Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:

This is a clone for upstream bug:

https://fedorahosted.org/freeipa/ticket/4906

Customer is using firefox 40.0.3

Version-Release number of selected component (if applicable): 

ipa-server-4.1.0-18.el7_1.4.x86_64

How reproducible: 

I have not reproduced but seems it can be reproduced always with firefox version 40.



Steps to Reproduce:

Install extension for kerberos auth kerberosauth.xpi in firefox 40.X

Actual results:

the extension will show as corrupted.

Expected results:


Additional info:

The workaround is here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/using-the-ui.html#man-configure-firefox

Basically, add in about:config the property:

network.negotiate-auth.trusted-uris: .<domain name>

The intended course of action is to show manual configuration in browserconfig.html instead of configuration with the extension for versions of Firefox >= 40.

The reasoning is:
* plan for enterprise environments was not published yet which forces as to use AMO (addons.mozilla.org)
* with AMO the user experience is worse than a manual configuration 

steps for AMO: 
* go to AMO page
* installed the extension
* go back to IPA page
* probably refresh
* click configure
* confirm

manual config:
* go to about:config
* set  network.negotiate-auth.trusted-uris with *domain.name

Fixed upstream
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/f1b2b0f5a1a73c2cffc19fe4fc8fb644bf1875be
master:
https://fedorahosted.org/freeipa/changeset/a94f3e5be88aec378e62f8696ca928635e0569a5

Created attachment 1077898 [details]
firefox_38_browser_config

Created attachment 1077899 [details]
firefox_41_browser_config

Verified.

IPA server version :: 

ipa-server-4.2.0-12.el7.x86_64

Attached images for behavior changes.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html