On Ubuntu 22.04 I was able to work around this issue for Firefox by
punching a hole through the Snap sandbox in order to make the file
accessible both inside and outside of the sandbox.  Specifically, I used
the following script:

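    #!/bin/bash
    # Kerberos credential cache as seen outside the sandbox
    src="/tmp/krb5cc_$(id -u)"
    # The same file name inside the Firefox snap's private /tmp
    dest="/tmp/snap-private-tmp/snap.firefox/tmp/krb5cc_$(id -u)"
    # Hard-link the cache into the sandbox, replacing any existing link
    sudo ln -f "${src}" "${dest}"
    # Make the linked file owned by the invoking user
    sudo chown "$(whoami):$(whoami)" "${dest}"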

On Ubuntu 24.04, this no longer works.  Using the magical environment
variables shows the following:

    [Parent 28276: Main Thread]: D/negotiateauth   using REQ_DELEGATE
    [Parent 28276: Main Thread]: D/negotiateauth   service = <REDACTED>
    [Parent 28276: Main Thread]: D/negotiateauth   using negotiate-gss
    [Parent 28276: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI()
    [Parent 28276: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init()
    [Parent 28276: BgIOThreadPool #2]: D/negotiateauth nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
    [Parent 28276: BgIOThreadPool #2]: D/negotiateauth entering nsAuthGSSAPI::GetNextToken()
    [Parent 28276: BgIOThreadPool #2]: D/negotiateauth gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
    SPNEGO cannot find mechanisms to negotiate
    [Parent 28276: BgIOThreadPool #2]: D/negotiateauth   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

Unfortunately, I've no idea what the "minor code" is nor where to get
it.

The APT package works.  Setting "devmode" does not work around the issue.
Placing the TGT in my home directory does not work around the issue.
Using the same version of Snap as Ubuntu 22.04 does not work around the
issue.

Anyone have a new workaround to share?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1849346

Title:
  [snap] kerberos GSSAPI no longer works after deb->snap transition

Status in Mozilla Firefox:
  New
Status in snapd:
  New
Status in chromium-browser package in Ubuntu:
  Triaged
Status in firefox package in Ubuntu:
  Triaged

Bug description:
  I configure AuthServerWhitelist as documented:

  https://www.chromium.org/developers/design-documents/http-authentication

  and can see my whitelisted domains in chrome://policy/

  but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
  work. I'm guessing the snap needs some sort of permission to use the
  kerberos ticket cache (or the plumbing to do so doesn't exist...).

  I can confirm that Chrome has the desired behavior.
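
An added example, not part of the original message or of any Ubuntu, snapd or Firefox tooling: a check that the hard link made by the workaround script above still names the same file as the live credential cache, is owned by the expected user, and grants nothing to group or other. The function name, status words and command-line arguments are assumptions; it relies on GNU `stat` and is meant to be run with sudo, as the workaround script does for the same path.

```shell
#!/bin/bash
# Added example: audit the hard-linked Kerberos ccache from the workaround.
# ccache_link_status and its status words are hypothetical names.

# Prints one status word and returns 0 only for "ok":
#   missing-src | missing-dest | stale-link | wrong-owner | loose-perms | ok
ccache_link_status() {
    local src="$1" dest="$2" uid="$3" mode
    [ -e "$src" ]  || { echo "missing-src";  return 1; }
    [ -e "$dest" ] || { echo "missing-dest"; return 1; }
    # -ef is true only when both paths name the same device and inode.
    # A hard link follows the inode, not the name: if the source path is
    # deleted and recreated, the sandbox copy keeps pointing at the old file.
    [ "$src" -ef "$dest" ] || { echo "stale-link"; return 1; }
    # The cache holds the TGT, so only the ticket's owner should own it.
    [ "$(stat -c %u "$dest")" = "$uid" ] || { echo "wrong-owner"; return 1; }
    # Any group/other permission bit exposes the ticket to other accounts.
    mode="$(stat -c %a "$dest")"
    [ $(( 0$mode & 077 )) -eq 0 ] || { echo "loose-perms"; return 1; }
    echo "ok"
}

# Usage (assumed): sudo ./check.sh firefox "$(id -u)"
# The snap.<name> directory layout is taken from the path in the message.
if [ "$#" -eq 2 ]; then
    ccache_link_status "/tmp/krb5cc_$2" \
        "/tmp/snap-private-tmp/snap.$1/tmp/krb5cc_$2" "$2"
fi
```

A `stale-link` result means the workaround script has to be re-run, because the file inside the sandbox is no longer the one outside it.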
