Kerberos does not work anymore on Firefox under Ubuntu 22.04

Bug #1970182 reported by Ronzo
This bug affects 11 people
Affects | Status | Importance | Assigned to | Milestone
firefox (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

There seems to be a problem with the AppArmor config regarding Firefox and Kerberos.

journalctl -f | grep DEN
Apr 25 10:26:48 chupacabra audit[3575]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/gss/mech.d/" pid=3575 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 25 10:26:48 chupacabra kernel: audit: type=1400 audit(1650875208.417:138): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/gss/mech.d/" pid=3575 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=

Ronzo (ronzo)
tags: added: jammy
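
An added example, not part of the original report: a small Python parser that groups AppArmor DENIED audit records like the two quoted above by profile, path and denied mask, so every path a confined application is refused can be reviewed together. The sample input reuses the two records from the report plus one constructed ALLOWED line; the function names are this example's own.

```python
import re
import sys
from collections import defaultdict

# Sample input: the two audit records quoted in the bug description, plus one
# constructed ALLOWED record to show that non-denials are skipped.
SAMPLE_LOG = '''\
Apr 25 10:26:48 chupacabra audit[3575]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/gss/mech.d/" pid=3575 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 25 10:26:48 chupacabra kernel: audit: type=1400 audit(1650875208.417:138): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/gss/mech.d/" pid=3575 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=
Apr 25 10:26:49 chupacabra kernel: audit: type=1400 audit(1650875209.001:139): apparmor="ALLOWED" operation="open" profile="example" name="/tmp/x" pid=1 comm="x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')   # key="quoted" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
HEX_KEYS = {"name", "comm", "profile"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is None and key in HEX_KEYS and HEX.fullmatch(bare):
            # audit writes strings containing spaces or quotes as unquoted hex
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare if quoted is None else quoted
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(lines):
    """Group denials by (profile, path, denied_mask); count records and pids."""
    summary = defaultdict(lambda: {"records": 0, "pids": set()})
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        entry = summary[(d.get("profile"), d.get("name"), d.get("denied_mask"))]
        entry["records"] += 1   # one denial may be logged twice, as in the report
        entry["pids"].add(d.get("pid"))
    return dict(summary)

if __name__ == "__main__":
    # Reads journal text from stdin when piped, otherwise uses the sample above.
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    for (profile, name, mask), e in summarize(lines).items():
        print(f"{profile}  {mask}  {name}  records={e['records']} pids={sorted(e['pids'])}")
```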
Ronzo (ronzo) wrote :

Adding the following line to the libdefaults section of /etc/krb5.conf fixes the problem:

default_ccache_name = FILE:/home/%{username}/krb5cc

Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Libera.chat.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1970182/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed
Paul White (paulw2u)
affects: ubuntu → firefox (Ubuntu)
Martin Schmitt (unixtippse) wrote :

The workaround provided by Ronzo is much appreciated, but considering that this will mostly be relevant in larger environments with central authentication, keeping the cached credentials openly in the middle of the home directory may at least open support issues with users wondering what that file may be, deleting it, and so on.

We've also experimented with other paths and bind-mounting a dedicated ccache directory into the boundaries of the Snap, which either fails due to missing access permissions or the requirement to start Firefox with a different $KRB5CCNAME environment than the default.

If the Snap could access the krb5.conf(5) default default_ccache_name, that would be a huge step forward.

Dan Mick (dmick-m) wrote :

A full year later, bug still exists. Oh yeah, Firefox snap was a great idea.
