Bug 789187 - Fedora Kerberos account can't be added
Status: RESOLVED FIXED
Product: gnome-online-accounts
Classification: Core
Component: Kerberos
Version: 3.26.x
Hardware/OS: Other Linux
Importance: Normal normal
Assigned To: GNOME Online Accounts maintainer(s)
Reported: 2017-10-19 08:45 UTC by Kamil Páral
Modified: 2017-11-08 08:47 UTC
Attachments
utils: Domain names may not have a dot; usernames shouldn't be empty (956 bytes, patch)
2017-11-03 19:30 UTC, Debarshi Ray
committed
kerberos: Re-write the account addition UI without realmd (50.09 KB, patch)
2017-11-03 19:30 UTC, Debarshi Ray
committed

Description Kamil Páral 2017-10-19 08:45:33 UTC
Fedora Kerberos account can't be added to gnome-online-accounts (while others, like Red Hat account, work). kinit works well, the problem is just with goa. The journal prints:

Oct 19 10:28:20 dryad realmd[4597]:  * Resolving: _ldap._tcp.fedoraproject.org
Oct 19 10:28:20 dryad realmd[4597]:  * Resolving: _ldap._tcp.fedoraproject.org
Oct 19 10:28:20 dryad realmd[4597]: No DNS record of the requested type for “_ldap._tcp.fedoraproject.org”
Oct 19 10:28:20 dryad realmd[4597]:  * Resolving: fedoraproject.org
Oct 19 10:28:20 dryad realmd[4597]:  * Resolving: fedoraproject.org
Oct 19 10:28:20 dryad realmd[4597]: Resolving fedoraproject.org failed: No DNS record of the requested type for “_kerberos._udp.fedoraproject.org”
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 8.43.85.67
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 8.43.85.67
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 209.132.181.15
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 209.132.181.15
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 67.219.144.68
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 67.219.144.68
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 67.203.2.67
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 67.203.2.67
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 140.211.169.206
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 140.211.169.206
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 152.19.134.142
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 152.19.134.142
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 140.211.169.196
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 140.211.169.196
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 209.132.181.16
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 209.132.181.16
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 209.132.190.2
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 209.132.190.2
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 152.19.134.198
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 152.19.134.198
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 66.35.62.162
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 66.35.62.162
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2604:1580:fe00:0:dead:beef:cafe:fed1
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2604:1580:fe00:0:dead:beef:cafe:fed1
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2605:bc80:3010:600:dead:beef:cafe:feda
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2605:bc80:3010:600:dead:beef:cafe:feda
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2607:f188::dead:beef:cafe:fed1
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2607:f188::dead:beef:cafe:fed1
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2610:28:3090:3001:dead:beef:cafe:fed3
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2610:28:3090:3001:dead:beef:cafe:fed3
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2605:bc80:3010:600:dead:beef:cafe:fed9
Oct 19 10:28:20 dryad realmd[4597]:  * Performing LDAP DSE lookup on: 2605:bc80:3010:600:dead:beef:cafe:fed9
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]: socket closed or error
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:20 dryad realmd[4597]:  ! Can't contact LDAP server
Oct 19 10:28:35 dryad realmd[4597]:  ! Discovery timed out after 15 seconds
Oct 19 10:28:35 dryad realmd[4597]:  ! Discovery timed out after 15 seconds
Oct 19 10:28:51 dryad realmd[4597]: explicitly releasing service: :1.188
Oct 19 10:28:51 dryad realmd[4597]: released daemon: :1.188

I talked to Patrick Uiterwijk from Fedora Infra and he told me this is a goa bug:

<puiterwijk> kparal: it looks like GOA is only checking for _kerberos._udp, but due to technical constraints we don't have that, and we only have _kerberos._tcp. This looks like a bug in GOA to me
<puiterwijk> Also, it should be looking for other records as well
<kparal> which records (asking so that I can write it into the bug report)?
<puiterwijk> It should also ask for _kerberos.fedoraproject.org as the URI-encoded KDC record
<puiterwijk> kparal: honestly, I think it shouldn't do any of the lookups itself and just use krb5-libs. But ah well


gnome-online-accounts-3.26.1-1.fc27.x86_64
realmd-0.16.3-7.fc27.x86_64
sssd-krb5-1.15.3-5.fc27.x86_64
krb5-workstation-1.15.2-2.fc27.x86_64
krb5-libs-1.15.2-2.fc27.x86_64
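
The lookup order described in the chat excerpt above, as an added example that is not part of the original report or of GOA's code: a client that queries only `_kerberos._udp` finds nothing, while one that also tries the `_kerberos.REALM` URI record and `_kerberos._tcp` does. The zone, the realm `EXAMPLE.TEST` and all function names are constructed for illustration; the URI-before-SRV precedence follows MIT krb5's documented behaviour.

```python
# Added example: KDC discovery order over a constructed in-memory DNS zone.
# CONSTRUCTED_ZONE, lookup(), parse_uri() and discover_kdcs() are hypothetical.
# The zone mirrors the reported situation: no _kerberos._udp SRV record,
# only a _kerberos._tcp SRV record and a URI record. All names are made up.
CONSTRUCTED_ZONE = {
    ("_kerberos._tcp.example.test", "SRV"): ["0 0 88 kdc1.example.test."],
    ("_kerberos.example.test", "URI"): ['10 1 "krb5srv:m:tcp:kdc1.example.test"'],
}


def lookup(zone, name, rtype):
    """Stand-in for a DNS query; an absent record type yields an empty list."""
    return zone.get((name, rtype), [])


def parse_uri(rdata):
    """Parse 'priority weight "krb5srv:flags:transport:residual"'."""
    _prio, _weight, target = rdata.split(None, 2)
    parts = target.strip('"').split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        return None
    _scheme, _flags, transport, residual = parts
    if transport == "kkdcp":  # residual is the URL of an HTTPS KDC proxy
        return (transport, residual, None)
    host, _, port = residual.partition(":")  # IPv6 literals not handled here
    return (transport, host, int(port) if port else 88)


def discover_kdcs(zone, realm, srv_transports=("udp", "tcp"), use_uri=True):
    """Return (queried_name, transport, host, port) for each KDC found."""
    realm = realm.lower()
    found = []
    if use_uri:
        name = f"_kerberos.{realm}"
        for rdata in lookup(zone, name, "URI"):
            kdc = parse_uri(rdata)
            if kdc:
                found.append((name, *kdc))
    if found:  # URI results take precedence; SRV is only the fallback
        return found
    for transport in srv_transports:
        name = f"_kerberos._{transport}.{realm}"
        for rdata in lookup(zone, name, "SRV"):
            _prio, _weight, port, target = rdata.split()
            found.append((name, transport, target.rstrip("."), int(port)))
    return found


if __name__ == "__main__":
    print(discover_kdcs(CONSTRUCTED_ZONE, "EXAMPLE.TEST", ("udp",), False))
    print(discover_kdcs(CONSTRUCTED_ZONE, "EXAMPLE.TEST"))
```
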
Comment 1 Kamil Páral 2017-10-19 08:53:46 UTC
This is happening on both F27 and updated F26. I had the account working recently, but had to remove it, and now it can't be added back.
Comment 2 Debarshi Ray 2017-11-03 13:39:04 UTC
My first instinct is that it looks a lot like:
https://bugzilla.redhat.com/show_bug.cgi?id=1401605
Comment 3 Debarshi Ray 2017-11-03 19:30:39 UTC
Created attachment 362930
utils: Domain names may not have a dot; usernames shouldn't be empty
Comment 4 Debarshi Ray 2017-11-03 19:30:51 UTC
Created attachment 362931
kerberos: Re-write the account addition UI without realmd
Comment 5 Debarshi Ray 2017-11-07 16:13:13 UTC
Pushed to master.

However, it adds the following string:
  "_Principal": label for a text entry for entering a Kerberos principal

So, I will hold back a bit for translators to catch up on the stable branches before making a bug-fix release. In the meantime, downstream solutions can be arranged. ;)
Comment 6 Kamil Páral 2017-11-08 08:47:37 UTC
Works for me. Thanks!