thunderbird gives bad error if kerberos tickets are expired or nonexistant

RESOLVED FIXED

Status

defect
RESOLVED FIXED
13 years ago
9 years ago

People

(Reporter: jeaton, Assigned: BenB)

Tracking

(Blocks 1 bug)

unspecified
Dependency tree / graph
Bug Flags:
blocking-thunderbird3 -
wanted-thunderbird3 -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Reporter

Description

13 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Build Identifier: version 1.5.0.2 (20060308)

If Thunderbird is configured to use GSSAPI authentication on OS X, and the user does not have tickets or has expired tickets, an error dialog with the following is presented:

You cannot log in to SERVERNAME because you have enabled secure authentication and this server does not support it.  To log in, turn off secure authentication for this account.

First, the error message is a lie, sicne the server does indeed support secure authentication (via GSSAPI).  However, Thunderbird should not simply fail, but should instead use the appropriate function call to have the OS bring up the Kerberos login dialog.  I believe that on Windows, when using MIT Kerberos for Windows, Thunderbird does the correct thing.

Reproducible: Always

Steps to Reproduce:
1. Configure Thunderbird to authenticate via GSSAPI
2. Don't get tickets.
3. Launch Thunderbird and see the error dialog.



Expected Results:  
Prompt the user to get Kerberos tickets via the OS provided interface.

Comment 1

13 years ago
The prompting problem should be fixed on the trunk by bug #307788 - this fix hasn't been pulled into
the 1.5 releases, as there was a desire to get more test exposure.

The poor quality error message is a problem. I'll claim this bug and have a look at sorting the code so
it can tell the difference between SASL mechanisms failing, and not being supported at all.
Assignee: dveditz → simon
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 3

11 years ago
2.0.0.8 and higher should work according bug 307788
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 307788

Comment 4

11 years ago
This bug is tracking the problem with the quality of the error messages when a SASL mechanism fails, not the issue with ticket prompting. This is still an issue - you can't tell when a mechanism has failed, and when one just isn't supported.

Reopening, de-duplicating.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Updated

11 years ago
Status: REOPENED → ASSIGNED

Comment 5

10 years ago
Reproduced with thunderbird-2.0.0.19-1.fc10.x86_64
Suggesting to switch Kerberos authentication just because my ticket has expired (and not telling me that -- even I could parse output of klist if worst comes to worst, but I guess Kerberos library provides better way how to do it), saying that is total crazy talk.

Updated

10 years ago
Flags: wanted-thunderbird3?
Flags: blocking-thunderbird3?

Comment 6

10 years ago
... and it is not platform dependent .. reproduced on Fedora 10

Updated

10 years ago
OS: Mac OS X → All
Hardware: PowerPC → All

Comment 7

10 years ago
Yes, this is a general problem.

The big issue is that at the moment, we don't get told that you _wanted_ to try Kerberos authentication, and there are a huge number of servers on the net that claim to support GSSAPI, but just don't. So, we try GSSAPI whenever we can, but hide the errors from the user and move on. If we can't move on, as in this case, the default error message comes up.

None of this is ideal. I've got another bug open which concerns adding UI so that the user will explicitly request Kerberos - that will allow us to give users who know they are using Kerberos better errors when it fails.
Simon, is this still true in shredder nightlies?  It's a bit hard to figure out from this bug.  What's the other bug about the UI?  Denying blocking or wanted status for now, could reconsider w/ more info.
Flags: wanted-thunderbird3?
Flags: wanted-thunderbird3-
Flags: blocking-thunderbird3?
Flags: blocking-thunderbird3-

Comment 9

10 years ago
David it is true for latest nightlies. It just silently fails for my case and tried next authentication.
http://groups.google.com/group/mozilla.dev.apps.thunderbird/browse_thread/thread/bbae709de00d623e

Comment 10

10 years ago
David, other bug about UI is bug 370178

Updated

10 years ago
Blocks: 495412
Assignee

Updated

10 years ago
Blocks: 524698
Assignee

Updated

10 years ago
Assignee: simon → ben.bucksch
Blocks: 525238
Assignee

Comment 11

10 years ago
The patch in bug 525238 has the groundwork for this.
Assignee

Updated

10 years ago
No longer blocks: 525238
Depends on: 525238
Assignee

Comment 12

9 years ago
This should be fixed as part of bug 525238.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago9 years ago
Resolution: --- → FIXED
Assignee

Updated

9 years ago
No longer blocks: 495412
You need to log in before you can comment on or make changes to this bug.