This affects my company as well, ever since the snap transition
Kerberos/GSS won't work in any snaps (also affecting any NFSv4 mounts
with sec=krb5). Our solution going on nearly four years now has been to
maintain our own .deb versions of all packages only offered as a snap.
It's sad because Ubun
We encounter the same bug and so far I came to the same conclusion.
Firefox snaps for Ubuntu 22.04 and Ubuntu 24.04 are the same files, they
have the same checksums. So, yes, the bug on Ubuntu 24.04 does not come
directly from the files of the snap.
--
You received this bug notification because y
This issue is confirmed in the Firefox Snap and not an issue in the
Mozilla Firefox APT. The issue does not appear to be browser-based,
but package-format based.
The current "fix" is to not use Snap.
--
** Bug watch added: Mozilla Bugzilla #1275744
https://bugzilla.mozilla.org/show_bug.cgi?id=1275744
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1849346
Title:
[snap] kerberos GSS
(In reply to Mantas Mikulėnas (grawity) from comment #6)
> The magic environment variables to reveal such problems are
> `KRB5_TRACE=/dev/stderr NSPR_LOG_MODULES=negotiateauth:5`.
This worked for me on Snap version `125.0.2-1` but I got no output on
version `131.0-1`. After some digging
(https:/
On Ubuntu 22.04 I was able to work around this issue for Firefox by
punching a hole through the Snap sandbox in order to make the file
accessible both inside and outside of the sandbox. Specifically, I used
the following script:
#!/bin/bash
src="/tmp/krb5cc_$(id -u)"
dest="/tmp/snap-p
Any updates on this?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1849346
Title:
[snap] kerberos GSSAPI no longer works after deb->snap transition
Status in Mozilla Firefo
*** Bug 1831722 has been marked as a duplicate of this bug. ***
--
I think we're hoping to tackle this for the next (Ubuntu) cycle.
--
(In reply to vegardalsli from comment #16)
> I'm not sure what this being an upstream issue means. Is there a bug or a
> point of contact upstream that we can get in contact with?
> Thank you for increasing the priority of this case btw.
It means that the issue is not in our codebase but it's a u
Amin, is this on any roadmap?
--
I'm not sure what this being an upstream issue means. Is there a bug or a point
of contact upstream that we can get in contact with?
Thank you for increasing the priority of this case btw.
--
If you force people into a snap package at least there should be no loss in
functionality.
I have linked the snapd project so maybe someone from there could have a look.
** Also affects: snapd
Importance: Undecided
Status: New
--
** Changed in: firefox (Ubuntu)
Importance: Medium => High
--
(In reply to vegardalsli from comment #12)
> I can confirm this is still a huge issue. I have hundreds of users with this
> problem in my environment.
> This is both a big security and productivity issue for my users.
>
> How can we get this fixed?
Unfortunately, this is an upstream issue, and I
I'll second that too.
--
I'll second that. We've got a lot of users with this issue in our
environment as well.
--
I can confirm this is still a huge issue. I have hundreds of users with this
problem in my environment.
This is both a big security and productivity issue for my users.
How can we get this fixed?
--
I hope this gets some attention very soon. It's a huge issue for
enterprise users.
--
No, this isn't being worked on.
--
Olivier, is there any progress on that matter?
--
I've also experienced this bug and it's a show-stopper for either
upgrading or requires changing distro, and makes Ubuntu unusable for
many enterprises. We don't accept user/password combination so a
fallback to that from Kerberos isn't possible and moving the ccache
isn't possible or supported eit
This is a problem for snap versions of Chromium and Firefox, they are
unable to access the kerberos ticket and also (not sure why)
/etc/gss/mech.d/
--
This should have been a show-stopper for Firefox Snap.
--
My workplace was hit with this earlier this week (Upgrading from Ubuntu
20.04 -> 22.04.1). Just like to point out that KRB5CCNAME can refer to
several different cache storage
[alternatives](https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html#ccache-types),
for example I use `KEYRING:p
Hello,
I can confirm this is a problem also for us,
with the latest firefox and chromium from snap store,
including the limited applicability of the workaround regarding
ccache_name location
thanks
--
The severity field is not set for this bug.
:gerard-majax, could you have a look please?
For more information, please visit [auto_nag
documentation](https://wiki.mozilla.org/Release_Management/autonag#workflow.2Fno_severity.py).
--
(In reply to Mantas M. (grawity) from comment #6)
> The magic disappears in Firefox's AppArmor profile, which doesn't allow it to
> access `/tmp/krb5cc_*`. As an easy workaround until the Snap configuration is
> fixed, edit `/etc/krb5.conf` to relocate your Kerberos ticket cache somewhere
> Fire
The magic disappears in Firefox's AppArmor profile, which doesn't allow
it to access `/tmp/krb5cc_*`. As an easy workaround until the Snap
configuration is fixed, edit `/etc/krb5.conf` to relocate your Kerberos
ticket cache somewhere Firefox *can* access it:
```
[libdefaults]
default_ccach
Being on Ubuntu 22.04, the .deb package has been removed and one is
forced to use the snap version.
Kerberos does not work with the latest version and this is quite a
blocker for me as there is no alternative (other than switching
browsers).
--
@frigo Thanks for the tip.
Unfortunately my systems require pam_krb5 which has precedence over
default_ccache_name and sets KRB5CCNAME directly.
I tried to set ccache_dir in the pam section of krb5.conf but I didn't manage.
While waiting for this to be fixed I'll continue with the not-snap versio
** Changed in: chromium-browser (Ubuntu)
Importance: Undecided => Medium
** Changed in: chromium-browser (Ubuntu)
Status: Confirmed => Triaged
--
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1849346
Title:
[snap] kerberos GSSAPI no longer works after deb->snap transition
Status in Mozilla Firefox:
New
Status in chr
The same applies to Chromium, please set it to medium as well, Luka.
Thanks!
--
Unless the snap move was intended to provide isolation from Kerberos,
setting to medium because this breaks many enterprise use cases for
Firefox.
** Changed in: firefox (Ubuntu)
Importance: Undecided => Medium
** Changed in: firefox (Ubuntu)
Status: Confirmed => Triaged
--
If the goal is to have a single snap making use of the Kerberos ticket,
as a workaround you can put something like this in /etc/krb5.conf:

    [libdefaults]
    default_ccache_name = DIR:/home/%{username}/snap/firefox/common/.cache/.k5_ccache

the default connections for the firefox snap prevent
In my brand new Ubuntu 21.10 Impish has forced the change of Firefox as Snap,
so I'm suffering Kerberos not working from inside the Firefox snap.
Kerberos works fine at Linux level. KInit, KList, etc. show that the tickets
are assigned and handled correctly when requested.
Which is different in
Launchpad has imported 4 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=1734791.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://he
** Also affects: firefox (Ubuntu)
Importance: Undecided
Status: New
** Also affects: firefox via
https://bugzilla.mozilla.org/show_bug.cgi?id=1734791
Importance: Unknown
Status: Unknown
** Changed in: firefox (Ubuntu)
Status: New => Confirmed
** No longer affects: t
There is a similar bug follow up at
https://bugzilla.mozilla.org/show_bug.cgi?id=1734791
--
What is different in our case from that of normal people is that the use of
Kerberos requires setting the preference
"network.negotiate-auth.trusted-uris" in Firefox, which by default is not set.
In my case it is set as network.negotiate-auth.trusted-uris=cern.ch
I have everything setup correctly, li
Today my brand new Ubuntu 21.10 Impish has forced the change of Firefox as
Snap, so I'm suffering Kerberos not working from inside the Firefox snap.
Kerberos works fine at Linux level. KInit, KList, etc. show that the tickets
are assigned and handled correctly when requested.
Some closed door se
Maybe the information I collected here
https://bugzilla.mozilla.org/show_bug.cgi?id=1734791 for the Firefox
snap, which suffers from the same problem, is helpful in order to fix
the problem for the Chromium snap as well.
** Bug watch added: Mozilla Bugzilla #1734791
https://bugzilla.mozilla.org
Same problem here, chromium is not able to use kerberos ticket. I think,
it is time to get back chromium as a deb package until snap is really
working.
--
Unsure why thunderbird is listed there, it's not mentioned in the
description nor posts, could you give some details on what isn't working
and how?
** Changed in: thunderbird (Ubuntu)
Importance: Undecided => Low
** Changed in: thunderbird (Ubuntu)
Status: Confirmed => Incomplete
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: thunderbird (Ubuntu)
Status: New => Confirmed
--
Observed the same issue using the Thunderbird snap instead of the
RPM.
** Also affects: thunderbird (Ubuntu)
Importance: Undecided
Status: New
--
The snap should have the required libraries to support kerberos
authentication, but it's likely that confinement is getting in the way.
Does kerberos allow verbose logging on the server end, to inspect where
authentication is failing?
--
Sorry, I changed the issue's type accidentally.
** Information type changed from Public Security to Public
--
Why do you think it's a security issue?
--
This problem still persists and SPNEGO won't work even with new policies:
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AuthServerAllowlist
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AuthNegotiateDelegateAllowlist
The policies are loaded successfully but k
Sorry this sucks guys - when is it going to get fixed? Ubuntu 20.04 also
stopped working for me since the transition to snap happened - all
kerberos and gssapi authentications no longer work
--
The same problem here, after upgrading to 'snapped' chromium 79 we lost
Single Sign-On, all our Kerberos security based intranet web servers
started asking for username and password.
Kerberos ticket cache is file /tmp/krb5cc_:
johndoe@computer:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default
Thanks, that's useful.
I'm not familiar with SPNEGO/GSSAPI/kerberos, could you maybe come up
with easy steps to reproduce the problem on a clean system? That would
allow me to dig further into the problem.
--
The /etc/gss/mech.d/ and /etc/krb5.conf.d/ denials may be relevant. Both
directories are empty in my case, but lack of access may be killing some
logic that relies on checking them.
** Attachment added: "AppArmor denials"
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1849346/
Thanks for the report.
Can you check for apparmor denials in the system journal when reproducing the
problem? Run the following command in a terminal before launching chromium:
journalctl -f | grep DEN
** Tags added: snap
--
** Summary changed:
- kerberos GSSAPI no longer works after deb->snap transition
+ [snap] kerberos GSSAPI no longer works after deb->snap transition
--
** Description changed:
I configure AuthServerWhitelist as documented:
- https://cloud.google.com/docs/chrome-
- enterprise/policies/?policy=AuthServerWhitelist
+ https://www.chromium.org/developers/design-documents/http-authentication
and can see my whitelisted domains in chrome://polic
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: chromium-browser (Ubuntu)
Status: New => Confirmed
--
Public bug reported:
I configure AuthServerWhitelist as documented:
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AuthServerWhitelist
and can see my whitelisted domains in chrome://policy/
but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
work. I'm guessin