Bug 1301140

Summary: firefox no longer allows kerberos extention to be installed
Product: [Fedora] Fedora Reporter: Dennis Gilmore <dennis>
Component: freeipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: abokovoy, ipa-maint, jhrozek, mkosek, pvoborni, rcritten, sgallagh, ssorce
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 18:40:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Dennis Gilmore 2016-01-22 17:29:36 UTC 
Description of problem:
Firefox 43 does not allow the kerberos extention to be installed 

in Fedora ipa/config/browserconfig.html on the ipa sever no longer works. existing installs firefox disables the extention.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Alexander Bokovoy 2016-01-22 17:43:20 UTC 
See https://fedorahosted.org/freeipa/ticket/4906
Comment 2 Petr Vobornik 2016-01-22 17:48:05 UTC 
What version? 

FreeIPA 4.3 which is available in rawhide doesn't suggest to install extension for Firefox >= 40

https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=a94f3e5be88aec378e62f8696ca928635e0569a5
Comment 3 Alexander Bokovoy 2016-01-22 18:01:56 UTC 
Here is what you can see on Firefox configuration page in IPA 4.3:
---------------------------------------------------------------
Firefox configuration
Step 1

Make sure you select all three checkboxes.
Step 2

    In the address bar of Firefox, type about:config to display the list of current configuration options.
    In the Filter field, type negotiate to restrict the list of options.
    Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
    Enter the name of the domain against which you want to authenticate, for example, .example.com.

Step 3

---------------------------------------------------------------
Comment 4 Dennis Gilmore 2016-01-23 21:07:52 UTC 
I have freeipa-server-4.1.4-4.fc22.x86_64 installed and running
Comment 5 Alexander Bokovoy 2016-01-24 09:06:09 UTC 
So this is not an issue in Rawhide then.
Comment 6 Dennis Gilmore 2016-01-25 00:11:05 UTC 
it is an issue for rawhide clients
Comment 7 Dennis Gilmore 2016-01-25 00:12:30 UTC 
it is also an issue for all fedora clients regardless of the version.
Comment 8 Tomas Babej 2016-01-26 13:13:37 UTC 
Dennis, can you elaborate?

As far as I understand the issue, Kerberos extension should not be installed for Firefox 40 and above, but rather a manual procedure should be used.

This procedure is documented in all FreeIPA releases starting from 4.3, but works with the older releases too:

1.) go to about:config
2.) set network.negotiate-auth.trusted-uris with *domain.name
Comment 9 Dennis Gilmore 2016-01-26 14:48:15 UTC 
my ipa server is on a fully updated fedora 22 server. regardless of the client os I use to access the server I get offered the extension to be installed on firefox greater than 40. at the least you need to backport disabling the extention to all supported releases. 

There are ways to get your extention signed by mozilla.
Comment 10 Petr Vobornik 2016-01-26 16:01:09 UTC 
FreeIPA on F23 will receive update to version 4.2.4 which has the ticket - probably in 3 weeks.

As for F22 I would avoid updating to 4.1.5. That release was not very well tested and therefore it is safer to stay on 4.1.4 for the remaining 5 or so months (F22 EOL). That said F22 can receive backport of patch for ticket #4966.

Demo of the new config page: http://ipa.demo1.freeipa.org/ipa/config/browserconfig.html
Comment 11 Jan Kurik 2016-02-24 14:19:53 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 12 Fedora End Of Life 2016-07-19 18:40:29 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.