> For some reason it does not show up in about:support, but it is there
> if snap run --shell firefox -c 'env|grep KRB' shows it.

Okay, will keep that in mind.

> I did not know this method. The manual crafting of the environment
> variable works for me (although in my case it already is in the
> environment so I don't really need to do it and am just showing it for
> demonstration's sake):

One of the things I'm finding confusing is trying to distinguish the
state of the environment variables in the currently running Firefox
process versus just the current snap command.  There's also some kind of
state being set between commands, because the output differs.  From a
fresh boot:

        wtcline@wtcline-desk20:~$ KRB5CCNAME=FILE:/tmp/krb5cc_1000 snap run --shell firefox -c 'env|grep KRB'
        update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/local/share/doc /usr/local/share/doc none bind,ro 0 0): cannot write to "/var/lib/snapd/hostfs/usr/local/share/doc" because it would affect the host in "/var/lib/snapd"
        update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot write to "/var/lib/snapd/hostfs/usr/share/gimp/2.0/help" because it would affect the host in "/var/lib/snapd"
        update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot write to "/var/lib/snapd/hostfs/usr/share/gtk-doc" because it would affect the host in "/var/lib/snapd"
        update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot write to "/var/lib/snapd/hostfs/usr/share/libreoffice/help" because it would affect the host in "/var/lib/snapd"
        update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/sphinx_rtd_theme /usr/share/sphinx_rtd_theme none bind,ro 0 0): cannot write to "/var/lib/snapd/hostfs/usr/share/sphinx_rtd_theme" because it would affect the host in "/var/lib/snapd"
        update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot write to "/var/lib/snapd/hostfs/usr/share/xubuntu-docs" because it would affect the host in "/var/lib/snapd"
        KRB5CCNAME=FILE:/var/lib/snapd/hostfs/tmp/krb5cc_1000
        wtcline@wtcline-desk20:~$ snap run --shell firefox -c 'env|grep KRB'
        wtcline@wtcline-desk20:~$ snap run --shell firefox -c 'env|grep KRB'
        wtcline@wtcline-desk20:~$ KRB5CCNAME=FILE:/tmp/krb5cc_1000 snap run --shell firefox -c 'env|grep KRB'
        KRB5CCNAME=FILE:/var/lib/snapd/hostfs/tmp/krb5cc_1000
        wtcline@wtcline-desk20:~$

I can't tell whether the environment variable is properly set in Firefox
or not.

> Note KRB5CCNAME must start with the file type, here FILE, so
> 
>   [INCORRECT] KRB5CCNAME=/tmp/krb5cc_1000
>   [-CORRECT-] KRB5CCNAME=FILE:/tmp/krb5cc_1000
> 
> That is why you saw the "will not expose" error.

Good catch.  I was probably not consistent about the 'FILE:' bit.

>Now, from what I gather it nonetheless does not work, so let's take a step
>back. Can you walk me through the minimal path from boot until your attempt on
>Firefox? I.e., do you get a login screen, you log in with your normal, local
>user? Then you generate a ticket with kinit and then start Firefox with or
>without the environment variable?
>
>What is then the output of
>
>  id
>  klist
>  snap run --shell firefox 'env|grep KRB; id; od ${KRB5CCNAME#FILE:}'

Here's from a fresh snapshot (corporate-specific configuration applied
via policies but Firefox never launched):

 * Login as local user
 * https_proxy=http://ourproxy.com wget https://launchpad.net/~nteodosio/+snap/ff-krb/+build/2873123/+files/firefox_143.0a1_amd64.snap
 * sudo snap set system proxy.http=http://ourproxy.com
 * sudo snap set system proxy.https=http://ourproxy.com
 * sudo snap install --devmode --dangerous firefox_143.0a1_amd64.snap
 * mkdir -p ~/snap/firefox/common/.mozilla/certificates
 * cp /usr/local/share/ca-certificates/corporate/* ~/snap/firefox/common/.mozilla/certificates/
 * sudo vim /etc/firefox/policies/policies.json
 *      - Replace "SecurityDevices" with "Certificates"
 * sudo snap connect firefox:kerberos-tickets
 * kinit
 * KRB5CCNAME=FILE:/tmp/krb5cc_1000 snap run firefox

I believe the above sets up everything correctly.  And command output
(from another shell tab):

        wtcline@wtcline-desk20:~$ id
        uid=1000(wtcline) gid=1000(wtcline) groups=1000(wtcline),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),116(lpadmin)
        wtcline@wtcline-desk20:~$ klist
        Ticket cache: FILE:/tmp/krb5cc_1000
        Default principal: [email protected]

        Valid starting       Expires              Service principal
        09/04/2025 12:05:45  09/04/2025 22:05:45  krbtgt/[email protected]
                renew until 09/05/2025 12:05:42
        wtcline@wtcline-desk20:~$ snap run --shell firefox 'env|grep KRB; id; od ${KRB5CCNAME#FILE:}'
        /bin/bash: env|grep KRB; id; od ${KRB5CCNAME#FILE:}: No such file or directory
        wtcline@wtcline-desk20:~$ snap run --shell firefox -c 'env|grep KRB; id; od ${KRB5CCNAME#FILE:}'
        uid=1000(wtcline) gid=1000(wtcline) groups=1000(wtcline),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),116(lpadmin)
        ^C
        wtcline@wtcline-desk20:~$

Note that the environment variable does not appear to be set when
running the snap command, though it should be set in the process.

I checked to see if the ticket was in the sandbox and saw a ZIP file
'd3ea392f-7e3e-4124-87b8-7dfd21f9341f.zip' but no 'krb5cc_1000' file;
manually adding the TGT to the sandbox's '/tmp' did not get Kerberos
working.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1849346

Title:
  [SRU] kerberos GSSAPI no longer works after deb->snap transition

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1849346/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
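
On the question raised in the message above (whether the already-running Firefox process has KRB5CCNAME, as opposed to a fresh `snap run --shell`), this added sketch, which is not part of the original email or of snapd or Firefox, reads the variable from a process's environ file and resolves a `FILE:` cache through that process's root directory. The function names and the `PROCDIR` override (used only for offline testing) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): inspect KRB5CCNAME as a *running*
# process sees it, instead of what a new `snap run --shell` reports.

# Print variable $2 from a NUL-separated environ file $1 (the format of
# /proc/<pid>/environ, i.e. the environment the process was started with).
# Returns 1 if the variable is absent.
env_var_from_environ() {
    tr '\0' '\n' < "$1" | awk -v name="$2" '
        index($0, name "=") == 1 { print substr($0, length(name) + 2); found = 1; exit }
        END { exit !found }'
}

# Classify a KRB5CCNAME value; the thread's [INCORRECT] form is a bare path.
ccache_kind() {
    case "$1" in
        FILE:/*) echo file ;;
        /*)      echo bare-path ;;
        *:*)     echo other-type ;;
        *)       echo unknown ;;
    esac
}

# report_pid PID [PROCDIR]: PROCDIR defaults to /proc (override is for tests).
# A FILE: cache is looked up under <PROCDIR>/<pid>/root so the path is resolved
# in the process's own mount namespace, not the caller's.
report_pid() {
    proc="${2:-/proc}/$1"
    value=$(env_var_from_environ "$proc/environ" KRB5CCNAME) || {
        echo "KRB5CCNAME not set"; return 1; }
    kind=$(ccache_kind "$value")
    if [ "$kind" = file ]; then
        if [ -r "$proc/root${value#FILE:}" ]; then state=readable; else state=missing; fi
        echo "$kind $state $value"
    else
        echo "$kind - $value"
    fi
}
```

Call `report_pid <pid>` as the same user that owns the Firefox process; reading another user's `/proc/<pid>/environ` or `/proc/<pid>/root` requires elevated privileges.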
