Re: [Evolution] Kerberos credentials for more than e-mail with evolution-ews?

[Paul Graham <pgrahamdev gmail com>]

Milan,

Thanks for the explanation.  It makes sense that GNOME is starting up
some Evolution processes at session startup, which wouldn't have a
valid Kerberos ticket.  I tried running the "evolution
--force-shutdown" after getting the Kerberos ticket but before
starting Evolution and that did prevent the "Reconnect" messages from
coming up.

A few other things to pass on.  While it does look like the various
processes do find out that a Kerberos ticket is available (things work
just fine if I just hit the "X" instead of "Reconnect" to dismiss all
of the messages), the "stale" Reconnect messages react in a way that
is a little surprising.  Basically, when I hit "Reconnect" for the
first resource (contacts, calendar, etc.), it acts as if it doesn't
actually recognize that there is a valid Kerberos ticket available
already and asks for my credentials.  I would have expected Evolution
to check to see if a valid Kerberos ticket was available before asking
for my credentials.  Once I provide my credentials for the first
resource, the remaining resources with "Reconnect" messages don't
prompt me for my credentials when I hit "Reconnect", which is good and
expected.  I looked at the Kerberos tickets before and after doing the
first "Reconnect" and they didn't change as a result of providing my
credentials, so I am not exactly sure what providing my credentials
even did.

Anyway, thanks for the information--you explained a lot and it seems
like I can dismiss the "Reconnect" messages without any problems when
I have a Kerberos ticket in place already or I can clean up the
Evolution processes with "evolution --force-shutdown" before starting
Evolution.

Thanks!

Paul

On Mon, Aug 31, 2020 at 9:54 AM Milan Crha via evolution-list
<evolution-list gnome org> wrote:
> On Mon, 2020-08-31 at 09:05 -0600, Paul Graham wrote:
> > I see this issue even when I have just come up
> > from a new system startup, so there shouldn’t be any additional
> > evolution programs running.
>
>         Hi,
> there can be multiple programs/services starting the evolution-data-
> server background processes. One can be evolution-alarm-notify (which
> is started after login by default), another is GNOME Shell's calendar
> server (if you run GNOME), other desktop environments can have their
> own services running it.
>
> > the message also has the message "No response: OK".
>
> This should not happen, it looks like a bug.
>
> > I generally have the Kerberos authentication tickets established
> > before running Evolution, so I don't know why I get the reconnect
> > messages at all--maybe some old messages or a race condition of some
> > sort.  It is good to know, though, that I can safely ignore them
> > since the connections to all of the Exchange resources seem to work
> > with Kerberos.
>
> I guess that one of the aforementioned processes started after login,
> and it also started evolution-source-registry, where the EWS account
> tries to refresh list of available folders (being it calendars, books,
> ...), but it fails due to non-existent or expired Kerberos token. This
> is remembered and it's waiting for a signal that the token is available
> (it's waiting basically for the Reconnect, with the token available).
> The Evolution (and some other applications) can respond to such
> credentials requests, thus, in this case Evolution, shows the prompt
> for the reconnect (it cannot ask for the Kerberos ticket directly). As
> you have the valid Kerberos ticket the Reconnect should work. Depending
> on the order you can reconnect with the main account source, which
> spreads the good news to the other sources and the 'Reconnect' notices
> will disappear on their own. In the theory.
>
> If you want to give it a little test, then I suggest you expire your
> token (`kdestroy`, or try it another day), then log in, set the
> Kerberos ticket and then run from a terminal:
>
>    $ evolution --force-shutdown
>
> This will stop any running (background) processes, thus they will start
> on demand from fresh, this time with available Kerberos ticket, thus
> they should not claim any credentials-related issue. You'll see when
> you run Evolution.
>
> That being said, the background processes try to connect to the server
> when the Kerberos ticket is not available yet, then it doesn't know
> that the ticket is available and they keep waiting for the explicit
> 'Reconnect'.
>         Bye,
>         Milan
>
> _______________________________________________
> evolution-list mailing list
> evolution-list gnome org
> To change your list options or unsubscribe, visit ...
> https://mail.gnome.org/mailman/listinfo/evolution-list