[Desktop-packages] [Bug 1849346] Re: [snap] kerberos GSSAPI no longer works after deb->snap transition

Tue, 01 Apr 2025 23:40:46 -0700 

> This did not work for me with Firefox on Ubuntu 24.04.

That was where I tested it.

What exactly "not work" means here, i.e., what exactly did you do? In
your last comment you set default_ccache_name to a different directory
than what I tried in my test case. Did you reboot after the change, did
you verify the tickets were created in the new location, or were they
still in the old place?

> Certainly no one should have to pollute their home directory with what
should be an ephemeral file, and I'd expect the default location as per
the kinit(1) manual page, 'FILE:/tmp/krb5cc_%{uid}', to work.

That is a reasonable expectation, but in snaps /tmp just cannot work
since every snap has a private tmp. Yes, we do not want to pollute
people's home directory and that's not what we're going for as per my
last comment. It's just the easy way for testing.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1849346

Title:
  [snap] kerberos GSSAPI no longer works after deb->snap transition

Status in Mozilla Firefox:
  New
Status in snapd:
  New
Status in chromium-browser package in Ubuntu:
  In Progress
Status in firefox package in Ubuntu:
  In Progress

Bug description:
  Workaround
  ----------

  Execute

    echo 'default_ccache_name = FILE:/home/%{username}/krb5cc' >>
  /etc/krb5.conf

  so that the Kerberos credentials are stored in a file path a snapped
  application can read.

  Acknowledgement: For many that can't work for {different reasons}, as
  stated in multiple comments below. Nonetheless it is worth a mention.

  Original report
  ---------------

  I configure AuthServerWhitelist as documented:

  https://www.chromium.org/developers/design-documents/http-
  authentication

  and can see my whitelisted domains in chrome://policy/

  but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
  work. I'm guessing the snap needs some sort of permission to use the
  kerberos ticket cache (or the plumbing to do so doesn't exist...).

  I can confirm that Chrome has the desired behavior.

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1849346/+subscriptions


-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to