It was even stranger this morning. I reverted my snapshot, installed
the custom Snap, and was able to browse to HTTPS sites successfully.
After I closed the browser, generated a Kerberos TGT, and started the
browser again, all certificates (internal and external) were once again
untrusted. Destroying the Kerberos TGT did not help validate HTTPS
sites.

>I assume you did do the pre-requisite steps, i.e. connecting the interface

The "interface" in this context is the same as the "plug" ('snap connect
firefox:kerberos-tickets'), correct? I wasn't able to get that far as my first
goal was to reproduce authentication failure on a Kerberos-only site, but I've
been unable to consistently validate an HTTPS connection with the
manually-installed snap. Enabling the 'firefox:kerberos-tickets' interface did
not appear to help the HTTPS validation issue.

>and putting the server in trusted-uris.

We use policies in order to configure the Kerberos trusted URIs. Ex:

    {
      "policies": {
        "Authentication": {
          "Delegated": [
            "example.com"
          ],
          "Locked": false,
          "NTLM": [
            "example.com"
          ],
          "SPNEGO": [
            "example.com"
          ]
        }
      }
    }

Looking in the custom Snap Firefox's 'about:policies' and 'about:config'
shows that these URIs are consistent, though I've also heard that non-
ESR Firefox does not apply the policies file... though what I'm seeing
in the GUI suggests that the policies are being applied.

I don't believe bug #1901586 is the issue. Yes, we install our internal
Root CAs under '/usr/local/share/ca-certificates/', but we also run
'update-ca-certificates' after installing our internal Root CAs.
Furthermore, the issue is trusting *any* certificate, not just our
internal Root CAs.

So there are three potential avenues for errors:

1. I'm not installing/configuring the .snap package properly
2. Something changed in the newer version of Firefox
3. Something changed as a result of using Firefox Nightly instead of Firefox ESR

I'm not particularly familiar with Snap, so #1 is quite possible. I
could try a run on Ubuntu 25.10 when able.
--
https://bugs.launchpad.net/bugs/1849346
Title:
[SRU] kerberos GSSAPI no longer works after deb->snap transition