After
default_ccache_name = FILE:/home/%{username}/krb5cc
this works. So let me first of all put this in the bug report
description.
I do read many comments that say that changing default_ccache_name is
not an option. But as they do not state what that is for them, I
don't have much of an idea of what are the most common scenarios to
target first, although I'd guess it's really /tmp.
If default_ccache_name can be anywhere at all in the file-system, even
in a key-ring... I find it hard to see a fully encompassing solution for
a sandboxed (snapped) application.
** Description changed:
+ Workaround
+ ----------
+
+ Execute
+
+ echo 'default_ccache_name = FILE:/home/%{username}/krb5cc' >>
+ /etc/krb5.conf.
+
+ so that the Kerberos credentials are stored in a file path a snapped
+ application can read.
+
+ Acknowledgement: For many that can't work for {different reasons}, as
+ stated in multiple comments below. Nonetheless it is worth a mention.
+
+ Original report
+ ---------------
+
I configure AuthServerWhitelist as documented:
https://www.chromium.org/developers/design-documents/http-authentication
and can see my whitelisted domains in chrome://policy/
but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
work. I'm guessing the snap needs some sort of permission to use the
kerberos ticket cache (or the plumbing to do so doesn't exist...).
I can confirm that Chrome has the desired behavior.
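Review bot: The added command ends in `/etc/krb5.conf.` with a trailing period, which the shell will take as part of the file name if the line is pasted as written; drop the period from the command line. The step also appends to the end of the file without saying which section the setting should land in (default_ccache_name is a [libdefaults] setting) or that writing to /etc needs root, and the "{different reasons}" placeholder in the Acknowledgement should be replaced with the actual reasons or a pointer to the comments.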
** Description changed:
Workaround
----------
Execute
- echo 'default_ccache_name = FILE:/home/%{username}/krb5cc' >>
- /etc/krb5.conf.
+ echo 'default_ccache_name = FILE:/home/%{username}/krb5cc' >>
+ /etc/krb5.conf
so that the Kerberos credentials are stored in a file path a snapped
application can read.
Acknowledgement: For many that can't work for {different reasons}, as
stated in multiple comments below. Nonetheless it is worth a mention.
Original report
---------------
I configure AuthServerWhitelist as documented:
https://www.chromium.org/developers/design-documents/http-authentication
and can see my whitelisted domains in chrome://policy/
but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
work. I'm guessing the snap needs some sort of permission to use the
kerberos ticket cache (or the plumbing to do so doesn't exist...).
I can confirm that Chrome has the desired behavior.
https://bugs.launchpad.net/bugs/1849346
Title:
[snap] kerberos GSSAPI no longer works after deb->snap transition