Comment 30 for bug 1849346

The magic disappears in Firefox's AppArmor profile, which doesn't allow it to access `/tmp/krb5cc_*`. As an easy workaround until the Snap configuration is fixed, edit `/etc/krb5.conf` to relocate your Kerberos ticket cache somewhere Firefox *can* access it:

```
[libdefaults]
 default_ccache_name = FILE:/home/%{username}/krb5cc
```

(Don't forget to re-`kinit`.)

---

In addition to the AppArmor problems, the snap is also missing the `krb5/plugins/tls/k5tls.so` module that's required to access KDCs via MS-KKDCP (aka KdcProxy). Now _most_ realms should work fine without the k5tls plugin, but in some cases it might be necessary to manually specify non-proxied KDC hostnames in krb5.conf `[realms]`. (If you're using Azure AD Kerberos, you're out of luck.)

The magic environment variables to reveal such problems are `KRB5_TRACE=/dev/stderr NSPR_LOG_MODULES=negotiateauth:5`.