With Denison Barobosa's guidance, I managed to create a Windows server and an Ubuntu client machine.
In the client I issue:

--->
# realm list
testdomain.com
  type: kerberos
  realm-name: TESTDOMAIN.COM
  domain-name: testdomain.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %u...@testdomain.com
  login-policy: allow-realm-logins

# login u...@testdomain.com
Password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-52-generic x86_64)
[...]
u...@testdomain.com@Jammy-client:~$ klist
Ticket cache: FILE:/tmp/krb5cc_746401104_JmHIJ0
Default principal: u...@testdomain.com

Valid starting       Expires              Service principal
31.03.2025 03:04:43  31.03.2025 13:04:43  krbtgt/testdomain....@testdomain.com
        renew until 01.04.2025 03:04:43
<---

Now I'm trying to figure out how exactly a browser enters this plot. It seems that client-side this would be straightforward to configure[1], but not nearly as much server-side. Maybe [2] is it, but again, advise if you have better ideas.

[1] https://docs.active-directory-wp.com/Networking/Single_Sign_On/Configure_browsers_to_use_Kerberos.html
[2] https://plugins.miniorange.com/guide-to-setup-kerberos-single-sign-sso

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1849346

Title:
  [snap] kerberos GSSAPI no longer works after deb->snap transition

Status in Mozilla Firefox:
  New
Status in snapd:
  New
Status in chromium-browser package in Ubuntu:
  In Progress
Status in firefox package in Ubuntu:
  In Progress

Bug description:
  I configure AuthServerWhitelist as documented:
  https://www.chromium.org/developers/design-documents/http-authentication

  and can see my whitelisted domains in chrome://policy/ but websites that used to work with SPNEGO/GSSAPI/kerberos no longer work.
  I'm guessing the snap needs some sort of permission to use the kerberos ticket cache (or the plumbing to do so doesn't exist...). I can confirm that Chrome has the desired behavior.