Bug 2134219 - goa-identity-service is confused and doing a lot of failed KRB5 requests
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnome-online-accounts
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-10-12 20:04 UTC by Petr Menšík
Modified: 2022-12-16 01:42 UTC (History)

Fixed In Version: gnome-online-accounts-3.46.0-2.fc37 gnome-online-accounts-3.44.0-2.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-12-08 02:06:14 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
GNOME Gitlab GNOME gnome-online-accounts issues 79 0 None opened goa-identity-service confused by multiple TGTs for the same Kerberos principal, spams sssd_kcm with requests, pegging th... 2022-10-12 20:04:50 UTC

Description Petr Menšík 2022-10-12 20:04:51 UTC
Description of problem:
I am signed into the FEDORAPROJECT.ORG realm and one Red Hat internal realm. The Red Hat internal realm seems to be confused somehow. It seems it got broken during one of my kinit runs.

Version-Release number of selected component (if applicable):
gnome-online-accounts-3.40.1-1.fc35.x86_64

How reproducible:
unsure, rare

Steps to Reproduce:
1. Have FEDORAPROJECT.ORG realm
2. Log in to the Red Hat realm too
3. Repeat step 2 multiple times, for expired tokens; have a long uptime of the machine
4. After some time goa gets a broken RH realm, even though klist lists normal tickets.

Actual results:
Caught a backtrace of one of the wrong requests. It sends about 3 requests per minute. In GOA panel settings it shows an expired token, but the login button results in an error.

(gdb) bt
#0  krb5_get_error_message (ctx=0x56497ba6a8a0, code=-1765328360) at krb/kerrs.c:173
#1  0x000056497a66c306 in set_and_prefix_error_from_krb5_error_code
    (self=self@entry=0x7f0bfc006c80, error=error@entry=0x7f0c037fda38, code=code@entry=6, error_code=<optimized out>, format=format@entry=0x56497a6752a7 "%s") at /usr/src/debug/gnome-online-accounts-3.40.1-1.fc35.x86_64/src/goaidentity/goakerberosidentity.c:321
#2  0x000056497a673a55 in goa_kerberos_identity_sign_in
    (inquiry_func=0x56497a66d1c0 <on_kerberos_identity_inquiry>, destroy_notify=0x0, error=0x7f0c037fda38, cancellable=0x7f0bfd2794e0, inquiry_data=0x56497ba52510, flags=<optimized out>, preauth_source=0x0, initial_password=0x7f0c17afd638, principal_name=0x7f0c037fda50 "\030\326\001\370\v\177", self=0x7f0bfc006c80) at /usr/src/debug/gnome-online-accounts-3.40.1-1.fc35.x86_64/src/goaidentity/goakerberosidentity.c:1300
#3  goa_kerberos_identity_sign_in
    (inquiry_func=0x56497a66d1c0 <on_kerberos_identity_inquiry>, destroy_notify=0x0, error=0x7f0c037fda38, cancellable=0x7f0bfd2794e0, inquiry_data=0x56497ba52510, flags=<optimized out>, preauth_source=0x0, initial_password=0x7f0c17afd638, principal_name=0x7f0c037fda50 "\030\326\001\370\v\177", self=0x7f0bfc006c80) at /usr/src/debug/gnome-online-accounts-3.40.1-1.fc35.x86_64/src/goaidentity/goakerberosidentity.c:1190
#4  sign_in_identity (operation=0x56497ba52510, self=0x56497ba5ea30)
    at /usr/src/debug/gnome-online-accounts-3.40.1-1.fc35.x86_64/src/goaidentity/goakerberosidentitymanager.c:916
#5  goa_kerberos_identity_manager_thread_pool_func (data=0x56497ba52510, user_data=<optimized out>)
    at /usr/src/debug/gnome-online-accounts-3.40.1-1.fc35.x86_64/src/goaidentity/goakerberosidentitymanager.c:1051
#6  0x00007f0c17636094 in g_thread_pool_thread_proxy (data=<optimized out>) at ../glib/gthreadpool.c:354
#7  0x00007f0c176337c2 in g_thread_proxy (data=0x7f0bfc02e640) at ../glib/gthread.c:827
#8  0x00007f0c1729f822 in start_thread (arg=<optimized out>) at pthread_create.c:443
#9  0x00007f0c1723f450 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81


Expected results:
It should stop repeating requests endlessly. And there should be a way to 

Additional info:
Likely related to https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/issues/79
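
Added example, not part of the original report or of gnome-online-accounts: a small Python decoder for the krb5 error value visible in frame #0 of the backtrace above. It assumes MIT krb5's com_err numbering (table base -1765328384, offsets 0-127 mirroring RFC 4120 error codes); the function names and the abridged sample are introduced here for illustration.

```python
import re

# Base of MIT krb5's "krb5" com_err table (the value of KRB5KDC_ERR_NONE).
KRB5_TABLE_BASE = -1765328384

# Subset of RFC 4120 section 7.5.9 error codes, keyed by offset from the base.
RFC4120_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW",
}

# Only the krb5_get_error_message frame carries a krb5 code; other frames have
# a "code=" argument too (frame #1 has code=6), which is a different value.
FRAME_RE = re.compile(r"krb5_get_error_message \([^)]*\bcode=(-?\d+)")


def decode_krb5_code(code):
    """Return (offset, name) for a krb5 com_err value, or None if out of table."""
    offset = code - KRB5_TABLE_BASE
    if not 0 <= offset < 256:          # a com_err table holds at most 256 codes
        return None
    if offset < 128:                   # protocol errors as sent in KRB-ERROR
        return offset, RFC4120_ERRORS.get(offset, "protocol error %d" % offset)
    return offset, "krb5 library error (not a KDC reply)"


def krb5_errors_in_backtrace(text):
    """Decode every krb5 error code passed to krb5_get_error_message."""
    found = []
    for line in text.splitlines():
        match = FRAME_RE.search(line)
        decoded = decode_krb5_code(int(match.group(1))) if match else None
        if decoded:
            found.append(decoded)
    return found


# Frames #0 and #1 copied from the backtrace above (frame #1 abridged).
BACKTRACE = """\
#0  krb5_get_error_message (ctx=0x56497ba6a8a0, code=-1765328360) at krb/kerrs.c:173
#1  0x000056497a66c306 in set_and_prefix_error_from_krb5_error_code
    (self=self@entry=0x7f0bfc006c80, code=code@entry=6, error_code=<optimized out>)
"""

if __name__ == "__main__":
    print(krb5_errors_in_backtrace(BACKTRACE))
```

A KDC_ERR_PREAUTH_FAILED repeating at the reported rate is worth checking against the realm's KDC logs and any lockout policy, since each request is a failed pre-authentication attempt for that principal.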

Comment 3 Gwyn Ciesla 2022-10-12 21:30:59 UTC
Agreed. I've had trouble reproducing this. Does klist -A show the tickets you expect?

Comment 4 Petr Menšík 2022-10-13 12:54:59 UTC
Yes, the klist -A shows tickets I would expect there, also with valid expiration time.

From what I have seen during the breakage, the indication on the RH realm did not display the accurate status of the principal in the control panel. The RH realm showed an exclamation mark, but the refreshed token worked fine with brew, brewweb or errata. But login using the button in account details did not work.

I fixed it by dropping the RH principal and logging in with kinit again. That seems to have fixed it for now, so I cannot debug it. But I think I have seen it more times.

Comment 5 Ben Cotton 2022-11-29 19:01:50 UTC
This message is a reminder that Fedora Linux 35 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '35'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 35 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 6 Fedora Update System 2022-11-30 19:19:41 UTC
FEDORA-2022-2b91cbd30f has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-2b91cbd30f

Comment 7 Fedora Update System 2022-11-30 19:19:46 UTC
FEDORA-2022-8e64a8ce03 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8e64a8ce03

Comment 8 Fedora Update System 2022-12-01 01:34:25 UTC
FEDORA-2022-8e64a8ce03 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-8e64a8ce03`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-8e64a8ce03

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-12-01 02:36:23 UTC
FEDORA-2022-2b91cbd30f has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-2b91cbd30f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-2b91cbd30f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-12-08 02:06:14 UTC
FEDORA-2022-8e64a8ce03 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2022-12-16 01:42:30 UTC
FEDORA-2022-2b91cbd30f has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

