> I then ran 'kinit' in order to get a
> new TGT:
> 
> Then I opened up Firefox and navigated to an internal site which
> requires Kerberos and got an HTTP 401 error.
>
> I also tried 'FILE:/run/user/%{euid}/krb5cc' but have the same issue.


I suspect that won't update the Kerberos variable in the environment. Please
check whether the value of

< /proc/"$(pgrep firefox)"/environ xargs -0L1 | grep KRB

reflects the updated or the old value. If the latter, simplest is to log out and
in again so the whole environment gets hold of the updated variable.

> > That is a reasonable expectation, but in snaps /tmp just cannot work
> > since every snap has a private tmp. Yes, we do not want to pollute
> > people's home directory and that's not what we're going for as per my
> > last comment. It's just the easy way for testing.
> 
> There's no way to punch a hole for a specific file path?  That's too
> bad.

Yes in general, but /tmp is special, see [1]. Maybe you would be interested in
this bypass[2].

[1] https://ubuntu.com/core/docs/security-and-sandboxing
[2] https://askubuntu.com/questions/1263843/how-to-allow-snap-applications-to-access-tmp-folder

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1849346

Title:
  [snap] kerberos GSSAPI no longer works after deb->snap transition

Status in Mozilla Firefox:
  New
Status in snapd:
  New
Status in chromium-browser package in Ubuntu:
  In Progress
Status in firefox package in Ubuntu:
  In Progress

Bug description:
  Workaround
  ----------

  Add

    default_ccache_name = FILE:/run/user/%{euid}/krb5cc

  to the [libdefaults] section of /etc/krb5.conf so that the Kerberos
  credentials are stored in a file path a snapped application can read.

  Acknowledgement: For many that can't work for {different reasons}, as
  stated in multiple comments below. Nonetheless it is worth a mention.

  Original report
  ---------------

  I configure AuthServerWhitelist as documented:

  https://www.chromium.org/developers/design-documents/http-authentication

  and can see my whitelisted domains in chrome://policy/

  but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
  work. I'm guessing the snap needs some sort of permission to use the
  kerberos ticket cache (or the plumbing to do so doesn't exist...).

  I can confirm that Chrome has the desired behavior.
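
The environment check suggested in the reply above, combined with the workaround from the bug description, as an added example (not part of the original message or of any project's code): it reads KRB5CCNAME from a process's environ and compares it with the expanded default_ccache_name value. The function names and the sample environ contents are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic; function names are hypothetical, sample data is constructed.

# Print KRB5CCNAME from a NUL-separated environ file (/proc/<pid>/environ).
# Prints nothing when the variable is not set in that process.
ccache_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5CCNAME=//p' | head -n 1
}

# Expand the %{euid} token of a default_ccache_name value. $1=value $2=uid
expand_ccache_template() {
    printf '%s\n' "$1" | sed "s/%{euid}/$2/g"
}

# Compare what a process inherited with what krb5.conf now names.
# $1=environ file  $2=default_ccache_name value  $3=uid
check_process_ccache() {
    seen=$(ccache_from_environ "$1")
    want=$(expand_ccache_template "$2" "$3")
    if [ -z "$seen" ]; then
        echo "unset"        # no override: the library uses the krb5.conf default
    elif [ "$seen" = "$want" ]; then
        echo "current"
    else
        case "${seen#FILE:}" in
            /tmp/*) echo "stale-tmp" ;;  # old value under /tmp, private per snap
            *)      echo "stale" ;;
        esac
    fi
}

# Live use: pgrep may return several PIDs, so check each one.
report_firefox() {
    for pid in $(pgrep firefox); do
        printf '%s %s\n' "$pid" \
            "$(check_process_ccache "/proc/$pid/environ" "$1" "$(id -u)")"
    done
}

# Constructed sample: a process started before the krb5.conf change.
sample=$(mktemp)
printf 'HOME=/home/u\0KRB5CCNAME=FILE:/tmp/krb5cc_1000\0LANG=C\0' > "$sample"
check_process_ccache "$sample" 'FILE:/run/user/%{euid}/krb5cc' 1000
rm -f "$sample"
```

On a live system, `report_firefox 'FILE:/run/user/%{euid}/krb5cc'` prints one line per matching PID; any result other than `current` or `unset` means the process still carries the old cache location.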
