Hi Phillip, sorry for the long delay getting back to you (I had an end-of-year break), and also to thank you for your proactive investigation of the matter.

(1)> Our krb5.conf has an includedir directive for /etc/krb5/krb5.conf.d/. Indeed, the snap will not be able to read files under that directory, but it is unclear to me what AppArmor policy is denying that but allowing /etc/krb5.conf, for example. I don't see it in the snap's AppArmor profile, maybe in one of its includes. I'll ask around and see if we could allow that directory as it is default in other distributions, though I'm pretty sure the security team would deny including an arbitrary directory (as krb5.conf includedir itself would allow). I'm surprised though you got no denial in the strace. How exactly did you execute it? Preferable is 'snap run --strace firefox'. Alternatively one could check 'journalctl -f' too for that one denial.

(2)> The interface is available there, I suppose you mentioned this just for completeness.

(3)> Ah, that is something new to me. I can't find any instance of SGT in the source/docs though, did you possibly mean TGS? I'll need to study that, but indeed the interface only allows reads and maps of the ticket file.

(4)> This is reasonable. I'll raise it for discussion too.

(5)> Is there any benefit for that over just setting the value in the environment (like you did in your run or in .profile or something)?

Just to scope the bug: Am I correct that you described a full work-around and that the bug is not really related to manually joining with kinit but rather to a custom configuration, namely with includedir to directories to which the snap does not (at least yet) have access?

[1] https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

https://bugs.launchpad.net/bugs/2122317
Title: Kerberos authentication fails for TGT generated by a local user
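
An added example, not part of the original message or of any Ubuntu or snapd tooling: a Python script that cross-references the include/includedir directives of a krb5.conf with AppArmor denial records for snap profiles, the kind of record the journal check mentioned above would show. The config text and audit lines are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample krb5.conf, modelled on the includedir setup discussed in the message.
SAMPLE_KRB5_CONF = """\
# site configuration
includedir /etc/krb5/krb5.conf.d/
[libdefaults]
    default_realm = EXAMPLE.TEST
"""

# Constructed kernel audit lines in the AppArmor record format (as shown by journalctl).
SAMPLE_JOURNAL = """\
Jan 10 09:00:01 host kernel: audit: type=1400 audit(1736499601.123:201): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/krb5/krb5.conf.d/" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 10 09:00:02 host kernel: audit: type=1400 audit(1736499602.456:202): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/proc/4242/cgroup" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 10 09:00:03 host kernel: audit: type=1400 audit(1736499603.789:203): apparmor="ALLOWED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/krb5.conf" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

INCLUDE_RE = re.compile(r"^\s*(includedir|include)\s+(\S+)", re.MULTILINE)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def included_paths(conf_text):
    """Return (directive, path) pairs; commented-out lines do not match."""
    return [(m.group(1), m.group(2)) for m in INCLUDE_RE.finditer(conf_text)]


def parse_denials(journal_text, profile_prefix="snap."):
    """Return key/value dicts for AppArmor DENIED records of matching profiles."""
    denials = []
    for line in journal_text.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if (fields.get("apparmor") == "DENIED"
                and fields.get("profile", "").startswith(profile_prefix)):
            denials.append(fields)
    return denials


def blocked_includes(conf_text, journal_text):
    """List include targets that a confined snap was denied access to."""
    hits = []
    denials = parse_denials(journal_text)
    for directive, path in included_paths(conf_text):
        base = path.rstrip("/")
        for d in denials:
            name = d.get("name", "").rstrip("/")
            inside = directive == "includedir" and name.startswith(base + "/")
            if name == base or inside:
                hits.append((directive, path, d["profile"], d.get("denied_mask", "")))
    return hits


if __name__ == "__main__":
    for hit in blocked_includes(SAMPLE_KRB5_CONF, SAMPLE_JOURNAL):
        print(hit)
```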
