Description of problem:
I installed firefox flatpak, killed existing firefox, ran flatpak, it gave me option to restore which I did, then the tabs which required to get SAML login information failed to get it and asked me to login using username/passwd.

Version-Release number of selected component (if applicable):
[parag@f30 ~]$ flatpak info org.mozilla.Firefox stable
Firefox - Browse the Web
ID: org.mozilla.Firefox
Ref: app/org.mozilla.Firefox/x86_64/stable
Arch: x86_64
Branch: stable
Origin: fedora
Collection:
Installation: system
Installed: 201.7 MB
Runtime: org.fedoraproject.Platform/x86_64/f29
Sdk: org.fedoraproject.Sdk/x86_64/f29
Commit: 5ac207ed18979af9a6e60ce68514a87bb91de4093f4d32d6e9ae480590fbd966
Subject: Export org.mozilla.Firefox
Date: 2019-03-28 20:27:32 +0000
Alt-id: ece033460d927e21d89db3ba48168e7f509bf3cf5f65eb58182af9ba49aefc67

How reproducible:
always

Steps to Reproduce:
1. Install flatpak firefox
2. Restore session
3. Websites which were not asking username/passwd because I already had kerberos ticket, now start asking for it.
4. If I move back to rpm based firefox, those websites do not ask username/passwd.

Actual results:
SAML not working

Expected results:
SAML should work

Additional info:
I'm having this problem in the latest firefox flatpak in Fedora. My base OS is Fedora 31 Silverblue.

$ flatpak --user info org.mozilla.Firefox
Firefox - Browse the Web
ID: org.mozilla.Firefox
Ref: app/org.mozilla.Firefox/x86_64/stable
Arch: x86_64
Branch: stable
Origin: fedora
Collection:
Installation: user
Installed: 369.0 MB
Runtime: org.fedoraproject.Platform/x86_64/f30
Sdk: org.fedoraproject.Sdk/x86_64/f30
Commit: 19e5b7f8d1745f1456bb47525cdeeaebe284e9501d07ec787b3c822c54e3a772
Subject: Export org.mozilla.Firefox
Date: 2019-10-23 10:08:03 +0000
Alt-id: 445138d3b3fbdf203c44481fe2f8be5a667d53a2a5336bd0182176dad5bde21e
There are some holes to be poked in the Flatpak sandbox in order to get the kerberos ticket visible inside.

Since https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 has merged into the GNOME Platform runtime, you just need to allow your Flatpak to access /run/.heim_org.h5l.kcm-socket. For that, I just proposed https://src.fedoraproject.org/flatpaks/firefox/pull-request/1

Still, the Firefox Flatpak needs to be ported to a newer runtime that will include the changes inherited from the GNOME runtime. It will be likely present in org.fedoraproject.Platform//f31.
Thanks Felipe! Do you happen to know when we'll move over to f31 as the base for the firefox flatpak?
(In reply to Felipe Borges from comment #2)
> There are some holes to be poked in the Flatpak sandbox in order to get the
> kerberos ticket visible inside.
>
> Since https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 has
> merged into the GNOME Platform runtime, you just need to allow your Flatpak
> to access /run/.heim_org.h5l.kcm-socket. For that, I just proposed
> https://src.fedoraproject.org/flatpaks/firefox/pull-request/1
>
> Still, the Firefox Flatpak needs to be ported to a newer runtime that will
> include the changes inherited from the GNOME runtime. It will be likely
> present in org.fedoraproject.Platform//f31.

OK so I was able to workaround for now in the firefox flatpak (currently based on Fedora 30) by doing two things:

- add --filesystem=/run/.heim_org.h5l.kcm-socket
- copy the /etc/krb5.conf.d/kcm_default_ccache file from the host into the platform flatpak
    - This file is owned by the sssd-kcm rpm
    - cp /etc/krb5.conf.d/kcm_default_ccache ~/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f30/active/files/etc/krb5.conf.d/

Felipe, do the changes in that gnome MR make it so that 2nd step is not needed?

I look in the flatpak runtime for f31 and there is no kcm_default_ccache file there. Should we add the sssd-kcm to https://src.fedoraproject.org/modules/flatpak-runtime/tree/f31 ?
(In reply to Dusty Mabe from comment #4)
> OK so I was able to workaround for now in the firefox flatpak (currently
> based
> on Fedora 30) by doing two things:
>
> - add --filesystem=/run/.heim_org.h5l.kcm-socket
> - copy the /etc/krb5.conf.d/kcm_default_ccache file from the host into the
> platform flatpak
> - This file is owned by the sssd-kcm rpm
> - cp /etc/krb5.conf.d/kcm_default_ccache
> ~/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f30/active/
> files/etc/krb5.conf.d/
>
> Felipe, does the changes in that gnome MR make it so that 2nd step is not
> needed?

Yes, https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 adds a /etc/krb5.conf with the right text to the GNOME runtime.

> I look in the flatpak runtime for f31 and there is no kcm_default_ccache
> file there.

Is there a /etc/krb5.conf? The GNOME runtime doesn't use the /etc/krb.conf.d setup. Everything is in the /etc/krb5.conf file.

> Should we add the sssd-kcm to
> https://src.fedoraproject.org/modules/flatpak-runtime/tree/f31 ?

The sssd-kcm RPM also contains things other than just the configuration file, e.g., /usr/libexec/sssd/sssd_kcm and friends. We should probably split the configuration file out because it can be useful for toolbox containers also.
(In reply to Debarshi Ray from comment #5)
>
> Is there a /etc/krb5.conf? The GNOME runtime doesn't use the /etc/krb.conf.d
> setup. Everything is in the /etc/krb5.conf file.

Yes there is an /etc/krb5.conf.
OK - the firefox flatpak in Fedora has now moved to Fedora 31. I no longer need to add `--filesystem=/run/.heim_org.h5l.kcm-socket` because of https://src.fedoraproject.org/flatpaks/firefox/pull-request/1 .

However I do still need to do:

- copy the /etc/krb5.conf.d/kcm_default_ccache file from the host into the platform flatpak
    - This file is owned by the sssd-kcm rpm
    - cp /etc/krb5.conf.d/kcm_default_ccache ~/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f31/active/files/etc/krb5.conf.d/

> Yes, https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 adds a /etc/krb5.conf with the right text to the GNOME runtime.

When can we expect that change to land in the F31 org.fedoraproject.Platform ?
I still have this problem with the F32 org.fedoraproject.Platform. The krb5.conf file didn't change between F31->F32.

$ md5sum /home/dustymabe/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/{f31,f32}/active/files/etc/krb5.conf
c523bd80412c3f7aae8cfdcefd9a15d4 /home/dustymabe/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f31/active/files/etc/krb5.conf
c523bd80412c3f7aae8cfdcefd9a15d4 /home/dustymabe/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f32/active/files/etc/krb5.conf
Still have this problem. The krb5.conf file did change recently but didn't change anything:

[dustymabe@media ~]$ md5sum /var/b/shared/krb5.conf /etc/krb5.conf
c523bd80412c3f7aae8cfdcefd9a15d4 /var/b/shared/krb5.conf
004cbdc2eadda9ee121af9f082f1af78 /etc/krb5.conf
[dustymabe@media ~]$ diff -u /var/b/shared/krb5.conf /etc/krb5.conf
--- /var/b/shared/krb5.conf 2020-09-25 17:33:52.825862130 -0400 +++ /etc/krb5.conf 2020-08-13 09:59:36.000000000 -0400 @@ -15,6 +15,8 @@ rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt spake_preauth_groups = edwards25519 + dns_canonicalize_hostname = fallback + qualify_shortname = "" # default_realm = EXAMPLE.COM default_ccache_name = KEYRING:persistent:%{uid}

The workaround from https://bugzilla.redhat.com/show_bug.cgi?id=1699235#c7 still works.
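Review bot: the trailing context line `default_ccache_name = KEYRING:persistent:%{uid}` is the same on both sides of this hunk, so the credential cache setting is untouched; the two `+` lines (`dns_canonicalize_hostname`, `qualify_shortname`) only affect hostname handling. For the sandboxed app to find the ticket, the difference that matters would be a cache setting that points at KCM, such as the /etc/krb5.conf.d/kcm_default_ccache drop-in discussed earlier in the thread, and nothing in these lines provides one.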
Today I learnt that changes from the upstream org.gnome.Platform//3.34 runtime won't just automatically migrate to the Fedora runtimes. I am not sure how I got that implication, and given my lack of understanding of the tooling, I sort of assumed that it would be true. My apologies and thanks for the constant poking! I am talking to Kalev right now on finding a way to get the /etc/krb5.conf.d/kcm_default_ccache file into the Fedora runtime.
Here's a pull request to split the /etc/krb5.conf.d/kcm_default_ccache file out of the sssd-kcm sub-package into a separate sub-package that doesn't contain the entire implementation of a Kerberos KCM server: https://src.fedoraproject.org/rpms/sssd/pull-request/6 This new configuration-only sub-package can then be pulled into the Fedora Flatpak runtimes.
In the PR above, we got a suggestion to use KRB5CCNAME=KCM: env variable instead and that seems to work great. I went ahead and added it to firefox flatpak and doing a new build now. https://src.fedoraproject.org/flatpaks/firefox/c/8e1915338fedca8ce4e362cd130716e942b87a07?branch=master
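The two sandbox settings this thread converges on (access to /run/.heim_org.h5l.kcm-socket and KRB5CCNAME=KCM:) can be checked from an app's Flatpak metadata. The following is an added example, not part of the bug report or of the Fedora packaging; the function name check_kcm_access and the sample metadata are constructed, and it assumes the variable appears under [Environment] in the keyfile that `flatpak info --show-metadata` prints.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads Flatpak metadata (keyfile
# text) on stdin and checks for the two settings this thread arrives at:
#   [Context]     filesystems= includes /run/.heim_org.h5l.kcm-socket
#   [Environment] KRB5CCNAME=KCM:
# Prints "ok" and returns 0 when both are present; otherwise prints what is
# missing and returns 1.
check_kcm_access() {
    awk '
        /^\[/ { group = $0; next }
        group == "[Context]" && /^filesystems=/ {
            sub(/^filesystems=/, "")
            n = split($0, fs, ";")
            for (i = 1; i <= n; i++) {
                path = fs[i]
                sub(/:(ro|rw|create)$/, "", path)   # drop access suffix
                if (path == "/run/.heim_org.h5l.kcm-socket") socket = 1
            }
        }
        group == "[Environment]" && /^KRB5CCNAME=KCM:/ { ccache = 1 }
        END {
            if (socket && ccache) { print "ok"; exit 0 }
            if (!socket) print "missing filesystem: /run/.heim_org.h5l.kcm-socket"
            if (!ccache) print "missing env: KRB5CCNAME=KCM:"
            exit 1
        }'
}

# Constructed sample metadata (not copied from any real build).
# SOCKET_ONLY models the state where only the socket has been allowed.
SOCKET_ONLY='[Application]
name=org.mozilla.Firefox

[Context]
shared=network;ipc;
filesystems=xdg-download;/run/.heim_org.h5l.kcm-socket;
'
# SOCKET_AND_ENV adds the KRB5CCNAME setting suggested in the sssd PR.
SOCKET_AND_ENV="${SOCKET_ONLY}
[Environment]
KRB5CCNAME=KCM:
"

printf '%s' "$SOCKET_ONLY"    | check_kcm_access || true
printf '%s' "$SOCKET_AND_ENV" | check_kcm_access
```

On a system with the app installed, the same check runs as `flatpak info --show-metadata org.mozilla.Firefox | check_kcm_access`.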
FEDORA-FLATPAK-2020-33129f0e78 has been submitted as an update to Fedora 32 Flatpaks. https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2020-33129f0e78
FEDORA-FLATPAK-2020-33129f0e78 has been pushed to the Fedora 32 Flatpaks testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2020-33129f0e78 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-FLATPAK-2020-33129f0e78 has been pushed to the Fedora 32 Flatpaks stable repository. If problem still persists, please make note of it in this bug report.
This seems to work for me. Thanks!
You are welcome!