[Bug 1849346]
Mantas Mikulėnas
1849346 at bugs.launchpad.net
Tue Mar 22 19:30:28 UTC 2022
The magic disappears in Firefox's AppArmor profile, which doesn't allow
it to access `/tmp/krb5cc_*`. As an easy workaround until the Snap
configuration is fixed, edit `/etc/krb5.conf` to relocate your Kerberos
ticket cache somewhere Firefox *can* access it:
```
[libdefaults]
default_ccache_name = FILE:/home/%{username}/krb5cc
```
(Don't forget to re-`kinit`.)
---
In addition to the AppArmor problems, the snap is also missing the
`krb5/plugins/tls/k5tls.so` module that's required to access KDCs via
MS-KKDCP (aka KdcProxy). Now _most_ realms should work fine without the
k5tls plugin, but in some cases it might be necessary to manually
specify non-proxied KDC hostnames in krb5.conf `[realms]`. (If you're
using Azure AD Kerberos, you're out of luck.)
The magic environment variables to reveal such problems are
`KRB5_TRACE=/dev/stderr NSPR_LOG_MODULES=negotiateauth:5`.
--
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1849346
Title:
[snap] kerberos GSSAPI no longer works after deb->snap transition
To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1849346/+subscriptions
More information about the Ubuntu-mozillateam-bugs
mailing list