Bug 834798 - MAPI no longer does Kerberos Authentication
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: evolution-mapi
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Matthew Barnes
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-23 17:37 UTC by Colin.Simpson
Modified: 2013-03-06 17:18 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-07-10 16:29:42 UTC
Type: Bug


Attachments
proposed ema patch (7.26 KB, patch)
2012-06-28 11:49 UTC, Milan Crha

Description Colin.Simpson 2012-06-23 17:37:24 UTC
Description of problem:
The version of Evolution shipped with F16 successfully did Kerberos Authentication. 
 
On F17, tickets are successfully retrieved, i.e. "exchangeAB/". In the "Account Editor" if you select "Kerberos authentication" and click authenticate it returns "Authentication finished successfully".

But it refuses to retrieve messages, and on restart it immediately prompts for passwords. If you pass a fake password to move on, you get
"Could not get message: The name org.gnome.KrbAuthDialog was not provided by any .service files"


Version-Release number of selected component (if applicable):
evolution-mapi-3.4.3-1.fc17.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Select "Kerberos authentication" and authenticate (assuming a suitably configured AD/Kerberos Environment/setup).
2. "Authentication finished successfully"
3. No messages can be opened and constantly prompts for a password.
4. If you give it a fake password to get past this you get
"Could not get message: The name org.gnome.KrbAuthDialog was not provided by any .service files"

  
Actual results:
See above

Expected results:
Working passwordless with Kerberos.

Additional info:
This is against Exchange 2010

Regression from F16's Evolution

Comment 1 Milan Crha 2012-06-25 11:49:23 UTC
Thanks for a bug report. The actual error message (after passing in an invalid password) suggests that krb5-auth-dialog package is not installed. Is it possible?
Also, what is printed on console when you run evolution from it, please? It can print detailed errors, if available, there.

I see in the code that during Authentication the error from KrbAuthDialog is silently ignored, while in authentication of a mail account the error returned from the call to KrbAuthDialog is treated as failure and makes evolution-mapi deny access.

There was also done one change in the code, kerberos login is enabled only if set properly in the preferences, which I suppose was done, according to successful authentication during the account creation, thus this only seems like an issue with missing package.

Comment 2 Colin.Simpson 2012-06-25 13:48:26 UTC
Installing the KrbAuthDialog has made little difference. There is little of interest in the messages (below). If you select "Kerberos authentication" and click authenticate, it returns "Authentication finished successfully". And keys are in the output of klist. But it continues to prompt for passwords on the main window on hitting Send/Receive (or restart):

(evolution:20436): e-data-server-ui-WARNING **: Unable to find password(s) in keyring (Keyring reports: No matching results)

(evolution:20436): e-data-server-ui-WARNING **: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)

Then some complaints about options in the smb.conf file:

Unknown parameter encountered: "max log size"
Ignoring unknown parameter "max log size"
Unknown parameter encountered: "preserve case"
Ignoring unknown parameter "preserve case"
Unknown parameter encountered: "short preserve case"
Ignoring unknown parameter "short preserve case"
Unknown parameter encountered: "load printers"
Ignoring unknown parameter "load printers"
Unknown parameter encountered: "client use spnego"
Ignoring unknown parameter "client use spnego"
Unknown parameter encountered: "map to guest"
Ignoring unknown parameter "map to guest"
Unknown parameter encountered: "guest account"
Ignoring unknown parameter "guest account"
Unknown parameter encountered: "hide dot files"
Ignoring unknown parameter "hide dot files"
Unknown parameter encountered: "nt acl support"
Ignoring unknown parameter "nt acl support"
Unknown parameter encountered: "ldap ssl"
Ignoring unknown parameter "ldap ssl"
Unknown parameter encountered: "machine password timeout"
Ignoring unknown parameter "machine password timeout"
Unknown parameter encountered: "kerberos method"
Ignoring unknown parameter "kerberos method"
Unknown parameter encountered: "dedicated keytab file"
Ignoring unknown parameter "dedicated keytab file"
Unknown parameter encountered: "winbind nested groups"
Ignoring unknown parameter "winbind nested groups"
Unknown parameter encountered: "ldap admin dn"
Ignoring unknown parameter "ldap admin dn"
Unknown parameter encountered: "idmap backend"
Ignoring unknown parameter "idmap backend"
Unknown parameter encountered: "idmap uid"
Ignoring unknown parameter "idmap uid"
Unknown parameter encountered: "idmap gid"
Ignoring unknown parameter "idmap gid"
Unknown parameter encountered: "idmap cache time"
Ignoring unknown parameter "idmap cache time"
Unknown parameter encountered: "writeable"
Ignoring unknown parameter "writeable"
Unknown parameter encountered: "guest ok"
Ignoring unknown parameter "guest ok"
Unknown parameter encountered: "writeable"
Ignoring unknown parameter "writeable"
Unknown parameter encountered: "guest ok"
Ignoring unknown parameter "guest ok"

Then one interesting message:

ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)

Comment 3 Milan Crha 2012-06-26 07:46:13 UTC
Thanks for the update. Could you run evolution in debugging mode, to get values which were sent and received between evolution-mapi and the exchange server, please? You can do that with command like this:
   $ LIBMAPI_DEBUG=15 evolution &>log.txt
Please note that the log contains raw communication between server and client, and can expose many things, like server address, user names and possibly passwords - in your kerberos setup the Realm or such. It is very chatty too. Just search for the "ndr_pull_error" string in it and get surrounding text of it, like is shown in bug #827371 comment #6, only with more lines before this actual error message, say about 30-50 lines above it.

The log also contains attempt of KDC login, you can search for "gssapi" (quotes for clarity only) and see what it prints, or whether it even tried it. (I think it's either "gssapi", "kdc" or just "kerberos", I'm not sure now).

Also, could you get backtrace of running evolution in time of the password prompt, please? It'll show where you were asked for the password, in which place of evolution-mapi. It's necessary to install debuginfo package for at least evolution-mapi, otherwise the backtrace will be essentially useless. You can get the backtrace with command like this:
   $ gdb --batch --ex "t a a bt" -pid=PID &>bt.txt
where PID is a process ID of running evolution (ps ax | grep evolution). Please make sure it'll not contain any private information, you do not want to share in public.

Thanks in advance.
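
Added example, not part of the comment above or of evolution-mapi: one way to follow that advice, keeping only the lines around "ndr_pull_error" and masking principals, host names, addresses and passwords before the excerpt is posted publicly. The sample log lines, the domain corp.example and the function names are constructed for illustration; the real LIBMAPI_DEBUG output format may differ, so the patterns are heuristics.

```shell
#!/bin/sh
# Added example, not from the bug report. Patterns are heuristics:
# read the output yourself before attaching it to a public bug.

# sanitize_log LOG DOMAIN [LINES_BEFORE]
#   LOG           file written by: LIBMAPI_DEBUG=15 evolution &>log.txt
#   DOMAIN        your DNS domain / Kerberos realm (assumed: corp.example)
#   LINES_BEFORE  context kept above each error (default 40)
sanitize_log() {
    log=$1
    before=${3:-40}
    # Escape dots so the domain matches literally; realms are upper case.
    dom_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    dom_uc=$(printf '%s' "$2" | tr 'a-z' 'A-Z' | sed 's/\./\\./g')

    grep -B "$before" -A 2 'ndr_pull_error' "$log" | sed -E \
        -e 's/[A-Za-z0-9._$-]+@[A-Za-z0-9.-]+/<PRINCIPAL>/g' \
        -e "s/([A-Za-z0-9-]+\.)*(${dom_lc}|${dom_uc})/<HOST>/g" \
        -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/<IP>/g' \
        -e 's/([Pp]assword[[:space:]]*[:=][[:space:]]*)[^[:space:]]+/\1<REDACTED>/g'
}

# Constructed sample input; not real LIBMAPI_DEBUG output.
make_sample_log() {
    cat > "$1" <<'EOF'
startup noise that is not needed in the report
gssapi: using principal colin@CORP.EXAMPLE
connecting to mail01.corp.example (192.0.2.10)
password: hunter2
ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
trailing line
EOF
}

# Demo: keep 3 lines of context above the error and print the redacted excerpt.
tmp=$(mktemp)
make_sample_log "$tmp"
sanitize_log "$tmp" corp.example 3
rm -f "$tmp"
```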

Comment 4 Colin.Simpson 2012-06-26 18:35:45 UTC
There is no Kerberos transaction recorded at all if you have the Kerberos option ticked. The only time it records lots of things are if you click "Authenticate" in the account setup window.

I sent you an email about sending you these logs privately.

Comment 5 Milan Crha 2012-06-28 10:13:43 UTC
Thanks for the logs. I think I see what is going on. Does it work, if you enter a fake password, like just "a" or anything? It seems to me that it should work (as a workaround).

Comment 6 Milan Crha 2012-06-28 11:49:03 UTC
Created attachment 595000 [details]
proposed ema patch

for evolution-mapi;

This should make it. I'm not committing it yet, I would like to know result of the fake password passing first, then I'll create a test package for you, to make sure the change works as expected. (I do not have kerberos-enabled exchange server myself to be able to fully test this. I'm keeping here the patch to not lose it, it's for master branch)

Comment 7 Colin.Simpson 2012-06-28 12:51:34 UTC
Doesn't seem to work with a fake password STDOUT/ERR and the UI display a message:

Fetching items failed: file e-mapi-connection.c: line 1141 (e_mapi_connection_close_folder): assertion `conn != NULL' failed

Comment 8 Milan Crha 2012-06-28 17:34:45 UTC
Hrm, then maybe the patch is not complete too? I created a test package with patch included at [1].

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=4206099

Comment 9 Milan Crha 2012-06-29 08:54:49 UTC
(In reply to comment #8)
> Hrm, then maybe the patch is not complete too? I created a test package with
> patch included at [1].

Nope, it doesn't work. I managed to set up kerberos for my server and I can reproduce what you see.

Comment 10 Fedora Update System 2012-06-29 09:54:32 UTC
evolution-mapi-3.4.3-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-9952/evolution-mapi-3.4.3-5.fc17

Comment 11 Milan Crha 2012-06-29 09:56:12 UTC
The above update contains fix for this. Thanks for your help with identifying the issue.

Comment 12 Colin.Simpson 2012-06-29 11:07:59 UTC
This is considerably better. I have removed all my saved passwords from the keyring and I can get in without typing any passwords. Great!

However one minor wrinkle Tasks and Calendar still prompt for a password even though canceling appears to let you in properly.

Comment 13 Milan Crha 2012-06-29 12:42:25 UTC
(In reply to comment #12)
> However one minor wrinkle Tasks and Calendar still prompt for a password
> even though canceling appears to let you in properly.

I had it too, but only with contacts, when there left source definition from other MAPI account. How many accounts do you see when you do:
   $ gconftool-2 --get /apps/evolution/calendar/sources | grep mapi | \
       grep source

Also, was the evolution-calendar-factory restarted after account changes (which requires restart of evolution too) and installation of the new evolution-mapi?

Comment 14 Colin.Simpson 2012-06-29 13:29:34 UTC
After a general account clear up in gconf-editor and killing evolution-calendar-factory. I seem all good.

Thanks for fixing.

Comment 15 Fedora Update System 2012-06-30 21:49:48 UTC
Package evolution-mapi-3.4.3-5.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing evolution-mapi-3.4.3-5.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9952/evolution-mapi-3.4.3-5.fc17
then log in and leave karma (feedback).

Comment 16 Milan Crha 2012-07-02 07:00:53 UTC
(In reply to comment #14)
> After a general account clear up in gconf-editor and killing
> evolution-calendar-factory. I seem all good.

Good. I still do not know how to invoke factories restart without breaking (possibly running) evolution, after new packages are installed or uninstalled. This is rather complicated for me.

Comment 17 Fedora Update System 2012-07-10 16:29:42 UTC
evolution-mapi-3.4.3-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Milan Crha 2013-03-04 19:54:58 UTC
Colin, I opened bug #917798 against samba for the Secure & Kerberos authentication. I'm not sure about the rest with calendar failing, it might be an issue with evolution-source-registry (3.6.x), but as it's working for me, and for Luf (the other bug reporter) then I guess there's something suspicious about that, maybe a corner case exhibiting on your machine. I suppose it should work once you'll restart evolution-source-registry and evolution-calendar-factory (in this order) with the Kerberos ticket being valid. Maybe we can use another bug report, this one is against 3.4.x/Fedora 17.

Comment 19 Colin.Simpson 2013-03-05 12:24:31 UTC
I think the bug we were working was opened for F18 i.e Bug #914775 not this one?

BTW I did restart evolution-source-registry and evolution-calendar-factory with valid credentials, so maybe your edge case is correct.

Thanks

Comment 20 Milan Crha 2013-03-06 17:18:29 UTC
(In reply to comment #19)
> I think the bug we were working was opened for F18 i.e Bug #914775 not this
> one?

Right, you sent me a private email with this bug report, thus I wrote my comment here, not there :)

