GNOME Bugzilla – Bug 592779
RFE: authenticate using Kerberos
Last modified: 2011-08-10 15:24:22 UTC
I have a Kerberos TGT. Why are you asking for my password?
*** Bug 597579 has been marked as a duplicate of this bug. ***
I noticed some tries to use kerberos login in logs while using openchange svn trunk (revision 1889), but I think it's there since OpenChange 0.9 or earlier. The only issue with a correct "realm", it seems, though that might be probably fetchable from the server, as I was told it should be the server.domain.ext or something similar for a kerberos login, and also the server should be its name, not IP. But I'm not sure with that. From a brief looking over samba4 and openchange sources I guess the libmapi uses a default value for krb5, which might be "user kerberos if available", thus please test this with actual evolution-mapi stable (0.30.1+) and openchange 0.9. You can also run evolution like: $ MAPI_DEBUG=10 evolution >&evo.log to see what is samba trying to do (search for "gssapi_krb5" in the log file). Though as evolution doesn't set the "realm", it would be probably easier to create a new profile for openchangeclient (through mapiprofile), with a realm set, and do something like: $ openchangeclient --debuglevel=10 --fetchsummary I do not have an environment to test this myself, thus I'll appreciate any help from you. Thanks in advance.
Closing this bug report as no further information has been provided. Please feel free to reopen this bug if you can provide the information asked for. Thanks!
please re-open, I have a kerberos related patch in the works and this bug seems like a good place to drop it :)
Here you are.
Created attachment 193473 [details] [review] patch 1/3 small api tweak used in later patches
Created attachment 193475 [details] [review] patch 2/3 The same data gets passed around in various places, this is an attempt to consolodate it, simplifying a number of APIs and making it easier to implement the kerberos changes without adding even more parameters to various functions.
Created attachment 193476 [details] [review] patch 3/3 This is the big one. A considerable amount of review would be a good idea, especially with the asynchronous backend stuff.
Thanks for the patch. The calendar didn't work due to change in ecbm_op_authenticate_user, which had opposite condition. I removed that code completely, because you made sure that the auth-required is not called for kerberos authentications. I also fixed the configuration UI, to show the realm edit, and reordered them slightly, to see that realm has only meaning with Kerberos authentication enabled. Then some wrapping with parameters, I do not like that, I prefer longer lines, at least till it fits my screen resolution. It's usually better when grepping for something.
Created commit 6e731ab in ema master (3.1.5+)