Bug 1520936 - Unable to authenticate using Kerberos without krb5-auth-dialog package [NEEDINFO]
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: evolution-mapi
Version: 7.4
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Milan Crha
QA Contact: Desktop QE
Blocks: 1546815 1571842
Reported: 2017-12-05 13:38 UTC by afox@redhat.com
Modified: 2018-10-30 10:21 UTC

Fixed In Version: evolution-mapi-3.22.6-2.el7
Last Closed: 2018-10-30 10:20:09 UTC
tpelka: needinfo? (afox)


Attachments
proposed ema patch (8.82 KB, patch), 2018-03-12 18:23 UTC, Milan Crha
proposed eds patch (5.65 KB, patch), 2018-03-12 18:24 UTC, Milan Crha
Example error notification about an expired account (145.90 KB, image/png), 2018-03-16 13:48 UTC, Debarshi Ray


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2018:3140 | 0 | None | None | None | 2018-10-30 10:21:35 UTC

Description afox@redhat.com 2017-12-05 13:38:54 UTC
Description of problem:
After configuring a MAPI account in evolution using Kerberos authentication, evolution is unable to access the account, showing "The name org.gnome.krbauthdialog was not provided by any .service files" error. 

The krb5-auth-dialog package was deprecated in RHEL7, but there is clearly still a dependency on it for evolution. Installing the krb5-auth-dialog-3.20.0-1.fc25 package from Fedora works, but it should still be present in RHEL repositories if software has a dependency on it. 

Version-Release number of selected component (if applicable):
openchange-2.3-2.el7.x86_64
evolution-data-server-3.22.7-6.el7.x86_64
evolution-mapi-3.22.6-1.el7.x86_64
evolution-3.22.6-10.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Configure a MAPI account using Kerberos in Evolution.

Actual results:
Error "The name org.gnome.krbauthdialog was not provided by any .service files" is shown.

Expected results:
Authentication dialogue should be displayed.

Comment 2 Milan Crha 2017-12-05 13:41:23 UTC
Thanks for a bug report. What had it been replaced with, please? It's used to be able to ask the user about the kerberos password in the UI. A workaround is to use `kinit` in a terminal.

Comment 4 Milan Crha 2017-12-05 14:17:17 UTC
I see that both evolution-data-server and evolution-mapi can try to call org.gnome.KrbAuthDialog D-Bus service calling acquireTgt method, both to refresh the kerberos token from the UI.

Rishi, how does one replace org.gnome.KrbAuthDialog.acquireTgt D-Bus method with GOA, please? The closest seems to be org.gnome.OnlineAccounts.Ticketing.GetTicket(), but that doesn't have proper arguments, neither properties (the Details doesn't look like anything "user@REALM", which uses the old acquireTgt), nor it look like anything I might want to touch and dictate which part the kerberos is supposed to use; the Details property documentation says:

   Metadata about the tickets getting fetched. For kerberos tickets, this
   may contain a preauthentication source used by pkinit (such as
   PKCS11:libcoolkeypk11.so)

and I do not feel like hardcoding such things.

Comment 7 Debarshi Ray 2018-02-22 10:33:34 UTC
(In reply to Milan Crha from comment #4)

Sorry, I missed your comment in my bug-mail.

> Rishi, how does one replace org.gnome.KrbAuthDialog.acquireTgt D-Bus method
> with GOA, please?


Yes, gnome-online-accounts is meant to replace krb5-auth-dialog in RHEL 7. The Online Accounts panel in Settings is meant to be a graphical interface to libkrb5, just like kinit and friends provide a command line interface to it. The main difference between GOA and kinit is that if an account is added through GOA and the user chooses to save the password, then it will try to ensure that a valid ticket is always available.

> The closest seems to be
> org.gnome.OnlineAccounts.Ticketing.GetTicket(), but that doesn't have proper
> arguments, neither properties (the Details doesn't look like anything
> "user@REALM", which uses the old acquireTgt), nor it look like anything I
> might want to touch and dictate which part the kerberos is supposed to use;
> the Details property documentation says:
> 
>    Metadata about the tickets getting fetched. For kerberos tickets, this
>    may contain a preauthentication source used by pkinit (such as
>    PKCS11:libcoolkeypk11.so)
> 
> and I do not feel like hardcoding such things.

You are right. The org.gnome.OnlineAccounts.Ticketing.GetTicket() interface is something else.

If you want to prompt the user to do a graphical equivalent of kinit, then you could provide a button or similar UI element to launch "gnome-control-center online-accounts" and ask him to add his account there.

Comment 8 Milan Crha 2018-03-12 16:49:03 UTC
Hrm, it's not the same thing. I see that the krb5-auth-dialog D-Bus interface has/had 'acquireTgt' method and that ensured there is a valid token before asking for it. It had the advantage that when the ticket was available, then it returned silently, without showing any dialog. I understand that the evolution-mapi should work differently in this regard, I only want to mention the difference.

There is currently no way to show "Open Settings" button (or any other) in the error message which would open the Settings->Online Accounts, thus the closest would be to give a hint into the error message what to do to make it work when the krb5-auth-dialog is not available. I do not want to drop its usage from the sources, because there are distributions where it can be still available and/or used.

Comment 9 Milan Crha 2018-03-12 18:23:34 UTC
Created attachment 1407341
proposed ema patch

For evolution-mapi;

This adds some hint into the error message. I'd commit it to the upstream sources straight away, but I'd like to ask for the wording. The added message says:

  Cannot ask for Kerberos ticket. Obtain the ticket manually, like on command
  line with “kinit” or open “Online Accounts” in “Settings” and add the
  Kerberos account there. Reported error was: ....

The thing is that evolution-mapi is not tied to GNOME, thus it can also run without gnome-online-accounts being installed at all and/or under a different desktop environment as well, thus I also mention the 'kinit' part there. I surely cannot mention each possibility for each desktop environment, thus at least the GNOME Online Accounts are there as one of the ways for the GUI way of dealing with an expired ticket.

I also finally understood the main issue here, maybe it's not about the message itself, it's more about the evolution-mapi mail part not working at all with Kerberos when the krb5-auth-dialog D-Bus service is not installed. That's fixed with this patch as well.

Because the errors can provide useful information, I didn't want to just replace the returned error with some locally made one, thus I pile the error messages together, which can construct a beast like this:

  The reported error was “MapiLogonEx: Failed to login into the server (Cannot
  ask for Kerberos ticket. Obtain the ticket manually, like on command line
  with “kinit” or open “Online Accounts” in “Settings” and add the Kerberos
  account there. Reported error was: The name org.gnome.KrbAuthDialog was not
  provided by any .service files)

Maybe it's not ideal, but it avoids hiding possibly useful information from other parts of the system.

Unless I see any objection on this I'll commit this upstream within a week or so, but I'd really appreciate any feedback on the wording of the error message or anything you could think of. Thanks in advance.

Comment 10 Milan Crha 2018-03-12 18:24:30 UTC
Created attachment 1407342
proposed eds patch

for evolution-data-server;

Similar change (about the detailed error message) added on the evolution-data-server side.

Comment 11 Milan Crha 2018-03-13 08:59:40 UTC
I committed a simplified version of the above change into the upstream sources for 3.29.1+ [1] and for 3.28.1+. With this change, instead of receiving an error message about no service provider for the D-Bus interface I get "The reported error was “MAPIKRB authentication failed”.", which is not very descriptive, but it at least tries to connect to the server.

I'd like to include the extended error message as well; I'm still waiting for a hint on better wording of it.

[1] https://git.gnome.org/browse/evolution-mapi/commit/?id=f0d8ae5
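
A shell check for which of the cases discussed in comments 8 to 11 a desktop session is in: a valid ticket already present, no ticket but the dialog service activatable, or neither. This is an added example, not part of the bug report or of the evolution-mapi patches; the function names and state words are made up for illustration, and it assumes `klist` (krb5 client tools) and `gdbus` (GLib) are installed.

```shell
#!/bin/sh
# Added example. State names and function names are illustrative only.
KRB_DIALOG_NAME='org.gnome.KrbAuthDialog'   # D-Bus name quoted in the bug

# True when the default credential cache holds an unexpired ticket.
have_valid_ticket() {
    klist -s 2>/dev/null
}

# True when some .service file can activate the dialog on the session bus.
dialog_activatable() {
    gdbus call --session \
        --dest org.freedesktop.DBus \
        --object-path /org/freedesktop/DBus \
        --method org.freedesktop.DBus.ListActivatableNames 2>/dev/null |
        grep -q "'$KRB_DIALOG_NAME'"
}

# Prints exactly one state word for the current session.
krb_auth_state() {
    if have_valid_ticket; then
        echo ticket-valid           # nothing to ask the user for
    elif dialog_activatable; then
        echo dialog-available       # the dialog can prompt for the password
    else
        echo manual-action-needed   # no ticket and no service to prompt with
    fi
}

# Maps a state word to the remediation named in the thread.
krb_auth_hint() {
    case "$1" in
        ticket-valid)     echo "Ticket present; no prompt is needed." ;;
        dialog-available) echo "No ticket; $KRB_DIALOG_NAME can prompt." ;;
        manual-action-needed)
            echo "No ticket and no dialog: run kinit, or add the account" \
                 "with: gnome-control-center online-accounts" ;;
        *)  echo "unknown state: $1" >&2; return 2 ;;
    esac
}

# Usage: krb_auth_hint "$(krb_auth_state)"
```
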

Comment 12 Debarshi Ray 2018-03-16 13:46:02 UTC
(In reply to Milan Crha from comment #8)
> There is currently no way to show "Open Settings" button (or any other) in
> the error message which would open the Settings->Online Accounts

Umm... you could show the Settings -> Online Accounts panel using a combination of g_app_info_create_from_commandline and g_app_info_launch to spawn "gnome-control-center online-accounts".

You can go even one step further and spawn "gnome-control-center online-accounts <account-id>", if you want to draw attention to a specific GOA account.

Comment 13 Debarshi Ray 2018-03-16 13:48:41 UTC
Created attachment 1408805
Example error notification about an expired account

Here's an example error notification from gnome-photos to handle cases where an account's credentials aren't working and human intervention is required.

Comment 14 Milan Crha 2018-03-19 08:24:53 UTC
(In reply to Debarshi Ray from comment #12)
> Umm... you could show the Settings -> Online Accounts panel using a
> combination of g_app_info_create_from_commandline and g_app_info_launch to
> spawn "gnome-control-center online-accounts".

I meant from the evolution-mapi point of view. I have also no way to know the account-id in GOA, we are talking about Kerberos accounts, which may or may not exist.

Comment 28 errata-xmlrpc 2018-10-30 10:20:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140

