fedora-silverblue / issue-tracker

Fedora Silverblue issue tracker
https://fedoraproject.org/atomic-desktops/silverblue/

Issues with Online Accounts and keyring #601

Open alexsaezm opened 2 months ago

alexsaezm commented 2 months ago

Describe the bug

Both 40 and 41 lack Kerberos tools to allow the login into Kerberos realms. Also, in 41 the keyring might be doing something odd, as Online Accounts cannot store the information and kinit/klist/kdestroy fail with:

klist: Connection refused while resolving ccache

Also, VSCode seems to have problems with tokens as well. This might not be related, as other applications, like Slack, seem to work.

To Reproduce

  1. Install Fedora Silverblue 41
  2. Try to log into a Fedora account using Online Accounts or kinit. Or any other Kerberos account.

Expected behavior

Fedora Workstation works.

Screenshots

[Screenshot From 2024-09-24 16-27-49]

OS version:

$ rpm-ostree status -b
State: idle
BootedDeployment:
● fedora:fedora/41/x86_64/silverblue
                  Version: 41.20240924.n.0 (2024-09-24T08:11:28Z)
               BaseCommit: fa1371df1ba32a0b7fd30e7dc4918c7c232e721680894e14135e564789db6cee
             GPGSignature: Valid signature by 466CF2D8B60BC3057AA9453ED0622462E99D6AD1
          LayeredPackages: fedora-packager-kerberos gnome-boxes krb5-workstation
            LocalPackages: 1password-8.10.44-1.x86_64 redhat-internal-cert-install-0.1-29.el7.noarch redhat-internal-NetworkManager-openvpn-profiles-0.1-62.el8.noarch slack-4.39.95-0.1.el8.x86_64

Additional context

Forum link: https://discussion.fedoraproject.org/t/fedora-41-impossible-to-log-with-fedora-project-account/131632/14

GNOME Issue: https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/issues/370

andyholmes commented 2 months ago

Additional error text for context:

(process:7420): libgoaidentity-DEBUG: 13:45:49.816: GoaIdentityService: asking to sign in
(process:7420): libgoaidentity-DEBUG: 13:45:49.817: GoaKerberosIdentityManager: signing in identity andyholmes@FEDORAPROJECT.ORG
(process:7420): libgoaidentity-DEBUG: 13:45:49.817: GoaKerberosIdentityManager: don't know if credential cache type (null) supports cache collections, assuming yes
(process:7420): libgoaidentity-DEBUG: 13:45:49.817: GoaKerberosIdentityManager:         Error creating new cache for identity credentials: Connection refused
(process:7420): libgoaidentity-DEBUG: 13:45:49.818: GoaKerberosIdentityManager: Waiting for next operation
(process:7420): libgoaidentity-DEBUG: 13:45:49.818: GoaIdentityService: could not sign in identity: Could not create credential cache for identity

The (null) credential cache type is probably the notable thing here.

travier commented 1 month ago

I have a slightly different error message:

$ KRB5_TRACE=/dev/stdout kinit "siosm@FEDORAPROJECT.ORG"
[4946] 1727685273.788384: Matching siosm@FEDORAPROJECT.ORG in collection with result: -1765328243/Can't find client principal siosm@FEDORAPROJECT.ORG in cache collection
[4946] 1727685273.788385: Getting initial credentials for siosm@FEDORAPROJECT.ORG
[4946] 1727685273.788387: Sending unauthenticated request
[4946] 1727685273.788388: Sending request (208 bytes) to FEDORAPROJECT.ORG
[4946] 1727685273.788389: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[4946] 1727685273.788390: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[4946] 1727685273.788391: Resolving hostname id.fedoraproject.org
[4946] 1727685274.222675: TLS certificate name matched "id.fedoraproject.org"
[4946] 1727685274.222676: Sending HTTPS request to https 38.145.60.20:443
[4946] 1727685274.222677: Received answer (255 bytes) from https 38.145.60.20:443
[4946] 1727685274.222678: Terminating TCP connection to https 38.145.60.20:443
[4946] 1727685274.222679: Response was from primary KDC
[4946] 1727685274.222680: Received error from KDC: -1765328359/Additional pre-authentication required
[4946] 1727685274.222683: Preauthenticating using KDC method data
[4946] 1727685274.222684: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[4946] 1727685274.222685: Received cookie: MIT
[4946] 1727685274.222686: PKINIT client has no configured identity; giving up
[4946] 1727685274.222687: Preauth module pkinit (147) (info) returned: 0/Success
[4946] 1727685274.222688: PKINIT client received freshness token from KDC
[4946] 1727685274.222689: Preauth module pkinit (150) (info) returned: 0/Success
[4946] 1727685274.222690: PKINIT client has no configured identity; giving up
[4946] 1727685274.222691: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials