@frigo Thanks for the tip.
Unfortunately my system requires pam_krb5, which has precedence over
default_ccache_name and sets KRB5CCNAME directly.
I tried to set ccache_dir in the pam section of krb5.conf but I didn't manage.
While waiting for this to be fixed I'll continue with the not-snap
** Changed in: chromium-browser (Ubuntu)
Importance: Undecided => Medium
** Changed in: chromium-browser (Ubuntu)
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
The same applies to Chromium, please set it to medium as well, Luka.
Thanks!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1849346
Title:
[snap] kerberos GSSAPI no longer works after deb->snap transition
Unless the snap move was intended to provide isolation from Kerberos,
setting to medium because this breaks many enterprise use cases for
Firefox.
** Changed in: firefox (Ubuntu)
Importance: Undecided => Medium
** Changed in: firefox (Ubuntu)
Status: Confirmed => Triaged
--
If the goal is to have a single snap making use of the kerberos ticket,
as a workaround you can put something like this in /etc/krb5.conf:

    [libdefaults]
    default_ccache_name = DIR:/home/%{username}/snap/firefox/common/.cache/.k5_ccache

the default connections for the firefox snap
Launchpad has imported 4 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=1734791.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
** Also affects: firefox (Ubuntu)
Importance: Undecided
Status: New
** Also affects: firefox via
https://bugzilla.mozilla.org/show_bug.cgi?id=1734791
Importance: Unknown
Status: Unknown
** Changed in: firefox (Ubuntu)
Status: New => Confirmed
** No longer affects:
There is a similar bug follow up at
https://bugzilla.mozilla.org/show_bug.cgi?id=1734791
--
What is different in our case than for normal people is that the use of
Kerberos requires setting in Firefox the preference
"network.negotiate-auth.trusted-uris", which by default is not set.
In my case it is set as network.negotiate-auth.trusted-uris=cern.ch
I have everything set up correctly,
Today my brand new Ubuntu 21.10 Impish has forced the change of Firefox to
Snap, so I'm suffering Kerberos not working from inside the Firefox snap.
Kerberos works fine at the Linux level. kinit, klist, etc. show that the tickets
are assigned and handled correctly when requested.
Some closed door
Maybe the information I collected here
https://bugzilla.mozilla.org/show_bug.cgi?id=1734791 for the Firefox
snap, which suffers from the same problem, is helpful in order to fix
the problem for the Chromium snap as well.
** Bug watch added: Mozilla Bugzilla #1734791
Same problem here, chromium is not able to use kerberos ticket. I think,
it is time to get back chromium as a deb package until snap is really
working.
--
Unsure why thunderbird is listed there, it's not mentioned in the
description nor posts, could you give some details on what isn't working
and how?
** Changed in: thunderbird (Ubuntu)
Importance: Undecided => Low
** Changed in: thunderbird (Ubuntu)
Status: Confirmed => Incomplete
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: thunderbird (Ubuntu)
Status: New => Confirmed
--
Observed the same issue using the Thunderbird snap instead of the
RPM.
** Also affects: thunderbird (Ubuntu)
Importance: Undecided
Status: New
--
The snap should have the required libraries to support kerberos
authentication, but it's likely that confinement is getting in the way.
Does kerberos allow verbose logging on the server end, to inspect where
authentication is failing?
--
Sorry, I changed the issue's type accidentally.
** Information type changed from Public Security to Public
--
Why do you think it's a security issue?
--
This problem still persists and SPNEGO won't work even with new policies:
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AuthServerAllowlist
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AuthNegotiateDelegateAllowlist
The policies are loaded successfully but
Sorry this sucks guys - when is it going to get fixed? Ubuntu 20.04 also
stopped working for me since the transition to snap happened - all
kerberos and gssapi authentications no longer work
--
The same problem here, after upgrading to 'snapped' chromium 79 we lost
Single Sign-On, all our Kerberos security based intranet web servers
started asking for username and password.
Kerberos ticket cache is file /tmp/krb5cc_:
johndoe@computer:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default
Thanks, that's useful.
I'm not familiar with SPNEGO/GSSAPI/kerberos, could you maybe come up
with easy steps to reproduce the problem on a clean system? That would
allow me to dig further into the problem.
--
The /etc/gss/mech.d/ and /etc/krb5.conf.d/ denials may be relevant. Both
directories are empty in my case, but lack of access may be killing some
logic that relies on checking them.
** Attachment added: "AppArmor denials"
Thanks for the report.
Can you check for apparmor denials in the system journal when reproducing the
problem? Run the following command in a terminal before launching chromium:

    journalctl -f | grep DEN

** Tags added: snap
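
The denial check requested above, narrowed as an added example (not part of the original thread or of any Ubuntu tooling): a bash filter that keeps only AppArmor denials from snap profiles on the Kerberos/GSSAPI configuration paths named in this thread. The log lines are constructed samples, and krb_denials and sample_log are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: report AppArmor denials on Kerberos/GSSAPI config paths
# for snap-confined programs. All sample log lines below are constructed.

sample_log() {
cat <<'EOF'
Oct 22 10:01:02 host kernel: audit: type=1400 audit(1571738462.101:310): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/gss/mech.d/" pid=4121 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 22 10:01:02 host kernel: audit: type=1400 audit(1571738462.105:311): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/krb5.conf.d/" pid=4121 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 22 10:01:09 host kernel: audit: type=1400 audit(1571738469.220:312): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/gss/mech.d/" pid=4188 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 22 10:01:10 host kernel: audit: type=1400 audit(1571738470.001:313): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/etc/krb5.conf" pid=4188 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 22 10:01:11 host kernel: audit: type=1400 audit(1571738471.310:314): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c13:64" pid=4188 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 22 10:01:12 host kernel: audit: type=1400 audit(1571738472.410:315): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/krb5.conf" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Reads journal lines on stdin and prints "profile<TAB>path<TAB>denied_mask"
# once per distinct denial. It streams line by line, so it can replace the
# grep in: journalctl -f | grep DEN
krb_denials() {
  awk '
    # Return the value of key="value" on the current line, or "" if absent.
    function field(key,    re, s) {
      re = " " key "=\"[^\"]*\""
      if (!match($0, re)) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s)
      sub(/"$/, "", s)
      return s
    }
    /apparmor="DENIED"/ {
      profile = field("profile"); path = field("name"); mask = field("denied_mask")
      if (profile !~ /^snap\./) next                    # snap profiles only
      if (path !~ /^\/etc\/(krb5\.conf|gss\/)/) next    # krb5.conf, krb5.conf.d/, gss/
      if (seen[profile, path, mask]++) next             # drop repeats
      printf "%s\t%s\t%s\n", profile, path, mask
    }'
}

sample_log | krb_denials
```
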
** Summary changed:
- kerberos GSSAPI no longer works after deb->snap transition
+ [snap] kerberos GSSAPI no longer works after deb->snap transition