Authentication window for GAL

Hi,

OS: Fedora 37
Evolution: 3.46.4
gnome-shell: 43.4

With the update of GNOME to version 43 on a Fedora 37 system, the message that authentication is required for the GAL, and in general for the evolution-ews account, appears several times a day.

The dialog asks to save the credentials in the keyring, but they are already present:

Feb 28 10:08:19 fedoralap gnome-keyring-daemon[2120]: asked to register item /org/freedesktop/secrets/collection/login/1, but it's already registered

Any idea how to debug this any further?

Bye
Helge

Hi,
I guess you face a variant of:

but there landed some fixes for it in the 3.46.3 of the
evolution-data-server, which you have included in the 3.46.4 version.

See

for commands to run with OAuth2 debugging on. You might enable also EWS
debugging, with EWS_DEBUG=2 environment variable set. Do not share the
log anywhere, especially the OAuth2 logging exposes a lot of private
information, including tokens. You can verify with that what the server
does not like (for that is that EWS_DEBUG=2).

Maybe there’s a problem with the keyring. A restart of the
evolution-source-registry (and other background processes) may make it
work, if it’s it. You can restart all of them with:

evolution --force-shutdown

It usually helps, when the libsecret has lost connection to
the gnome-keyring-daemon. Nonetheless, I do not know whether it’s it or
not; I also did not see any such report in a long time.

Bye,
Milan
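
One way to scrub such a log before any part of it is posted, as an added example that is not part of the original thread or of Evolution itself. It assumes the libsoup `> ` / `< ` line prefixes shown in this thread; the sample log is constructed, and where OAuth2 token fields appear in Evolution's debug output is an assumption.

```python
import re

# Keep the auth scheme (useful for diagnosis), drop the credential after it.
SCHEME_HEADERS = {"authorization", "proxy-authorization", "www-authenticate"}
# Values replaced wholesale: session secrets and site-identifying headers.
OPAQUE_HEADERS = {"cookie", "set-cookie", "host", "x-feserver", "request-id"}

# libsoup's logger prefixes request lines with "> " and response lines with "< ".
HEADER_RE = re.compile(r"^([<>] )([A-Za-z0-9-]+): (.*)$")
SYNCSTATE_RE = re.compile(r"(<(?:\w+:)?SyncState>)[^<]*(</)")
# RFC 6749 field names; where they appear in the OAuth2 debug output is assumed.
TOKEN_RE = re.compile(
    r'("?(?:access_token|refresh_token|id_token)"?\s*[:=]\s*"?)[^"&\s,}]+')


def redact_line(line: str) -> str:
    m = HEADER_RE.match(line)
    if m:
        prefix, name, value = m.groups()
        if name.lower() in OPAQUE_HEADERS:
            value = "<redacted>"
        elif name.lower() in SCHEME_HEADERS:
            # "NTLM <blob>" -> "NTLM <redacted>"; a bare "Negotiate" is kept.
            scheme, _, credential = value.partition(" ")
            value = f"{scheme} <redacted>" if credential else scheme
        return f"{prefix}{name}: {value}"
    line = SYNCSTATE_RE.sub(r"\1<redacted>\2", line)
    return TOKEN_RE.sub(r"\1<redacted>", line)


def redact_log(text: str) -> str:
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample in the format shown in this thread; all values are fake.
SAMPLE = """\
> POST /EWS/Exchange.asmx HTTP/1.1
> Host: mail.example.test
> Authorization: NTLM VGhpc0lzQUZha2VUb2tlbg==
> <m:SyncState>RmFrZVN0YXRl</m:SyncState>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: NTLM RmFrZUNoYWxsZW5nZQ==
< WWW-Authenticate: Negotiate
{"access_token":"fake.jwt.value","expires_in":3600}"""

if __name__ == "__main__":
    print(redact_log(SAMPLE))
```

The scheme names and status lines survive, so the scrubbed log still shows which authentication method the server offered and rejected.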

Hi Milan,

thank you very much for your detailed answer. I could not find the error and have set up the account again. The error remains. When starting evolution with EWS_DEBUG=2:

EWS_DEBUG=2 evolution >& logfile

Unfortunately, I am unable to interpret the log file but there are a lot of 401 errors. So for every 200, there is a 401?

➜  ~ grep -F '401 Unauthorized' logfile | wc -l
20
➜  ~ grep -F '200 OK' logfile | wc -l  
19
➜  ~ 

The first entry is:

> POST /EWS/Exchange.asmx HTTP/1.1
> Soup-Debug-Timestamp: 1678037811
> Soup-Debug: ESoupSession 1 (0x5601xx), SoupMessage 1 (0x5601xx), GSocket 1 (0x7f498xx)
> Cache-Control: no-cache
> Pragma: no-cache
> Content-Type: text/xml; charset=utf-8
> Content-Length: 2683
> User-Agent: Evolution/3.46.4
> Connection: Keep-Alive
> Accept-Encoding: gzip, deflate, br
> Accept-Language: de-de, de;q=0.9
> Host: <redacted>
> Authorization: <redacted>
> 
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><types:RequestServerVersion xmlns:types="http://schemas.microsoft.com/exchange/services/2006/types" Version="Exchange2007_SP1"/></SOAP-ENV:Header><SOAP-ENV:Body xmlns:messages="http://schemas.microsoft.com/exchange/services/2006/messages"><messages:SyncFolderHierarchy xmlns="http://schemas.microsoft.com/exchange/services/2006/types"><messages:FolderShape><BaseShape>AllProperties</BaseShape><AdditionalProperties><ExtendedFieldURI PropertyTag="4340" PropertyType="Boolean"/></AdditionalProperties></messages:FolderShape><messages:SyncState>xxx</messages:SyncState></messages:SyncFolderHierarchy></SOAP-ENV:Body></SOAP-ENV:Envelope>
  

** (process:2): WARNING **: 18:36:51.877: Error writing credentials to socket: Fehler beim Senden der Nachricht: Datenübergabe unterbrochen (broken pipe)
< HTTP/1.1 401 Unauthorized
< Soup-Debug-Timestamp: 1678037811
< Soup-Debug: SoupMessage 1 (0x5601xx)
< Server: Microsoft-IIS/10.0
< WWW-Authenticate: NTLM ..............EAAAAA
< WWW-Authenticate: Negotiate
< Date: Sun, 05 Mar 2023 17:36:50 GMT
< Content-Length: 0
< request-id: xxxx
< x-owa-version: 15.1.2507.21
< x-powered-by: ASP.NET
< x-feserver: xxx

I think our Exchange admin has changed a security setting so that certain areas no longer work via NTLM but require Kerberos. I can’t describe it any better, but will ask him tomorrow. That could be the problem here, right?

> there are a lot of 401 errors. So for every 200, there is a 401?

Hi,

it’s okay to see the 401-s in the log, it’s what the NTLM
authentication method does.

> ** (process:2): WARNING **: 18:36:51.877: Error writing credentials
> to socket: Fehler beim Senden der Nachricht: Datenübergabe
> unterbrochen (broken pipe)

The above is a problem, you should fix it first. Or, it depends what
writes it. The “process:2” sounds weird. It looks like the process
failed to write to libsecret, and/or gnome-keyring, which might mean
the gnome-keyring-daemon experiences a problem. Could it crash in the
background?
Bye,
Milan
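
Counting `401` and `200` lines with grep cannot tell NTLM challenge legs apart from requests the server finally rejected; grouping responses per request can. The following is an added example, not code from the thread or from Evolution. It assumes libsoup keeps the same `SoupMessage` number when it re-sends a request with credentials, and the sample log is constructed.

```python
import re

STATUS_RE = re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})")
MSG_RE = re.compile(r"^< Soup-Debug: SoupMessage (\d+)")


def status_history(log_text):
    """Map SoupMessage number -> list of response status codes, in log order."""
    history = {}
    pending = None          # status line seen, SoupMessage header not yet
    for line in log_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            pending = int(m.group(1))
            continue
        m = MSG_RE.match(line)
        if m and pending is not None:
            history.setdefault(int(m.group(1)), []).append(pending)
            pending = None
    return history


def classify(history):
    """Return (handshake_only, rejected) lists of SoupMessage numbers.

    A message whose 401s are followed by another status only went through
    the challenge/response legs. A message whose last response is 401 was
    rejected (or the log was cut off before the final leg).
    """
    handshake, rejected = [], []
    for msg_id, codes in history.items():
        if 401 in codes:
            (rejected if codes[-1] == 401 else handshake).append(msg_id)
    return handshake, rejected


# Constructed sample: message 1 completes, message 2 is refused, message 3
# reuses an already authenticated connection.
SAMPLE = "\n".join([
    "< HTTP/1.1 401 Unauthorized", "< Soup-Debug: SoupMessage 1 (0xaaaa)",
    "< HTTP/1.1 200 OK",           "< Soup-Debug: SoupMessage 1 (0xaaaa)",
    "< HTTP/1.1 401 Unauthorized", "< Soup-Debug: SoupMessage 2 (0xbbbb)",
    "< HTTP/1.1 401 Unauthorized", "< Soup-Debug: SoupMessage 2 (0xbbbb)",
    "< HTTP/1.1 200 OK",           "< Soup-Debug: SoupMessage 3 (0xcccc)",
])

if __name__ == "__main__":
    ok, failed = classify(status_history(SAMPLE))
    print("handshake only:", ok, "rejected:", failed)
```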

Hi,

That’s really weird, because I can’t reproduce this error message any more, but the issue stays the same.

In one of the authentication windows, I changed the username. The Exchange server accepts both the email address and the sAMAccountName. Afterwards, this entry is correct in the gnome keyring under “Evolution Data Source ‘Global Address List’ (Address Book - ews)”. After a certain time the GAL shows this error message:

 »GAL konnte nicht aktualisiert werden:Legitimation gescheitert«
translated: "Failed to update GAL: Authentication failed"

> In one of the authentication windows, I changed the username. The
> Exchange server accepts both the email address and the
> sAMAccountName. Afterwards, this entry is correct in the gnome
> keyring under “Evolution Data Source ‘Global Address List’ (Address
> Book - ews)”.

Hi,

there should not be any such entry, but if you changed the user name
only for the GAL, then it makes sense, because it cannot share the
credentials with the main EWS account and has stored its own password.

> After a certain time the GAL shows this error message:
> »GAL konnte nicht aktualisiert werden:Legitimation gescheitert«
> translated: “Failed to update GAL: Authentication failed”

The GAL authentication issues are discussed within lengthy

as one subpart of it. The bug is closed due to other fixes being
committed for it. I was not able to reproduce the GAL problem yet.
Bye,
Milan

Hi Milan,

thanks again. I am not sure if #208 is the same issue. In my case, I did not receive any GAL entries at all?

Hi,
you are right, the #208 was more about OAuth2, while you seem to use
NTLM, if I’m not mistaken.

There is that problem with your gnome-keyring-daemon, which should be
sorted out first. That’s an obvious problem. Fixing it will get it out
of the equation, which can help. When entering a password in the
Evolution, it is saved into the keyring, after which
evolution-addressbook-factory (a different process) reads the password
from there and uses it. If the keyring cannot save passwords (for the
other process), then this inter-process exchange of the secret cannot
work.

Bye,
Milan
