Public bug reported:
This is a follow-up to item 3 in LP:2122317.
I don't really know if this is a snapd bug, a snapd 'kerberos-tickets' plug
bug, or if it is a bug per browser. NOTE - this may also impact Thunderbird
based on the info in LP:1849346, but I have not tested.
The snap sandbox for Firefox and Chromium now allows read-only access to
/tmp/krb5cc_%{UID}.
This works well for authenticating with a Kerberos Ticket Granting Ticket (TGT)
and Service Ticket (ST) that have been retrieved from another application.
However, if no other app has retrieved the ST prior to signing in to the
webpage, Firefox/Chromium must retrieve an ST every time they are prompted for
Kerberos authentication by a webpage. (This often occurs multiple times.)
When Kerberos is used to authenticate to a website, the browser and Kerberos
libraries retrieve a service ticket (ST) and store that in the krb5cc cache.
Because the snap sandbox only allows read-only access to the krb5cc cache, the ST
cannot be stored and Firefox/Chromium must retrieve a new one for every auth
request, increasing the load time of every page that requires Kerberos auth.
Evidence:
Firefox debug log entries:
[96875] 1768248554.027412: Received creds for desired service
HTTP/[email protected]
[96875] 1768248554.027413: Storing [email protected] ->
HTTP/[email protected] in
FILE:/var/lib/snapd/hostfs/tmp/krb5cc_100
[96875] 1768248554.027434: Received creds for desired service
HTTP/[email protected]
[96875] 1768248554.027435: Storing [email protected] ->
HTTP/[email protected] in
FILE:/var/lib/snapd/hostfs/tmp/krb5cc_1000
journalctl log entries at same time:
Jan 12 13:09:14 pboushy-mobl kernel: audit: type=1400
audit(1768248554.709:300): apparmor="DENIED" operation="open" class="file"
profile="snap.firefox.firefox" name="/var/lib/snapd/hostfs/tmp/krb5cc_1000"
pid=96875 comm=4267494F5468727E506F6F6C202334 requested_mask="a"
denied_mask="a" fsuid=1000 ouid=1000
Jan 12 13:09:14 pboushy-mobl kernel: audit: type=1400
audit(1768248554.937:301): apparmor="DENIED" operation="open" class="file"
profile="snap.firefox.firefox" name="/var/lib/snapd/hostfs/tmp/krb5cc_1000"
pid=96875 comm=4267494F5468727E506F6F6C202333 requested_mask="a"
denied_mask="a" fsuid=1000 ouid=1000
Jan 12 13:09:15 pboushy-mobl kernel: audit: type=1400
audit(1768248555.023:302): apparmor="DENIED" operation="open" class="file"
profile="snap.firefox.firefox" name="/var/lib/snapd/hostfs/tmp/krb5cc_1000"
pid=96875 comm=4267494F5468727E506F6F6C202332 requested_mask="a"
denied_mask="a" fsuid=1000 ouid=1000
Chromium debug log entries:
[111480] 1768250882.435827: Getting credentials [email protected] ->
HTTP/[email protected] using ccache
FILE:/var/lib/snapd/hostfs/tmp/krb5cc_1000
[111480] 1768250882.435828: Retrieving [email protected] ->
krb5_ccache_conf_data/start_realm@X-CACHECONF: from
FILE:/var/lib/snapd/hostfs/tmp/krb5cc_1000 with result: -1765328243/Matching
credential not found (filename: /var/lib/snapd/hostfs/tmp/krb5cc_1000)
[111480] 1768250882.435829: Retrieving [email protected] ->
HTTP/[email protected] from
FILE:/var/lib/snapd/hostfs/tmp/krb5cc_1000 with result: -1765328243/Matching
credential not found (filename: /var/lib/snapd/hostfs/tmp/krb5cc_1000)
[111480] 1768250882.435832: Requesting tickets for
HTTP/[email protected], referrals on
...
[111480] 1768250895.402633: Retrieving [email protected] ->
krb5_ccache_conf_data/start_realm@X-CACHECONF: from
FILE:/var/lib/snapd/hostfs/tmp/krb5cc_1000 with result: -1765328243/Matching
credential not found (filename: /var/lib/snapd/hostfs/tmp/krb5cc_1000)
[111480] 1768250895.402634: Retrieving [email protected] ->
HTTP/[email protected] from
FILE:/var/lib/snapd/hostfs/tmp/krb5cc_1000 with result: -1765328243/Matching
credential not found (filename: /var/lib/snapd/hostfs/tmp/krb5cc_1000)
[111480] 1768250895.402637: Requesting tickets for
HTTP/[email protected], referrals on
...
NOTE - this happens several times.
journalctl log entries at same time:
Jan 12 13:48:08 pboushy-mobl kernel: audit: type=1400
audit(1768250888.853:600): apparmor="DENIED" operation="open" class="file"
profile="snap.chromium.chromium" name="/var/lib/snapd/hostfs/tmp/krb5cc_1000"
pid=111480 comm="Chrome_ChildIOT" requested_mask="a" denied_mask="a" fsuid=1000
ouid=1000
Jan 12 13:48:21 pboushy-mobl kernel: audit: type=1400
audit(1768250901.710:602): apparmor="DENIED" operation="open" class="file"
profile="snap.chromium.chromium" name="/var/lib/snapd/hostfs/tmp/krb5cc_1000"
pid=111480 comm="Chrome_ChildIOT" requested_mask="a" denied_mask="a" fsuid=1000
ouid=1000
Jan 12 13:48:33 pboushy-mobl kernel: audit: type=1400
audit(1768250913.628:604): apparmor="DENIED" operation="open" class="file"
profile="snap.chromium.chromium" name="/var/lib/snapd/hostfs/tmp/krb5cc_1000"
pid=111480 comm="Chrome_ChildIOT" requested_mask="a" denied_mask="a" fsuid=1000
ouid=1000
Jan 12 13:48:45 pboushy-mobl kernel: audit: type=1400
audit(1768250925.398:606): apparmor="DENIED" operation="open" class="file"
profile="snap.chromium.chromium" name="/var/lib/snapd/hostfs/tmp/krb5cc_1000"
pid=111480 comm="Chrome_ChildIOT" requested_mask="a" denied_mask="a" fsuid=1000
ouid=1000
** Affects: firefox (Ubuntu)
Importance: Undecided
Status: New
** Summary changed:
- Kerberos authentication slow in FIrefox (snap) and Chromium (snap)
+ Kerberos authentication slow in Firefox (snap) and Chromium (snap)
** Also affects: chromium (Ubuntu)
Importance: Undecided
Status: New
** No longer affects: chromium (Ubuntu)
https://bugs.launchpad.net/bugs/2138268
Title:
Kerberos authentication slow in Firefox (snap) and Chromium (snap)
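An added example, not part of the original report: a small Python triage script that pulls AppArmor `DENIED` records for a `krb5cc_<uid>` cache out of journal text and groups them by profile, thread name and denied mask (`a` is append access). The sample lines are constructed from the excerpts above with a placeholder hostname, the function names are this example's own, and it decodes the hex-encoded `comm` values seen in the Firefox records, which audit emits when a thread name contains spaces.

```python
import re
from collections import Counter

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted" or key=bare
KRB5CC_RE = re.compile(r"/tmp/krb5cc_\d+$")        # host ccache seen via hostfs

# Constructed sample modelled on the report's journal excerpts (placeholder host).
_FMT = ('Jan 12 {t} host kernel: audit: type=1400 audit({ts}): apparmor="DENIED" '
        'operation="open" class="file" profile="{prof}" name="{name}" pid={pid} '
        'comm={comm} requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000')
CCACHE = "/var/lib/snapd/hostfs/tmp/krb5cc_1000"
SAMPLE_LOG = "\n".join([
    _FMT.format(t="13:09:14", ts="1768248554.709:300", prof="snap.firefox.firefox",
                name=CCACHE, pid=96875, comm="4267494F5468727E506F6F6C202334"),
    _FMT.format(t="13:09:14", ts="1768248554.937:301", prof="snap.firefox.firefox",
                name=CCACHE, pid=96875, comm="4267494F5468727E506F6F6C202333"),
    _FMT.format(t="13:48:08", ts="1768250888.853:600", prof="snap.chromium.chromium",
                name=CCACHE, pid=111480, comm='"Chrome_ChildIOT"'),
    _FMT.format(t="13:48:21", ts="1768250901.710:602", prof="snap.chromium.chromium",
                name=CCACHE, pid=111480, comm='"Chrome_ChildIOT"'),
    _FMT.format(t="13:50:00", ts="1768251000.000:700", prof="snap.example.app",
                name="/home/user/notes.txt", pid=4242, comm='"example"'),
])

def parse_record(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
        if key == "comm" and not raw.startswith('"'):
            # audit hex-encodes unquoted strings (spaces, special characters)
            try:
                rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                pass  # not valid hex: keep the raw value
    return rec

def ccache_denials(log_text):
    """Count denied opens of a krb5cc_<uid> cache per (profile, thread, mask)."""
    counts = Counter()
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        if KRB5CC_RE.search(rec.get("name", "")):
            counts[rec.get("profile"), rec.get("comm"), rec.get("denied_mask")] += 1
    return counts

if __name__ == "__main__":
    print(ccache_denials(SAMPLE_LOG))
```

On a live system the same functions can be fed the text of the kernel journal instead of `SAMPLE_LOG`.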