I work with Wade[1], whom you've been in contact with in Bug 1849346. While chatting earlier today, he mentioned that the prior bug was resolved for AD-joined computers, but using the manual krb5 config still wasn't working, so I jumped in to take a look today.
I just got kerberos to authenticate in snap Firefox, but with some caveats... below are the details. I tested this on my production device, on a VM, and Wade tested in a VM. All work the same way.

My environment:
- OS and Version: Ubuntu 24.04.3 LTS
- Firefox: 146.0.1
- snapd: 2.72+ubuntu24.04
- website used for testing will be known as "CM.COMPANY.com"

Normally, our kerberos configuration is in /etc/krb5.conf.d/COMPANY.conf. When I use our default config, I get "SPNEGO cannot find mechanism to negotiate". It appears, based on strace, that the firefox snap never reads /etc/krb5.conf.d/COMPANY.conf. I'm unclear if that's because it's just not looking or if snap prevents reading inside of /etc/krb5.conf.d/. Because of the issue seen with that config, I merged /etc/krb5.conf with our COMPANY.conf file to see if that would work, and it does.

Steps to reproduce:

In terminal 1:
  $ sudo mv /etc/krb5.conf /etc/krb5.conf.bk
  $ sudo cp /etc/krb5.conf.d/COMPANY.conf /etc/krb5.conf
  $ # Copy libdefaults from /etc/krb5.conf.bk to new /etc/krb5.conf
  $ kinit pboushy
  $ klist
  $ killall firefox   (in case it's running already)
  $ sudo snap connect firefox:kerberos-tickets
  $ KRB5_TRACE=/dev/stderr NSPR_LOG_MODULES=negotiateauth:5 KRB5CCNAME=FILE:/tmp/krb5cc_1000 snap run firefox

In terminal 2:
  $ < /proc/"$(pgrep firefox)"/environ xargs -0L1 | grep KRB
  KRB5_TRACE=/dev/stderr
  KRB5CCNAME=FILE:/var/lib/snapd/hostfs/krb5cc_1000

In the Firefox window that opens, load CM.COMPANY.com.

In terminal 1's firefox stderr I can see:
* Getting credentials $myAccount -> HTTP/CM.COMPANY.com
* Successfully retrieving krbtgt
* Requesting the ticket for HTTP/server
* Doing a TON of DNS queries
* Initiating TCP connect to IP:88
* TGS reply is for my account -> HTTP/server
* TGS request success
* Receive creds
* Storing creds

Kerberos appears to work properly in this scenario, assuming the kerberos-tickets plug has been added and firefox can see KRB5CCNAME, because all the config is in /etc/krb5.conf, which snap can read.
However, auths do seem to be slower, and `klist` doesn't show that an SGT was received. In strace I noticed:

  openat(AT_FDWCD, "/var/lib/snapd/hostfs/tmp/krb5cc_1000", O_RDWR|O_APPEND|O_CLOEXEC = -1 EACCESS (Permission denied)

If I run `snap run --shell firefox` and `ls -la /var/lib/snapd/hostfs/tmp/krb5cc_1000`, the permissions are 0600, my user account, and the file shows properly from what I can tell, so that appears to be good. To my understanding, the strace line means that Firefox is trying to open the file as read/write and append data to it. That reminded me that the krb5 cache contains both the TGT (retrieved via kinit) and SGTs, and it seems like updating the SGT is not possible with the current design.

So in summary, I think there are 5 items:

1. Snap apps using kerberos need to read krb5.conf and any included directories properly. While the krb5.conf includedir directive can include any directory, the standard directory is /etc/krb5.conf.d/. Our krb5.conf has an includedir directive for /etc/krb5/krb5.conf.d/. (We did this because that's how Fedora is set up, and Ubuntu's man page lists support for this.)

2. The kerberos-tickets plug should be added to firefox.

3. /var/lib/snapd/hostfs/tmp/krb5cc_1000 needs to be writable within the snap sandbox so that the app can save SGTs to it. Auth is much faster if you get a ticket using curl from outside snap and then load the same page in Firefox.

4. The KRB5CCNAME env variable must currently be set for this to work. We would like to see this be improved to read the 'default_ccache_name' from the krb5 configuration if KRB5CCNAME is not set.

5. It should be possible to set the KRB5CCNAME environment variable for firefox using `snap set firefox env.KRBCCNAME=...`

[1] https://launchpad.net/~wtcline

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122317

Title:
  Kerberos authentication fails for TGT generated by a local user

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/2122317/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
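A diagnostic added here as an example; it is not part of the bug report above nor of the firefox snap or libkrb5. It covers the two host-side conditions that items 1 and 3 of the report turn on: which files libkrb5 will actually parse from a krb5.conf (following includedir directives with the filename rule MIT krb5 documents), and whether the FILE: credential cache named by KRB5CCNAME is a 0600 regular file the caller can write. It assumes a Linux host with GNU stat; the sample krb5.conf and cache in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: checks for items 1 and 3 above.

# Print the files libkrb5 will parse starting from CONF: the file itself plus,
# for every "includedir DIR" directive, the regular files in DIR whose names
# are alphanumerics/dashes/underscores or end in ".conf" (the rule MIT krb5
# documents; editor backups such as COMPANY.conf~ and dotfiles are ignored).
krb5_config_files() {
    conf=$1
    [ -r "$conf" ] || { printf 'cannot read %s\n' "$conf" >&2; return 1; }
    printf '%s\n' "$conf"
    sed -n 's/^[[:space:]]*includedir[[:space:]]\{1,\}//p' "$conf" |
    while IFS= read -r dir; do
        dir=${dir%/}                       # tolerate a trailing slash
        [ -d "$dir" ] || { printf 'missing includedir %s\n' "$dir" >&2; continue; }
        for f in "$dir"/*; do
            [ -f "$f" ] || continue        # skip subdirectories, sockets, ...
            name=${f##*/}
            case $name in
                .*)                continue ;;
                *.conf)            ;;
                *[!A-Za-z0-9_-]*)  continue ;;
            esac
            printf '%s\n' "$f"
        done
    done
}

# Check the credential cache named by KRB5CCNAME (or $1): it must be a regular
# file with mode 0600 that the caller can write, because the strace above shows
# libkrb5 opening it O_RDWR|O_APPEND to store service tickets (SGTs).
# Only the FILE: type (and a bare path, which libkrb5 treats as FILE:) is handled.
krb5_ccache_check() {
    cc=${1:-$KRB5CCNAME}
    case $cc in
        FILE:*) path=${cc#FILE:} ;;
        *:*)    printf 'unsupported ccache type: %s\n' "$cc" >&2; return 2 ;;
        *)      path=$cc ;;
    esac
    [ -f "$path" ] || { printf 'no such ccache: %s\n' "$path" >&2; return 1; }
    mode=$(stat -c %a "$path")             # GNU stat (assumption: Linux host)
    [ "$mode" = 600 ] || { printf 'ccache %s has mode %s, expected 600\n' "$path" "$mode" >&2; return 1; }
    [ -w "$path" ] || { printf 'ccache %s is not writable\n' "$path" >&2; return 1; }
    printf 'ccache %s ok (mode %s)\n' "$path" "$mode"
}
```

Run `krb5_config_files /etc/krb5.conf` both on the host and inside `snap run --shell firefox` to see whether the fragment list differs, and `krb5_ccache_check` inside the snap shell against the hostfs path from the strace line.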
