Ubuntu
thunderbird package

[snap]Thunderbird doesn't authenticate with sssd-kcm

Bug #2056760 reported by Helga
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Invalid
Undecided
Unassigned
thunderbird (Ubuntu)
New
High
Unassigned

Bug Description

I have Kerberos authentication set up in Thunderbird for my mailbox.

My environment contains:

helga@helga-rashomon:~$ env | grep KRB
KRB5CCNAME=KCM:

This means that Kerberos authentication should work through the sssd-kcm server.

I initialize Kerberos and verify that it functions correctly:

helga@helga-rashomon:~$ klist
Ticket cache: KCM:1000
Default principal: <email address hidden>

Valid starting Expires Service principal
03/11/24 04:14:24 03/12/24 04:14:24 <email address hidden>
03/11/24 04:15:24 03/12/24 04:14:24 HTTP/redmine.example.org@
        Ticket server: <email address hidden>

(listing redacted to say example.org instead of the real address. the redmine listing shows that Firefox works correctly with this address)

However, when I open the Snap Thunderbird, it does not recognize this Kerberos setup, showing me "The Kerberos/GSSAPI ticket was not accepted by the IMAP server". klist -A likewise shows no changes.

The exact same setup works when I specify KRB5CCNAME=DIR:${HOME}/krb5cc in .profile instead.
The sssd-kcm setup also works in Thunderbird native and Flatpak profiles.

Considering the Flatpak specifically permits access to /run/.heim_org.h5l.kcm-socket, could it be that the Thunderbird Snap is not allowed to access this socket?

Revision history for this message
Helga (hkrobo) wrote :

OS version:
helga@helga-rashomon:~$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu Noble Numbat (development branch)
Release: 24.04

Thunderbird snap version: 115.8.1-2

Apologies for not providing info initially, see: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2056758

Attached is the output of ubuntu-bug --save

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Hi Helga,

Thanks for taking the time to report this bug and trying to make Ubuntu better.

From what I understood this is an issue with the snap package of Thunderbird, if that's the case you should try to report here (?):

https://snapcraft.io/thunderbird

I am not sure if this bug will reach the snap maintainers here.

And I do not think this is an issue with the sssd package in the Ubuntu archive, but an integration issue affecting the snap package.

Revision history for this message
Helga (hkrobo) wrote :

> I am not sure if this bug will reach the snap maintainers here.

When I run ubuntu-bug with the Firefox snap, it gets opened on Launchpad. The contact details for Thunderbird lead to Launchpad. the "Report problem with Firefox" button is exclusively for copyright and policy violations, not bug reports. Therefore, I think Launchpad is probably the appropriate platform.

> And I do not think this is an issue with the sssd package in the Ubuntu archive, but an integration issue affecting the snap package.

Yes, you're probably right.

Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

I am adding a server-triage-discuss here so we can ensure this is the correct place for this report.

Changed in sssd (Ubuntu):
status: New → Incomplete
tags: added: server-traige-discuss
Revision history for this message
Sebastien Bacher (seb128) wrote :

> Considering the Flatpak specifically permits access to /run/.heim_org.h5l.kcm-socket, could it be that the Thunderbird Snap is not allowed to access this socket?

Could you check if your get any correspondin apparmor DENIED in journalctl?

Revision history for this message
Helga (hkrobo) wrote :

Seems I do:

```
Ապր 20 23:24:32 helga-rashomon kernel: audit: type=1400 audit(1713641072.496:307): apparmor="DENIED" operation="open" class="file" profile="snap.thunderbird.thunderbird" name="/etc/gss/mech.d/" pid=54398 comm="IMAP" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Ապր 20 23:24:32 helga-rashomon kernel: audit: type=1400 audit(1713641072.503:308): apparmor="DENIED" operation="connect" class="file" profile="snap.thunderbird.thunderbird" name="/run/.heim_org.h5l.kcm-socket" pid=54398 comm="IMAP" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Ապր 20 23:24:32 helga-rashomon dbus-daemon[2973]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="GetServerInformation" mask="send" name=":1.26" pid=54398 label="snap.thunderbird.thunderbird" peer_pid=3360 peer_label="plasmashell"
Ապր 20 23:24:32 helga-rashomon kernel: audit: type=1400 audit(1713641072.529:309): apparmor="DENIED" operation="connect" class="file" profile="snap.thunderbird.thunderbird" name="/run/.heim_org.h5l.kcm-socket" pid=54398 comm="IMAP" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
```

Revision history for this message
Sebastien Bacher (seb128) wrote :

So yes, it seems the snap sandbox is denying access to the kcm-socket...

Changed in thunderbird (Ubuntu):
importance: Undecided → High
Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

Marking the sssd tracker as invalid then.

tags: removed: server-traige-discuss
Changed in sssd (Ubuntu):
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.