TL;DR:
First, the proposed fix won't help. I had a typo in my issue in one spot; all
the others are correct.
The include directive in /etc/krb5.conf is 'includedir /etc/krb5.conf.d/'
Firefox snap appears to completely fail to apply any krb5 configuration if any
file included via an 'includedir' directive is not allowed in the snap
sandbox.
- Changing the name of the included files so an allowed file comes
alphabetically before the disallowed file does not resolve the issue.
- Moving our kerberos config into /etc/krb5.conf but keeping the includedir
directive does not resolve the issue.
Feel free to skip to "NEW INFORMATION:" below. The "RESPONSES:" are
mostly for historical documentation purposes at this point.
RESPONSES:
(1)> Our krb5.conf has an includedir directive for /etc/krb5/krb5.conf.d/
Oh no, I had a typo in my issue in one spot; all the others are correct.
The include directive in /etc/krb5.conf is 'includedir /etc/krb5.conf.d/'
The file with our config is in /etc/krb5.conf.d/COMPANY.conf
ls -la output:
-rw-r--r-- 1 root root 970 Dec 24 09:09 /etc/krb5.conf.d/COMPANY.conf
(1a)> Indeed, the snap will not be able to read files under that
directory
If I run `snap run --shell firefox`, I can `ls -la /etc/krb5.conf.d/`,
and I can `cat /etc/krb5.conf.d/COMPANY.conf`
(1b)> I'm surprised though you got no denial in the strace. How exactly
did you execute it? Preferable is 'snap run --strace firefox'.
Alternatively one could check 'journalctl -f' too for that one denial.
I ran firefox with `KRB5_TRACE=/dev/stderr
NSPR_LOG_MODULES=negotiateauth:5 KRB5CCNAME=FILE:/tmp/krb5cc_1000 snap
run firefox` and ran strace with '-p $(pgrep firefox)'.
I do not believe Firefox even attempted to read
`/etc/krb5.conf.d/COMPANY.conf`
Here's a snippet of the strace:
```
[pid 51461] 14:24:23 newfstatat(AT_FDCWD, "/etc/krb5.conf",
{st_mode=S_IFREG|0644, st_size=2995, ...}, 0) = 0
[pid 51461] 14:24:23 openat(AT_FDCWD, "/etc/krb5.conf", O_RDONLY) = 110
[pid 51461] 14:24:23 newfstatat(110, "", {st_mode=S_IFREG|0644, st_size=2995,
...}, AT_EMPTY_PATH) = 0
[pid 51461] 14:24:23 openat(AT_FDCWD, "/etc/krb5.conf.d/",
O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 124
[pid 51461] 14:24:23 newfstatat(124, "", {st_mode=S_IFDIR|0755, st_size=4096,
...}, AT_EMPTY_PATH) = 0
[pid 51461] 14:24:23 openat(AT_FDCWD, "/etc/krb5.conf.d//enable_sssd_conf_dir",
O_RDONLY) = 124
[pid 51461] 14:24:23 newfstatat(124, "", {st_mode=S_IFREG|0644, st_size=252,
...}, AT_EMPTY_PATH) = 0
```
NOTE - it opens /etc/krb5.conf, /etc/krb5.conf.d/, and
/etc/krb5.conf.d//enable_sssd_conf_dir. It just doesn't open
/etc/krb5.conf.d/COMPANY.conf (or //COMPANY.conf)
(2)> The interface is available there, I suppose you mentioned this just
for completeness.
I ran `sudo snap connect firefox:kerberos-tickets` because Wade
mentioned it but I didn't confirm if it worked without that. I can
double check that.
Wade just tested this and he did have to run `sudo snap connect
firefox:kerberos-tickets`
(3)> Ah, that is something new to me. I can't find any instance of SGT
in the source/docs though, did you possibly mean TGS? I'll need to study
that, but indeed the interface only allows reads and maps of the ticket
file.
Apologies. I used the wrong abbreviation.
The krb5 cache stores three main items:
- Ticket Granting Ticket (TGT) - essentially your identity.
- Service Tickets (ST) - tickets showing you're authorized to access a service
(read: website/file server)
- Session Keys - keys used for securing communication between client and
KDC/services
To make Kerberos most efficient, Firefox (snap) should have the
capability to write to the krb5 cache so it can add TGTs, STs, and
Session Keys.
(5)> I'm going to leave this to Wade to answer. He asked I include this.
> Just to scope the bug: Am I correct that you described a full work-around and
> that the bug is not really related to manually joining with Kinit but rather
> to a custom configuration, namely with includedir to directories to which the
> snap does not (at least yet) have access?
Yes, you are correct. If we: (1) run 'sudo snap connect
firefox:kerberos-tickets', (2) set KRB5CCNAME env variable properly, and
(3) move the configuration directly into /etc/krb5.conf, then we are
able to use kerberos authentication in snap Firefox in Ubuntu 24.04.
To clarify, at this point, I suspect the firefox snap sandbox has access
to the necessary directories, but for some reason the include directive
is not being read or not being acted on.
However...
NEW INFORMATION:
New information we just discovered while running 'sudo strace -f -t -e
trace=open,openat,read,write -p $(pgrep firefox)':
```
[pid 54119] 14:43:32 openat(AT_FDCWD, "/etc/krb5.conf", O_RDONLY) = 63
[pid 54119] 14:43:32 read(63, "# This file is managed by REDACTED"..., 4096) =
2995
[pid 54119] 14:43:32 openat(AT_FDCWD, "/etc/krb5.conf.d/",
O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 66
[pid 54119] 14:43:32 openat(AT_FDCWD, "/etc/krb5.conf.d//enable_sssd_conf_dir",
O_RDONLY) = 66
[pid 54119] 14:43:32 read(66, <unfinished ...>
[pid 54119] 14:43:32 <... read resumed>"# This file should normally be i"...,
4096) = 252
[pid 54119] 14:43:32 openat(AT_FDCWD, "/var/lib/sss/pubconf/krb5.include.d/",
O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or
directory)
```
/var/lib/sss/pubconf/krb5.include.d/ exists on my computer. Firefox is
trying to read /var/lib/sss/pubconf/krb5.include.d/ and gets an ENOENT,
and doesn't attempt to read any other files in /etc/krb5.conf.d/
The change we make related to Kerberos is to add 'includedir
/etc/krb5.conf.d/' to the end of /etc/krb5.conf, and create
/etc/krb5.conf.d/COMPANY.conf
A completely clean Ubuntu 24.04 Desktop VM (installed from
ubuntu-24.04-desktop-amd64.iso SHA256SUM:
81fae9cc21e2b1e3a9a4526c7dad3131b668e346c580702235ad4d02645d9455) has the
following content in /etc/krb5.conf.d/enable_sssd_conf_dir:
```
# This file should normally be installed by your distribution into a
# directory that is included from the Kerberos configuration file
(/etc/krb5.conf)
# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
```
enable_sssd_conf_dir is installed by the sssd-krb5 package, and I see
that package in the Ubuntu 24.04.3 manifest[1].
We did 4 tests:
Test 1: pass
1. run 'sudo snap connect firefox:kerberos-tickets'
2. set KRB5CCNAME env variable properly
3. comment out 'includedir /var/lib/sss/pubconf/krb5.include.d/' in
'/etc/krb5.conf.d/enable_sssd_conf_dir'
4. Auth to CM.company.com
Test 2: fail
While I refer to our conf file as COMPANY.conf, our conf file actually comes
alphabetically after 'enable'
1. run 'sudo snap connect firefox:kerberos-tickets'
2. set KRB5CCNAME env variable properly
3. rename our conf file to be alphabetically before enable_sssd_conf_dir
4. Auth to CM.company.com
Test 3: fail
1. run 'sudo snap connect firefox:kerberos-tickets'
2. set KRB5CCNAME env variable properly
3. Merge COMPANY.conf into krb5.conf (keeping the 'includedir' directive)
4. Auth to CM.company.com
Test 4: pass
1. run 'sudo snap connect firefox:kerberos-tickets'
2. set KRB5CCNAME env variable properly
3. Merge COMPANY.conf into krb5.conf
4. comment out 'includedir /var/lib/sss/pubconf/krb5.include.d/' in
'/etc/krb5.conf.d/enable_sssd_conf_dir'
5. Auth to CM.company.com
Based on this new information, I believe the bug is as stated in the TL;DR at
the top of this comment:
Firefox snap appears to completely fail to apply any krb5 configuration if any
file included via an 'includedir' directive is not allowed in the snap
sandbox.
- Changing the name of the included files so an allowed file comes
alphabetically before the disallowed file does not resolve the issue.
- Moving our kerberos config into /etc/krb5.conf but keeping the includedir
directive does not resolve the issue.
[1] https://releases.ubuntu.com/24.04/ubuntu-24.04.3-desktop-amd64.manifest
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122317
Title:
Kerberos authentication fails for TGT generated by a local user
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/2122317/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
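The four tests above each needed a Firefox restart and an authentication attempt to learn whether one include target was reachable from inside the sandbox. The script below is an added diagnostic, not code from the bug report, from MIT krb5 or from snapd: it walks the include/includedir graph of a krb5.conf and prints, for every node, whether the current process can open it, so the same walk can be run once on the host and once inside `snap run --shell firefox` and the two outputs compared. It assumes MIT krb5 directive syntax (a line beginning with `include PATH` or `includedir PATH`), the includedir name filter as documented for MIT krb5 (plain `[A-Za-z0-9_-]` names, or names ending in `.conf` that do not start with `.`), and that non-regular directory entries are skipped; the fixture it builds (`make_fixture`) is a constructed copy of the layout described in the report, with the sssd directory deliberately absent. Unlike the parser behaviour the strace shows (stopping at the first ENOENT), this walk keeps going so that every unreadable target is listed.

```shell
#!/bin/sh
# krb5_include_walk.sh -- added diagnostic; not code from the bug report, MIT krb5 or snapd.
# Walks the include/includedir graph of a krb5.conf and reports every target the
# *current process* cannot open. Recursion runs in subshells, so no "local" is
# needed and the script works under plain POSIX sh (dash or bash).
# Assumptions (mine, see lead-in): MIT directive syntax at the start of a line,
# MIT's documented includedir name filter, non-regular entries skipped.

# walk_krb5_includes FILE [DEPTH] -> prints "ok FILE" / "MISSING FILE" per node,
# returns 1 if any target in the subtree is unreadable.
walk_krb5_includes() {
    _file=$1; _depth=${2:-0}; _rc=0
    if [ "$_depth" -gt 16 ]; then printf 'LOOP?   %s\n' "$_file"; return 1; fi
    if [ ! -f "$_file" ] || [ ! -r "$_file" ]; then
        printf 'MISSING %s\n' "$_file"; return 1
    fi
    printf 'ok      %s\n' "$_file"
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in include*) ;; *) continue ;; esac   # directive must start the line
        set -f; set -- $_line; set +f                     # split on whitespace, no globbing
        _kw=$1; shift; _target=$*
        [ -n "$_target" ] || continue
        case $_kw in
            include)    (walk_krb5_includes "$_target" $((_depth + 1)))   || _rc=1 ;;
            includedir) (walk_krb5_includedir "$_target" $((_depth + 1))) || _rc=1 ;;
        esac
    done < "$_file"
    return $_rc
}

# walk_krb5_includedir DIR DEPTH -> same contract for a directory target.
walk_krb5_includedir() {
    _dir=${1%/}; _depth=$2; _rc=0
    if [ ! -d "$_dir" ] || [ ! -r "$_dir" ] || [ ! -x "$_dir" ]; then
        printf 'MISSING %s/\n' "$_dir"; return 1
    fi
    printf 'ok      %s/\n' "$_dir"
    for _entry in "$_dir"/*; do             # sorted glob order (assumed to match the parser)
        [ -f "$_entry" ] || continue        # unmatched glob, or not a regular file: skip
        _name=${_entry##*/}
        case $_name in
            .*) continue ;;
            *[!A-Za-z0-9_-]*) case $_name in *.conf) ;; *) continue ;; esac ;;
        esac
        (walk_krb5_includes "$_entry" $((_depth + 1))) || _rc=1
    done
    return $_rc
}

# make_fixture ROOT -- constructed sample mirroring the layout in the report,
# relocated under ROOT. The sssd include directory is deliberately absent (ENOENT).
make_fixture() {
    mkdir -p "$1/etc/krb5.conf.d"
    printf '[libdefaults]\n    default_realm = EXAMPLE.COM\nincludedir %s/etc/krb5.conf.d/\n' \
        "$1" > "$1/etc/krb5.conf"
    printf '[realms]\n    EXAMPLE.COM = {\n        kdc = kdc.example.com\n    }\n' \
        > "$1/etc/krb5.conf.d/COMPANY.conf"
    printf 'includedir %s/var/lib/sss/pubconf/krb5.include.d/\n' \
        "$1" > "$1/etc/krb5.conf.d/enable_sssd_conf_dir"
}

# With an argument, walk that file (e.g. /etc/krb5.conf); without one, run the fixture demo.
if [ $# -gt 0 ]; then
    walk_krb5_includes "$1"
else
    _t=$(mktemp -d); make_fixture "$_t"
    walk_krb5_includes "$_t/etc/krb5.conf" || echo "=> at least one include target is unreadable"
    rm -rf "$_t"
fi
```

On the fixture the walk prints ok for krb5.conf, krb5.conf.d/, COMPANY.conf and enable_sssd_conf_dir, then MISSING for the sssd directory, and exits 1. To compare host and sandbox, save the file under your home directory (assumed to be readable from inside the sandbox), run `sh krb5_include_walk.sh /etc/krb5.conf` on the host, then start `snap run --shell firefox` and run the same command there; a path that is ok on the host but MISSING in the snap shell is one the sandbox cannot see. Whether that is because the path is absent from the snap's mount namespace (ENOENT, as in the strace above) or denied by AppArmor (EACCES) is not distinguished by the script; `snap run --strace firefox` or `journalctl -f`, as suggested earlier in the thread, will show which.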