Bug 1520936

Summary: Unable to authenticate using Kerberos without krb5-auth-dialog package
Product: Red Hat Enterprise Linux 7
Reporter: afox <afox>
Component: evolution-mapi
Assignee: Milan Crha <mcrha>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.4
CC: afox, debarshir, dominik.mierzejewski, jkoten, mcrha, tpelka, vanhoof
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: evolution-mapi-3.22.6-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 10:20:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1546815, 1571842
Attachments:
  proposed ema patch (flags: none)
  proposed eds patch (flags: none)
  Example error notification about an expired account (flags: none)

Description afox@redhat.com 2017-12-05 13:38:54 UTC
Description of problem:
After configuring a MAPI account in evolution using Kerberos authentication, evolution is unable to access the account, showing "The name org.gnome.krbauthdialog was not provided by any .service files" error. 

The krb5-auth-dialog package was deprecated in RHEL7, but there is clearly still a dependency on it for evolution. Installing the krb5-auth-dialog-3.20.0-1.fc25 package from Fedora works, but it should still be present in RHEL repositories if software has a dependency on it. 

Version-Release number of selected component (if applicable):
openchange-2.3-2.el7.x86_64
evolution-data-server-3.22.7-6.el7.x86_64
evolution-mapi-3.22.6-1.el7.x86_64
evolution-3.22.6-10.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Configure a MAPI account using Kerberos in Evolution.

Actual results:
Error "The name org.gnome.krbauthdialog was not provided by any .service files" is shown.

Expected results:
Authentication dialogue should be displayed.

Comment 2 Milan Crha 2017-12-05 13:41:23 UTC
Thanks for a bug report. What had it been replaced with, please? It's used to be able to ask the user about the kerberos password in the UI. A workaround is to use `kinit` in a terminal.

Comment 4 Milan Crha 2017-12-05 14:17:17 UTC
I see that both evolution-data-server and evolution-mapi can try to call org.gnome.KrbAuthDialog D-Bus service calling acquireTgt method, both to refresh the kerberos token from the UI.

Rishi, how does one replace org.gnome.KrbAuthDialog.acquireTgt D-Bus method with GOA, please? The closest seems to be org.gnome.OnlineAccounts.Ticketing.GetTicket(), but that doesn't have proper arguments, neither properties (the Details doesn't look like anything "user@REALM", which uses the old acquireTgt), nor does it look like anything I might want to touch and dictate which part the kerberos is supposed to use; the Details property documentation says:

   Metadata about the tickets getting fetched. For kerberos tickets, this
   may contain a preauthentication source used by pkinit (such as
   PKCS11:libcoolkeypk11.so)

and I do not feel like hardcoding such things.

Comment 7 Debarshi Ray 2018-02-22 10:33:34 UTC
(In reply to Milan Crha from comment #4)

Sorry, I missed your comment in my bug-mail.

> Rishi, how does one replace org.gnome.KrbAuthDialog.acquireTgt D-Bus method
> with GOA, please?


Yes, gnome-online-accounts is meant to replace krb5-auth-dialog in RHEL 7. The Online Accounts panel in Settings is meant to be a graphical interface to libkrb5, just like kinit and friends provide a command line interface to it. The main difference between GOA and kinit is that if an account is added through GOA and the user chooses to save the password, then it will try to ensure that a valid ticket is always available.

> The closest seems to be
> org.gnome.OnlineAccounts.Ticketing.GetTicket(), but that doesn't have proper
> arguments, neither properties (the Details doesn't look like anything
> "user@REALM", which uses the old acquireTgt), nor does it look like anything I
> might want to touch and dictate which part the kerberos is supposed to use;
> the Details property documentation says:
> 
>    Metadata about the tickets getting fetched. For kerberos tickets, this
>    may contain a preauthentication source used by pkinit (such as
>    PKCS11:libcoolkeypk11.so)
> 
> and I do not feel like hardcoding such things.

You are right. The org.gnome.OnlineAccounts.Ticketing.GetTicket() interface is something else.

If you want to prompt the user to do a graphical equivalent of kinit, then you could provide a button or similar UI element to launch "gnome-control-center online-accounts" and ask him to add his account there.

Comment 8 Milan Crha 2018-03-12 16:49:03 UTC
Hrm, it's not the same thing. I see that the krb5-auth-dialog D-Bus interface has/had 'acquireTgt' method and that ensured there is a valid token before asking for it. It had the advantage that when the ticket was available, then it returned silently, without showing any dialog. I understand that the evolution-mapi should work differently in this regard, I only want to mention the difference.

There is currently no way to show "Open Settings" button (or any other) in the error message which would open the Settings->Online Accounts, thus the closest would be to give a hint into the error message what to do to make it work when the krb5-auth-dialog is not available. I do not want to drop its usage from the sources, because there are distributions where it can be still available and/or used.

Comment 9 Milan Crha 2018-03-12 18:23:34 UTC
Created attachment 1407341 [details]
proposed ema patch

For evolution-mapi;

This adds some hint into the error message. I'd commit it to the upstream sources straight away, but I'd like to ask for the wording. The added message says:

  Cannot ask for Kerberos ticket. Obtain the ticket manually, like on command
  line with “kinit” or open “Online Accounts” in “Settings” and add the
  Kerberos account there. Reported error was: ....

The thing is that evolution-mapi is not tied to GNOME, thus it can run also without gnome-online-accounts being installed at all and/or under different desktop environment as well, thus I also mention there the 'kinit' part. I surely cannot mention each possibility for each desktop environment, thus at least the GNOME Online Accounts are there as one of the ways for the GUI way of dealing with expired ticket.

I also finally understood the main issue here, maybe it's not about the message itself, it's more about evolution-mapi mail part not working at all with Kerberos when the krb5-auth-dialog D-Bus service is not installed. That's fixed with this patch as well.

Because the errors can provide useful information, I didn't want to just replace the returned error with some locally made one, thus I pile the error messages together, which can construct a beast like this:

  The reported error was “MapiLogonEx: Failed to login into the server (Cannot
  ask for Kerberos ticket. Obtain the ticket manually, like on command line
  with “kinit” or open “Online Accounts” in “Settings” and add the Kerberos
  account there. Reported error was: The name org.gnome.KrbAuthDialog was not
  provided by any .service files)

Maybe it's not ideal, but it avoids hiding possibly useful information from other parts of the system.

Unless I see any objection on this I'll commit this upstream within a week or so, but I'd really appreciate any feedback on the wording of the error message or anything you could think of. Thanks in advance.

Comment 10 Milan Crha 2018-03-12 18:24:30 UTC
Created attachment 1407342 [details]
proposed eds patch

for evolution-data-server;

Similar change (about the detailed error message) added on the evolution-data-server side.

Comment 11 Milan Crha 2018-03-13 08:59:40 UTC
I committed a simplified version of the above change into the upstream sources for 3.29.1+ [1] and for 3.28.1+. With this change, instead of receiving an error message about no service provider for the D-Bus interface I get "The reported error was “MAPIKRB authentication failed”.", which is not very descriptive, but it at least tries to connect to the server.

I'd like to include the extended error message as well; I'm still waiting for a hint on better wording of it.

[1] https://git.gnome.org/browse/evolution-mapi/commit/?id=f0d8ae5
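
The decision flow discussed in comments 8 to 11, as an added example that is not part of the bug thread or of either patch: stay silent when a ticket is already valid, use org.gnome.KrbAuthDialog only when the session bus can provide it, and otherwise fall back to the hint text from comment 9. The function names and plan keywords are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not code from evolution-mapi or evolution-data-server.
# Function names and plan keywords are illustrative.

# True when the default credential cache holds an unexpired ticket.
# "klist -s" prints nothing and reports the result through its exit status.
have_valid_tgt() {
    command -v klist >/dev/null 2>&1 && klist -s
}

# True when org.gnome.KrbAuthDialog is running or activatable on the
# session bus, i.e. the acquireTgt call would find a provider.
krbauthdialog_available() {
    command -v gdbus >/dev/null 2>&1 || return 1
    for method in ListNames ListActivatableNames; do
        if gdbus call --session --dest org.freedesktop.DBus \
               --object-path /org/freedesktop/DBus \
               --method "org.freedesktop.DBus.$method" 2>/dev/null |
               grep -q "'org.gnome.KrbAuthDialog'"; then
            return 0
        fi
    done
    return 1
}

# Print one keyword describing what a client should do next.
krb_auth_plan() {
    if have_valid_tgt; then
        echo proceed            # ticket present: stay silent
    elif krbauthdialog_available; then
        echo ask-krbauthdialog  # the service can prompt for the password
    else
        echo hint               # no provider: show the manual instructions
    fi
}

# Map the plan to user-facing text; the hint wording is from comment 9.
krb_auth_message() {
    case "$1" in
        proceed) echo "Kerberos ticket is valid." ;;
        ask-krbauthdialog) echo "Requesting a ticket through org.gnome.KrbAuthDialog." ;;
        hint) echo "Cannot ask for Kerberos ticket. Obtain the ticket manually, like on command line with \"kinit\" or open \"Online Accounts\" in \"Settings\" and add the Kerberos account there." ;;
    esac
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    krb_auth_message "$(krb_auth_plan)"
fi
```

Run it with `--check` in the desktop session of the affected user, since both the credential cache and the session bus are per-user.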

Comment 12 Debarshi Ray 2018-03-16 13:46:02 UTC
(In reply to Milan Crha from comment #8)
> There is currently no way to show "Open Settings" button (or any other) in
> the error message which would open the Settings->Online Accounts

Umm... you could show the Settings -> Online Accounts panel using a combination of g_app_info_create_from_commandline and g_app_info_launch to spawn "gnome-control-center online-accounts".

You can go even one step further and spawn "gnome-control-center online-accounts <account-id>", if you want to draw attention to a specific GOA account.

Comment 13 Debarshi Ray 2018-03-16 13:48:41 UTC
Created attachment 1408805 [details]
Example error notification about an expired account

Here's an example error notification from gnome-photos to handle cases where an account's credentials aren't working and human intervention is required.

Comment 14 Milan Crha 2018-03-19 08:24:53 UTC
(In reply to Debarshi Ray from comment #12)
> Umm... you could show the Settings -> Online Accounts panel using a
> combination of g_app_info_create_from_commandline and g_app_info_launch to
> spawn "gnome-control-center online-accounts".

I meant from the evolution-mapi point of view. I have also no way to know the account-id in GOA, we are talking about Kerberos accounts, which may or may not exist.

Comment 28 errata-xmlrpc 2018-10-30 10:20:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140

Comment 29 Red Hat Bugzilla 2023-09-15 00:05:31 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days