GNOME Bugzilla – Bug 789187
Fedora Kerberos account can't be added
Last modified: 2017-11-08 08:47:37 UTC
Fedora Kerberos account can't be added to gnome-online-accounts (while others, like Red Hat account, work). kinit works well, the problem is just with goa. The journal prints:

Oct 19 10:28:20 dryad realmd[4597]: * Resolving: _ldap._tcp.fedoraproject.org
Oct 19 10:28:20 dryad realmd[4597]: * Resolving: _ldap._tcp.fedoraproject.org
Oct 19 10:28:20 dryad realmd[4597]: No DNS record of the requested type for “_ldap._tcp.fedoraproject.org”
Oct 19 10:28:20 dryad realmd[4597]: * Resolving: fedoraproject.org
Oct 19 10:28:20 dryad realmd[4597]: * Resolving: fedoraproject.org
Oct 19 10:28:20 dryad realmd[4597]: Resolving fedoraproject.org failed: No DNS record of the requested type for “_kerberos._udp.fedoraproject.org”
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 8.43.85.67
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 8.43.85.67
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 209.132.181.15
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 209.132.181.15
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 67.219.144.68
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 67.219.144.68
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 67.203.2.67
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 67.203.2.67
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 140.211.169.206
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 140.211.169.206
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 152.19.134.142
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 152.19.134.142
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 140.211.169.196
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 140.211.169.196
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 209.132.181.16
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 209.132.181.16
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 209.132.190.2
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 209.132.190.2
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 152.19.134.198
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 152.19.134.198
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 66.35.62.162
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 66.35.62.162
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2604:1580:fe00:0:dead:beef:cafe:fed1
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2604:1580:fe00:0:dead:beef:cafe:fed1
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2605:bc80:3010:600:dead:beef:cafe:feda
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2605:bc80:3010:600:dead:beef:cafe:feda
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2607:f188::dead:beef:cafe:fed1
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2607:f188::dead:beef:cafe:fed1
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2610:28:3090:3001:dead:beef:cafe:fed3
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2610:28:3090:3001:dead:beef:cafe:fed3
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2605:bc80:3010:600:dead:beef:cafe:fed9
Oct 19 10:28:20 dryad realmd[4597]: * Performing LDAP DSE lookup on: 2605:bc80:3010:600:dead:beef:cafe:fed9
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: ! Can't contact LDAP server
Oct 19 10:28:35 dryad realmd[4597]: ! Discovery timed out after 15 seconds
Oct 19 10:28:35 dryad realmd[4597]: ! Discovery timed out after 15 seconds
Oct 19 10:28:51 dryad realmd[4597]: explicitly releasing service: :1.188
Oct 19 10:28:51 dryad realmd[4597]: released daemon: :1.188

I talked to Patrick Uiterwijk from Fedora Infra and he told me this is a goa bug:

<puiterwijk> kparal: it looks like GOA is only checking for _kerberos._udp, but due to technical constraints we don't have that, and we only have _kerberos._tcp. This looks like a bug in GOA to me
<puiterwijk> Also, it should be looking for other records as well
<kparal> which records (asking so that I can write it into the bug report)?
<puiterwijk> It should also ask for _kerberos.fedoraproject.org as the URI-encoded KDC record
<puiterwijk> kparal: honestly, I think it shouldn't do any of the lookups itself and just use krb5-libs. But ah well

gnome-online-accounts-3.26.1-1.fc27.x86_64
realmd-0.16.3-7.fc27.x86_64
sssd-krb5-1.15.3-5.fc27.x86_64
krb5-workstation-1.15.2-2.fc27.x86_64
krb5-libs-1.15.2-2.fc27.x86_64
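Added example, not part of the original report and not GOA, realmd or krb5 code: the lookup order discussed in the IRC excerpt above, modelled over constructed DNS data. A lookup limited to _kerberos._udp finds nothing for a realm that publishes only _kerberos._tcp, while one that tries the _kerberos.<realm> URI record and then both SRV transports does. The zone contents, hostnames and function names are assumptions; the URI target format is MIT krb5's "krb5srv:flags:transport:residual".

```python
# Added example over constructed DNS data; ZONE, hostnames and function names
# are hypothetical. SRV weight-based selection is simplified to a plain sort.
ZONE = {
    # Constructed realm with only a TCP SRV record, as in the report.
    ("_kerberos._tcp.srvonly.example.test", "SRV"): [
        (10, 0, 88, "kdc2.srvonly.example.test"),  # (priority, weight, port, target)
        (0, 0, 88, "kdc1.srvonly.example.test"),
    ],
    # Constructed realm that publishes URI records.
    ("_kerberos.uri.example.test", "URI"): [
        (20, 1, "krb5srv::kkdcp:https://proxy.uri.example.test/KdcProxy"),
        (10, 1, "krb5srv:m:tcp:kdc1.uri.example.test"),  # (priority, weight, target)
    ],
}


def lookup(name, rtype):
    """Stand-in for a DNS query: an absent record type yields an empty list."""
    return ZONE.get((name, rtype), [])


def parse_krb5_uri(target):
    """Split 'krb5srv:flags:transport:residual' into (transport, residual, master)."""
    scheme, flags, transport, residual = target.split(":", 3)
    if scheme.lower() != "krb5srv" or transport.lower() not in ("udp", "tcp", "kkdcp"):
        raise ValueError(f"not a Kerberos URI record: {target!r}")
    return transport.lower(), residual, "m" in flags.lower()


def discover_udp_only(domain):
    """Lookup limited to _kerberos._udp, the behaviour described in the report."""
    srv = sorted(lookup(f"_kerberos._udp.{domain}", "SRV"))
    return [("udp", f"{host}:{port}") for _prio, _weight, port, host in srv]


def discover(domain):
    """Prefer URI records; otherwise collect SRV records for UDP, then TCP."""
    found = []
    for _prio, _weight, target in sorted(lookup(f"_kerberos.{domain}", "URI")):
        transport, residual, _master = parse_krb5_uri(target)
        found.append((transport, residual))
    if found:
        return found
    for proto in ("udp", "tcp"):
        srv = sorted(lookup(f"_kerberos._{proto}.{domain}", "SRV"))
        found += [(proto, f"{host}:{port}") for _prio, _weight, port, host in srv]
    return found
```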
This is happening on both F27 and updated F26. I had the account working recently, but had to remove it, and now it can't be added back.
My first instinct is that it looks a lot like: https://bugzilla.redhat.com/show_bug.cgi?id=1401605
Created attachment 362930
utils: Domain names may not have a dot; usernames shouldn't be empty
Created attachment 362931
kerberos: Re-write the account addition UI without realmd
Pushed to master. However, it adds the following string:
"_Principal": label for a text entry for entering a Kerberos principal
So, I will hold back a bit for translators to catch up on the stable branches before making a bug-fix release. In the meantime, downstream solutions can be arranged. ;)
Works for me. Thanks!