I'm having this problem in the the latest firefox flatpak in Fedora. My base OS is Fedora 31 Silverblue.

$ flatpak --user info org.mozilla.Firefox

Firefox - Browse the Web

          ID: org.mozilla.Firefox
         Ref: app/org.mozilla.Firefox/x86_64/stable
        Arch: x86_64
      Branch: stable
      Origin: fedora
  Collection: 
Installation: user
   Installed: 369.0 MB
     Runtime: org.fedoraproject.Platform/x86_64/f30
         Sdk: org.fedoraproject.Sdk/x86_64/f30

      Commit: 19e5b7f8d1745f1456bb47525cdeeaebe284e9501d07ec787b3c822c54e3a772
     Subject: Export org.mozilla.Firefox
        Date: 2019-10-23 10:08:03 +0000
      Alt-id: 445138d3b3fbdf203c44481fe2f8be5a667d53a2a5336bd0182176dad5bde21e

There are some holes to be poked in the Flatpak sandbox in order to get the kerberos ticket visible inside.

Since https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 has merged into the GNOME Platform runtime, you just need to allow your Flatpak to access /run/.heim_org.h5l.kcm-socket. For that, I just proposed https://src.fedoraproject.org/flatpaks/firefox/pull-request/1

Still, the Firefox Flatpak needs to be ported to a newer runtime that will include the changes inherited from the GNOME runtime. It will be likely present in org.fedoraproject.Platform//f31.

Thanks Felipe!

Do you happen to know when we'll move over to f31 as the base for the firefox flatpak ?

(In reply to Felipe Borges from comment #2)
> There are some holes to be poked in the Flatpak sandbox in order to get the
> kerberos ticket visible inside.
> 
> Since https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 has
> merged into the GNOME Platform runtime, you just need to allow your Flatpak
> to access /run/.heim_org.h5l.kcm-socket. For that, I just proposed
> https://src.fedoraproject.org/flatpaks/firefox/pull-request/1
> 
> Still, the Firefox Flatpak needs to be ported to a newer runtime that will
> include the changes inherited from the GNOME runtime. It will be likely
> present in org.fedoraproject.Platform//f31.


OK so I was able to workaround for now in the firefox flatpak (currently based
on Fedora 30) by doing two things:

- add --filesystem=/run/.heim_org.h5l.kcm-socket
- copy the /etc/krb5.conf.d/kcm_default_ccache file from the host into the platform flatpak
    - This file is owned by the sssd-kcm rpm
    - cp /etc/krb5.conf.d/kcm_default_ccache ~/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f30/active/files/etc/krb5.conf.d/

Felipe, does the changes in that gnome MR make it so that 2nd step is not needed?

I look in the flatpak runtime for f31 and there is no kcm_default_ccache file there.
Should we add the sssd-kcm to https://src.fedoraproject.org/modules/flatpak-runtime/tree/f31 ?

(In reply to Dusty Mabe from comment #4)
> OK so I was able to workaround for now in the firefox flatpak (currently
> based
> on Fedora 30) by doing two things:
> 
> - add --filesystem=/run/.heim_org.h5l.kcm-socket
> - copy the /etc/krb5.conf.d/kcm_default_ccache file from the host into the
> platform flatpak
>     - This file is owned by the sssd-kcm rpm
>     - cp /etc/krb5.conf.d/kcm_default_ccache
> ~/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f30/active/
> files/etc/krb5.conf.d/
> 
> Felipe, does the changes in that gnome MR make it so that 2nd step is not
> needed?

Yes, https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 adds a /etc/krb5.conf with the right text to the GNOME runtime.

> I look in the flatpak runtime for f31 and there is no kcm_default_ccache
> file there.

Is there a /etc/krb5.conf? The GNOME runtime doesn't use the /etc/krb.conf.d setup. Everything is in the /etc/krb5.conf file.

> Should we add the sssd-kcm to
> https://src.fedoraproject.org/modules/flatpak-runtime/tree/f31 ?

The sssd-kcm RPM also contains things other than just the configuration file. eg., /usr/libexec/sssd/sssd_kcm and friends. We should probably split the configuration file out because it can be useful for toolbox containers also.

(In reply to Debarshi Ray from comment #5)
> 
> Is there a /etc/krb5.conf? The GNOME runtime doesn't use the /etc/krb.conf.d
> setup. Everything is in the /etc/krb5.conf file.

Yes there is an /etc/krb5.conf.

OK - the firefox flatpak in Fedora has now moved to Fedora 31. I no longer need to add `--filesystem=/run/.heim_org.h5l.kcm-socket` because of https://src.fedoraproject.org/flatpaks/firefox/pull-request/1 . However I do still need to do:

- copy the /etc/krb5.conf.d/kcm_default_ccache file from the host into the platform flatpak
    - This file is owned by the sssd-kcm rpm
    - cp /etc/krb5.conf.d/kcm_default_ccache ~/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f31/active/files/etc/krb5.conf.d/



> Yes, https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 adds a /etc/krb5.conf with the right text to the GNOME runtime.

When can we expect that change to land in the F31 org.fedoraproject.Platform ?

I still have this problem with the F32 org.fedoraproject.Platform. The krb5.conf file didn't change between F31->F32.

$ md5sum /home/dustymabe/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/{f31,f32}/active/files/etc/krb5.conf
c523bd80412c3f7aae8cfdcefd9a15d4  /home/dustymabe/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f31/active/files/etc/krb5.conf
c523bd80412c3f7aae8cfdcefd9a15d4  /home/dustymabe/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f32/active/files/etc/krb5.conf

Still have this problem. The krb5.conf file did change recently but didn't change anything:

[dustymabe@media ~]$ md5sum /var/b/shared/krb5.conf /etc/krb5.conf
c523bd80412c3f7aae8cfdcefd9a15d4  /var/b/shared/krb5.conf
004cbdc2eadda9ee121af9f082f1af78  /etc/krb5.conf

[dustymabe@media ~]$ diff -u /var/b/shared/krb5.conf /etc/krb5.conf
--- /var/b/shared/krb5.conf	2020-09-25 17:33:52.825862130 -0400
+++ /etc/krb5.conf	2020-08-13 09:59:36.000000000 -0400
@@ -15,6 +15,8 @@
     rdns = false
     pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
     spake_preauth_groups = edwards25519
+    dns_canonicalize_hostname = fallback
+    qualify_shortname = ""
 #    default_realm = EXAMPLE.COM
     default_ccache_name = KEYRING:persistent:%{uid}
 

The workaround from https://bugzilla.redhat.com/show_bug.cgi?id=1699235#c7 still works.

Today I learnt that changes from the upstream org.gnome.Platform//3.34 runtime won't just automatically migrate to the Fedora runtimes. I am not sure how I got that implication, and given my lack of understanding of the tooling, I sort of assumed that it would be true.

My apologies and thanks for the constant poking!

I am talking to Kalev right now on finding a way to get the /etc/krb5.conf.d/kcm_default_ccache file into the Fedora runtime.

Here's a pull request to split the /etc/krb5.conf.d/kcm_default_ccache file out of the sssd-kcm sub-package into a separate sub-package that doesn't contain the entire implementation of a Kerberos KCM server:
https://src.fedoraproject.org/rpms/sssd/pull-request/6

This new configuration-only sub-package can then be pulled into the Fedora Flatpak runtimes.

In the PR above, we got a suggestion to use KRB5CCNAME=KCM: env variable instead and that seems to work great. I went ahead and added it to firefox flatpak and doing a new build now.

https://src.fedoraproject.org/flatpaks/firefox/c/8e1915338fedca8ce4e362cd130716e942b87a07?branch=master

FEDORA-FLATPAK-2020-33129f0e78 has been submitted as an update to Fedora 32 Flatpaks. https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2020-33129f0e78

FEDORA-FLATPAK-2020-33129f0e78 has been pushed to the Fedora 32 Flatpaks testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2020-33129f0e78

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-FLATPAK-2020-33129f0e78 has been pushed to the Fedora 32 Flatpaks stable repository.
If problem still persists, please make note of it in this bug report.

This seems to work for me. Thanks!

You are welcome!