Closed Bug 576490 Opened 14 years ago Closed 10 years ago

Notify user when Kerberos failed that usernames (principial) are case-sensitive

Categories

(Thunderbird :: Account Manager, enhancement)

Product:
Thunderbird
Component:
Account Manager
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: shopik, Unassigned)

Details

Attachments

(1 file)

update error message
5.94 KB, patch
BenB
: review-
Details | Diff | Splinter Review 
Currently error message looks like this "Please check that you are logged in to the Kerberos/GSSAPI realm." 
I suggest add note that username are case-sensitive.
Please check that you are logged in to the Kerberos/GSSAPI realm. User name are case-sensitive.
Depends on: 525238
No longer depends on: 525238
Summary: Notify user when Kerberos failed what username(principial) are case-sensetive → Notify user when Kerberos failed that usernames (principial) are case-sensitive
Wayne, Ludo,
Any thoughts how this should be re-worded if need? If it sounds fine I'll attach patch to change string.
Looks fine by me. Proceed with the patch.
not sure who should done string review
Attachment #459777 - Flags: review?
Status: NEW → ASSIGNED
I don't think this is necessary. Usernames are generally always case-sensitive. The login happens at the OS level, and the login UI of the OS is responsible for telling users such details.

More importantly, the username case is a setup problem. However, this UI regularly comes up during everyday use when the users ticket expired or he has not yet logged in (via the OS). In other words, this msg is the equivalent of "please enter your password", in an app that can't store passwords.

It's inappropriate to clutter this frequent message with notes about potential setup problems that we don't even know are the problem here at all.

So, I don't think this message should be changed.
Do use the username at all? We have a field, but I'm not sure its content actually makes a difference. If so, wouldn't it be better to add the note where you enter the username?
Attachment #459777 - Flags: review-
> he has not yet logged in (via the OS).

ops, I might be confused about this.
(In reply to comment #4)
> I don't think this is necessary. Usernames are generally always case-sensitive.
> The login happens at the OS level, and the login UI of the OS is responsible
> for telling users such details.
MS Windows allow case insensitive user names to log in.

> Do use the username at all? We have a field, but I'm not sure its content
> actually makes a difference. 
I've usually setup username via environment variable %USERNAME% in windows. It does make difference for example I may enter username@REALM.TLD, and it will send request for such principal. I think it suppose to be working with cross-realm setups, but I not tried it.

>If so, wouldn't it be better to add the note where you enter the username?

Yeah I do agree this maybe better place to advertise about potential problems.
Can you please describe when there is an actual problem? Does the username field in Thunderbird (and its case) make any difference?
Changing case of username, make login fail. 
nshopik - working
Nshopik - fail
nshopik@REALM.TLD - working
nshopik@relam.tld - fail(which is fine, realm always upper-case)

Error message looks kinda strange. The Kerberos/GSSAPI ticket was not accepted by the IMAP server Nshopik@realm.tld. Where Nshopik@realm.tld is account name not hostname of IMAP server.
> Changing case of username, make login fail.

In Thunderbird username field, I assume.
Which Kerberos lib is that?

> Nshopik@realm.tld is account name not hostname of IMAP server.

Ah, I guess we could add "for" in the (English) msg, i.e.:
"The Kerberos/GSSAPI ticket was not accepted by the IMAP server for nshopik@REALM.TLD. ..."

BTW: To change strings, we need to change the string ID (and therefore the code) as well, otherwise other locales will not pick up the change.
(In reply to comment #9)
> > Changing case of username, make login fail.
> 
> In Thunderbird username field, I assume.
> Which Kerberos lib is that?

I did tried MIT on Windows 7 and Domain joined Windows 2003 client. I think problem itself lies in Windows itself. 
MIT lib will try get TGT for default identity and if username in Thunderbird doesn't match default identity it will fail.
In vanilla Windows Kerberos lib TGT always given to lower case username if it created as lower case, and if username created as UPPERCASE it will always be uppercase regardless username during OS login screen.
Did additional test on linux machine with MIT installed. Tried different case for OS login and TGT issues correctly according OS login case.
What windows machine is doing during OS login is setting FLAG canonicalize for AS-REQ, and thus different username in AS-REP.
Nikolay, you're saying it works on Linux with MIT Kerberos libs regardless of case of username? But not in Windows?
Ben, if I log in into Linux with username _NSHOPIK_ and Thunderbird will have same username it will work correctly, but entering _nshopik_ in thunderbird make login fail.
If I log in into Windows with username _NSHOPIK_ and Thunderbird will have same username it will fail to log in, because TGT is for username _nshopik_.
Comment on attachment 459777 [details] [diff] [review]
update error message

I'm not sure what happened with the review flags here, but clearing empty request flag as it won't get looked at. Please re-request if necessary.
Attachment #459777 - Flags: review?
After discussions with Ben, decisions was made not update error message but find better place to notify user about that.
Status: ASSIGNED → NEW
(In reply to Nikolay Shopik from comment #15)
> After discussions with Ben, decisions was made not update error message but
> find better place to notify user about that.

Have you identified such a place?
Flags: needinfo?(shopik)
It would help to have an actual reproduction, including all steps in Windows and in Thunderbird, from the setup to when the problem appears, every click. Then show in which step the user made a mistake and what would have been the correct entry.
What steps exactly are you looking for? Its simple as title says, if you are using GSSAPI, your username are case-sensitive, that's it
Flags: needinfo?(shopik)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
All clicks and keyboard entries that you need to do, from a fresh (newly installed) Windows, to seeing the bug.
(In reply to Ben Bucksch (:BenB) from comment #19)
> All clicks and keyboard entries that you need to do, from a fresh (newly
> installed) Windows, to seeing the bug.

There is just one step and simple as entering in username field "Shopik" instead of "shopik" and it fails with generic message, which I suggest to improve to give user a clue, that usernames are case-sensitive.
Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---
I have no idea what you're talking about. Not even where that "username field" is that you're talking about. And you definitely need to enter a password *somewhere*, probably not in Thunderbird, but somewhere else.
I have no idea what is in your head unless you spell it out, *all* of it. I need to understand the context.

From a fresh Windows with fresh Thunderbird, there are many more steps to set up Kerberos on that machine, and setting up Thunderbird with Kerberos. I need every single step described.
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: