User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.99 Safari/537.36
Steps to reproduce:
This issue concerns the Firefox snap package. I have configured Firefox to use SPNEGO authentication against my authentication server using the policy `Authentication/SPNEGO` (as documented at https://github.com/mozilla/policy-templates/blob/master/README.md#authentication). Firefox shows the policy in `about:policies` and the corresponding setting `network.negotiate-auth.trusted-uris` in `about:config`, so the policy is found and applied correctly.
Actual results:
Even though the policy is active, Firefox does not attempt Kerberos authentication against my authentication server. The exact same policy DOES work with the regular deb-based version of Firefox, so the issue has to be in the snap package.
I guess that the snap version does not have access to the required files and/or environment variables. I logged which files and directories the deb-based Firefox accesses that seem to have to do with Kerberos/SPNEGO using `strace -f -t -e trace=file firefox` on my system running Ubuntu 21.10 beta:
```
/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
/lib/x86_64-linux-gnu/libkrb5.so.3
/lib/x86_64-linux-gnu/libk5crypto.so.3
/lib/x86_64-linux-gnu/libkrb5support.so.0
/etc/gss/mech
/etc/gss/mech.d
/etc/krb5.conf
/etc/krb5/user/10017/client.keytab
/usr/share/locale/*/LC_MESSAGES/mit-krb5.mo
/usr/share/locale-langpack/*/LC_MESSAGES/mit-krb5.mo
/tmp/krb5cc_10017_QfHqc3
```
`10017` is the user ID of the user running firefox. The last file `/tmp/krb5cc_10017_QfHqc3` is the user's Kerberos ticket cache, which is given by the environment variable `KRB5CCNAME`.
So the first step would be to allow the snap to access the listed files and directories, as well as to the environment variable `KRB5CCNAME`. Of course, the list is just generated by looking at the deb-based Firefox on my system and might not be complete.
In any case, I'd be happy to test an updated snap.
Expected results:
Kerberos/SPNEGO authentication should work the same as in the deb-based Firefox.
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.99 Safari/537.36
Steps to reproduce:
This issue concerns the Firefox snap package. I have configured Firefox to use SPNEGO authentication against my authentication server using the policy `Authentication /SPNEGO` (as documented at https:/ /github. com/mozilla/ policy- templates/ blob/master/ README. md#authenticati on). Firefox shows the policy in `about:policies` and the corresponding setting `network. negotiate- auth.trusted- uris` in `about:config`, so the policy is found and applied correctly.
Actual results:
Even though the policy is active, Firefox does not attempt Kerberos authentication against my authentication server. The exact same policy DOES work with the regular deb-based version of Firefox, so the issue has to be in the snap package.
I guess that the snap version does not have access to the required files and/or environment variables. I logged which files and directories the deb-based Firefox accesses that seem to have to do with Kerberos/SPNEGO using `strace -f -t -e trace=file firefox` on my system running Ubuntu 21.10 beta: 64-linux- gnu/libgssapi_ krb5.so. 2 64-linux- gnu/libkrb5. so.3 64-linux- gnu/libk5crypto .so.3 64-linux- gnu/libkrb5supp ort.so. 0 user/10017/ client. keytab locale/ */LC_MESSAGES/ mit-krb5. mo locale- langpack/ */LC_MESSAGES/ mit-krb5. mo 10017_QfHqc3 10017_QfHqc3` is the user's Kerberos ticket cache, which is given by the environment variable `KRB5CCNAME`.
```
/lib/x86_
/lib/x86_
/lib/x86_
/lib/x86_
/etc/gss/mech
/etc/gss/mech.d
/etc/krb5.conf
/etc/krb5/
/usr/share/
/usr/share/
/tmp/krb5cc_
```
`10017` is the user ID of the user running firefox. The last file `/tmp/krb5cc_
So the first step would be to allow the snap to access the listed files and directories, as well as to the environment variable `KRB5CCNAME`. Of course, the list is just generated by looking at the deb-based Firefox on my system and might not be complete.
In any case, I'd be happy to test an updated snap.
Expected results:
Kerberos/SPNEGO authentication should work the same as in the deb-based Firefox.