One of the reasons we see slowness and you might not is the number of KDCs we have in our REALM. Is your test REALM a single server?
Yes, we run `kinit` ahead of loading firefox and the TGT is cached properly. Here are the full reproduction steps in order: 1. Create /etc/krb5.conf.d/COMPANY.conf with your domain's settings. (I can send you our file via email if you need) 2. Add the includedir directive to /etc/krb5.conf: $ echo "includedir /etc/krb5.conf.d/" > /etc/krb5.conf 3. Comment out the includedir in enable_sssd_conf_dir due to LP:2122317 $ sed -i '/includedir/s/^/#/' '/etc/krb5.conf.d/enable_sssd_conf_dir' 4. Get and confirm you received a kerberos ticket: $ kinit $username $ klist 5. Quit Firefox (in case it's running already), make sure the kerberos-ticket plug is connected, and then run firefox with the various ENV variables: $ killall firefox $ sudo snap connect firefox:kerberos-tickets $ KRB5_TRACE=/dev/stderr NSPR_LOG_MODULES=negotiateauth:5 KRB5CCNAME=FILE:/tmp/krb5cc_1000 snap run firefox 6. Load a kerberized webpage that has at minimum 2 requests in the page that require authentication. It takes a long time while it does the Kerberos ST process including a bunch of DNS queries. 7. Press ctrl+shift+r to do a refresh without page cache. You should see it takes approximately the same amount of time because it has to do the Kerberos ST process again. Expected result is that the second request should be almost instantaneous because it uses the ST from the kerberos cache. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138268 Title: Kerberos authentication slow in Firefox (snap) and Chromium (snap) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/2138268/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
