This bug was fixed in the package snapd - 2.71+ubuntu24.04

---------------
snapd (2.71+ubuntu24.04) noble; urgency=medium

  * New upstream release, LP: #2118396
    - FDE: auto-repair when recovery key is used
    - FDE: revoke keys on shim update
    - FDE: revoke old TPM keys when dbx has been updated
    - FDE: do not reseal FDE hook keys every time
    - FDE: store keys in the kernel keyring when installing from initrd
    - FDE: allow disabled DMA on Core
    - FDE: snap-bootstrap: do not check for partition in scan-disk on
      CVM
    - FDE: support secboot preinstall check for 25.10+ hybrid installs
      via the /v2/system/{label} endpoint
    - FDE: support generating recovery key at install time via the
      /v2/systems/{label} endpoint
    - FDE: update passphrase quality check at install time via the
      /v2/systems/{label} endpoint
    - FDE: support replacing recovery key at runtime via the new
      /v2/system-volumes endpoint
    - FDE: support checking recovery keys at runtime via the /v2/system-
      volumes endpoint
    - FDE: support enumerating keyslots at runtime via the /v2/system-
      volumes endpoint
    - FDE: support changing passphrase at runtime via the /v2/system-
      volumes endpoint
    - FDE: support passphrase quality check at runtime via the
      /v2/system-volumes endpoint
    - FDE: update secboot to revision 3e181c8edf0f
    - Confdb: support lists and indexed paths on read and write
    - Confdb: alias references must be wrapped in brackets
    - Confdb: support indexed paths in confdb-schema assertion
    - Confdb: make API errors consistent with options
    - Confdb: fetch confdb-schema assertion on access
    - Confdb: prevent --previous from being used in read-side hooks
    - Components: fix snap command with multiple components
    - Components: set revision of seed components to x1
    - Components: unmount extra kernel-modules components mounts
    - AppArmor Prompting: add lifespan "session" for prompting rules
    - AppArmor Prompting: support restoring prompts after snapd restart
    - AppArmor Prompting: limit the extra information included in probed
      AppArmor features and system key
    - Notices: refactor notice state internals
    - SELinux: look for restorecon/matchpathcon at all known locations
      rather than current PATH
    - SELinux: update policy to allow watching cgroups (for RAA), and
      talking to user session agents (service mgmt/refresh)
    - Refresh App Awareness: Fix unexpected inotify file descriptor
      cleanup
    - snap-confine: workaround for glibc fchmodat() fallback and handle
      ENOSYS
    - snap-confine: add support for host policy for limiting users able
      to run snaps
    - LP: #2114923 Reject system key mismatch advise when not yet seeded
    - Use separate lanes for essential and non-essential snaps during
      seeding and allow non-essential installs to retry
    - Fix bug preventing remodel from core18 to core18 when snapd snap
      is unchanged
    - LP: #2112551 Make removal of last active revision of a snap equal
      to snap remove
    - LP: #2114779 Allow non-gpt in fallback mode to support RPi
    - Switch from using systemd LogNamespace to manually controlled
      journal quotas
    - Change snap command trace logging to only log the command names
    - Grant desktop-launch access to /v2/snaps
    - Update code for creating the snap journal stream
    - Switch from using core to snapd snap for snap debug connectivity
    - LP: #2112544 Fix offline remodel case where we switched to a
      channel without an actual refresh
    - LP: #2112332 Exclude snap/snapd/preseeding when generating preseed
      tarball
    - LP: #1952500 Fix snap command progress reporting
    - LP: #1849346 Interfaces: kerberos-tickets | add new interface
    - Interfaces: u2f | add support for Thetis Pro
    - Interfaces: u2f | add OneSpan device and fix older device
    - Interfaces: pipewire, audio-playback | support pipewire as system
      daemon
    - Interfaces: gpg-keys | allow access to GPG agent sockets
    - Interfaces: usb-gadget | add new interface
    - Interfaces: snap-fde-control, firmware-updater-support | add new
      interfaces to support FDE
    - Interfaces: timezone-control | extend to support timedatectl
      varlink
    - Interfaces: cpu-control | fix rules for accessing IRQ sysfs and
      procfs directories
    - Interfaces: microstack-support | allow SR-IOV attachments
    - Interfaces: modify AppArmor template to allow snaps to read their
      own systemd credentials
    - Interfaces: posix-mq | allow stat on /dev/mqueue
    - LP: #2098780 Interfaces: log-observe | add capability
      dac_read_search
    - Interfaces: block-devices | allow access to ZFS pools and datasets
    - LP: #2033883 Interfaces: block-devices | opt-in access to
      individual partitions
    - Interfaces: accel | add new interface to support accel kernel
      subsystem
    - Interfaces: shutdown | allow client to bind on its side of dbus
      socket
    - Interfaces: modify seccomp template to allow pwritev2
    - Interfaces: modify AppArmor template to allow reading
      /proc/sys/fs/nr_open
    - Packaging: drop snap.failure service for openSUSE
    - Packaging: add SELinux support for openSUSE
    - Packaging: disable optee when using nooptee build tag
    - Packaging: add support for static PIE builds in snapd.mk, drop
      pie.patch from openSUSE
    - Packaging: add libcap2-bin runtime dependency for ubuntu-16.04
    - Packaging: use snapd.mk for packaging on Fedora
    - Packaging: exclude .git directory
    - Packaging: fix DPKG_PARSECHANGELOG assignment
    - Packaging: fix building on Fedora with dpkg installed

snapd (2.70+ubuntu24.04) noble; urgency=medium

    - FDE: Fix reseal with v1 hook key format
    - FDE: set role in TPM keys
    - AppArmor prompting (experimental): add handling for expired
      requests or listener in the kernel
    - AppArmor prompting: log the notification protocol version
      negotiated with the kernel
    - AppArmor prompting: implement notification protocol v5 (manually
      disabled for now)
    - AppArmor prompting: register listener ID with the kernel and
      resend notifications after snapd restart (requires protocol v5+)
    - AppArmor prompting: select interface from metadata tags and set
      request interface accordingly (requires protocol v5+)
    - AppArmor prompting: include request PID in prompt
    - AppArmor prompting: move the max prompt ID file to a subdirectory
      of the snap run directory
    - AppArmor prompting: avoid race between closing/reading socket fd
    - Confdb (experimental): make save/load hooks mandatory if affecting
      ephemeral
    - Confdb: clear tx state on failed load
    - Confdb: modify 'snap sign' formats JSON in assertion bodies (e.g.
      confdb-schema)
    - Confdb: add NestedEphemeral to confdb schemas
    - Confdb: add early concurrency checks
    - Simplify building Arch package
    - Enable snapd.apparmor on Fedora
    - Build snapd snap with libselinux
    - Emit snapd.apparmor warning only when using apparmor backend
    - When running snap, on system key mismatch e.g. due to network
      attached HOME, trigger and wait for a security profiles
      regeneration
    - Avoid requiring state lock to get user, warnings, or pending
      restarts when handling API requests
    - Start/stop ssh.socket for core24+ when enabling/disabling the ssh
      service
    - Allow providing a different base when overriding snap
    - Modify snap-bootstrap to mount snapd snap directly to /snap
    - Modify snap-bootstrap to mount /lib/{modules,firmware} from snap
      as fallback
    - Modify core-initrd to use systemctl reboot instead of /sbin/reboot
    - Copy the initramfs 'manifest-initramfs.yaml' to initramfs file
      creation directory so it can be copied to the kernel snap
    - Build the early initrd from installed ucode packages
    - Create drivers tree when remodeling from UC20/22 to UC24
    - Load gpio-aggregator module before the helper-service needs it
    - Run 'systemctl start' for mount units to ensure they are run also
      when unchanged
    - Update godbus version to 'v5 v5.1.0'
    - Add support for POST to /v2/system-info with system-key-mismatch
      indication from the client
    - Add 'snap sign --update-timestamp' flag to update timestamp before
      signing
    - Add vfs support for snap-update-ns to use to simulate and evaluate
      mount sequences
    - Add refresh app awareness debug logging
    - Add snap-bootstrap scan-disk subcommand to be called from udev
    - Add feature to inject proxy store assertions in build image
    - Add OP-TEE bindings, enable by default in ARM and ARM64 builds
    - Fix systemd dependency options target to go under 'unit' section
    - Fix snap-bootstrap reading kernel snap instead of base resulting
      in bad modeenv
    - Fix a regression during seeding when using early-config
    - LP: #2107443 reset SHELL to /bin/bash in non-classic snaps
    - Make Azure kernels reboot upon panic
    - Fix snap-confine to not drop capabilities if the original user is
      already root
    - Fix data race when stopping services
    - Fix task dependency issue by temporarily disable re-refresh on
      prerequisite updates
    - Fix compiling against op-tee on armhf
    - Fix dbx update when not using FDE
    - Fix potential validation set deadlock due to bases waiting on
      snaps
    - LP: #2104066 Only cancel notices requests on stop/shutdown
    - Interfaces: bool-file | fix gpio glob pattern as required for
      '[XXXX]*' format
    - Interfaces: system-packages-doc | allow access to
      /usr/local/share/doc
    - Interfaces: ros-snapd-support interface | added new interface
    - Interfaces: udisks2 | allow chown capability
    - Interfaces: system-observe | allow reading cpu.max
    - Interfaces: serial-port | add ttyMAXX to allowed list
    - Interfaces: modified seccomp template to disallow
      'O_NOTIFICATION_PIPE'
    - Interfaces: fwupd | add support for modem-manager plugin
    - Interfaces: gpio-chardev | make unsupported and remove
      experimental flag to hide this feature until gpio-aggregator is
      available
    - Interfaces: hardware-random | fix udev match rule
    - Interfaces: timeserver-control | extend to allow timedatectl
      timesync commands
    - Interfaces: add symlinks backend
    - Interfaces: system key mismatch handling

snapd (2.69+ubuntu24.04) noble; urgency=medium

    - FDE: re-factor listing of the disks based on run mode model and
      model to correctly resolve paths
    - FDE: run snapd from snap-failure with the correct keyring mode
    - Snap components: allow remodeling back to an old snap revision
      that includes components
    - Snap components: fix remodel to a kernel snap that is already
      installed on the system, but not the current kernel due to a
      previous remodel.
    - Snap components: fix for snapctl inputs that can crash snapd
    - Confdb (experimental): load ephemeral data when reading data via
      snapctl get
    - Confdb (experimental): load ephemeral data when reading data via
      snap get
    - Confdb (experimental): rename {plug}-view-changed hook to observe-
      view-{plug}
    - Confdb (experimental): rename confdb assertion to confdb-schema
    - Confdb (experimental): change operator grouping in confdb-control
      assertion
    - Confdb (experimental): add confdb-control API
    - AppArmor: extend the probed features to include the presence of
      files, as well as directories
    - AppArmor prompting (experimental): simplify the listener
    - AppArmor metadata tagging (disabled): probe parser support for
      tags
    - AppArmor metadata tagging (disabled): implement notification
      protocol v5
    - Confidential VMs: sysroot.mount is now dynamically created by
      snap-bootstrap instead of being a static file in the initramfs
    - Confidential VMs: Add new implementation of snap integrity API
    - Non-suid snap-confine: first phase to replace snap-confine suid
      with capabilities to achieve the required permissions
    - Initial changes for dynamic security profiles updates
    - Provide snap icon fallback for /v2/icons without requiring network
      access at runtime
    - Add eMMC gadget update support
    - Support reexec when using /usr/libexec/snapd on the host (Arch
      Linux, openSUSE)
    - Auto detect snap mount dir location on unknown distributions
    - Modify snap-confine AppArmor template to allow all glibc HWCAPS
      subdirectories to prevent launch errors
    - LP: #2102456 update secboot to bf2f40ea35c4 and modify snap-
      bootstrap to remove usage of go templates to reduce size by 4MB
    - Fix snap-bootstrap to mount kernel snap from
      /sysroot/writable/system-data
    - LP: #2106121 fix snap-bootstrap busy loop
    - Fix encoding of time.Time by using omitzero instead of omitempty
      (on go 1.24+)
    - Fix setting snapd permissions through permctl for openSUSE
    - Fix snap struct json tags typo
    - Fix snap pack configure hook permissions check incorrect file mode
    - Fix gadget snap reinstall to honor existing sizes of partitions
    - Fix to update command line when re-executing a snapd tool
    - Fix 'snap validate' of specific missing newline and add error on
      missed case of 'snap validate --refresh' without another action
    - Workaround for snapd-confine time_t size differences between
      architectures
    - Disallow pack and install of snapd, base and os with specific
      configure hooks
    - Drop udev build dependency that is no longer required and add
      missing systemd-dev dependency
    - Build snap-bootstrap with nomanagers tag to decrease size by 1MB
    - Interfaces: polkit | support custom polkit rules
    - Interfaces: opengl | LP: #2088456 fix GLX on nvidia when xorg is
      confined by AppArmor
    - Interfaces: log-observe | add missing udev rule
    - Interfaces: hostname-control | fix call to hostnamectl in core24
    - Interfaces: network-control | allow removing created network
      namespaces
    - Interfaces: scsi-generic | re-enable base declaration for scsi-
      generic plug
    - Interfaces: u2f | add support for Arculus AuthentiKey

 -- Ernest Lotter <[email protected]>  Fri, 25 Jul 2025 13:18:47 +0200

** Changed in: snapd (Ubuntu Noble)
       Status: Fix Committed => Fix Released

** Changed in: snapd (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1849346

Title:
  [SRU] kerberos GSSAPI no longer works after deb->snap transition

Status in Mozilla Firefox:
  New
Status in snapd:
  Fix Released
Status in chromium-browser package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  In Progress
Status in snapd package in Ubuntu:
  Fix Released
Status in snapd source package in Jammy:
  Fix Released
Status in snapd source package in Noble:
  Fix Released
Status in snapd source package in Plucky:
  Fix Released
Status in snapd source package in Questing:
  Fix Released

Bug description:
  [SRU] 2.71:
  https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2118396

  [ Impact ]

  Programs that use Kerberos do not have access to Kerberos' tickets (by
  default, /tmp/krb5cc*) if snapped, resulting in denied access to
  documents that the user would otherwise be able to access if the
  program weren't snapped.

  [ Test Plan ]

  Requires a server that uses Kerberos authentication and an Ubuntu
  client, which for the following tests is presumed to have logged into
  the server's realm.

  Also requires configuring the browser in the client as per
  https://docs.active-directory-wp.com/Networking/Single_Sign_On/Configure_browsers_to_use_Kerberos.html,
  namely for Firefox, put the server name in
  network.negotiate-auth.trusted-uris.

  1. Reproduce on snapd deb < 2.71

  Install the Firefox snap.

  Expect:
   - websites that used to work with SPNEGO/GSSAPI/kerberos do not work
     (access denied).
   - 'snap connect firefox:kerberos-tickets' fails because snapd < 2.71
     does not yet have the corresponding slot.

  2. Prove fix on snapd 2.71

  First connect the new plug:

    snap connect firefox:kerberos-tickets

  Then access a document from said server; it should work.

  [ Regression potential ]

  Unauthorized snaps (i.e., those without a kerberos-tickets connection)
  could gain access to the tickets.

  Snaps could fail to launch due to a bug in the implementation logic
  merged in https://github.com/canonical/snapd/pull/15519.

  ---original---

  Workaround
  ----------

  Add

    default_ccache_name = FILE:/run/user/%{euid}/krb5cc

  to the [libdefaults] section of /etc/krb5.conf so that the Kerberos
  credentials are stored in a file path a snapped application can read.

  Acknowledgement: for many users this workaround is not an option, for
  various reasons, as stated in multiple comments below. Nonetheless it
  is worth a mention.
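
  To check whether a given krb5.conf really sends the ticket cache to a
  path a strictly confined snap can see, here is an added example (my
  own, not code from the bug report, snapd or Firefox). It assumes MIT
  Kerberos' compiled-in default cache name FILE:/tmp/krb5cc_%{uid} and
  runs over constructed sample configs; the function and variable names
  are mine.

```python
import re
# Compiled-in MIT Kerberos default when default_ccache_name is unset
# (assumption: stock libkrb5; this is the /tmp/krb5cc* the bug refers to).
BUILTIN_CCACHE = "FILE:/tmp/krb5cc_%{uid}"


def libdefaults(text):
    """Top-level 'key = value' pairs of [libdefaults]; brace-delimited
    subsections (as under [realms]) are skipped, never misread as defaults."""
    values, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # krb5.conf uses '#' comments
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            section, depth = header.group(1), 0
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            values[key] = val
    return values


def effective_ccache(text, uid):
    """Expand default_ccache_name (or the built-in default) for one uid."""
    name = libdefaults(text).get("default_ccache_name", BUILTIN_CCACHE)
    return re.sub(r"%\{(uid|euid)\}", str(uid), name)


def snap_visibility(ccache):
    """snap-confine gives every snap a private /tmp, so a FILE:/DIR: cache
    under /tmp is absent inside a strictly confined snap; a host path such as
    /run/user/<uid> (the workaround) is one the snap can be granted access to.
    Socket- or keyring-backed caches (KCM:, KEYRING:) need a separate check."""
    kind, _, path = ccache.partition(":")
    if kind not in ("FILE", "DIR"):
        return "non-file"
    return "hidden-private-tmp" if path.startswith("/tmp/") else "host-path"

# Constructed sample configs: a stock one and one carrying the workaround.
STOCK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""
WORKAROUND = "    default_ccache_name = FILE:/run/user/%{euid}/krb5cc\n"
PATCHED_CONF = STOCK_CONF.replace("[libdefaults]\n", "[libdefaults]\n" + WORKAROUND)
```

  Running effective_ccache and snap_visibility over a host's real
  /etc/krb5.conf (read as text) gives the same verdict for that machine.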

  Original report
  ---------------

  I configure AuthServerWhitelist as documented:

  https://www.chromium.org/developers/design-documents/http-authentication

  and can see my whitelisted domains in chrome://policy/

  but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
  work. I'm guessing the snap needs some sort of permission to use the
  kerberos ticket cache (or the plumbing to do so doesn't exist...).

  I can confirm that Chrome has the desired behavior.
