>After
>
> default_ccache_name = FILE:/home/%{username}/krb5cc
>
>this works. So let me first of all put this in the bug report description.
This did not work for me with Firefox on Ubuntu 24.04. Worth noting
that manually copying the file into the sandbox worked on Ubuntu 22.04
but not on 24.04 (see previous comment). This leads me to believe that
the issue on 24.04 is not just file access, but something else as well.
>I do read many comments that say that changing default_ccache_name is
not an option. But as they do not state what that is for them, so I
don't have much of an idea of what are the most common scenarios to
target first, although I'd guess it's really /tmp.
Certainly no one should have to pollute their home directory with what
should be an ephemeral file, and I'd expect the default location as per
the kinit(1) manual page, 'FILE:/tmp/krb5cc_%{uid}', to work.
> *Ship the configuration with default_ccache_name set to
$XDG_RUNTIME_DIR (or some path under it to be more specific).
That might work for 22.02, but if the issue on 24.04 isn't just file
accessibility then that might not fully work.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1849346
Title:
[snap] kerberos GSSAPI no longer works after deb->snap transition
Status in Mozilla Firefox:
New
Status in snapd:
New
Status in chromium-browser package in Ubuntu:
In Progress
Status in firefox package in Ubuntu:
In Progress
Bug description:
Workaround
----------
Execute
echo 'default_ccache_name = FILE:/home/%{username}/krb5cc' >>
/etc/krb5.conf
so that the Kerberos credentials are stored in a file path a snapped
application can read.
Acknowledgement: For many that can't work for {different reasons}, as
stated in multiple comments below. Nonetheless it is worth a mention.
Original report
---------------
I configure AuthServerWhitelist as documented:
https://www.chromium.org/developers/design-documents/http-
authentication
and can see my whitelisted domains in chrome://policy/
but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
work. I'm guessing the snap needs some sort of permission to use the
kerberos ticket cache (or the plumbing to do so doesn't exist...).
I can confirm that Chrome has the desired behavior.
To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1849346/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
