The magic disappears in Firefox's AppArmor profile, which doesn't allow
it to access `/tmp/krb5cc_*`. As an easy workaround until the Snap
configuration is fixed, edit `/etc/krb5.conf` to relocate your Kerberos
ticket cache somewhere Firefox *can* access it:

```
[libdefaults]
        default_ccache_name = FILE:/home/%{username}/krb5cc
```

(Don't forget to re-`kinit`.)

---

In addition to the AppArmor problems, the snap is also missing the
`krb5/plugins/tls/k5tls.so` module that's required to access KDCs via
MS-KKDCP (aka KdcProxy). Now _most_ realms should work fine without the
k5tls plugin, but in some cases it might be necessary to manually
specify non-proxied KDC hostnames in krb5.conf `[realms]`. (If you're
using Azure AD Kerberos, you're out of luck.)

The magic environment variables to reveal such problems are
`KRB5_TRACE=/dev/stderr NSPR_LOG_MODULES=negotiateauth:5`.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1849346

Title:
  [snap] kerberos GSSAPI no longer works after deb->snap transition

Status in Mozilla Firefox:
  New
Status in chromium-browser package in Ubuntu:
  Triaged
Status in firefox package in Ubuntu:
  Triaged

Bug description:
  I configure AuthServerWhitelist as documented:

  https://www.chromium.org/developers/design-documents/http-
  authentication

  and can see my whitelisted domains in chrome://policy/

  but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
  work. I'm guessing the snap needs some sort of permission to use the
  kerberos ticket cache (or the plumbing to do so doesn't exist...).

  I can confirm that Chrome has the desired behavior.

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1849346/+subscriptions


-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to