Issues with Online Accounts and keyring #601

Open
alexsaezm opened this issue Sep 25, 2024 · 2 comments
Labels
bug Something isn't working f41 Related to Fedora 41

Comments

@alexsaezm

Describe the bug
Both 40 and 41 lack Kerberos tools to allow login into Kerberos realms. Also, in 41 the keyring might be doing something odd, as Online Accounts cannot store the information and kinit/klist/kdestroy fail with:

klist: Connection refused while resolving ccache

Also, VSCode seems to have problems with tokens. This might not be related, as other applications, like Slack, seem to work.

To Reproduce

  1. Install Fedora Silverblue 41
  2. Try to log into a Fedora account (or any other Kerberos account) using Online Accounts or kinit.

Expected behavior
Fedora Workstation works.

Screenshots
Screenshot From 2024-09-24 16-27-49

OS version:

$ rpm-ostree status -b
State: idle
BootedDeployment:
● fedora:fedora/41/x86_64/silverblue
                  Version: 41.20240924.n.0 (2024-09-24T08:11:28Z)
               BaseCommit: fa1371df1ba32a0b7fd30e7dc4918c7c232e721680894e14135e564789db6cee
             GPGSignature: Valid signature by 466CF2D8B60BC3057AA9453ED0622462E99D6AD1
          LayeredPackages: fedora-packager-kerberos gnome-boxes krb5-workstation
            LocalPackages: 1password-8.10.44-1.x86_64 redhat-internal-cert-install-0.1-29.el7.noarch redhat-internal-NetworkManager-openvpn-profiles-0.1-62.el8.noarch slack-4.39.95-0.1.el8.x86_64

Additional context
Forum link: https://discussion.fedoraproject.org/t/fedora-41-impossible-to-log-with-fedora-project-account/131632/14
GNOME Issue: https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/issues/370

@alexsaezm alexsaezm added the bug Something isn't working label Sep 25, 2024
@travier travier added the f41 Related to Fedora 41 label Sep 26, 2024
@andyholmes

Additional error text for context:

(process:7420): libgoaidentity-DEBUG: 13:45:49.816: GoaIdentityService: asking to sign in
(process:7420): libgoaidentity-DEBUG: 13:45:49.817: GoaKerberosIdentityManager: signing in identity andyholmes@FEDORAPROJECT.ORG
(process:7420): libgoaidentity-DEBUG: 13:45:49.817: GoaKerberosIdentityManager: don't know if credential cache type (null) supports cache collections, assuming yes
(process:7420): libgoaidentity-DEBUG: 13:45:49.817: GoaKerberosIdentityManager:         Error creating new cache for identity credentials: Connection refused
(process:7420): libgoaidentity-DEBUG: 13:45:49.818: GoaKerberosIdentityManager: Waiting for next operation
(process:7420): libgoaidentity-DEBUG: 13:45:49.818: GoaIdentityService: could not sign in identity: Could not create credential cache for identity

The (null) credential cache type is probably the notable thing here.

@travier
Member

travier commented Sep 30, 2024

I have a slightly different error message:

$ KRB5_TRACE=/dev/stdout kinit "siosm@FEDORAPROJECT.ORG"
[4946] 1727685273.788384: Matching siosm@FEDORAPROJECT.ORG in collection with result: -1765328243/Can't find client principal siosm@FEDORAPROJECT.ORG in cache collection
[4946] 1727685273.788385: Getting initial credentials for siosm@FEDORAPROJECT.ORG
[4946] 1727685273.788387: Sending unauthenticated request
[4946] 1727685273.788388: Sending request (208 bytes) to FEDORAPROJECT.ORG
[4946] 1727685273.788389: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[4946] 1727685273.788390: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[4946] 1727685273.788391: Resolving hostname id.fedoraproject.org
[4946] 1727685274.222675: TLS certificate name matched "id.fedoraproject.org"
[4946] 1727685274.222676: Sending HTTPS request to https 38.145.60.20:443
[4946] 1727685274.222677: Received answer (255 bytes) from https 38.145.60.20:443
[4946] 1727685274.222678: Terminating TCP connection to https 38.145.60.20:443
[4946] 1727685274.222679: Response was from primary KDC
[4946] 1727685274.222680: Received error from KDC: -1765328359/Additional pre-authentication required
[4946] 1727685274.222683: Preauthenticating using KDC method data
[4946] 1727685274.222684: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[4946] 1727685274.222685: Received cookie: MIT
[4946] 1727685274.222686: PKINIT client has no configured identity; giving up
[4946] 1727685274.222687: Preauth module pkinit (147) (info) returned: 0/Success
[4946] 1727685274.222688: PKINIT client received freshness token from KDC
[4946] 1727685274.222689: Preauth module pkinit (150) (info) returned: 0/Success
[4946] 1727685274.222690: PKINIT client has no configured identity; giving up
[4946] 1727685274.222691: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
