
#1 2021-08-31 07:08:22

tdVzu1t
Member
Registered: 2021-04-25
Posts: 5

Kerberos tokens for SSO in firefox flatpak

Hi,

Flatpak Firefox gives a nice sandboxed browser but I don't know how to give the browser access to my system's Kerberos token. On the Firefox side it should be a simple case of going to `about:config` and setting `network.negotiate-auth.trusted-uris` to the specific domain where I want my Kerberos token to be used.

However, I need some flatpak magic. I know that my tokens are created successfully and they show up with `klist`. I found a helpful discussion, which seems to describe the exact problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1699235
This proposes that we:
1) use the Kerberos cache manager and add this flag to the flatpak run command: `--filesystem=/run/.heim_org.h5l.kcm-socket`. That I can do. I added `default_ccache_name = KCM:` to my `/etc/krb5.conf`
2) copy the `/etc/krb5.conf.d/kcm_default_ccache` file from the host into the platform flatpak

This second path (`/etc/krb5.conf.d`) doesn't exist. There was then mention about using `sssd-kcm`, which I tried to install but that comes without an example `/etc/sssd/sssd.conf` file, and I can't configure it so that it launches successfully (even if that would help the missing path).

Any tips on how to dig into this a little deeper? Many thanks in advance.

Last edited by tdVzu1t (2021-08-31 07:12:24)


#2 2021-09-14 07:02:00

tdVzu1t
Member
Registered: 2021-04-25
Posts: 5

Re: Kerberos tokens for SSO in firefox flatpak

No solution, but an update: I dumped the flatpak version of Firefox and installed the one in `extra/firefox`. This works fine with local Kerberos tokens, confirming that the issue remains with passing tokens through to the sandbox. Any hints much appreciated, of course!


#3 2021-09-14 07:53:54

icar
Member
From: Catalunya
Registered: 2020-07-31
Posts: 442

Re: Kerberos tokens for SSO in firefox flatpak

Use something like Flatseal to manage permissions.
You need to figure out where tokens are created and then give access to that particular directory.

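Added example, not written by any poster in this thread: a shell sketch of the "figure out where tokens are created, then give access to that path" step from post #3, which maps a Kerberos credential cache name to the single `--filesystem=` grant that exposes it instead of opening a whole directory tree. The function names are hypothetical, the `klist` parsing assumes MIT Kerberos output, the KCM socket path is the one quoted in post #1, and the sample `klist` output is constructed.

```shell
#!/bin/sh
# Socket path quoted in post #1; override KCM_SOCKET if your KCM daemon
# listens somewhere else (assumption: one socket per host).
KCM_SOCKET=${KCM_SOCKET:-/run/.heim_org.h5l.kcm-socket}

# Read MIT `klist` output on stdin and print the credential cache name.
ccache_from_klist() {
    sed -n 's/^Ticket cache: //p' | head -n 1
}

# Print the flatpak argument that exposes cache name $1.
# Returns 1 when the cache type has no filesystem path to share.
flatpak_arg_for_ccache() {
    case $1 in
        FILE:*)  printf '%s\n' "--filesystem=${1#FILE:}" ;;
        DIR::*)  # one specific cache file inside a DIR collection
                 printf '%s\n' "--filesystem=$(dirname "${1#DIR::}")" ;;
        DIR:*)   printf '%s\n' "--filesystem=${1#DIR:}" ;;
        KCM:*)   printf '%s\n' "--filesystem=$KCM_SOCKET" ;;
        KEYRING:*|MEMORY:*)
                 echo "no filesystem path for ${1%%:*} caches" >&2
                 return 1 ;;
        /*)      # a bare path is treated as a FILE cache
                 printf '%s\n' "--filesystem=$1" ;;
        *)       echo "unrecognised cache name: $1" >&2
                 return 1 ;;
    esac
}

# Constructed sample of `klist` output (principal and realm are made up).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG
EOF
}

# Demo on the sample. With a real ticket, use:
#   flatpak_arg_for_ccache "$(klist | ccache_from_klist)"
flatpak_arg_for_ccache "$(sample_klist | ccache_from_klist)"
```

The printed argument can be appended to the `flatpak run` command as in post #1, or stored per application with `flatpak override --user`, which is the same setting Flatseal edits.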
