provider
+
+		  The name of the provider. This is not normally displayed
+		  to the user, but may be useful for diagnostics or debugging.
+		-->
+		<property name="Name" type="s" access="read"/>
+
+		<!--
+		  Version: the version of the provider
+
+		  The version of the provider. This is not normally used in
+		  logic, but may be useful for diagnostics or debugging.
+		-->
+		<property name="Version" type="s" access="read"/>
+
+		<!--
+		  Realms: a list of realms
+
+		  A list of known, enrolled or discovered realms. All realms
+		  that this provider knows about are listed here. As realms
+		  are discovered they are added to this list.
+
+		  Each realm is represented by the DBus object path of the
+		  realm object.
+		-->
+		<property name="Realms" type="ao" access="read"/>
+
+		<!--
+		  Discover:
+		  @string: an input string to discover realms for
+		  @options: options for the discovery operation
+		  @relevance: the relevance of the returned results
+		  @realm: a list of realms discovered
+
+		  Discover realms for the given string. The input @string is
+		  usually a domain or realm name, perhaps typed by a user. If
+		  an empty string is provided the realm provider should try to
+		  discover a default realm if possible (eg: from DHCP).
+
+		  @options can contain, but is not limited to, the following values:
+		  <itemizedlist>
+		    <listitem><para><literal>operation</literal>: a string
+		      identifier chosen by the client, which can then later be
+		      passed to org.freedesktop.realmd.Service.Cancel() in order
+		      to cancel the operation</para></listitem>
+		  </itemizedlist>
+
+		  The @relevance returned can be used to rank results from
+		  different discover calls to different providers. Implementors
+		  should return a positive number if the provider highly
+		  recommends that the realms be handled by this provider,
+		  or a zero if it can possibly handle the realms. Negative
+		  should be returned if no realms are found.
+
+		  This method does not return an error when no realms are
+		  discovered. It simply returns an @realm list.
+
+		  To see diagnostic information about the discovery process
+		  connect to the org.freedesktop.realmd.Service::Diagnostics
+		  signal.
+
+		  This method requires authorization for the PolicyKit action
+		  called <literal>org.freedesktop.realmd.discover-realm</literal>.
+
+		  In addition to common DBus error results, this method may
+		  return:
+		  <itemizedlist>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
+		      may be returned if the discovery could not be run for some reason.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
+		      returned if the operation was cancelled.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
+		      returned if the calling client is not permitted to perform a discovery
+		      operation.</para></listitem>
+		  </itemizedlist>
+		-->
+		<method name="Discover">
+			<arg name="string" type="s" direction="in"/>
+			<arg name="options" type="a{sv}" direction="in"/>
+			<arg name="relevance" type="i" direction="out"/>
+			<arg name="realm" type="ao" direction="out"/>
+		</method>
+
+	</interface>
+
+	<!--
+	  org.freedesktop.realmd.Service:
+	  @short_description: the realmd service
+
+	  Global calls for managing the realmd service. Usually you'll want
+	  to use #org.freedesktop.realmd.Provider instead.
+
+	  This interface is implemented by the realmd service, and is always
+	  available at the object path <literal>/org/freedesktop/realmd</literal>
+
+	  The service also implements the
+	  <literal>org.freedesktop.DBus.ObjectManager</literal> interface which
+	  makes it easy to retrieve all realmd objects and properties in one go.
+	-->
+	<interface name="org.freedesktop.realmd.Service">
+
+		<!--
+		  Cancel:
+		  @operation: the operation to cancel
+
+		  Cancel a realmd operation. To be able to cancel an operation
+		  pass a uniquely chosen <literal>operation</literal> string
+		  identifier as an option in the methods <literal>options</literal>
+		  argument.
+
+		  These operation string identifiers should be unique per client
+		  calling the realmd service.
+
+		  It is not guaranteed that the service can or will cancel the
+		  operation. For example the operation may have already completed
+		  by the time this method is handled. The caller of the operation
+		  method will receive a
+		  <literal>org.freedesktop.realmd.Error.Cancelled</literal>
+		  if the operation was cancelled.
+		-->
+		<method name="Cancel">
+			<arg name="operation" type="s" direction="in"/>
+		</method>
+
+		<!--
+		  SetLocale:
+		  @locale: the locale for the client
+
+		  Set the language @locale for the client. This locale is used
+		  for error messages. The locale is used until the next time
+		  this method is called, the client disconnects, or the client
+		  calls #org.freedesktop.realmd.Service.Release().
+		-->
+		<method name="SetLocale">
+			<arg name="locale" type="s" direction="in"/>
+		</method>
+
+		<!--
+		  Diagnostics:
+		  @data: diagnostic data
+		  @operation: the operation this data resulted from
+
+		  This signal is fired when diagnostics result from an operation
+		  in the provider or one of its realms.
+
+		  It is not guaranteed that this signal is emitted once per line.
+		  More than one line may be contained in @data, or a partial
+		  line. New line characters are embedded in @data.
+
+		  This signal is sent explicitly to the client which invoked
+		  operation method. In order to tell which operation this
+		  diagnostic data results from, pass a unique
+		  <literal>operation</literal> string identifier in the
+		  <literal>options</literal> argument of the operation method.
+		  That same identifier will be passed back via the @operation
+		  argument of this signal.
+		-->
+		<signal name="Diagnostics">
+			<arg name="data" type="s"/>
+			<arg name="operation" type="s"/>
+		</signal>
+
+		<!--
+		  Release:
+
+		  Normally realmd waits until all clients have disconnected
+		  before exiting itself, sometime later. For long lived clients
+		  they can call this method to allow the realmd service to quit.
+		  This is an optimization. The daemon will not exit immediately.
+		  It is safe to call this multiple times.
+		-->
+		<method name="Release">
+			<!-- no arguments -->
+		</method>
+
+	</interface>
+
+	<!--
+	  org.freedesktop.realmd.Realm:
+	  @short_description: a realm
+
+	  Represents one realm.
+
+	  Contains generic information about a realm, and useful properties for
+	  introspecting what kind of realm this is and how to work with
+	  the realm.
+
+	  Use #org.freedesktop.realmd.Provider:Realms or
+	  #org.freedesktop.realmd.Provider.Discover() to get access to some
+	  kerberos realm objects.
+
+	  Realms will always implement additional interfaces, such as
+	  #org.freedesktop.realmd.Kerberos.  Do not assume that all realms
+	  implement that kerberos interface. Use the
+	  #org.freedesktop.realmd.Realm:SupportedInterfaces property to see
+	  which interfaces are set.
+
+	  Different realms support various ways to configure them on the
+	  system. Use the #org.freedesktop.realmd.Realm:Configured property
+	  to determine if a realm is configured. If it is configured the
+	  property will be set to the interface of the mechanism that was
+	  used to configure it.
+
+	  To configure a realm, look in the
+	  #org.freedesktop.realmd.Realm:SupportedInterfaces property for a
+	  recognized purpose specific interface that can be used for
+	  configuration, such as the
+	  #org.freedesktop.realmd.KerberosMembership interface and its
+	  #org.freedesktop.realmd.KerberosMembership.Join() method.
+
+	  To deconfigure a realm from the current system, you can use the
+	  #org.freedesktop.realmd.Realm.Deconfigure() method. In additon some
+	  of the configuration specific interfaces provide methods to
+	  deconfigure a realm in a specific way, such as
+	  #org.freedesktop.realmd.KerberosMembership.Leave() method.
+
+	  The various properties are guaranteed to have been updated before
+	  the operation methods return, if they change state.
+	-->
+	<interface name="org.freedesktop.realmd.Realm">
+
+		<!--
+		  Name: the realm name
+
+		  This is the name of the realm, appropriate for display to
+		  end users where necessary.
+		-->
+		<property name="Name" type="s" access="read"/>
+
+		<!--
+		  Configured: whether this domain is configured and how
+
+		  If this property is an empty string, then the realm is not
+		  configured. Otherwise the realm is configured, and contains
+		  a string which is the interface that represents how it was
+		  configured, for example #org.freedesktop.realmd.KerberosMembership.
+		-->
+		<property name="Configured" type="s" access="read"/>
+
+		<!--
+		  Deconfigure: deconfigure this realm
+
+		  Deconfigure this realm from the local machine with standard
+		  default behavior.
+
+		  The behavior of this method depends on the which configuration
+		  interface is present in the
+		  #org.freedesktop.realmd.Realm.Configured property. It does not
+		  always delete membership accounts in the realm, but just
+		  reconfigures the local machine so it no longer is configured
+		  for the given realm. In some cases the implementation may try
+		  to update membership accounts, but this is not guaranteed.
+
+		  Various configuration interfaces may support more specific ways
+		  to deconfigure a realm in a specific way, such as the
+		  #org.freedesktop.realmd.KerberosMembership.Leave() method.
+
+		  @options can contain, but is not limited to, the following values:
+		  <itemizedlist>
+		    <listitem><para><literal>operation</literal>: a string
+		      identifier chosen by the client, which can then later be
+		      passed to org.freedesktop.realmd.Service.Cancel() in order
+		      to cancel the operation</para></listitem>
+		  </itemizedlist>
+
+		  This method requires authorization for the PolicyKit action
+		  called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
+
+		  In addition to common DBus error results, this method may return:
+		  <itemizedlist>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
+		      may be returned if the deconfigure failed for a generic reason.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
+		      returned if the operation was cancelled.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
+		      returned if the calling client is not permitted to deconfigure a
+		      realm.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
+		      returned if this realm is not configured on the machine.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
+		      returned if the service is currently performing another operation like
+		      join or leave.</para></listitem>
+		  </itemizedlist>
+		-->
+		<method name="Deconfigure">
+			<arg name="options" type="a{sv}" direction="in"/>
+		</method>
+
+		<!--
+		  SupportedInterfaces:
+
+		  Additional supported interfaces of this realm. This includes
+		  interfaces that contain more information about the realm,
+		  such as #org.freedesktop.realmd.Kerberos and interfaces
+		  which contain methods for configuring a realm, such as
+		  #org.freedesktop.realmd.KerberosMembership.
+		-->
+		<property name="SupportedInterfaces" type="as" access="read"/>
+
+		<!--
+		  Details: informational details about the realm
+
+		  Informational details about the realm. The following values
+		  should be present:
+		  <itemizedlist>
+		    <listitem><para><literal>server-software</literal>:
+		      identifier of the software running on the server (eg:
+		      <literal>active-directory</literal>).</para></listitem>
+		    <listitem><para><literal>client-software</literal>:
+		      identifier of the software running on the client (eg:
+		      <literal>sssd</literal>).</para></listitem>
+		  </itemizedlist>
+		-->
+		<property name="Details" type="a(ss)" access="read"/>
+
+		<!--
+		  LoginFormats: supported formats for login names
+
+		  Supported formats for login to this realm. This is only
+		  relevant once the realm has been enrolled. The formats
+		  will contain a <literal>%U</literal> in the string, which
+		  indicate where the user name should be placed. The formats
+		  may contain a <literal>%D</literal> in the string which
+		  indicate where a domain name should be placed.
+
+		  The first format in the list is the preferred format for
+		  login names.
+		-->
+		<property name="LoginFormats" type="as" access="read"/>
+
+		<!--
+		  LoginPolicy: the policy for logins using this realm
+
+		  The policy for logging into this computer using this realm.
+
+		  The policy can be changed using the
+		  #org.freedesktop.realmd.Realm.ChangeLoginPolicy() method.
+
+		  The following policies are predefined. Not all providers
+		  support all these policies and there may be provider specific
+		  policies or multiple policies represented in the string:
+		  <itemizedlist>
+		    <listitem><para><literal>allow-any-login</literal>: allow
+		      login by any authenticated user present in this
+		      realm.</para></listitem>
+		    <listitem><para><literal>allow-permitted-logins</literal>:
+		      only allow the logins permitted in the
+		      #org.freedesktop.realmd.Realm:PermittedLogins
+		      property.</para></listitem>
+		    <listitem><para><literal>deny-any-login</literal>:
+		      don't allow any logins via authenticated users of this
+		      realm.</para></listitem>
+		  </itemizedlist>
+		-->
+		<property name="LoginPolicy" type="s" access="read"/>
+
+		<!--
+		  PermittedLogins: the permitted login names
+
+		  The list of permitted authenticated users allowed to login
+		  into this computer. This is only relevant if the
+		  #org.freedesktop.realmd.Realm:LoginPolicy property
+		  contains the <literal>allow-permitted-logins</literal>
+		  string.
+		-->
+		<property name="PermittedLogins" type="as" access="read"/>
+
+		<!--
+		  ChangeLoginPolicy:
+		  @login_policy: the new login policy, or an empty string
+		  @permitted_add: a list of logins to permit
+		  @permitted_remove: a list of logins to not permit
+		  @options: options for this operation
+
+		  Change the login policy and/or permitted logins for this realm.
+
+		  Not all realms support the all the various login policies. An
+		  error will be returned if the new login policy is not supported.
+		  You may specify an empty string for the @login_policy argument
+		  which will cause no change in the policy itself. If the policy
+		  is changed, it will be reflected in the
+		  #org.freedesktop.realmd.Realm:LoginPolicy property.
+
+		  The @permitted_add and @permitted_remove arguments represent
+		  lists of login names that should be added and removed from
+		  the #org.freedesktop.realmd.Kerberos:PermittedLogins property.
+
+		  @options can contain, but is not limited to, the following values:
+		  <itemizedlist>
+		    <listitem><para><literal>operation</literal>: a string
+		      identifier chosen by the client, which can then later be
+		      passed to org.freedesktop.realmd.Service.Cancel() in order
+		      to cancel the operation</para></listitem>
+		  </itemizedlist>
+
+		  This method requires authorization for the PolicyKit action
+		  called <literal>org.freedesktop.realmd.login-policy</literal>.
+
+		  In addition to common DBus error results, this method may return:
+		  <itemizedlist>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
+		      may be returned if the policy change failed for a generic reason.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
+		      returned if the operation was cancelled.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
+		      returned if the calling client is not permitted to change login policy
+		      operation.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
+		      returned if the realm is not configured.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
+		      returned if the service is currently performing another operation like
+		      join or leave.</para></listitem>
+		  </itemizedlist>
+		-->
+		<method name="ChangeLoginPolicy">
+			<arg name="login_policy" type="s" direction="in"/>
+			<arg name="permitted_add" type="as" direction="in"/>
+			<arg name="permitted_remove" type="as" direction="in"/>
+			<arg name="options" type="a{sv}" direction="in"/>
+		</method>
+
+	</interface>
+
+	<!--
+	  org.freedesktop.realmd.Kerberos:
+	  @short_description: a kerberos realm
+
+	  An interface that describes a kerberos realm in more detail. This
+	  is always implemented on an DBus object path that also implements
+	  the #org.freedesktop.realmd.Realm interface.
+	-->
+	<interface name="org.freedesktop.realmd.Kerberos">
+
+		<!--
+		  RealmName: the kerberos realm name
+
+		  The kerberos name for this realm. This is usually in upper
+		  case.
+		-->
+		<property name="RealmName" type="s" access="read"/>
+
+		<!--
+		  DomainName: the DNS domain name
+
+		  The DNS domain name for this realm.
+		-->
+		<property name="DomainName" type="s" access="read"/>
+
+	</interface>
+
+	<!--
+	  org.freedesktop.realmd.KerberosMembership:
+
+	  An interface used to configure this machine by joining a realm.
+
+	  It sets up a computer/host account in the realm for this machine
+	  and a keytab to track the credentials for that account.
+
+	  The various properties are guaranteed to have been updated before
+	  the operation methods return, if they change state.
+	-->
+	<interface name="org.freedesktop.realmd.KerberosMembership">
+
+		<!--
+		  SuggestedAdministrator: common administrator name
+
+		  The common administrator name for this type of realm. This
+		  can be used by clients as a hint when prompting the user for
+		  administrative authentication.
+		-->
+		<property name="SuggestedAdministrator" type="s" access="read"/>
+
+		<!--
+		  SupportedJoinCredentials: credentials supported for joining
+
+		  Various kinds of credentials that are supported when calling the
+		  #org.freedesktop.realmd.Kerberos.Join() method.
+
+		  Each credential is represented by a type, and an owner. The type
+		  denotes which kind of credential is passed to the method. The
+		  owner indicates to the client how to prompt the user or obtain
+		  the credential, and to the service how to use the credential.
+
+		  The various types are:
+		  <itemizedlist>
+		    <listitem><para><literal>ccache</literal>:
+		      the credentials should contain an array of bytes as a
+		      <literal>ay</literal> containing the data from a kerberos
+		      credential cache file.</para></listitem>
+		    <listitem><para><literal>password</literal>:
+		      the credentials should contain a pair of strings as a
+		      <literal>(ss)</literal> representing a name and
+		      password. The name may contain a realm in the standard
+		      kerberos format. If missing, it will default to this
+		      realm. The name may be empty for a computer or one time
+		      password.</para></listitem>
+		    <listitem><para><literal>automatic</literal>:
+		      the credentials should contain an empty string as a
+		      <literal>s</literal>. Using <literal>automatic</literal>
+		      indicates that default or system credentials are to be
+		      used.</para></listitem>
+		  </itemizedlist>
+
+		  The various owners are:
+		  <itemizedlist>
+		    <listitem><para><literal>administrator</literal>:
+		      the credentials belong to a kerberos user principal.
+		      The caller may use this as a hint to prompt the user
+		      for administrative credentials.</para></listitem>
+		    <listitem><para><literal>user</literal>:
+		      the credentials belong to a kerberos user principal.
+		      The caller may use this as a hint to prompt the user
+		      for his (possibly non-administrative)
+		      credentials.</para></listitem>
+		    <listitem><para><literal>computer</literal>:
+		      the credentials belong to the computer realmd is
+		      being run on.</para></listitem>
+		    <listitem><para><literal>secret</literal>:
+		      the credentials are a one time password or other secret
+		      used to join or leave the computer.</para></listitem>
+		  </itemizedlist>
+		-->
+		<property name="SupportedJoinCredentials" type="a(ss)" access="read"/>
+
+		<!--
+		  SupportedLeaveCredentials: credentials supported for leaving
+
+		  Various kinds of credentials that are supported when calling the
+		  #org.freedesktop.realmd.Kerberos.Leave() method.
+
+		  See #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials for
+		  a discussion of what the values represent.
+		-->
+		<property name="SupportedLeaveCredentials" type="a(ss)" access="read"/>
+
+		<!--
+		  Join:
+
+		  Join this machine to the realm and enroll the machine.
+
+		  If this method returns successfully then the machine will be
+		  joined to the realm. It is not necessary to restart services or the
+		  machine afterward. Relevant properties on the realm will be updated
+		  before the method returns.
+
+		  The @credentials should be set according to one of the
+		  supported credentials returned by
+		  #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials.
+		  The first string in the tuple is the type, the second string
+		  is the owner, and the variant contains the credential contents
+		  See the discussion at
+		  #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials
+		  for more information.
+
+		  @options can contain, but is not limited to, the following values:
+		  <itemizedlist>
+		    <listitem><para><literal>operation</literal>: a string
+		      identifier chosen by the client, which can then later be
+		      passed to org.freedesktop.realmd.Service.Cancel() in order
+		      to cancel the operation</para></listitem>
+		  </itemizedlist>
+
+		  This method requires authorization for the PolicyKit action
+		  called <literal>org.freedesktop.realmd.configure-realm</literal>.
+
+		  In addition to common DBus error results, this method may return:
+		  <itemizedlist>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
+		      may be returned if the join failed for a generic reason.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
+		      returned if the operation was cancelled.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
+		      returned if the calling client is not permitted to perform an join
+		      operation.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
+		      returned if the credentials passed did not authenticate against the realm
+		      correctly. It is appropriate to prompt the user again.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.AlreadyEnrolled</literal>:
+		      returned if already enrolled in this realm, or another realm and enrolling
+		      in multiple realms is not supported.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
+		      returned if the service is currently performing another operation like
+		      join or leave.</para></listitem>
+		  </itemizedlist>
+		-->
+		<method name="Join">
+			<arg name="credentials" type="(ssv)" direction="in"/>
+			<arg name="options" type="a{sv}" direction="in"/>
+		</method>
+
+		<!--
+		  Leave:
+
+		  Leave the realm and unenroll the machine.
+
+		  If this method returns successfully then the machine will have
+		  left the domain and been unenrolled. It is not necessary to restart
+		  services or the machine afterward. Relevant properties on the realm
+		  will be updated before the method returns.
+
+		  The @credentials should be set according to one of the
+		  supported credentials returned by
+		  #org.freedesktop.realmd.Kerberos:SupportedUnenrollCredentials.
+		  The first string in the tuple is the type, the second string
+		  is the owner, and the variant contains the credential contents
+		  See the discussion at
+		  #org.freedesktop.realmd.Kerberos:SupportedEnrollCredentials
+		  for more information.
+
+		  @options can contain, but is not limited to, the following values:
+		  <itemizedlist>
+		    <listitem><para><literal>operation</literal>: a string
+		      identifier chosen by the client, which can then later be
+		      passed to org.freedesktop.realmd.Service.Cancel() in order
+		      to cancel the operation</para></listitem>
+		  </itemizedlist>
+
+		  This method requires authorization for the PolicyKit action
+		  called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
+
+		  In addition to common DBus error results, this method may return:
+		  <itemizedlist>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
+		      may be returned if the unenroll failed for a generic reason.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
+		      returned if the operation was cancelled.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
+		      returned if the calling client is not permitted to perform an unenroll
+		      operation.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
+		      returned if the credentials passed did not authenticate against the realm
+		      correctly. It is appropriate to prompt the user again.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.NotEnrolled</literal>:
+		      returned if not enrolled in this realm.</para></listitem>
+		    <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
+		      returned if the service is currently performing another operation like
+		      enroll or unenroll.</para></listitem>
+		  </itemizedlist>
+		-->
+		<method name="Leave">
+			<arg name="credentials" type="(ssv)" direction="in"/>
+			<arg name="options" type="a{sv}" direction="in"/>
+		</method>
+
+	</interface>
+
+</node>
diff --git a/src/goaidentity/org.gnome.Identity.xml b/src/goaidentity/org.gnome.Identity.xml
new file mode 100644
index 0000000..c7ffd43
--- /dev/null
+++ b/src/goaidentity/org.gnome.Identity.xml
@@ -0,0 +1,124 @@
+<!DOCTYPE node PUBLIC
+"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd";>
+
+<!--
+ Copyright (C) 2012 Red Hat, Inc.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General
+ Public License along with this library; if not, write to the
+ Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+ Boston, MA 02111-1307, USA.
+
+ Author: Ray Strode <rstrode redhat com>
+-->
+
+<node name="/" xmlns:doc="http://www.freedesktop.org/dbus/1.0/doc.dtd";>
+  <!--
+      org.gnome.Identity.Manager:
+
+      An interface used for managing identities.
+  -->
+  <interface name="org.gnome.Identity.Manager">
+
+    <method name="ExchangeSecretKeys">
+      <arg name="input_key" type="s" direction="in"/>
+      <arg name="output_key" type="s" direction="out"/>
+    </method>
+
+    <!--
+        SignIn:
+        @identifier: kerberos principal or partial principal
+        @details: Extra key/value pairs to set.
+        @identity_object_path: The object path of the signed in identity.
+
+        Signs in an identity. Available details are:
+
+        * domain: e.g. example.com
+        * initial-password: D-H encrypted initial password.
+                            Must call ExchangeSecretKeys() first.
+        * disallow-renewal: Don't request renewable ticket
+        * disallow-forwarding: Don't request forwardable ticket
+        * disallow-proxying: Don't request proxiable ticket
+
+    -->
+    <method name="SignIn">
+      <arg name="identifier" type="s" direction="in"/>
+      <arg name="details" type="a{ss}" direction="in"/>
+      <arg name="identity_object_path" type="o" direction="out"/>
+    </method>
+
+    <!--
+        SignOut:
+        @identity: The identifier of the identity (i.e., a kerberos principal name)
+
+        Signs out an identity.
+    -->
+    <method name="SignOut">
+      <arg name="identity" type="s" direction="in"/>
+    </method>
+  </interface>
+
+  <!--
+      org.gnome.Identity:
+
+      The identity interface.
+  -->
+  <interface name="org.gnome.Identity">
+    <!--
+        Identifier:
+        Unique string identifying identity (i.e., a kerberos principal name)
+    -->
+    <property name="Identifier" type="s" access="read"/>
+
+    <!--
+        ExpirationTimestamp:
+        The time the identity's credentials will expire
+    -->
+    <property name="ExpirationTimestamp" type="x" access="read"/>
+
+    <!--
+        IsSignedIn:
+        Whether or not the identity is currently signed in
+    -->
+    <property name="IsSignedIn" type="b" access="read"/>
+
+  </interface>
+
+  <!--
+      org.gnome.Identity.Realm:
+
+      The realm interface.
+  -->
+  <interface name="org.gnome.Identity.Realm">
+    <!--
+        Name:
+        Kerberos realm (e.g., EXAMPLE.COM)
+    -->
+    <property name="Name" type="s" access="read"/>
+
+    <!--
+        Domain:
+        host of domain controller (e.g., example.com)
+    -->
+    <property name="Domain" type="s" access="read"/>
+
+    <!--
+        IsEnrolled:
+        Whether or not the machine is currently enrolled in the realm
+    -->
+    <property name="IsEnrolled" type="b" access="read"/>
+
+  </interface>
+
+</node>
diff --git a/src/goaidentity/um-realm-manager.c b/src/goaidentity/um-realm-manager.c
new file mode 100644
index 0000000..301c905
--- /dev/null
+++ b/src/goaidentity/um-realm-manager.c
@@ -0,0 +1,828 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright 2009-2012  Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Written by: Matthias Clasen <mclasen redhat com>
+ *             Stef Walter <stefw gnome org>
+ */
+
+#include "config.h"
+
+#include "um-realm-manager.h"
+
+#include <krb5/krb5.h>
+
+#include <glib.h>
+#include <glib/gi18n.h>
+#include <glib/gstdio.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+
+
+struct _UmRealmManager {
+        UmRealmObjectManagerClient parent;
+        UmRealmProvider *provider;
+        guint diagnostics_sig;
+};
+
+typedef struct {
+        UmRealmProviderProxyClass parent_class;
+} UmRealmManagerClass;
+
+enum {
+        REALM_ADDED,
+        NUM_SIGNALS,
+};
+
+static gint signals[NUM_SIGNALS] = { 0, };
+
+G_DEFINE_TYPE (UmRealmManager, um_realm_manager, UM_REALM_TYPE_OBJECT_MANAGER_CLIENT);
+
+GQuark
+um_realm_error_get_quark (void)
+{
+        static GQuark quark = 0;
+        if (quark == 0)
+                quark = g_quark_from_static_string ("um-realm-error");
+        return quark;
+}
+
+static gboolean
+is_realm_with_kerberos_and_membership (gpointer object)
+{
+        GDBusInterface *interface;
+
+        if (!G_IS_DBUS_OBJECT (object))
+                return FALSE;
+
+        interface = g_dbus_object_get_interface (object, "org.freedesktop.realmd.Kerberos");
+        if (interface == NULL)
+                return FALSE;
+        g_object_unref (interface);
+
+        interface = g_dbus_object_get_interface (object, "org.freedesktop.realmd.KerberosMembership");
+        if (interface == NULL)
+                return FALSE;
+        g_object_unref (interface);
+
+        return TRUE;
+}
+
+static void
+on_interface_added (GDBusObjectManager *manager,
+                    GDBusObject *object,
+                    GDBusInterface *interface)
+{
+        g_dbus_proxy_set_default_timeout (G_DBUS_PROXY (interface), G_MAXINT);
+}
+
+static void
+on_object_added (GDBusObjectManager *manager,
+                 GDBusObject *object,
+                 gpointer user_data)
+{
+        if (is_realm_with_kerberos_and_membership (object))
+                g_signal_emit (user_data, signals[REALM_ADDED], 0, object);
+}
+
+static void
+um_realm_manager_init (UmRealmManager *self)
+{
+        g_signal_connect (self, "object-added", G_CALLBACK (on_object_added), self);
+        g_signal_connect (self, "interface-added", G_CALLBACK (on_interface_added), self);
+}
+
+static void
+um_realm_manager_dispose (GObject *obj)
+{
+        UmRealmManager *self = UM_REALM_MANAGER (obj);
+        GDBusConnection *connection;
+
+        g_clear_object (&self->provider);
+
+        if (self->diagnostics_sig) {
+                connection = g_dbus_object_manager_client_get_connection (G_DBUS_OBJECT_MANAGER_CLIENT (self));
+                if (connection != NULL)
+                        g_dbus_connection_signal_unsubscribe (connection, self->diagnostics_sig);
+                self->diagnostics_sig = 0;
+        }
+
+        G_OBJECT_CLASS (um_realm_manager_parent_class)->dispose (obj);
+}
+
+static void
+um_realm_manager_class_init (UmRealmManagerClass *klass)
+{
+        GObjectClass *object_class = G_OBJECT_CLASS (klass);
+
+        object_class->dispose = um_realm_manager_dispose;
+
+        signals[REALM_ADDED] = g_signal_new ("realm-added", UM_TYPE_REALM_MANAGER,
+                                             G_SIGNAL_RUN_FIRST, 0, NULL, NULL,
+                                             g_cclosure_marshal_generic,
+                                             G_TYPE_NONE, 1, UM_REALM_TYPE_OBJECT);
+}
+
+static void
+on_realm_diagnostics (GDBusConnection *connection,
+                      const gchar *sender_name,
+                      const gchar *object_path,
+                      const gchar *interface_name,
+                      const gchar *signal_name,
+                      GVariant *parameters,
+                      gpointer user_data)
+{
+        const gchar *message;
+        const gchar *unused;
+
+        if (g_variant_is_of_type (parameters, G_VARIANT_TYPE ("(ss)"))) {
+                /* Data is already formatted appropriately for stderr */
+                g_variant_get (parameters, "(&s&s)", &message, &unused);
+                g_printerr ("%s", message);
+        }
+}
+
+static gboolean
+number_at_least (const gchar *number,
+                 guint minimum)
+{
+        gchar *end;
+
+        if (strtol (number, &end, 10) < (long)minimum)
+                return FALSE;
+        if (!end || *end != '\0')
+                return FALSE;
+        return TRUE;
+}
+
+static gboolean
+version_compare (const char *version,
+                 guint req_major,
+                 guint req_minor)
+{
+        gboolean match = FALSE;
+        gchar **parts;
+
+        parts = g_strsplit (version, ".", 2);
+
+        if (parts[0] && parts[1]) {
+                match = number_at_least (parts[0], req_major) &&
+                        number_at_least (parts[1], req_minor);
+        }
+
+        g_strfreev (parts);
+        return match;
+}
+
+void
+um_realm_manager_new (GCancellable *cancellable,
+                      GAsyncReadyCallback callback,
+                      gpointer user_data)
+{
+        g_async_initable_new_async (UM_TYPE_REALM_MANAGER, G_PRIORITY_DEFAULT,
+                                    cancellable, callback, user_data,
+                                    "flags", G_DBUS_OBJECT_MANAGER_CLIENT_FLAGS_NONE,
+                                    "name", "org.freedesktop.realmd",
+                                    "bus-type", G_BUS_TYPE_SYSTEM,
+                                    "object-path", "/org/freedesktop/realmd",
+                                    "get-proxy-type-func", um_realm_object_manager_client_get_proxy_type,
+                                    NULL);
+}
+
+UmRealmManager *
+um_realm_manager_new_finish (GAsyncResult *result,
+                             GError **error)
+{
+        UmRealmManager *self;
+        GDBusConnection *connection;
+        GObject *source_object;
+        const gchar *version;
+        GObject *ret;
+        guint sig;
+
+        source_object = g_async_result_get_source_object (result);
+        ret = g_async_initable_new_finish (G_ASYNC_INITABLE (source_object), result, error);
+        g_object_unref (source_object);
+
+        if (ret == NULL)
+                return NULL;
+
+        self = UM_REALM_MANAGER (ret);
+        connection = g_dbus_object_manager_client_get_connection (G_DBUS_OBJECT_MANAGER_CLIENT (self));
+
+        /*
+         * TODO: Remove this version checking. This is temporary code, so
+         * just use sync here. Shortly we'll be stabilizing the realmd
+         * interfaces.
+         */
+
+        self->provider = um_realm_provider_proxy_new_sync (connection, G_DBUS_PROXY_FLAGS_NONE,
+                                                           "org.freedesktop.realmd",
+                                                           "/org/freedesktop/realmd",
+                                                           NULL, error);
+        if (self->provider == NULL) {
+                g_object_unref (self);
+                return NULL;
+        }
+
+        version = um_realm_provider_get_version (self->provider);
+        if (version == NULL || !version_compare (version, 0, 7)) {
+                /* No need to bother translators with this temporary message */
+                g_set_error (error, UM_REALM_ERROR, UM_REALM_ERROR_GENERIC,
+                             "realmd version should be at least 0.7");
+                g_object_unref (self);
+                return NULL;
+        }
+
+        sig = g_dbus_connection_signal_subscribe (connection,
+                                                  "org.freedesktop.realmd",
+                                                  "org.freedesktop.realmd.Service",
+                                                  "Diagnostics",
+                                                  NULL,
+                                                  NULL,
+                                                  G_DBUS_SIGNAL_FLAGS_NONE,
+                                                  on_realm_diagnostics,
+                                                  NULL,
+                                                  NULL);
+        self->diagnostics_sig = sig;
+
+        return self;
+}
+
+typedef struct {
+        GDBusObjectManager *manager;
+        GCancellable *cancellable;
+        GList *realms;
+} DiscoverClosure;
+
+static void
+discover_closure_free (gpointer data)
+{
+        DiscoverClosure *discover = data;
+        g_object_unref (discover->manager);
+        g_clear_object (&discover->cancellable);
+        g_list_free_full (discover->realms, g_object_unref);
+        g_slice_free (DiscoverClosure, discover);
+}
+
+static void
+on_provider_discover (GObject *source,
+                      GAsyncResult *result,
+                      gpointer user_data)
+{
+        GSimpleAsyncResult *async = G_SIMPLE_ASYNC_RESULT (user_data);
+        DiscoverClosure *discover = g_simple_async_result_get_op_res_gpointer (async);
+        GDBusObject *object;
+        GError *error = NULL;
+        gchar **realms;
+        gint relevance;
+        gint i;
+
+        um_realm_provider_call_discover_finish (UM_REALM_PROVIDER (source), &relevance,
+                                                &realms, result, &error);
+        if (error == NULL) {
+                for (i = 0; realms[i]; i++) {
+                        object = g_dbus_object_manager_get_object (discover->manager, realms[i]);
+                        if (object == NULL)
+                                g_warning ("Realm is not in object manager: %s", realms[i]);
+                        else
+                                discover->realms = g_list_prepend (discover->realms, object);
+                }
+
+        } else {
+                g_simple_async_result_take_error (async, error);
+                g_simple_async_result_complete (async);
+        }
+
+        g_object_unref (async);
+}
+
+void
+um_realm_manager_discover (UmRealmManager *self,
+                           const gchar *input,
+                           GCancellable *cancellable,
+                           GAsyncReadyCallback callback,
+                           gpointer user_data)
+{
+        GSimpleAsyncResult *res;
+        DiscoverClosure *discover;
+        GVariant *options;
+
+        g_return_if_fail (UM_IS_REALM_MANAGER (self));
+        g_return_if_fail (input != NULL);
+        g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
+
+        res = g_simple_async_result_new (G_OBJECT (self), callback, user_data,
+                                         um_realm_manager_discover);
+        discover = g_slice_new0 (DiscoverClosure);
+        discover->manager = g_object_ref (self);
+        discover->cancellable = cancellable ? g_object_ref (cancellable) : NULL;
+        g_simple_async_result_set_op_res_gpointer (res, discover, discover_closure_free);
+
+	options = g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0);
+
+        um_realm_provider_call_discover (self->provider, input, options, cancellable,
+                                         on_provider_discover, g_object_ref (res));
+
+        g_object_unref (res);
+}
+
+GList *
+um_realm_manager_discover_finish (UmRealmManager *self,
+                                  GAsyncResult *result,
+                                  GError **error)
+{
+        GSimpleAsyncResult *async;
+        DiscoverClosure *discover;
+        GList *realms;
+
+        g_return_val_if_fail (UM_IS_REALM_MANAGER (self), NULL);
+        g_return_val_if_fail (g_simple_async_result_is_valid (result, G_OBJECT (self),
+                              um_realm_manager_discover), NULL);
+        g_return_val_if_fail (error == NULL || *error == NULL, NULL);
+
+        async = G_SIMPLE_ASYNC_RESULT (result);
+        if (g_simple_async_result_propagate_error (async, error))
+                return NULL;
+
+        discover = g_simple_async_result_get_op_res_gpointer (async);
+        if (!discover->realms) {
+                g_set_error (error, UM_REALM_ERROR, UM_REALM_ERROR_GENERIC,
+                             _("No such domain or realm found"));
+                return NULL;
+        }
+
+        realms = g_list_reverse (discover->realms);
+        discover->realms = NULL;
+        return realms;
+}
+
+GList *
+um_realm_manager_get_realms (UmRealmManager *self)
+{
+        GList *objects;
+        GList *realms = NULL;
+        GList *l;
+
+        g_return_val_if_fail (UM_IS_REALM_MANAGER (self), NULL);
+
+        objects = g_dbus_object_manager_get_objects (G_DBUS_OBJECT_MANAGER (self));
+        for (l = objects; l != NULL; l = g_list_next (l)) {
+                if (is_realm_with_kerberos_and_membership (l->data))
+                        realms = g_list_prepend (realms, g_object_ref (l->data));
+        }
+
+        g_list_free_full (objects, g_object_unref);
+        return realms;
+}
+
+static void
+string_replace (GString *string,
+                const gchar *find,
+                const gchar *replace)
+{
+        const gchar *at;
+        gssize pos;
+
+        at = strstr (string->str, find);
+        if (at != NULL) {
+                pos = at - string->str;
+                g_string_erase (string, pos, strlen (find));
+                g_string_insert (string, pos, replace);
+        }
+}
+
+gchar *
+um_realm_calculate_login (UmRealmCommon *realm,
+                          const gchar *username)
+{
+        GString *string;
+        const gchar *const *formats;
+        gchar *login = NULL;
+
+        formats = um_realm_common_get_login_formats (realm);
+        if (formats[0] != NULL) {
+                string = g_string_new (formats[0]);
+                string_replace (string, "%U", username);
+                string_replace (string, "%D", um_realm_common_get_name (realm));
+                login = g_string_free (string, FALSE);
+        }
+
+        return login;
+
+}
+
+gboolean
+um_realm_is_configured (UmRealmObject *realm)
+{
+        UmRealmCommon *common;
+        const gchar *configured;
+        gboolean is;
+
+        common = um_realm_object_get_common (realm);
+        configured = um_realm_common_get_configured (common);
+        is = configured != NULL && !g_str_equal (configured, "");
+        g_object_unref (common);
+
+        return is;
+}
+
+static const gchar *
+find_supported_credentials (UmRealmKerberosMembership *membership,
+                            const gchar *owner)
+{
+        const gchar *cred_owner;
+        const gchar *cred_type;
+        GVariant *supported;
+        GVariantIter iter;
+
+        supported = um_realm_kerberos_membership_get_supported_join_credentials (membership);
+        g_return_val_if_fail (supported != NULL, NULL);
+
+        g_variant_iter_init (&iter, supported);
+        while (g_variant_iter_loop (&iter, "(&s&s)", &cred_type, &cred_owner)) {
+                if (g_str_equal (owner, cred_owner)) {
+                        if (g_str_equal (cred_type, "ccache") ||
+                            g_str_equal (cred_type, "password")) {
+                                return g_intern_string (cred_type);
+                        }
+                }
+        }
+
+        return NULL;
+}
+
+static void
+on_realm_join_complete (GObject *source,
+                        GAsyncResult *result,
+                        gpointer user_data)
+{
+	GSimpleAsyncResult *async = G_SIMPLE_ASYNC_RESULT (user_data);
+	g_simple_async_result_set_op_res_gpointer (async, g_object_ref (result), g_object_unref);
+	g_simple_async_result_complete_in_idle (async);
+	g_object_unref (async);
+}
+
+static gboolean
+realm_join_as_owner (UmRealmObject *realm,
+                     const gchar *owner,
+                     const gchar *login,
+                     const gchar *password,
+                     GBytes *credentials,
+                     GCancellable *cancellable,
+                     GAsyncReadyCallback callback,
+                     gpointer user_data)
+{
+        UmRealmKerberosMembership *membership;
+        GSimpleAsyncResult *async;
+        GVariant *contents;
+        GVariant *options;
+        GVariant *creds;
+        const gchar *type;
+
+        membership = um_realm_object_get_kerberos_membership (realm);
+        g_return_val_if_fail (membership != NULL, FALSE);
+
+        type = find_supported_credentials (membership, owner);
+        if (type == NULL) {
+                g_object_unref (membership);
+                return FALSE;
+        }
+
+        async = g_simple_async_result_new (G_OBJECT (realm), callback, user_data,
+                                           realm_join_as_owner);
+
+        if (g_str_equal (type, "ccache")) {
+                contents = g_variant_new_from_data (G_VARIANT_TYPE ("ay"),
+                                                    g_bytes_get_data (credentials, NULL),
+                                                    g_bytes_get_size (credentials),
+                                                    TRUE, (GDestroyNotify)g_bytes_unref, credentials);
+
+        } else if (g_str_equal (type, "password")) {
+                contents = g_variant_new ("(ss)", login, password);
+
+        } else {
+                g_assert_not_reached ();
+        }
+
+        creds = g_variant_new ("(ssv)", type, owner, contents);
+        options = g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0);
+
+        um_realm_kerberos_membership_call_join (membership, creds, options,
+                                                cancellable, on_realm_join_complete,
+                                                g_object_ref (async));
+
+        g_object_unref (async);
+        g_object_unref (membership);
+
+        return TRUE;
+}
+
+gboolean
+um_realm_join_as_user (UmRealmObject *realm,
+                       const gchar *login,
+                       const gchar *password,
+                       GBytes *credentials,
+                       GCancellable *cancellable,
+                       GAsyncReadyCallback callback,
+                       gpointer user_data)
+{
+        g_return_val_if_fail (UM_REALM_IS_OBJECT (realm), FALSE);
+        g_return_val_if_fail (credentials != NULL, FALSE);
+        g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), FALSE);
+        g_return_val_if_fail (login != NULL, FALSE);
+        g_return_val_if_fail (password != NULL, FALSE);
+        g_return_val_if_fail (credentials != NULL, FALSE);
+
+        return realm_join_as_owner (realm, "user", login, password,
+                                    credentials, cancellable, callback, user_data);
+}
+
+gboolean
+um_realm_join_as_admin (UmRealmObject *realm,
+                        const gchar *login,
+                        const gchar *password,
+                        GBytes *credentials,
+                        GCancellable *cancellable,
+                        GAsyncReadyCallback callback,
+                        gpointer user_data)
+{
+        g_return_val_if_fail (UM_REALM_IS_OBJECT (realm), FALSE);
+        g_return_val_if_fail (credentials != NULL, FALSE);
+        g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), FALSE);
+        g_return_val_if_fail (login != NULL, FALSE);
+        g_return_val_if_fail (password != NULL, FALSE);
+        g_return_val_if_fail (credentials != NULL, FALSE);
+
+        return realm_join_as_owner (realm, "administrator", login, password, credentials,
+                                    cancellable, callback, user_data);
+}
+
+gboolean
+um_realm_join_finish (UmRealmObject *realm,
+                      GAsyncResult *result,
+                      GError **error)
+{
+        UmRealmKerberosMembership *membership;
+        GError *call_error = NULL;
+        gchar *dbus_error;
+        GAsyncResult *async;
+
+        g_return_val_if_fail (UM_REALM_IS_OBJECT (realm), FALSE);
+        g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
+
+        membership = um_realm_object_get_kerberos_membership (realm);
+        g_return_val_if_fail (membership != NULL, FALSE);
+
+        async = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+        um_realm_kerberos_membership_call_join_finish (membership, async, &call_error);
+        g_object_unref (membership);
+
+        if (call_error == NULL)
+                return TRUE;
+
+        dbus_error = g_dbus_error_get_remote_error (call_error);
+        if (dbus_error == NULL) {
+                g_propagate_error (error, call_error);
+                return FALSE;
+        }
+
+        g_dbus_error_strip_remote_error (call_error);
+
+        if (g_str_equal (dbus_error, "org.freedesktop.realmd.Error.AuthenticationFailed")) {
+                g_set_error (error, UM_REALM_ERROR, UM_REALM_ERROR_BAD_LOGIN,
+                             "%s", call_error->message);
+                g_error_free (call_error);
+        } else {
+                g_propagate_error (error, call_error);
+        }
+
+        g_free (dbus_error);
+        return FALSE;
+}
+
+typedef struct {
+        gchar *domain;
+        gchar *realm;
+        gchar *user;
+        gchar *password;
+        GBytes *credentials;
+} LoginClosure;
+
+static void
+login_closure_free (gpointer data)
+{
+        LoginClosure *login = data;
+        g_free (login->domain);
+        g_free (login->realm);
+        g_free (login->user);
+        g_free (login->password);
+        g_bytes_unref (login->credentials);
+        g_slice_free (LoginClosure, login);
+}
+
+static krb5_error_code
+login_perform_kinit (krb5_context k5,
+                     const gchar *realm,
+                     const gchar *login,
+                     const gchar *password,
+                     const gchar *filename)
+{
+        krb5_get_init_creds_opt *opts;
+        krb5_error_code code;
+        krb5_principal principal;
+        krb5_ccache ccache;
+        krb5_creds creds;
+        gchar *name;
+
+        name = g_strdup_printf ("%s %s", login, realm);
+        code = krb5_parse_name (k5, name, &principal);
+        g_free (name);
+
+        if (code != 0)
+                return code;
+
+        if (filename == NULL)
+                code = krb5_cc_default (k5, &ccache);
+        else
+                code = krb5_cc_resolve (k5, filename, &ccache);
+
+        if (code != 0) {
+                krb5_free_principal (k5, principal);
+                return code;
+        }
+
+        code = krb5_get_init_creds_opt_alloc (k5, &opts);
+        g_return_val_if_fail (code == 0, code);
+
+        code = krb5_get_init_creds_opt_set_out_ccache (k5, opts, ccache);
+        g_return_val_if_fail (code == 0, code);
+
+        code = krb5_get_init_creds_password (k5, &creds, principal,
+                                             (char *)password,
+                                             NULL, 0, 0, NULL, opts);
+
+        krb5_get_init_creds_opt_free (k5, opts);
+        krb5_cc_close (k5, ccache);
+        krb5_free_principal (k5, principal);
+
+        if (code == 0)
+                krb5_free_cred_contents (k5, &creds);
+
+        return code;
+}
+
+static void
+kinit_thread_func (GSimpleAsyncResult *async,
+                   GObject *object,
+                   GCancellable *cancellable)
+{
+        LoginClosure *login = g_simple_async_result_get_op_res_gpointer (async);
+        krb5_context k5 = NULL;
+        krb5_error_code code;
+        GError *error = NULL;
+        gchar *filename = NULL;
+        gchar *contents;
+        gsize length;
+        gint temp_fd;
+
+        filename = g_build_filename (g_get_user_runtime_dir (),
+                                     "um-krb5-creds.XXXXXX", NULL);
+        temp_fd = g_mkstemp_full (filename, O_RDWR, S_IRUSR | S_IWUSR);
+        if (temp_fd == -1) {
+                g_warning ("Couldn't create credential cache file: %s: %s",
+                           filename, g_strerror (errno));
+                g_free (filename);
+                filename = NULL;
+        } else {
+                close (temp_fd);
+        }
+
+        code = krb5_init_context (&k5);
+        if (code == 0) {
+                code = login_perform_kinit (k5, login->realm, login->user,
+                                            login->password, filename);
+        }
+
+        switch (code) {
+        case 0:
+                if (filename != NULL) {
+                        g_file_get_contents (filename, &contents, &length, &error);
+                        if (error == NULL) {
+                                login->credentials = g_bytes_new_take (contents, length);
+                        } else {
+                                g_warning ("Couldn't read credential cache: %s", error->message);
+                                g_error_free (error);
+                        }
+                }
+                break;
+
+        case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+        case KRB5KDC_ERR_CLIENT_REVOKED:
+        case KRB5KDC_ERR_KEY_EXP:
+        case KRB5KDC_ERR_POLICY:
+        case KRB5KDC_ERR_ETYPE_NOSUPP:
+                g_simple_async_result_set_error (async, UM_REALM_ERROR, UM_REALM_ERROR_BAD_LOGIN,
+                                                 _("Cannot log in as %s at the %s domain"),
+                                                 login->user, login->domain);
+                break;
+        case KRB5KDC_ERR_PREAUTH_FAILED:
+                g_simple_async_result_set_error (async, UM_REALM_ERROR, UM_REALM_ERROR_BAD_PASSWORD,
+                                                 _("Invalid password, please try again"));
+                break;
+        default:
+                g_simple_async_result_set_error (async, UM_REALM_ERROR, UM_REALM_ERROR_GENERIC,
+                                                 _("Couldn't connect to the %s domain: %s"),
+                                                 login->domain, krb5_get_error_message (k5, code));
+                break;
+        }
+
+        if (filename) {
+                g_unlink (filename);
+                g_free (filename);
+        }
+
+        if (k5)
+                krb5_free_context (k5);
+}
+
+void
+um_realm_login (UmRealmObject *realm,
+                const gchar *user,
+                const gchar *password,
+                GCancellable *cancellable,
+                GAsyncReadyCallback callback,
+                gpointer user_data)
+{
+        GSimpleAsyncResult *async;
+        LoginClosure *login;
+        UmRealmKerberos *kerberos;
+
+        g_return_if_fail (UM_REALM_IS_OBJECT (realm));
+        g_return_if_fail (user != NULL);
+        g_return_if_fail (password != NULL);
+        g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
+
+        kerberos = um_realm_object_get_kerberos (realm);
+        g_return_if_fail (kerberos != NULL);
+
+        async = g_simple_async_result_new (NULL, callback, user_data,
+                                           um_realm_login);
+        login = g_slice_new0 (LoginClosure);
+        login->domain = g_strdup (um_realm_kerberos_get_domain_name (kerberos));
+        login->realm = g_strdup (um_realm_kerberos_get_realm_name (kerberos));
+        login->user = g_strdup (user);
+        login->password = g_strdup (password);
+        g_simple_async_result_set_op_res_gpointer (async, login, login_closure_free);
+
+        g_simple_async_result_set_handle_cancellation (async, TRUE);
+        g_simple_async_result_run_in_thread (async, kinit_thread_func,
+                                             G_PRIORITY_DEFAULT, cancellable);
+
+        g_object_unref (async);
+        g_object_unref (kerberos);
+}
+
+gboolean
+um_realm_login_finish (GAsyncResult *result,
+                       GBytes **credentials,
+                       GError **error)
+{
+        GSimpleAsyncResult *async;
+        LoginClosure *login;
+
+        g_return_val_if_fail (g_simple_async_result_is_valid (result, NULL,
+                              um_realm_login), FALSE);
+        g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
+
+        async = G_SIMPLE_ASYNC_RESULT (result);
+        if (g_simple_async_result_propagate_error (async, error))
+                return FALSE;
+
+        login = g_simple_async_result_get_op_res_gpointer (async);
+        if (credentials) {
+                if (login->credentials)
+                        *credentials = g_bytes_ref (login->credentials);
+                else
+                        *credentials = NULL;
+        }
+
+        return TRUE;
+}
diff --git a/src/goaidentity/um-realm-manager.h b/src/goaidentity/um-realm-manager.h
new file mode 100644
index 0000000..a604fae
--- /dev/null
+++ b/src/goaidentity/um-realm-manager.h
@@ -0,0 +1,106 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright 2012  Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Written by: Stef Walter <stefw gnome org>
+ */
+
+#ifndef __UM_REALM_MANAGER_H__
+#define __UM_REALM_MANAGER_H__
+
+#include "um-realm-generated.h"
+
+G_BEGIN_DECLS
+
+typedef enum {
+	UM_REALM_ERROR_BAD_LOGIN,
+	UM_REALM_ERROR_BAD_PASSWORD,
+	UM_REALM_ERROR_GENERIC,
+} UmRealmErrors;
+
+#define UM_REALM_ERROR             (um_realm_error_get_quark ())
+
+GQuark           um_realm_error_get_quark         (void) G_GNUC_CONST;
+
+#define UM_TYPE_REALM_MANAGER      (um_realm_manager_get_type ())
+#define UM_REALM_MANAGER(obj)      (G_TYPE_CHECK_INSTANCE_CAST ((obj), UM_TYPE_REALM_MANAGER, UmRealmManager))
+#define UM_IS_REALM_MANAGER(obj)   (G_TYPE_CHECK_INSTANCE_TYPE ((obj), UM_TYPE_REALM_MANAGER))
+
+typedef struct _UmRealmManager UmRealmManager;
+
+GType            um_realm_manager_get_type        (void) G_GNUC_CONST;
+
+void             um_realm_manager_new             (GCancellable *cancellable,
+                                                   GAsyncReadyCallback callback,
+                                                   gpointer user_data);
+
+UmRealmManager * um_realm_manager_new_finish      (GAsyncResult *result,
+                                                   GError **error);
+
+void             um_realm_manager_discover        (UmRealmManager *self,
+                                                   const gchar *input,
+                                                   GCancellable *cancellable,
+                                                   GAsyncReadyCallback callback,
+                                                   gpointer user_data);
+
+GList *          um_realm_manager_discover_finish (UmRealmManager *self,
+                                                   GAsyncResult *result,
+                                                   GError **error);
+
+GList *          um_realm_manager_get_realms      (UmRealmManager *self);
+
+void             um_realm_login                   (UmRealmObject *realm,
+                                                   const gchar *login,
+                                                   const gchar *password,
+                                                   GCancellable *cancellable,
+                                                   GAsyncReadyCallback callback,
+                                                   gpointer user_data);
+
+gboolean         um_realm_login_finish            (GAsyncResult *result,
+                                                   GBytes **credentials,
+                                                   GError **error);
+
+gboolean         um_realm_join_as_user            (UmRealmObject *realm,
+                                                   const gchar *login,
+                                                   const gchar *password,
+                                                   GBytes *credentials,
+                                                   GCancellable *cancellable,
+                                                   GAsyncReadyCallback callback,
+                                                   gpointer user_data)
+                                                   G_GNUC_WARN_UNUSED_RESULT;
+
+gboolean         um_realm_join_as_admin           (UmRealmObject *realm,
+                                                   const gchar *login,
+                                                   const gchar *password,
+                                                   GBytes *credentials,
+                                                   GCancellable *cancellable,
+                                                   GAsyncReadyCallback callback,
+                                                   gpointer user_data)
+                                                   G_GNUC_WARN_UNUSED_RESULT;
+
+gboolean         um_realm_join_finish             (UmRealmObject *realm,
+                                                   GAsyncResult *result,
+                                                   GError **error);
+
+gboolean         um_realm_is_configured           (UmRealmObject *realm);
+
+gchar *          um_realm_calculate_login         (UmRealmCommon *realm,
+                                                   const gchar *username);
+
+G_END_DECLS
+
+#endif /* __UM_REALM_H__ */



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]