Responding in SRU form as I already have it prepped; TL;DR we won't do a targeted SRU for this fix as snaps affected by this will need to wait for snapd 2.75.
[ Impact ]

The Firefox snap fails to apply any krb5 configuration if any file that is included via an `includedir` is not allowed in the snap sandbox.

It is typical (although not the default) for users to include the following directive in `/etc/krb5.conf`:

    includedir /etc/krb5.conf.d/

sssd in Noble+ comes with `/etc/krb5.conf.d/enable_sssd_conf_dir` with:

    includedir /var/lib/sss/pubconf/krb5.include.d/

`/var/lib/sss/pubconf/krb5.include.d/` is not accessible from within the Firefox snap's environment; Firefox attempts to open the directory and receives ENOENT (see comment #5 [1]), causing GSS negotiation to fail. A similar failure has also been observed in the Remmina snap [2].

A profile change for the kerberosclient abstraction landed upstream in 61be493 [3] and has been backported to 4.1.5 [4]. Apparmor (including the affected profile) is vendored in snapd; 4.1.6 should land in snapd 2.75 [5]. I've confirmed using the test plan below that modifying the system profile has no effect on Firefox's behavior. We'll need to wait for snapd 2.75.

[1] https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2122317/comments/5
[2] https://forum.snapcraft.io/t/system-file-access-for-remmina-to-allow-kerberos-authentication/50261/7
[3] https://gitlab.com/apparmor/apparmor/-/commit/61be493f48dfd28eb41982283c768b1af49afb20
[4] https://gitlab.com/apparmor/apparmor/-/commit/031234e1866476c5c0faccbd1ec3e2d41c50d432
[5] https://github.com/canonical/snapd/pull/16527

[ Test Plan ]

Deploy MIT kerberos in your environment following the Ubuntu Server documentation [1]. In another machine, deploy apache2:

```
apt-get install libapache2-mod-auth-gssapi krb5-user apache2
```

Configure `mod_auth_gssapi` for Kerberos. In the default `VirtualHost` in `/etc/apache2/sites-available/000-default.conf`:

```
<Location />
    AuthType GSSAPI
    AuthName "Kerberos authenticated intranet with mod_auth_gssapi"
    GssapiCredStore keytab:/etc/krb5.keytab
    # Only allow krb5 and ignore ntlmssp and iakerb
    GssapiAllowedMech krb5
    # We don't want to fallback to Basic Auth
    GssapiBasicAuth Off
    # Resolve remote's user into REMOTE_USER variable. Proper setting of
    # [realms].auth_to_local in /etc/krb5.conf is required
    GssapiLocalName On
    # Not enforcing an encrypted HTTPS/TLS connection for this test
    GssapiSSLonly Off
    require valid-user
</Location>
```

Configure a service principal on this machine, using its domain name `HTTP/srv.krb-00425248.wh.omg.lol` [2]. Fix up perms on the keytab so that apache can access it:

```
sudo chown www-data:www-data /etc/krb5.keytab
```

Deploy an Ubuntu Desktop machine, set up & run Firefox:

```
sudo snap install firefox
sudo snap connect firefox:kerberos-tickets
sudo apt install krb5-user
kinit -p ubuntu
KRB5_TRACE=/dev/stderr NSPR_LOG_MODULES=negotiateauth:5 KRB5CCNAME=FILE:/tmp/krb5cc_1000 snap run firefox
```

Navigate to `about:config`, and add the DNS name for your apache server to `network.negotiate-auth.trusted-uris` and `network.negotiate-auth.delegation-uris`. Navigate to your apache2 server; you should see the default apache2 index.html. Checking the request details in the debugger should show an `Authorization: Negotiate ...` header.

Insert `includedir /etc/krb5.conf.d/` at the beginning of `/etc/krb5.conf`. Reload the page.

Expected behavior: HTTP 200

Actual behavior: Observe an HTTP 401 from the server, and this on Firefox's stdout:

```
[Parent 11650: BgIOThreadPool #2]: D/negotiateauth entering nsAuthGSSAPI::GetNextToken()
[Parent 11650: BgIOThreadPool #2]: D/negotiateauth gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
[Parent 11650: BgIOThreadPool #2]: D/negotiateauth leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
```

[1] https://documentation.ubuntu.com/server/how-to/kerberos/install-a-kerberos-server/
[2] https://documentation.ubuntu.com/server/how-to/kerberos/configure-service-principals/

** Changed in: apparmor (Ubuntu Jammy)
       Status: In Progress => Invalid

** Changed in: apparmor (Ubuntu Jammy)
     Assignee: Wesley Hershberger (whershberger) => (unassigned)

** Changed in: apparmor (Ubuntu Noble)
       Status: In Progress => Deferred

** Changed in: apparmor (Ubuntu Noble)
     Assignee: Wesley Hershberger (whershberger) => (unassigned)

** Changed in: apparmor (Ubuntu Questing)
       Status: In Progress => Deferred

** Changed in: apparmor (Ubuntu Questing)
     Assignee: Wesley Hershberger (whershberger) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/2122317

Title:
  Unreadable includedir /var/lib/sss/pubconf/krb5.include.d/ causes Kerberos authentication failure

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
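The include chain described in the bug comment (krb5.conf -> includedir /etc/krb5.conf.d/ -> enable_sssd_conf_dir -> includedir /var/lib/sss/pubconf/krb5.include.d/) can be checked ahead of time from the client side. The script below is an added example, not code from the bug report, snapd or apparmor: it walks `include`/`includedir` directives the way libkrb5's profile loader does and records every target it cannot open, treating a single unopenable `includedir` as a hard failure since that is what makes the whole profile unusable here. Two things are assumptions: the filename filter for `includedir` entries (alphanumerics, dashes, underscores, optionally a `.conf` suffix) approximates libkrb5's, and the `deny` list is a stand-in for snap confinement that makes the denied path look like ENOENT, as the Firefox snap observed. The `demo()` function builds a constructed copy of the Noble layout in a temporary directory and checks it unconfined and confined.

```python
#!/usr/bin/env python3
"""Added example (not from the bug report): resolve a krb5.conf include tree and
report every include/includedir target that cannot be opened. An optional deny
list simulates snap confinement, under which /var/lib/sss/pubconf/krb5.include.d/
looked like ENOENT to Firefox."""
import errno
import os
import re
from dataclasses import dataclass, field

# Assumption: approximates libkrb5's includedir filename filter. Only entries
# named with alphanumerics, '-' and '_', optionally ending in ".conf", are read.
_INCLUDEDIR_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")


@dataclass
class IncludeReport:
    loaded: list = field(default_factory=list)   # files actually parsed
    failed: list = field(default_factory=list)   # (directive, path, errno name)


def _denied(path, deny):
    """True if `path` lies under a denied prefix (simulated sandbox)."""
    p = path.rstrip("/")
    return any(p == d.rstrip("/") or p.startswith(d.rstrip("/") + "/") for d in deny)


def _fail(report, directive, path, exc):
    report.failed.append((directive, path, errno.errorcode.get(exc.errno, repr(exc))))


def check_includes(path, deny=(), report=None):
    """Recursively follow include directives starting at `path`.

    An unopenable includedir is recorded as a failure rather than skipped,
    matching the observed behaviour: one missing directory breaks the profile."""
    report = report if report is not None else IncludeReport()
    try:
        if _denied(path, deny):
            raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)
        with open(path) as fh:
            lines = fh.read().splitlines()
    except OSError as exc:
        _fail(report, "include", path, exc)
        return report
    report.loaded.append(path)
    for raw in lines:
        line = raw.strip()
        if line.startswith("includedir "):
            directory = line.split(None, 1)[1].strip()
            try:
                if _denied(directory, deny):
                    raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), directory)
                names = sorted(os.listdir(directory))
            except OSError as exc:
                _fail(report, "includedir", directory, exc)
                continue
            for name in names:
                full = os.path.join(directory, name)
                if _INCLUDEDIR_NAME.match(name) and os.path.isfile(full):
                    check_includes(full, deny, report)
        elif line.startswith("include "):
            check_includes(line.split(None, 1)[1].strip(), deny, report)
    return report


def demo():
    """Constructed Noble-style layout in a temp dir, checked unconfined and with the
    sssd pubconf directory denied. Returns (host_report, snap_report, denied_path)."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        confd = os.path.join(root, "etc", "krb5.conf.d")
        sssd_dir = os.path.join(root, "var", "lib", "sss", "pubconf", "krb5.include.d")
        os.makedirs(confd)
        os.makedirs(sssd_dir)
        krb5_conf = os.path.join(root, "etc", "krb5.conf")
        with open(krb5_conf, "w") as fh:
            fh.write(f"includedir {confd}/\n[libdefaults]\n    default_realm = EXAMPLE.TEST\n")
        with open(os.path.join(confd, "enable_sssd_conf_dir"), "w") as fh:
            fh.write(f"includedir {sssd_dir}/\n")
        with open(os.path.join(sssd_dir, "domain_realm_example"), "w") as fh:
            fh.write("[domain_realm]\n    .example.test = EXAMPLE.TEST\n")
        with open(os.path.join(confd, "README.txt"), "w") as fh:  # name filter drops this
            fh.write("not a config file\n")
        host = check_includes(krb5_conf)                    # everything readable
        snap = check_includes(krb5_conf, deny=[sssd_dir])   # sandbox hides sssd dir
        return host, snap, sssd_dir + "/"


if __name__ == "__main__":
    host, snap, denied = demo()
    print("unconfined:", host.failed or "all includes readable")
    print("confined:  ", snap.failed)
```

Run against a real system as `check_includes("/etc/krb5.conf")` with no deny list to see what the host can read; to approximate what a strictly confined snap sees, pass the paths its profile does not grant. An empty `failed` list on the host with a non-empty one under the deny list is exactly the situation in the report, where fixing the system profile does not help because the snap's copy of the abstraction is the one that matters.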
