I don't think the fix is working as intended, at least not in my testing. The problem directory (/var/lib/sss/pubconf/krb5.include.d/) still isn't mounted inside snap confinement. We can see this in Remmina:

    ubuntu@ubuntu-desktop:~$ ls /var/lib/sss/pubconf/krb5.include.d/
    ubuntu@ubuntu-desktop:~$ snap run --shell remmina
    ubuntu@ubuntu-desktop:/home/ubuntu$ ls /var/lib/sss/pubconf/krb5.include.d/
    ls: cannot access '/var/lib/sss/pubconf/krb5.include.d/': No such file or directory

I ran Remmina with some extra logging:

    KRB5_TRACE=/dev/stderr NSPR_LOG_MODULES=negotiateauth:5 snap run remmina

Then attempted an SSH connection using Kerberos auth, and I saw the following error:

    [18:21:34:176] [12329:000030ad] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5_init_context (Included profile directory could not be read [-1429577696])

This error is only triggered when /etc/krb5.conf contains the following line:

    includedir /etc/krb5.conf.d/

This config directory is what includes the includedir to the problem directory:

    cat etc/krb5.conf.d/enable_sssd_conf_dir
    # This file should normally be installed by your distribution into a
    # directory that is included from the Kerberos configuration file (/etc/krb5.conf)
    # On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

To try and work around this, I added a bind mount to Remmina to include this directory. After adding the bind mount, authentication succeeded. To get this moving along for a support case, I opened an MR in Remmina to add this upstream (https://gitlab.com/Remmina/Remmina/-/merge_requests/2736).

This isn't ideal though, since the contents of the bind mount will be empty, so if an application is expecting specific contents from the base system to exist in there, it could still fail until it's manually copied into snap confinement.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122317

Title:
  Unreadable includedir /var/lib/sss/pubconf/krb5.include.d/ causes Kerberos authentication failure
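
The failure described in this report, as an added example that is not part of the original bug comment or of any project's code: a Python walk of the krb5.conf include/includedir chain that reports every target the current filesystem view cannot read. The function names, the `root` parameter and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# libkrb5 reads includedir entries whose names are only alphanumerics, dashes
# and underscores, or (since krb5 1.15) end in ".conf" without a leading dot.
NAME_OK = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")
DIRECTIVE = re.compile(r"^(include|includedir)\s+(\S+)$")

def check_includes(conf, root="/", seen=None):
    """Walk the include chain from `conf`; return [(source, target, error)].

    `root` (assumption, for testing) is prepended to the absolute paths in
    the config so the same walk can run against a constructed tree.
    """
    seen = set() if seen is None else seen
    if conf in seen:                      # guard against include loops
        return []
    seen.add(conf)
    problems = []
    with open(os.path.join(root, conf.lstrip("/")), errors="replace") as fh:
        lines = [line.strip() for line in fh]
    for kind, target in (m.groups() for m in map(DIRECTIVE.match, lines) if m):
        real = os.path.join(root, target.lstrip("/"))
        if kind == "includedir":
            try:                          # a missing directory is fatal for libkrb5
                names = sorted(n for n in os.listdir(real) if NAME_OK.match(n))
            except OSError as exc:
                problems.append((conf, target, exc.strerror))
                continue
            children = [os.path.join(target, n) for n in names
                        if os.path.isfile(os.path.join(real, n))]
        else:
            children = [target]
        for child in children:
            try:
                problems += check_includes(child, root, seen)
            except OSError as exc:
                problems.append((conf, child, exc.strerror))
    return problems

def build_sample_tree(root, with_sssd_dir):
    """Constructed tree mirroring the layout quoted in the report."""
    os.makedirs(os.path.join(root, "etc/krb5.conf.d"))
    with open(os.path.join(root, "etc/krb5.conf"), "w") as fh:
        fh.write("includedir /etc/krb5.conf.d/\n[libdefaults]\n")
    with open(os.path.join(root, "etc/krb5.conf.d/enable_sssd_conf_dir"), "w") as fh:
        fh.write("# constructed\nincludedir /var/lib/sss/pubconf/krb5.include.d/\n")
    if with_sssd_dir:
        os.makedirs(os.path.join(root, "var/lib/sss/pubconf/krb5.include.d"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, with_sssd_dir=False)
        for src, target, why in check_includes("/etc/krb5.conf", root=tmp):
            print(f"{src}: cannot read {target}: {why}")
```

With the directory present but empty, as with the bind mount described in the report, the walk returns no problems.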
