Description of problem: The version of Evolution shipped with F16 successfully did Kerberos Authentication. On F17, tickets are successfully retrieved i.e "exchangeAB/". In the "Account Editor" if you select "Kerberos authentication" and click authenticate it returns "Authentication finished successfully". But it refuses to retrieve messages, and on restart it immediately prompts for passwords. If you pass a fake password to move on, you get "Could not get message: The name org.gnome.KrbAuthDialog was not provided by any .service files" Version-Release number of selected component (if applicable): evolution-mapi-3.4.3-1.fc17.x86_64 How reproducible: Every time Steps to Reproduce: 1. Select "Kerberos authentication" and authenticate (assuming a suitably configured AD/Kerberos Environment/setup). 2.Authentication finished successfully" 3. No messages can be opened and constantly prompts for a password. 4/ If you give it a fake password to get passed this you get "Could not get message: The name org.gnome.KrbAuthDialog was not provided by any .service files" Actual results: See above Expected results: Working passwordless with Kerberos. Additional info: This is against Exchange 2010 Regression from F16's Evolution
Thanks for a bug report. The actual error message (after passing in an invalid password) suggests that krb5-auth-dialog package is not installed. Is it possible? Also, what is printed on console when you run evolution from it, please? It can print detailed errors, if available, there. I see in the code that during Authentication the error from KrbAuthDialog is silently ignored, while in authentication of a mail account the error returned from the call to KrbAuthDialog is treated as failure and makes evolution-mapi deny access. There was also done one change in the code, kerberos login is enabled only if set properly in the preferences, which I suppose was done, according to successful authentication during the account creation, thus this only seems like an issue with missing package.
Installing the KrbAuthDialog has made little difference. There is little of interest in the messages (below). Hitting if you select "Kerberos authentication" and click authenticate it returns "Authentication finished successfully". And keys are in the output of klist. But it continues to prompt for passwords on the main window on hitting Send/Receive (or restart): (evolution:20436): e-data-server-ui-WARNING **: Unable to find password(s) in keyring (Keyring reports: No matching results) (evolution:20436): e-data-server-ui-WARNING **: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) Then some complaints about options in the smb.conf file: Unknown parameter encountered: "max log size" Ignoring unknown parameter "max log size" Unknown parameter encountered: "preserve case" Ignoring unknown parameter "preserve case" Unknown parameter encountered: "short preserve case" Ignoring unknown parameter "short preserve case" Unknown parameter encountered: "load printers" Ignoring unknown parameter "load printers" Unknown parameter encountered: "client use spnego" Ignoring unknown parameter "client use spnego" Unknown parameter encountered: "map to guest" Ignoring unknown parameter "map to guest" Unknown parameter encountered: "guest account" Ignoring unknown parameter "guest account" Unknown parameter encountered: "hide dot files" Ignoring unknown parameter "hide dot files" Unknown parameter encountered: "nt acl support" Ignoring unknown parameter "nt acl support" Unknown parameter encountered: "ldap ssl" Ignoring unknown parameter "ldap ssl" Unknown parameter encountered: "machine password timeout" Ignoring unknown parameter "machine password timeout" Unknown parameter encountered: "kerberos method" Ignoring unknown parameter "kerberos method" Unknown parameter encountered: "dedicated keytab file" Ignoring unknown parameter "dedicated keytab file" Unknown parameter encountered: "winbind nested groups" Ignoring unknown parameter "winbind nested groups" Unknown parameter encountered: "ldap admin dn" Ignoring unknown parameter "ldap admin dn" Unknown parameter encountered: "idmap backend" Ignoring unknown parameter "idmap backend" Unknown parameter encountered: "idmap uid" Ignoring unknown parameter "idmap uid" Unknown parameter encountered: "idmap gid" Ignoring unknown parameter "idmap gid" Unknown parameter encountered: "idmap cache time" Ignoring unknown parameter "idmap cache time" Unknown parameter encountered: "writeable" Ignoring unknown parameter "writeable" Unknown parameter encountered: "guest ok" Ignoring unknown parameter "guest ok" Unknown parameter encountered: "writeable" Ignoring unknown parameter "writeable" Unknown parameter encountered: "guest ok" Ignoring unknown parameter "guest ok" Then one interesting message: ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results) e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
Thanks for the update. Could you run evolution in debugging mode, to get values which were sent and received between evolution-mapi and the exchange server, please? You can do that with command like this: $ LIBMAPI_DEBUG=15 evolution &>log.txt Please note that the log contains raw communication between server and client, and can expose many things, like server address, user names and possibly passwords - in your kerberos setup the Realm or such. It is very chatty too. Just search for the "ndr_pull_error" string in it and get surrounding text of it, like is shown in bug #827371 comment #6, only with more lines before this actual error message, say about 30-50 lines above it. The log also contains attempt of KDC login, you can search for "gssapi" (quotes for clarity only) and see what it prints, or whether it even tried it. (I think it's either "gssapi", "kdc" or just "kerberos", I'm not sure now). Also, could you get backtrace of running evolution in time of the password prompt, please? It'll show where you were asked for the password, in which place of evolution-mapi. It's necessary to install debuginfo package for at least evolution-mapi, otherwise the backtrace will be essentially useless. You can get the backtrace with command like this: $ gdb --batch --ex "t a a bt" -pid=PID &>bt.txt where PID is a process ID of running evolution (ps ax | grep evolution). Please make sure it'll not contain any private information, you do not want to share in public. Thanks in advance.
There is no Kerberos transaction recorded at all if you have the Kerberos option ticked. The only time it records lots of things are if you click "Authenticate" in the account setup window. I sent you an email about sending you these logs privately.
Thanks for the logs. I think I see what is going on. Does it work, if you enter a fake password, like just "a" or anything? It seems to me that it should work (as a workaround).
Created attachment 595000 [details] proposed ema patch for evolution-mapi; This should make it. I'm not committing it yet, I would like to know result of the fake password passing first, then I'll create a test package for you, to make sure the change works as expected. (I do not have kerberos-enabled exchange server myself to be able fully test this. I'm keeping here the patch to not loose it, it's for master branch)
Doesn't seem to work with a fake password STDOUT/ERR and the UI display a message: Fetching items failed: file e-mapi-connection.c: line 1141 (e_mapi_connection_cl ose_folder): assertion `conn != NULL' failed
Hrm, then maybe the patch is not complete too? I created a test package with patch included at [1]. [1] http://koji.fedoraproject.org/koji/taskinfo?taskID=4206099
(In reply to comment #8) > Hrm, then maybe the patch is not complete too? I created a test package with > patch included at [1]. Nope, it doesn't work. I managed to setup kerberos for my server and I can reproduce what you see.
evolution-mapi-3.4.3-5.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/FEDORA-2012-9952/evolution-mapi-3.4.3-5.fc17
The above update contains fix for this. Thanks for your help with identifying the issue.
This is considerably better. I have removed all my saved passwords from the keyring and I can get in without typing any passwords. Great! However one minor wrinkle Tasks and Calendar still prompt for a password even though canceling appears to let you in properly.
(In reply to comment #12) > However one minor wrinkle Tasks and Calendar still prompt for a password > even though canceling appears to let you in properly. I had it too, but only with contacts, when there left source definition from other MAPI account. How many accounts do you see when you do: $ gconftool-2 --get /apps/evolution/calendar/sources | grep mapi | \ grep source Also, was the evolution-calendar-factory restarted after account changes (which requires restart of evolution too) and installation of the new evolution-mapi?
After a general account clear up in gconf-editor and killing evolution-calendar-factory. I seem all good. Thanks for fixing.
Package evolution-mapi-3.4.3-5.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing evolution-mapi-3.4.3-5.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-9952/evolution-mapi-3.4.3-5.fc17 then log in and leave karma (feedback).
(In reply to comment #14) > After a general account clear up in gconf-editor and killing > evolution-calendar-factory. I seem all good. Good. I still do not know how to invoke factories restart without breaking (possibly running) evolution, after new packages are installed or uninstalled. This is rather complicated for me.
evolution-mapi-3.4.3-5.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Colin, I opened bug #917798 against samba for the Secure & Kerberos authentication. I'm not sure about the rest with calendar failing, it might be an issue with evolution-source-registry (3.6.x), but as it's working for me, and for Luf (the other bug reporter) then I guess there's something suspicious about that, maybe a corner case exhibiting on your machine. I suppose it should work once you'll restart evolution-source-registry and evolution-calendar-factory (in this order) with the Kerberos ticket being valid. Maybe we can use another bug report, this one is against 3.4.x/Fedora 17.
I think the bug we were working was opened for F18 i.e Bug #914775 not this one? BTW I did restart evolution-source-registry and evolution-calendar-factory with valid credentials, so maybe your edge case is correct. Thanks
(In reply to comment #19) > I think the bug we were working was opened for F18 i.e Bug #914775 not this > one? Right, you sent me a private email with this bug report, thus I wrote my comment here, not there :)